
7/06/2011

[Warning] Malicious file detected that exploits an HWP file vulnerability

1. Introduction

Users currently need to pay special attention to a widespread malicious file that exploits a vulnerability in Hangul Word Processor (HWP) documents.
The malicious file looks almost identical to a normal document, so an ordinary user can hardly tell the two apart.
Its most notable feature is that it still displays the document and behaves as usual, so nothing looks wrong while the infection proceeds.




[About HWP]

Hangul Word Processor (also known as HWP) is a proprietary word processing application published by the South Korean company Hancom Inc.
It is used extensively in South Korea, especially by the government.
HWP's support for the special needs of the Korean written language has gained it widespread use in South Korea. Microsoft Word and Hangul are used alongside each other in many South Korean companies.

[Get more details of HWP]
 http://en.wikipedia.org/wiki/Hangul_(word_processor)
 http://www.hancom.co.kr/group.eng_main.main.do


[HWP Code Execution Vulnerability Security Update Advisory]
 http://www.krcert.or.kr/secureNoticeView.do?num=554&seq=-1



2. Spreading path and symptoms of infection

The malicious file exploiting the HWP vulnerability can be spread via SMS, instant messenger or e-mail attachment, masquerading as an internal company document or as material on a topic of current public interest.
One of the samples collected by the INCA Internet Response Team was named "2011.hwp", and a number of variants have been found.

Depending on the variant, some samples use the HWP 2.x/3.x binary format and others the format compatible with Hangul 2010 documents.

* Resources
Haansoft made the HWP document format specification publicly available on June 29, 2010:

http://www.haansoft.com/notice.noticeView.do?targetRow=1&notice_seqno=33

The HWP 2.x/3.x format was used from Hangul 2.1 through Hangul 97.
The HWP 5.x format has been used from Hangul 2002 up to the present.
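The two container formats named above can be told apart from their leading bytes. The following script is an added example (not code from the original post or from Hancom) built on the published HWP 3.0 and HWP 5.0 specifications: a 3.x file begins with the ASCII text "HWP Document File V3.00", and a 5.x file is an OLE2 compound document whose "FileHeader" stream begins with "HWP Document File", followed by a packed version DWORD and a flags DWORD. The function names, the constructed sample bytes, and the decision to check only the 3.x signature (the 2.x string is not covered here) are this example's own. For a 5.x document the FileHeader stream must first be pulled out of the OLE2 container (the third-party olefile module can do that); the script shows how to decode it once you have it.

```python
import struct

# Published format signatures (HWP 3.0 and HWP 5.0 specifications):
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-file container used by HWP 5.x
HWP3_SIGNATURE = b"HWP Document File V3.00"       # leading ASCII of a 3.x binary file
HWP5_SIGNATURE = b"HWP Document File"             # start of the 5.x "FileHeader" stream


def identify_container(head: bytes) -> str:
    """Classify a document from its first bytes.

    "hwp3"    - legacy 3.x binary format (the format of Hangul 97)
    "ole2"    - compound-file container; HWP 5.x (Hangul 2002 onward) uses
                it, but so do .doc/.xls, so confirm with parse_fileheader()
    "unknown" - anything else (a renamed executable, for instance)
    """
    if head.startswith(HWP3_SIGNATURE):
        return "hwp3"
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"


def parse_fileheader(stream: bytes) -> dict:
    """Decode the 5.x FileHeader stream: 32-byte signature, a version DWORD
    packed as MM.nn.PP.rr, then a flags DWORD (bit0 compressed,
    bit1 password-protected, bit2 distribution document)."""
    if len(stream) < 40 or not stream[:32].startswith(HWP5_SIGNATURE):
        raise ValueError("not an HWP 5.x FileHeader stream")
    version, flags = struct.unpack_from("<II", stream, 32)
    return {
        "version": ".".join(str((version >> shift) & 0xFF) for shift in (24, 16, 8, 0)),
        "compressed": bool(flags & 0x1),
        # A password-protected body is opaque to any scanner that lacks the
        # password, so such a file from an untrusted sender deserves extra care.
        "encrypted": bool(flags & 0x2),
        "distribution": bool(flags & 0x4),
    }


def triage_file(path: str) -> dict:
    """Read the first bytes of a file on disk and classify its container.
    For an "ole2" result the FileHeader stream still has to be extracted
    from the container (e.g. with the third-party olefile module) and
    handed to parse_fileheader()."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    return {"path": path, "container": identify_container(head)}


# Constructed samples (not real documents): just enough leading bytes to
# exercise the checks above.
SAMPLE_HWP3 = HWP3_SIGNATURE + b"\x00" * 16
SAMPLE_OLE2 = OLE2_MAGIC + b"\x00" * 24
SAMPLE_FILEHEADER = (
    HWP5_SIGNATURE.ljust(32, b"\x00")
    + struct.pack("<II", 0x05000300, 0x1)   # version 5.0.3.0, compressed, not encrypted
).ljust(256, b"\x00")


if __name__ == "__main__":
    print(identify_container(SAMPLE_HWP3), identify_container(SAMPLE_OLE2))
    print(parse_fileheader(SAMPLE_FILEHEADER))
```

A sample that claims a .hwp extension but comes back "unknown" is worth a closer look on its own, since neither of the two legitimate containers starts that way.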


When a document carrying the HWP exploit is opened, it appears to run normally, but it installs the additional malicious files embedded inside it and executes them.






* Generated files

 - (Temporary folder)\svchost.exe (17,920 bytes; malicious file)
 - (Temporary folder)\2.hwp (14,336 bytes; normal file)
 - (Windows System Folder)\ieprotect.dll (9,728 bytes; malicious file)


* (Temporary folder) generally refers to C:\Documents and Settings\(User Account)\Local Settings\Temp
* (Windows System Folder) is typically C:\WINDOWS\SYSTEM on Windows 95, 98 and ME,
C:\WINNT\SYSTEM32 on Windows NT and 2000,
and C:\WINDOWS\SYSTEM32 on Windows XP
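The dropped-file list above is a set of host indicators a responder can check directly. The following script is an added example, not code from the original post or from INCA Internet: it takes the three file names and sizes as listed, builds a constructed folder tree for an offline trial, and reports name and size matches. The function names and the treatment of a size mismatch as a possible variant are this example's own choices.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the post: folder placeholder, file name, size in bytes, role.
DROPPED_FILES = [
    ("TEMP",   "svchost.exe",   17920, "malicious dropper"),
    ("TEMP",   "2.hwp",         14336, "clean decoy document shown to the user"),
    ("SYSTEM", "ieprotect.dll",  9728, "malicious DLL, injected into a normal process"),
]


def resolve_folders() -> dict:
    """Map the post's placeholders onto the running machine. On Windows the
    temp folder comes from %TEMP% and the system folder is %SystemRoot%\\System32."""
    temp = os.environ.get("TEMP") or os.environ.get("TMP") or tempfile.gettempdir()
    system_root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return {"TEMP": temp, "SYSTEM": os.path.join(system_root, "System32")}


def scan(folders: dict) -> list:
    """Return one finding per indicator present on disk.

    An exact name+size hit is an "exact size match". A name hit with a
    different size is still reported, because the post says several variants
    exist; a svchost.exe under the user's temp folder is suspicious on its
    own, as the real service host lives only in System32."""
    findings = []
    for folder_key, name, size, role in DROPPED_FILES:
        path = Path(folders[folder_key]) / name
        if not path.is_file():
            continue
        actual = path.stat().st_size
        if actual == size:
            verdict = "exact size match"
        else:
            verdict = f"name match, size {actual} differs (possible variant)"
        findings.append({"path": str(path), "verdict": verdict, "role": role})
    return findings


def build_sample_tree(root: Path) -> dict:
    """Constructed layout imitating an infected PC (sample data for this
    example). ieprotect.dll is written 16 bytes larger than listed so the
    variant branch is exercised."""
    folders = {"TEMP": root / "Temp", "SYSTEM": root / "System32"}
    for folder in folders.values():
        folder.mkdir(parents=True, exist_ok=True)
    for folder_key, name, size, _ in DROPPED_FILES:
        padding = 16 if name == "ieprotect.dll" else 0
        (folders[folder_key] / name).write_bytes(b"\x00" * (size + padding))
    return folders


def demo() -> list:
    """Run the scan against the constructed tree in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for finding in demo():                     # constructed tree
        print(finding)
    for finding in scan(resolve_folders()):    # the machine this runs on
        print("LIVE", finding)
```

Run the constructed demo first, then call scan(resolve_folders()) on a suspect Windows machine. Treat a name match with a different size as worth quarantining too; the file sizes in the post belong to one sample, and the DLL name and the svchost.exe location are the stronger indicators.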

While the infection is underway, the clean document "2.hwp" shown below is opened in Hangul, so the user sees a normal document and believes the file opened normally.



The decoy is written in Korean and discusses "worries about Stuxnet, zero-day vulnerabilities, and the booming mobile environment and its effects". An ironic choice of subject, since the file that displays it is itself carrying out malicious behaviour.

In addition, the dropped DLL is injected into a normal process, as shown in the figure below, and operates covertly from there. Detailed analysis of the malicious file is still in progress.


3. How to prevent
 
Haansoft currently provides a security patch that blocks this malicious file; HWP users must apply the latest security patches to keep their PCs safe from malicious files of this kind.





* How to apply the latest security patches (in HWP 2007)

1. Run Hangul and, as shown below, choose "Help" -> "Haansoft Automatic Update (U)" (red box).



2. The security configuration update window shown below then appears. Click the "Update (U)" button to proceed.



3. Once the latest security patches are installed, opening the malicious file produces the screen shown below, and the malicious file is prevented from executing.




The most important protection against this kind of malicious file is installing and maintaining the latest security patches. We also recommend that users follow these precautions:
 
Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security vendor, keep its engine updated, and leave real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and social networking services.

INCA Internet (Security Response Center / Response Team) provides detection and removal for the malicious files described above and runs a response system against various security threats.

The following image shows a scan result; many files and other variants are detected, for example:

- Trojan/W32.Hwp-Exploit.52116
- Trojan/W32.Hwp-Exploit.40960
- Trojan/W32.Agent.393160.ADX and so on



Because HWP is used mainly in Korea, is built around Korean-language support, and is of little interest outside the country, we hesitated to publish this post. But the domestic market is also a large part of each company's business, and we hope this post broadens your view in a way you did not expect.

56 comments:

  1. I think that information on how to write a great research paper article can be found here. You should check it out.

  3. Thanks for sharing. I found a lot of interesting information here. A really good post; I am very thankful and hope that you will write many more posts like this one.
    notepad.software
    vidmate.onl
    filezilla.software

  4. The way you start your essay would tell a teacher more than you think! Follow this link and learn how to make it better.

  5. It's a great and useful review. Your audience will love that. Thanks a lot!

  6. The way you start your essay would tell a teacher more than you think! Follow this link and learn how to make it better. Thanks here

  7. One factor that stands out most about our law essay writing services is that every time our writers formulate a law essay, they make it a point to incorporate as many sources and references as prompted by the client. All efforts are exerted to consult all the resources and collect as much valuable information as possible. With these remarkable qualities, pay to write essay has garnered an exceptionally high reputation in the industry that is still undisputed to this day!

  8. Nice post with lots of information! You can watch videos on VidMate official website VidMate apk download too. Many people enjoy it daily.

  9. Thanks for sharing this post, it was great reading this article! would like to know more! keep in touch and stay connected! Also Check here
    gbwhatsapp apk

    bestapkmods.com

    Vidmate App

    Vidmate Apk

    Vidmate For Pc

  10. Really nice and awesome and very sophisticated post I've ever seen in my entire existence brother from another mother.
    Buy Tartan Kilts Online

  11. Nice article! I would like to recommend a free video downloader for Android: Vidmate. You may also download it from its official website Vidmate app

  12. Really awesome and dope post I enjoyed reading it. It's the perfect amount of words that make up for such an interesting article! Thanks :)
    outlander costumes kilt

  13. Thanks for sharing this post, it was great reading this article! would like to know more! keep in touch and stay connected! Also Check here
    Click Here

    https://ividmateapp.com

  14. This is a nice blog to watch out for and we provided information on unique interview questions to ask the employer make sure you can check it out and keep on visiting and please share our blog.

  15. Download Smadav 2020 for PC | Smadav can convert two or three new viruses that are not recognized on USB regardless of whether the virus is obtained temporarily in the database. Not only for cowl, on the other hand, Smadav also allows you to install a USB Flashdisk from a virus and recover hidden / contaminated files via a USB Flashdisk. Download Smadav Antivirus 2020 for PC

  16. Thanks for sharing such an awesome information with us.

    Learn the world leading technology from the best industry certified Professionals of python training in bangalore who can help you to learn the technology from scratch to advanced level.

  17. I found one very useful website which provides real estate, transport services, job and event notifications, a directory and much more on just one platform, only for Malawi. Check out Malawi News

  18. VivaVideo is one of the best video camera & video editor apps in Android For Download CLick Here

  19. A great software. Thanks for sharing! You could download one of the most popular short video app Likee app for funny videos, musics and movie videos and more.

  20. Malicious files can easily be removed once noticed, just you need to have a guide on how to do this step, we learned all these steps on Showbox app, you need to visit this website to have a complete guide on it...

  21. This is awesome to read this blog. I am very glad to see how easily you put the words into your blog. Very Nice. Thanks for sharing this kind of blog. New Zealand Dedicated Server

  22. Welcome to the Banjara Hills Escorts Service,
    Her you can find Call Girls in Banjara Hills,High Profile Escort in Banjara Hills, Model Escorts in ...


  23. Get free homescapes coins and stars then use check this detail article on homescapes which will give you unlimited coins and stars within 3min.
    Homescapes Cheats

    Great method to get free Coin Master Cheats coins and stars without human verification.
    you can check all the free methods as well as use the online Tool which can generate unlimited coins and stars within 3min.
    Coin Master Cheats

  24. If you are looking for High Profile Escorts in Hyderabad.
    They are #1 among Hyderabad escorts providers. They have genuine escorts in Hyderabad working 24/7. For high profile escort girl services and full enjoyment 24 hours.



  25. Are you confused or have no idea about the right and loyal escort agency in hyderabad that can give you safest time and have the calibre to fulfil your fantasies?
    Hyderabad escorts ...

  26. Sonia Hyderabad Escorts
    Hi, baby, my name is Sonia Mehra with lusty attitude. I am just 23 and love to go wild.
    Call me now if you want to have some unforgettable moments with Madhapur Escorts?

  27. This articles is also excellent and detailed as always. Thank you so much for sharing nice and great information. Cheap Dedicated Server

  29. Really nice and to the point post. I like posts like these they provide value instead of just milking the butter and run away like most people do nowadays. It's sad that we live in a world like this. Anyways, nice work keep it up.

    Jobs In Dubai

  30. Awesomeness overload in this post of yours. It's so cool that I don't have words to describe its praise and uniqueness that cannot be matched in the entire world! Thank you for blessing us.

    jobs in uae

  31. Very helpful article, thank you for sharing. By the way, I would like to recommend you an application to download Videos from Youtube. It is the Vidmate application. You can download Vidmate apk at https://uptofast.com/

  32. This article's content is really unique and amazing. The article is really helpful and explained very well. So I am really thankful to you for sharing; keep it up.
    10 Abs Exercise For Beginner

  33. Best Article buy weed online Excellent post. I appreciate this site. Stick with it! Because the admin of this web page is working, no doubt very quickly it will be well-known, due to its quality contents. This website was, how do you say it? Relevant!! Finally, I've found something that helped me.

  34. Yes, it helps increase website traffic. Thanks for this nice information; I am happy to read this blog.
    I have just been watching that blog; it is really impressive. I just loved the information content of that blog. Keep writing stuff like that. Thanks,
    New Zealand Dedicated Server

