6/15/2011

[Warning] Tampered Korean social commerce web site spreads various malicious files

1. Introduction

On June 3, 2011, it was revealed that the official web page of one well-known Korean social commerce site had been tampered with and was spreading a number of new malicious files through a Flash Player vulnerability.
Social commerce is currently a major trend because it lets users buy goods at reasonable prices.
This company is so widely known that the scope of infection cannot be easily estimated, so users need to be cautious: once a normal web page has been tampered with, visitors can be infected easily.



* Social commerce

Social commerce is a subset of electronic commerce that involves using social media, online media that supports social interaction and user contributions, to assist in the online buying and selling of products and services.
The term social commerce was introduced by Yahoo! in November 2005 to describe a set of online collaborative shopping tools such as shared pick lists, user ratings and other user-generated content-sharing of online product information and advice.

 http://en.wikipedia.org/wiki/Social_commerce

2. Spreading path and symptoms of infection

When a user connects to the tampered social commerce web site, additional malicious files are downloaded through a vulnerability in Flash files that works on certain versions of Flash Player. The malicious files downloaded in this process (095.exe, 95.exe, 122.exe) replace the normal system file lpk.dll, and the replacement can hijack specific online game accounts or perform other malicious behavior.

This use of the Flash vulnerability initially focused on the holiday period, but attacks were also observed on weekdays after the official Flash Player security patch had been released. Although it was confirmed that the malicious script no longer remains on the web site, further attacks are possible, so installing and keeping the latest Flash Player and Microsoft security patches up to date is the most important way to protect users' assets. Most visitors to the web site who lack the patches mentioned above will be infected with the malicious file. If you are infected, we recommend scanning with our nProtect Anti-Virus program.

* Malicious file download following the tampering of the social commerce web site

If you access this social commerce web site, an additional malicious file can be downloaded and executed through the pre-injected malicious URL.




In addition, in the same way as above, some of the malicious scripts work only on certain versions, as shown in the following image.


The image above shows the decoded SWF file, which downloads an additional malicious file using the Flash vulnerability.
The following image shows the URL parsing needed for the download and the browser version check performed when the SWF file is executed.


* Adobe Flash Player versions affected by the Flash exploit

 - 10.3.181.14
 - 10.3.181.22
 - 10.3.181.23
 - 10.1.82.76
 - All versions except the latest (10.3.181.26) need to be updated
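The version list above is easy to misread when compared as text ("10.1.82.76" sorts after "10.3.181.26" alphabetically). The following added example, which is not part of the original advisory, compares Flash Player version strings numerically against the fixed release the advisory names, so a helpdesk or inventory script can flag machines that still need the update. The only assumed values are the constructed sample versions used in the usage section.

```python
# Added example (not from the original advisory): decide whether an installed
# Adobe Flash Player version is older than the fixed release the advisory
# names. Components are compared as integers, so "10.1.82.76" correctly
# ranks below "10.3.181.26" even though "10.1..." > "10.3..." as text.
from typing import Tuple

# Fixed release named in the advisory; everything older needs updating.
FIXED_VERSION = "10.3.181.26"

# Versions the advisory lists as affected (used as sample input below).
AFFECTED_SAMPLES = ["10.3.181.14", "10.3.181.22", "10.3.181.23", "10.1.82.76"]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a 4-tuple of ints for comparison.

    Flash reports its version either as "10.3.181.26" or, in some places,
    as "10,3,181,26"; both separators are accepted. Missing trailing
    components are treated as zero, so "10.3" compares as 10.3.0.0.
    """
    parts = [p.strip() for p in version.replace(",", ".").split(".") if p.strip()]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def needs_update(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    return parse_version(installed) < parse_version(fixed)


if __name__ == "__main__":
    # "11.0" below is a constructed newer version, not one from the advisory.
    for v in AFFECTED_SAMPLES + [FIXED_VERSION, "11.0"]:
        print(f"{v:>12}: {'UPDATE REQUIRED' if needs_update(v) else 'ok'}")
```

On a real machine the installed version string would come from the Flash Player control panel or the version resource of the plugin file; the comparison logic does not change.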

※ Adobe Flash Player update link

 http://www.adobe.com/go/getflash

* Tampering with a normal system file (lpk.dll)

The downloaded malicious files (095.exe, 95.exe, and 122.exe) rename the normal system file lpk.dll to lpk32.dll and then rename the malicious file to lpk.dll, which steals online game accounts. Therefore lpk.dll exists on both infected and uninfected systems, and its presence alone tells the user nothing. The best way to check for infection is to scan with the latest anti-virus product.
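Because lpk.dll is present either way, a useful check looks at two other signals the swap leaves behind: the renamed original (lpk32.dll) and an lpk.dll whose hash no longer matches a known-good copy. The following added example, which is not part of the original advisory or of nProtect, implements that check over a directory. The advisory publishes no file hashes, so the known-good hash is supplied by the caller (for instance taken from a clean machine of the same OS build); the directory layouts and file contents below are constructed stand-ins, not real DLLs.

```python
# Added example (not from the original advisory): look for the lpk.dll swap
# the advisory describes, in which the genuine lpk.dll is renamed to
# lpk32.dll and a malicious file takes its place. Two indicators are
# combined: an lpk32.dll leftover (no legitimate file by that name is
# expected beside lpk.dll) and an lpk.dll whose hash differs from a
# known-good hash supplied by the caller.
import hashlib
import os
import tempfile
from typing import Dict, Optional


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_lpk(system_dir: str, known_good_sha256: Optional[str] = None) -> Dict[str, object]:
    """Return the indicators found in system_dir.

    'lpk32_present'     - the renamed original is still there (strong indicator)
    'lpk_hash_mismatch' - lpk.dll differs from the known-good hash; None when
                          no baseline hash was given or lpk.dll is absent
    'suspicious'        - True if either indicator fired
    """
    lpk = os.path.join(system_dir, "lpk.dll")
    lpk32 = os.path.join(system_dir, "lpk32.dll")
    lpk32_present = os.path.isfile(lpk32)
    mismatch = None
    if known_good_sha256 is not None and os.path.isfile(lpk):
        mismatch = sha256_of(lpk).lower() != known_good_sha256.lower()
    return {
        "lpk32_present": lpk32_present,
        "lpk_hash_mismatch": mismatch,
        "suspicious": lpk32_present or bool(mismatch),
    }


# --- constructed sample layouts (placeholder bytes, not real DLL contents) ---
GENUINE_BYTES = b"constructed stand-in for the genuine lpk.dll"
MALICIOUS_BYTES = b"constructed stand-in for the swapped-in lpk.dll"


def build_sample(infected: bool) -> str:
    """Create a temp directory mimicking a clean or a swapped system directory."""
    d = tempfile.mkdtemp(prefix="lpk-sample-")
    if infected:
        # The swap: original kept as lpk32.dll, malicious file named lpk.dll.
        with open(os.path.join(d, "lpk32.dll"), "wb") as f:
            f.write(GENUINE_BYTES)
        with open(os.path.join(d, "lpk.dll"), "wb") as f:
            f.write(MALICIOUS_BYTES)
    else:
        with open(os.path.join(d, "lpk.dll"), "wb") as f:
            f.write(GENUINE_BYTES)
    return d


def baseline_hash() -> str:
    """Hash of the constructed genuine file, standing in for a real baseline."""
    return hashlib.sha256(GENUINE_BYTES).hexdigest()


if __name__ == "__main__":
    for infected in (False, True):
        d = build_sample(infected)
        print("infected" if infected else "clean   ", check_lpk(d, baseline_hash()))
```

On a real Windows host you would point `check_lpk` at the system directory (`C:\Windows\System32`) and pass the SHA-256 of lpk.dll from a clean machine with the same OS build and patch level. The hash comparison matters because the lpk32.dll leftover can be cleaned up by the attacker, whereas a swapped lpk.dll cannot keep the original's hash; conversely, without a baseline hash the function still reports the lpk32.dll indicator.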



3. How to prevent

As shown above, when malicious files are spread through famous and widely used social commerce sites, the range of infection can be widened considerably, and huge financial loss and damage can follow.

Especially in this case, which combines the tampering of a normal site with an application vulnerability, general users may not recognize whether they are infected.

To stay safe from this kind of malicious file, the most important thing is to install and maintain the latest security patches, and we recommend that users follow these safety precautions:

Security management tips

1. Keep the OS and applications on the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function enabled.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious with links received through instant messengers and social networking services.

INCA Internet (Security Response Center / Response Team) provides diagnosis and treatment for the malicious files stated above and runs a response system against various security threats.

* Detection names added to the nProtect Anti-Virus product family

- Trojan-Exploit/W32.SWFlash.5863.JF
- Trojan-Exploit/W32.SWFlash.3949.JG
- Trojan-Exploit/W32.SWFlash.3820.JC
- Trojan-Exploit/W32.SWFlash.2956.JE
- Trojan/W32.Magania.33585878
- Trojan/W32.Agent.83876.C
- Trojan/W32.Agent.33599194
- Script-JS/W32.Agent.CEK
- Script-JS/W32.Agent.CEL
- Script-JS/W32.Agent.CEN
- Script-JS/W32.Agent.ZR
- Script-JS/W32.Agent.CEO
