
7/06/2011

[Warning] Malicious file detected that exploits an HWP file vulnerability

1. Introduction

Recently, users need to pay special attention to a prevalent malicious file that exploits a vulnerability in Hangul Word Processor (HWP) files.
This malicious file looks almost the same as a normal document, so from a general user's point of view it is hard to tell apart.
In addition, the most notable feature of this malicious file is that it still displays and prints the document and otherwise behaves as usual.




[About HWP]

Hangul Word Processor (also known as HWP) is a proprietary word processing application published by the South Korean company Hancom Inc.
It is used extensively in South Korea, especially by the government.
HWP's support for the special needs of the Korean written language has gained it widespread use in South Korea. Microsoft Word and Hangul are used alongside each other in many South Korean companies.

[Get more details of HWP]
 http://en.wikipedia.org/wiki/Hangul_(word_processor)
 http://www.hancom.co.kr/group.eng_main.main.do


[HWP Code Execution Vulnerability Security Update Advisory]
 http://www.krcert.or.kr/secureNoticeView.do?num=554&seq=-1



2. Spreading path and symptoms of infection

The malicious file exploiting the HWP vulnerability can be spread via SMS, instant messenger, or e-mail attachment, masquerading as a purported internal document or as information on a topic of social interest.
Among the malicious files collected by the INCA Internet Response Team is "2011.hwp", and a number of variants have been found.

Depending on the variant, some use the HWP 2.x/3.x binary format, and others the document format compatible with HWP 2010.

* Resources
Haansoft made the HWP document format specification publicly available to everyone on June 29, 2010.

http://www.haansoft.com/notice.noticeView.do?targetRow=1&notice_seqno=33

The HWP 2.x/3.x format was used from "Hangul 97" to "Hangul 2.1".
The HWP 5.x format has been used from "Hangul 2002" up to the present.


When a user opens a malicious file that exploits the HWP document vulnerability, it appears to run normally, but it drops the additional malicious files embedded inside it and executes them.






* Generated files

 - (Temporary folder)\svchost.exe (17,920 bytes; malicious File)
 - (Temporary folder)\2.hwp (14,336 bytes; normal File)
 - (Windows System Folder)\ieprotect.dll (9,728 bytes; malicious File)


* (Temporary folder) generally refers to C:\Documents and Settings\(User Account)\Local Settings\Temp
* (Windows System Folder) is typically C:\WINDOWS\SYSTEM on Windows 95, 98 and ME,
C:\WINNT\SYSTEM32 on Windows 2000 and NT,
and C:\WINDOWS\SYSTEM32 on Windows XP

While the infection is underway, the normal document "2.hwp" shown below is opened in Hangul, so the user sees an ordinary document displayed and is misled into believing that nothing unusual has happened.



The content is written in Korean and discusses "Worries about Stuxnet, zero-day vulnerabilities, the booming mobile environment and its effects". What an ironic situation! In reality, the file itself is carrying out malicious behaviour.

In addition, the generated DLL file, as shown in the figure below, is injected into a normal process and works clandestinely. A precise analysis of the malicious file is in progress.
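The dropped-file list above and the injected DLL give a defender two things to look for on a suspect machine: the artefacts in the folders the post names, and a normal process that has ieprotect.dll loaded. The script below is an added example written for this post, not code from INCA Internet or from the analysis; it matches a directory listing and a loaded-module listing against those indicators. The file names, sizes and folders come from the post; the account name "user", the sample listings and the choice of explorer.exe as the injected process are constructed for the example. Sizes identify this particular sample only, so the script also flags a program named svchost.exe anywhere outside the system folder, which is suspicious whatever its size, since the genuine svchost.exe lives only there.

```python
from dataclasses import dataclass

# Indicators taken from the post: file name -> (size in bytes, expected folder, role).
DROPPED_FILES = {
    "svchost.exe":   (17920, "temp",   "malicious"),
    "2.hwp":         (14336, "temp",   "decoy document"),
    "ieprotect.dll": (9728,  "system", "malicious"),
}

# Folder locations for a Windows XP machine; the account name is constructed.
TEMP_DIR = r"C:\Documents and Settings\user\Local Settings\Temp"
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM32"


@dataclass
class FileEntry:
    path: str   # full path, as a directory listing reports it
    size: int   # size in bytes


@dataclass
class ModuleEntry:
    process: str  # image name of the process
    module: str   # full path of a DLL loaded in that process


def _norm(path):
    """Normalise a Windows path for comparison: backslashes, lower case."""
    return path.replace("/", "\\").lower().rstrip("\\")


def _split(path):
    """Split a Windows path into (folder, file name), both lower-cased."""
    folder, _, name = _norm(path).rpartition("\\")
    return folder, name


def check_dropped_files(entries, temp_dir=TEMP_DIR, system_dir=SYSTEM_DIR):
    """Return one finding per file entry that matches the dropped-file indicators."""
    expected = {"temp": _norm(temp_dir), "system": _norm(system_dir)}
    findings = []
    for entry in entries:
        folder, name = _split(entry.path)
        known = DROPPED_FILES.get(name)
        if known and entry.size == known[0] and folder == expected[known[1]]:
            findings.append(f"{known[2]}: {entry.path} ({entry.size} bytes)")
        elif name == "svchost.exe" and folder != expected["system"]:
            # Location heuristic that survives size changes in variants.
            findings.append(f"svchost.exe outside the system folder: {entry.path}")
    return findings


def check_loaded_modules(modules):
    """Return the processes that have the dropped DLL loaded (injection check)."""
    return [f"{m.process} has {m.module} loaded"
            for m in modules if _split(m.module)[1] == "ieprotect.dll"]


# Constructed sample listings, in the shape a directory walk or a process
# module dump would give.  The clean svchost.exe size is made up.
SAMPLE_FILES = [
    FileEntry(r"C:\WINDOWS\SYSTEM32\svchost.exe", 14336),                       # genuine
    FileEntry(TEMP_DIR + r"\svchost.exe", 17920),                                # dropped
    FileEntry(TEMP_DIR + r"\2.hwp", 14336),                                      # decoy
    FileEntry(r"C:\WINDOWS\SYSTEM32\ieprotect.dll", 9728),                       # dropped
    FileEntry(r"C:\Temp\svchost.exe", 20480),                                    # variant-like
]
SAMPLE_MODULES = [
    ModuleEntry("explorer.exe", r"C:\WINDOWS\SYSTEM32\kernel32.dll"),
    ModuleEntry("explorer.exe", r"C:\WINDOWS\SYSTEM32\ieprotect.dll"),           # injected
]


def run_sample():
    """Run both checks over the constructed listings."""
    return check_dropped_files(SAMPLE_FILES), check_loaded_modules(SAMPLE_MODULES)


if __name__ == "__main__":
    files, modules = run_sample()
    for line in files + modules:
        print(line)
```

On a real machine the listings would come from walking the two folders and from a process module enumeration; the matching logic stays the same. Removing a found DLL is not enough on its own, because it is loaded inside a running process, so the host process must be terminated or the machine rebooted after the files are removed.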


3. How to prevent
 
Currently, Haansoft provides security patches that prevent this malicious file from working, and HWP users must apply the latest security patches to keep their PCs safe from such malicious files.





* How to apply the latest security patches (HWP 2007)

1. Run Hangul, then choose "Help" -> "Haansoft Automatic Update (U)" as shown below (red box).



2. After the first step, the security configuration update window appears as shown below. Click the "Update (U)" button to proceed.



3. Once the latest security patches are installed, opening the malicious file produces the screen shown below, and the malicious file is no longer executed normally.




To stay safe from this kind of malicious file, the most important thing is to install and maintain the latest security patches, and we recommend that users follow the safety precautions below:
 
Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and use its real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Response Team) provides detection and removal of the malicious files described above and operates a response system against various security threats.

The following image shows a scan result; there are many files and other variants, detected under names such as:

- Trojan/W32.Hwp-Exploit.52116
- Trojan/W32.Hwp-Exploit.40960
- Trojan/W32.Agent.393160.ADX, and so on



Because HWP is used mainly in Korea, has strong Korean-language support, and is of little interest abroad, we hesitated to upload this post. But the domestic market is also a large part of each company's business. We hope this broadens your view in a way you did not expect.
