
8/30/2011

Types of malicious files spread as e-mail attachments

1. Introduction

Recently, malicious files disguised as ordinary e-mail attachments have been reported.
General users need to be careful with such malicious e-mails.
A malicious file can take control of the victim's computer or turn it into a host PC for spreading further malicious files.

Spreading malicious files through e-mail is a very old technique; however, malware distributors still use it because it is effective at reaching unspecified users.
Since e-mail is part of everyone's daily work, general users check their mailboxes very frequently, and attackers rely on this.

2. Spreading cases

The most common technique for spreading malicious files through e-mail is to disguise the message as a normal e-mail.
Most messages are written in English; however, malicious e-mails now use various languages.

1. Invoices

The sender is disguised as a well-known logistics company such as UPS (United Parcel Service), FedEx, or DHL.
The following figure shows an e-mail disguised as coming from UPS; its attachment is disguised as a document file but contains the malicious file. Upon executing it, the user is infected.



2. Scanned image files

People are generally more interested in image files, so the file name can induce the user to execute the attachment.



3. Payment receipts

Payment receipts purporting to come from international money transfer services such as Western Union can induce the user even more easily.
The following figure shows one such case; variants may look different.



3. How to prevent

The common feature of the techniques mentioned above is that they arouse the user's interest and desire to open the attachment. That is why general users need to be careful about downloading and executing attachments, even when the e-mail appears to come from someone they know.

To use a PC safely despite the threat of these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and enable the real-time detection function.
3. Do not view or download attachments from suspicious e-mails.
4. Be cautious of links sent through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions in nProtect Anti-Virus/Spyware for detecting malicious files such as those described above and operates a response system against various security threats.

Diagnosis name

- Trojan-Downloader/W32.Small.29184.BG
- Trojan-Downloader/W32.FraudLoad.29696.K
- Backdoor/W32.Agobot.42496


8/29/2011

[Warning] Ransomware disguised as Adobe Flash Player identified

1. Introduction

Recently, a ransomware variant spreading all over the world has been identified that masquerades as Flash Player by using its icon and file name.
Since this ransomware relies on social engineering (a disguised file name and property values), general users need to be careful not to fall for it. Once infected, the ransomware pressures the user to pay money. The most important thing is to prevent infection in the first place.
  
2. Spreading path and symptoms of infection

Ransomware can be spread by download from relatively vulnerable web sites that have been tampered with. Besides e-mail attachments, instant messengers and links in SNS can also be routes of infection.

One of its most notable features is that it is disguised with Flash Player's file name and icon.


General users may execute this malicious file because of its icon and file name. Once it is executed, the following screen is shown on the infected PC.



To use the PC normally, a certain key must be entered. To obtain the key, this page induces the user to send a certain amount of money. After infection, only the input field for the code remains active. The following process describes the malicious behavior on executing this malicious file.


 
We found that an additional malicious file is created and a certain process (explorer.exe) is killed; the registered information can also be seen in the registry.

The additionally generated "swap32.exe" is a clone of "flashplayer.exe"; based on the registry value below, it runs together with Explorer.exe.

* Registry value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- Name : Shell
- Data : "Explorer.exe, C:\Documents and Settings\(User account)\Local Settings\Application Data\Aware Products\Temp\Cache\Extension"

This ransomware contains the valid code against which it compares the value entered by the user.
The valid code can be found by tracing as follows.


  
* Valid code for unlock



* Valid code
Valid code is "123456545".

3. How to prevent

To use a PC safely despite the threat of this malware, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and enable the real-time detection function.
3. Do not view or download attachments from suspicious e-mails.
4. Be cautious of links sent through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions in nProtect Anti-Virus/Spyware for detecting malicious files such as those described above and operates a response system against various security threats.

Diagnosis name

- Trojan/W32.Agent.112128.LY

[Warning] Microsoft Windows remote desktop worm "Morto" is spreading

1. Introduction

F-Secure, a security software company, reported on Aug 28, 2011 a worm called "Morto" that spreads via Remote Desktop.
This worm can infect both Windows workstations and servers. It has been reported to generate a lot of network traffic on the RDP (Remote Desktop Protocol) port.

* Windows Remote Desktop worm "Morto" spreading

http://www.f-secure.com/weblog/archives/00002227.html

2. Spreading path and symptoms of infection

As mentioned above, this worm spreads through RDP and tries to establish remote connections using exposed or simple administrator passwords. In the process it can compromise new systems or download and execute additional malicious files. Furthermore, it generates a lot of traffic on a certain port (3389/TCP) while making network connections.

Once a PC is infected by "Morto", it scans the local network's RDP port for systems to connect to. When the infected system connects to a victim, it activates the file sharing function and then copies itself to a certain drive on the victim.

The following paths are known as destinations of the copied files.

C:\Windows\Temp\ntshrui.dll
C:\Windows\System32\Sens32.dll
C:\Windows\Offline Web Pages\Cache.txt

The generated "sens32.dll" file is added as a registry value so that it runs at boot.

[HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
- Value name : "ServiceDll"
- Value data : "%windir%\temp\ntshrui.dll"

[HKLM\SYSTEM\CurrentControlSet\Services\6to4]
- Value name : "Description"
- Value data : "0"

[HKLM\SYSTEM\CurrentControlSet\Services\Sens]
- Value name : "DependOnService"
- Value data : "0"

[HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters]
- Value name : "ServiceDll"
- Value data : "%windir%\system32\sens32.dll"
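As an added example (not code from INCA Internet), the following Python script audits the two persistence locations described in this post and the Flash Player ransomware post above: the Winlogon Shell value and the ServiceDll values of the 6to4 and Sens services. The snapshot is constructed from the values reported above; the expected default DLL names are an assumption.

```python
"""Audit the Winlogon Shell value used by the Flash Player ransomware and
the ServiceDll values that Morto rewrites, on an in-memory snapshot."""
import re
from typing import Dict, List

# Constructed snapshot resembling the values reported in the articles.
SNAPSHOT: Dict[str, Dict[str, str]] = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Shell": r"Explorer.exe, C:\Documents and Settings\user\Local Settings"
                 r"\Application Data\Aware Products\Temp\Cache\Extension",
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters": {
        "ServiceDll": r"%windir%\temp\ntshrui.dll"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters": {
        "ServiceDll": r"%windir%\system32\sens32.dll"},
}
# Assumed default host DLLs (Windows XP/2003) for the services Morto abuses.
EXPECTED_SERVICE_DLL = {"6to4": "6to4svc.dll", "sens": "sens.dll"}
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)\\Parameters$", re.IGNORECASE)


def audit_shell(value: str) -> List[str]:
    """Shell should be exactly explorer.exe; anything appended after the
    comma is started alongside the desktop at every logon."""
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    extra = [e for e in entries if e != "explorer.exe"]
    return [f"Winlogon Shell starts extra program(s): {extra}"] if extra else []


def audit_service_dll(service: str, dll_path: str) -> List[str]:
    """Flag a ServiceDll outside System32 (e.g. %windir%\\temp) or, for a
    known service, one whose file name differs from the expected DLL."""
    findings: List[str] = []
    path = dll_path.lower()
    name = path.rsplit("\\", 1)[-1]
    if "\\system32\\" not in path or "\\temp\\" in path:
        findings.append(f"{service}: ServiceDll outside System32: {dll_path}")
    expected = EXPECTED_SERVICE_DLL.get(service.lower())
    if expected and name != expected:
        findings.append(f"{service}: ServiceDll is {name}, expected {expected}")
    return findings


def audit(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """Apply both checks to every key in the snapshot."""
    findings: List[str] = []
    for key, values in snapshot.items():
        if key.lower().endswith("\\winlogon") and "Shell" in values:
            findings.extend(audit_shell(values["Shell"]))
        match = SERVICE_KEY_RE.search(key)
        if match and "ServiceDll" in values:
            findings.extend(audit_service_dll(match.group(1), values["ServiceDll"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SNAPSHOT):
        print(finding)
```

On a live system the same checks can be fed from an exported .reg file or from the winreg module; the rules only look at the value data.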

The infected PC remains on the subnet and tries to log in to other systems using the following common passwords.

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890

3. How to prevent

To use a PC safely despite the threat of these malicious worms, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security patches.
2. Use complex passwords for Windows logon.
3. Disable shared folders that are not in use.
4. Use a personal or business firewall.
5. Set the web browser's security level to normal or higher.
6. Use anti-virus software and keep it up to date with the latest patches.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions in "nProtect Anti-Virus/Spyware" for detecting malicious files such as those described above and operates a response system against various security threats.

Diagnosis name

- Worm/W32.Morto.7184

8/25/2011

[Warning] Ransomware is prevalent these days

1. Introduction

Recently, ransomware that prevents normal use of the PC has been booming all over the world, especially in Russia.
Once infected, recovery is tricky and takes a lot of effort to restore the system to its original state; therefore, general users need to be careful when surfing the Internet.
Financially motivated malware using various techniques is prevalent these days and can cause various kinds of damage.

2. Spreading path and symptoms of infection

This malicious file has been spreading all over the world. Although no visible damage has been reported so far in South Korea, it can infect PCs anywhere and shows the same page.

Ransomware can be spread by download from relatively vulnerable web sites that have been tampered with. Besides e-mail attachments, instant messengers and links in SNS can also be routes of infection.

The downloaded file is disguised as a video file.


General users can easily be deceived by this social engineering technique.


  
* Comparison of the MBR before and after infection

Previous ransomware replaced the original MBR with a modified one upon infection. The recently found ransomware, however, does not modify the MBR, unlike previous versions.




  
A "System exit" window may appear when the downloaded malicious file is executed.



* System exit status

This system exit is caused by a certain function that accesses kernel mode.
The following figure shows the structure.





The PC reboots 3 seconds after the system exit window is shown; all the user can do is watch.
Then a window for entering a certain code opens.



The user can only type in the text field and cannot use the rest of the window. To use the PC normally, a certain valid code is required, which is given after sending a certain amount of money to this Russian cellphone number (9872701688).

3. How to prevent

The ransomware gives the user false information such as "All data is encrypted" or "The MBR area was destroyed."
Companies, or users who urgently need their PC, may simply follow the instructions and send the money.
Given this malicious feature, various variants may emerge. To use a PC safely despite the threat of such malware, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and enable the real-time detection function.
3. Do not view or download attachments from suspicious e-mails.
4. Be cautious of links sent through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions in nProtect Anti-Virus/Spyware for detecting malicious files such as those described above and operates a response system against various security threats.

Diagnosis name

- Trojan/W32.Timer.78336

8/23/2011

[Warning] Malicious application using a Gingerbread vulnerability identified

1. Introduction

Several malware samples that attempt to obtain root have been found recently; however, they only work on versions lower than Android SDK 2.2.
Since a new malicious application using a vulnerability in Gingerbread (Android SDK 2.3) has been found, users of Gingerbread devices need to be careful.
This malicious application currently targets Chinese users; however, there is a high possibility of variants emerging, and we have already found 10 more variants.


  
2. Spreading path and symptoms of infection

This repackaged malicious application can spread via various black markets and third-party markets, and requests the following permissions.


* Permission explanation

- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.READ_LOGS"
- android:name="android.permission.DELETE_CACHE_FILES"
- android:name="android.permission.ACCESS_CACHE_FILESYSTEM"
- android:name="android.permission.WRITE_SECURE_SETTINGS"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.INTERNET"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"
- android:name="android.permission.READ_OWNER_DATA"
- android:name="android.permission.WRITE_OWNER_DATA"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="com.android.launcher.permission.INSTALL_SHORTCUT"
- android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.RESTART_PACKAGES"

Once installed, it creates a launcher icon as shown below; clicking the icon shows various entertainers.


  
* Run icon (variants have different icons)
 

* Run screen (it shows famous entertainers)




* Detailed analysis

* Infection symptoms

1. Collects the IMEI/IMSI, phone numbers from the contacts, and process/CPU information through /proc/cpuinfo (CPU type, manufacturer)
2. Sends the collected information to a certain external site
3. Obtains the SDK version to select the rooting method
4. Acquires root permission
5. Downloads and installs additional APK files


  
* Code for collecting information

After installation, various Activities and one receiver (GameBootReceiver) are registered; the following code leaks various information to the external site.



* Acquiring root permission using the Gingerbread vulnerability

This malicious application acquires root permission through the GingerBreak rooting technique, which exploits the Gingerbread vulnerability, with the following code.



This malicious application uses a file named "gbfm.png", packaged inside it, to acquire root permission.
This file is actually an "ELF" executable merely disguised as a PNG file; the disguised file acquires root permission when run through a shell command.

Additionally, "gbfm" in "gbfm.png" is understood to be an abbreviation of "GingerBreak For Me".
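As an added example (not the article's or the malware's code), the following Python script shows how to catch the disguise described above when triaging a package: it compares each entry's magic bytes with what its extension claims. The APK-like zip is constructed in memory; on a real sample you would pass the file's bytes.

```python
"""Find packaged files whose content contradicts their extension, such as
an ELF executable carried as "gbfm.png". The APK-like zip is constructed
in memory (real use: the bytes of the APK file)."""
import io
import zipfile
from typing import Dict, List, Tuple

# Leading bytes of a few formats found inside an APK.
MAGIC: Dict[str, bytes] = {
    "ELF": b"\x7fELF",
    "PNG": b"\x89PNG\r\n\x1a\n",
    "ZIP": b"PK\x03\x04",
    "DEX": b"dex\n",
}
EXPECTED_BY_EXT = {"png": "PNG", "apk": "ZIP", "zip": "ZIP", "dex": "DEX", "so": "ELF"}


def identify(head: bytes) -> str:
    """Name the format whose magic bytes start `head`, or 'unknown'."""
    for name, sig in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def scan_apk(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (path, type claimed by extension, type detected) for every
    entry that is an ELF binary not named .so, or whose recognized type
    contradicts its extension; unrecognized content is not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as fh:
                head = fh.read(8)
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            claimed = EXPECTED_BY_EXT.get(ext, "unknown")
            detected = identify(head)
            mismatch = "unknown" not in (claimed, detected) and claimed != detected
            if (detected == "ELF" and claimed != "ELF") or mismatch:
                findings.append((name, claimed, detected))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a PNG, an ELF header disguised as PNG (as the
    article describes for gbfm.png) and a DEX file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/logo.png", MAGIC["PNG"] + b"\x00" * 16)
        z.writestr("assets/gbfm.png", MAGIC["ELF"] + b"\x01\x01\x01\x00" * 3)
        z.writestr("classes.dex", MAGIC["DEX"] + b"035\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for path, claimed, detected in scan_apk(build_sample_apk()):
        print(f"{path}: extension claims {claimed}, content is {detected}")
```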

* Attempt to download additional APK files

This malicious application connects to an external C&C server to download a certain APK file and tries to install the additional package using the root permission acquired above.

* Download URL for the additional APK file
- http://apk.(~)/apk/(yymmdd)/19225910801.apk


3. How to prevent

With the disclosure of the Gingerbread vulnerability, various malicious applications exploiting it may appear.
To use a smartphone safely despite the threat of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated, and enable the real-time detection function.
2. Only download applications that have been proven by many users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites on the smartphone.
5. Avoid opening MMS, text messages, and e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not attempt unauthorized customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions in nProtect Mobile for Android for detecting mobile malicious files such as those described above and operates a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.GingerMaster.A
- Trojan-Spy/Android.GingerMaster.B
- Trojan-Spy/Android.GingerMaster.C
- Trojan-Spy/Android.GingerMaster.D
- Trojan-Spy/Android.GingerMaster.E
- Trojan-Spy/Android.GingerMaster.F
- Trojan-Spy/Android.GingerMaster.G
- Trojan-Spy/Android.GingerMaster.H
- Trojan-Spy/Android.GingerMaster.I
- Trojan-Spy/Android.GingerMaster.J
- Trojan-Spy/Android.GingerMaster.K



8/22/2011

[Warning] Another malicious application inducing premium SMS service charges identified

1. Introduction

 
These days the damage done by malicious applications is widening, from simply collecting information to quietly performing specific malicious actions.
In this climate, a malicious app that subscribes the user to premium SMS services has been found, so users who frequently download apps from black markets need to be careful.

  
2. Spreading path and symptoms of infection

This malicious application can spread via various black markets and third-party markets, and requests the following permissions.



* Permission explanation

- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.RESTART_PACKAGES"
- android:name="android.permission.INTERNET"
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"

Once installed, it creates a launcher icon as shown below; clicking the icon shows the following screen.


  
* Run Icon


* Run Screen


  
* Detailed analysis

This malicious application registers one Receiver to handle SMS and gives it a high priority.

* Registered receiver: com.talkweb.comm.SmsReceiver

Furthermore, after infection this malicious application can subscribe the user to a premium service; the subscription proceeds by receiving SMS from a certain premium service provider's number.

* Subscription procedure
- Sends a service registration SMS to the service provider
- The service provider replies with an SMS describing the service in detail
- The user must reply with an SMS containing the word "Y" to confirm

The malicious application completes the subscription procedure by sending the confirmation SMS itself. It then deletes the related SMS with the following code before the user notices them.



The difference between this app and the previously reported similar application is the additional service numbers listed in the conditional statements of its code.
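As an added example (not the article's or the app's code), the following Python script triages a decoded AndroidManifest.xml for the pattern described in this post: SMS permissions combined with a high-priority receiver for incoming SMS. The manifest is constructed; the receiver name is the one reported above, while the SMS_RECEIVED action and the priority value 1000 are assumptions for illustration.

```python
"""Triage an AndroidManifest.xml for the pattern described above: SMS
permissions combined with a high-priority receiver for incoming SMS.
The manifest is constructed; the receiver name is from the article, the
priority value is assumed."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"  # stock broadcast action
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS", "android.permission.WRITE_SMS"}

MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.talkweb.comm">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name="com.talkweb.comm.SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="{SMS_RECEIVED}"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def attr(elem: ET.Element, name: str, default: str = "") -> str:
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", default)


def triage(manifest_xml: str) -> Dict[str, object]:
    """Collect SMS permissions and SMS_RECEIVED receivers; report whether the
    app can both send SMS and intercept replies ahead of the messaging app."""
    root = ET.fromstring(manifest_xml)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    receivers: List[Dict[str, object]] = []
    for rcv in root.iter("receiver"):
        for filt in rcv.iter("intent-filter"):
            actions = {attr(a, "name") for a in filt.iter("action")}
            if SMS_RECEIVED in actions:
                receivers.append({"name": attr(rcv, "name"),
                                  "priority": int(attr(filt, "priority", "0"))})
    intercepts = any(r["priority"] > 0 for r in receivers)
    pattern = "android.permission.SEND_SMS" in perms and intercepts
    return {"sms_permissions": sorted(perms & SMS_PERMS),
            "sms_receivers": receivers, "premium_sms_pattern": pattern}


if __name__ == "__main__":
    print(triage(MANIFEST))
```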

3. How to prevent

Since this malicious application was designed to target Chinese users, it has not been reported in South Korea, but it could be repackaged and cause financial damage to general users.
To use a smartphone safely despite the threat of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated, and enable the real-time detection function.
2. Only download applications that have been proven by many users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites on the smartphone.
5. Avoid opening MMS, text messages, and e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not attempt unauthorized customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment functions in nProtect Mobile for Android for detecting mobile malicious files such as those described above and operates a response system against various security threats.