
9/29/2011

[Caution] Malicious file that tampers with the BIOS and MBR found.

1. Introduction

Recently, a malicious file that tampers with the BIOS and MBR has been found, and users need to be careful when using their PCs.
Tampering with the BIOS and MBR can cause continuous re-infection; however, this malicious file has shown no specific symptoms so far and appears to be a test version.
Because a tampered BIOS and MBR are difficult for anti-virus software to treat, we want to explain how to recover from them.

* BIOS (Basic Input Output System)
- The primary function of the BIOS is to set up the hardware and load and start a boot loader. When the PC starts up, the first job of the BIOS is to initialize and identify system devices such as the video display card, keyboard and mouse, hard disk drive, optical disc drive and other hardware.

* MBR (Master Boot Record)
- A master boot record (MBR) is a type of boot sector popularized by the IBM Personal Computer. It consists of a sequence of 512 bytes located at the first sector of a data storage device such as a hard disk. MBRs are usually placed on storage devices intended for use with IBM PC-compatible systems.
  


2. Spreading path and symptoms of infection

The following URL was known as the first spreading source; however, it has now been blocked.


The word "test" in the URL is another indication that it was designed for testing.

This malicious file can be downloaded not only from the URL above, but also via e-mail attachments, messenger and SNS links.
The recently found malicious file checks the BIOS version of the infected PC. If the BIOS is identified as an Award BIOS, it tries to tamper with the MBR.

The following figure shows the files generated by this malicious file and the infection details of the tampered BIOS/MBR.


  
* Generated files

* Order of creation

A. C:\bios.sys
      Checks the status of the Award BIOS

B. C:\bios.sys1, C:\bios.sys2
      Loaded as a service in place of beep.sys, then removed.

C. C:\my.sys
      Hooks IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_DEVICE_CONTROL and others
      Contains rootkit code
      Protects the tampered MBR

D. (User temporary folder)\bios.bin
      Saves a copy of the normal BIOS at infection time

E. (User temporary folder)\cbrom.exe (normal file)
      If the BIOS is not yet infected, adds the malicious ROM file to the ISA ROM

F. (User temporary folder)\hook.rom
      Performs malicious behavior when the BIOS runs the infected ISA ROM

* (User temporary folder) is generally "C:\Documents and Settings\(User account)\Local Settings\Temp".

* ISA (Industry Standard Architecture)
Industry Standard Architecture (ISA) is a computer bus standard for IBM PC compatible computers introduced with the IBM Personal Computer to support its Intel 8088 microprocessor's 8-bit external data bus and extended to 16 bits for the IBM Personal Computer/AT's Intel 80286 processor.
   http://en.wikipedia.org/wiki/Industry_Standard_Architecture

* Procedure details

* Creation of bios.sys / Check of the Award BIOS status / Case where it is not an Award BIOS

Upon infection, bios.sys is created first.
After bios.sys has been created, the following infection procedure takes place.

[Created bios.sys1 / bios.sys2 files]
 - bios.sys1
 - bios.sys2
 - These files are loaded in place of beep.sys and then deleted, and beep.sys is restored.

After that, bios.sys checks whether the infected PC's BIOS is an Award BIOS. (If it is not an Award BIOS, the same infection symptoms still appear.) If it is an Award BIOS, bios.sys locates the SMI_PORT and sets the BIOS size.


* Process of creating bios.bin and my.sys

bios.sys drops my.sys and saves the current BIOS image to bios.bin.
If the saved BIOS image does not already contain "hook.rom", it tries to add hook.rom to bios.bin.

* Process of creating cbrom.exe and hook.rom / BIOS infection

In this step, the cbrom.exe tool is generated and used to insert hook.rom into the ISA ROM with the /isa parameter, as shown in the following figure.



At this point the BIOS is infected.

* Process of tampering with the MBR

Along with the BIOS infection, the MBR is tampered with by the host file. The normal MBR is saved to a particular sector as a backup.

The following figure shows the normal MBR being extracted before it is saved to sector 7.



Afterwards, the normal MBR is overwritten.


The values of the normal and malicious MBR are as follows.


[Normal MBR]

[Tampered MBR]

* Infection symptoms of my.sys

The additionally created my.sys file hooks IRP_MJ_READ, IRP_MJ_WRITE and IRP_MJ_DEVICE_CONTROL. It is implemented to prevent the tampered MBR from being modified.

It locates the Driver_Object through the Device_Object structure and contains stealth-function code that controls the call result by running the rootkit code before the original handler.


  
Once this malicious file has completed its infection, "Find it OK" appears at boot.



The "Find it OK" string that is printed is located in the tampered MBR.
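As an added illustration of how a defender can check for the MBR tampering described above (this is example code written for this page, not code from the original post or from INCA Internet), the following Python script parses a 512-byte MBR, validates the 0x55AA boot signature and partition table, searches the boot code for the "Find it OK" string the post mentions, and compares sector 0 with the backup copy the post says is written to sector 7. The disk images, partition layout and boot-code bytes are constructed sample data, and the sector-7 location is taken from the post as a fixed constant.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446        # bytes 0..445 hold the boot code
PARTITION_TABLE_END = 510  # four 16-byte partition entries, then the 0x55AA signature
BACKUP_SECTOR = 7          # the post reports the normal MBR is saved to sector 7 (assumed constant here)

# The string the post reports the tampered MBR prints at boot
TAMPER_MARKER = b"Find it OK"

# Layout of one partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FORMAT = "<BBBBBBBBII"


def parse_partition_entry(entry):
    """Decode one 16-byte partition table entry into the fields we care about."""
    fields = struct.unpack(ENTRY_FORMAT, entry)
    return {
        "bootable": fields[0] == 0x80,
        "type": fields[4],
        "lba_start": fields[8],
        "sectors": fields[9],
    }


def parse_mbr(sector):
    """Parse a 512-byte MBR: signature, boot-code hash, used partition entries and marker check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        start = BOOT_CODE_END + 16 * i
        entries.append(parse_partition_entry(sector[start:start + 16]))
    return {
        "signature_ok": sector[PARTITION_TABLE_END:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],
        "has_marker": TAMPER_MARKER in sector[:BOOT_CODE_END],
    }


def check_disk_image(image):
    """Compare sector 0 against the backup the post describes in sector 7 and report findings."""
    current = parse_mbr(image[:SECTOR_SIZE])
    backup = image[BACKUP_SECTOR * SECTOR_SIZE:(BACKUP_SECTOR + 1) * SECTOR_SIZE]
    findings = []
    if not current["signature_ok"]:
        findings.append("sector 0 lacks the 0x55AA boot signature")
    if current["has_marker"]:
        findings.append("boot code contains the 'Find it OK' string")
    # A valid MBR sitting in sector 7 is itself unusual; compare it with sector 0 if present
    if len(backup) == SECTOR_SIZE and backup[PARTITION_TABLE_END:] == b"\x55\xAA":
        saved = parse_mbr(backup)
        if saved["boot_code_sha256"] != current["boot_code_sha256"]:
            findings.append("sector 7 holds a valid MBR whose boot code differs from sector 0")
        if saved["partitions"] != current["partitions"]:
            findings.append("partition table in sector 7 differs from sector 0")
    return {"suspicious": bool(findings), "findings": findings, "partitions": current["partitions"]}


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR from boot-code bytes and a list of partition dicts (sample data)."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    table = b"".join(
        struct.pack(ENTRY_FORMAT, 0x80 if p["bootable"] else 0, 0, 0, 0,
                    p["type"], 0, 0, 0, p["lba_start"], p["sectors"])
        for p in partitions
    ).ljust(64, b"\x00")
    return code + table + b"\x55\xAA"


# Constructed sample data: one NTFS-type partition and a few placeholder boot-code bytes
SAMPLE_PARTITIONS = [{"bootable": True, "type": 0x07, "lba_start": 63, "sectors": 20000000}]
NORMAL_MBR = build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 40, SAMPLE_PARTITIONS)
TAMPERED_MBR = build_mbr(b"\xEB\x10" + b"\x90" * 16 + TAMPER_MARKER + b"\x00", SAMPLE_PARTITIONS)


def clean_image():
    """Disk image with the normal MBR in sector 0 and empty sectors after it."""
    return NORMAL_MBR + b"\x00" * (SECTOR_SIZE * 7)


def infected_image():
    """Disk image laid out the way the post describes: tampered MBR in sector 0, original in sector 7."""
    return TAMPERED_MBR + b"\x00" * (SECTOR_SIZE * 6) + NORMAL_MBR


if __name__ == "__main__":
    for name, image in (("clean", clean_image()), ("infected", infected_image())):
        print(name, check_disk_image(image))
```

The string check only catches this particular sample; the comparison between sector 0 and a valid MBR in sector 7 also catches variants that change the message, and a mismatch there is worth investigating on its own. On a real disk the first eight sectors would be read with a raw device read instead of the constructed images.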



3. How to recover the BIOS and MBR manually

Once the BIOS and MBR have been tampered with by the malicious file above, complete treatment can be difficult. If infected, you can recover your PC with the following procedures.


* Recover the BIOS manually

The easiest way to recover a tampered BIOS is to use the BIOS update utility provided by the manufacturer.
The following guide is one example, using GIGABYTE's BIOS update utility.



* How to recover the MBR

If the MBR was tampered with, the "Windows installation CD" can be used as follows.

1. Boot from the "Windows installation CD" and go to recovery mode.



2. Choose the installation to recover, type "fixmbr" and press Enter. A new MBR is created.

"Find it OK" no longer appears, and the manual recovery is complete.

4. How to prevent

Due to the nature of the BIOS and MBR, complete treatment by anti-virus software is difficult.
To use your PC safely against security threats from malicious attachments like these, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates
2. Use anti-virus software from a trusted security company, keep its engine up to date and keep real-time detection on
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links from instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above with "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

Diagnosis name

 - Trojan/W32.Agent.130048.IS
 - Trojan/W32.Small.5632.DS
 - Trojan.Generic.KDV.354955

9/28/2011

[Warning] Malicious file targeting HSBC online banking found in Brazil

1. Introduction

In the midst of a surge of security threats and incidents in South Korea, a malicious file targeting online banking users in Brazil has been reported.
Since banking fraud keeps growing, online banking users need to be careful with online transactions.



2. Spreading path and symptoms of infection

The recently found malicious file is designed to target HSBC online banking users. When it runs, it sends the account number, password and other entered personal information to a particular IP address using SMTP (Simple Mail Transfer Protocol).

This malicious file is named "Modulo_HSBC.exe", and its file properties are also disguised as banking information ("HSBC Bank Brasil S.A. - Banco Múltiplo").


When this malicious file is executed, it shows the message box "Please wait a moment while we configure the application for registration to start updates."


* Network traffic when the malicious file is executed



When the "Modulo_hsbc" waiting message is closed, a "wait while the server connects to HSBC" message appears.



In the next phase, the user is asked to enter "CPF" information.



In the next phase, the user is asked to enter a 4-digit password.



On this page, the user is asked to enter a 7-digit password, as HSBC requires.



The following figure asks for the online banking information.



End of the process.



The INCA Internet Emergency Response Team found that the entered information is leaked to a particular site using SMTP.

* Packet capture data

 - The submitted information is recorded as follows.



 - The destination IP address is located in the United States.
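The exfiltration path described above, an ordinary workstation speaking SMTP directly to an external address, is easy to spot in perimeter logs. The following Python script is an added example for this page (not code from the original post or from INCA Internet): it parses constructed firewall-style log lines and alerts on internal hosts that are not approved mail relays connecting to SMTP ports on external addresses. The log format, internal ranges, relay list and the 198.51.100.0/24 documentation addresses are all assumptions; the post does not give the real destination IP.

```python
import ipaddress
import re

SMTP_PORTS = {25, 465, 587}

# Assumed network model: these ranges are the internal network and only the listed hosts
# are mail relays permitted to speak SMTP to the outside
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
MAIL_RELAYS = {ipaddress.ip_address("192.168.1.25")}

# Assumed log format: key=value firewall-style lines
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[0-9.]+) dst=(?P<dst>[0-9.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Constructed sample log lines; the external addresses are from a documentation range, not real IoCs
SAMPLE_LOG = """\
2011-09-28 10:12:01 src=192.168.10.23 dst=198.51.100.40 dport=443 proto=tcp action=allow
2011-09-28 10:12:05 src=192.168.1.25 dst=198.51.100.80 dport=25 proto=tcp action=allow
2011-09-28 10:12:09 src=192.168.10.23 dst=198.51.100.80 dport=25 proto=tcp action=allow
2011-09-28 10:12:11 src=192.168.10.23 dst=192.168.1.25 dport=25 proto=tcp action=allow
garbage line that does not parse
"""


def parse_line(line):
    """Parse one log line into typed fields, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
    }


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def detect_direct_smtp(log_text):
    """Return alerts for internal, non-relay hosts opening SMTP connections to external addresses."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] not in SMTP_PORTS:
            continue
        # Relay-to-outside is expected; workstation-to-outside on an SMTP port is not
        if is_internal(rec["src"]) and not is_internal(rec["dst"]) and rec["src"] not in MAIL_RELAYS:
            alerts.append({
                "ts": rec["ts"],
                "src": str(rec["src"]),
                "dst": str(rec["dst"]),
                "dport": rec["dport"],
                "reason": "workstation talking SMTP directly to an external host",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_direct_smtp(SAMPLE_LOG):
        print(alert)
```

In the sample only the third line fires: the first is HTTPS, the second comes from the approved relay, and the fourth stays inside the network. Blocking outbound port 25 from workstations at the perimeter removes this exfiltration channel outright, and the same rule then produces a clean log of attempts.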



3. How to prevent

To use your PC safely against security threats from malicious files like these, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates
2. Use anti-virus software from a trusted security company, keep its engine up to date and keep real-time detection "ON"
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links from instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above with "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

Diagnosis name

- Trojan-Spy/W32.Banker.1977856.D

9/27/2011

[Warning] Malicious file using an Excel exploit targeting South Korean users

1. Introduction

Recently, a malicious file targeting South Korean users with an Excel exploit has been found.
Although both the sender and receiver of this e-mail are South Korean, the sender account appears to be fraudulent.
Since the Excel file attached to this e-mail has its own normal-looking Excel contents, it is difficult for general users to recognize it as malicious.
This kind of targeted attack is carried out very sophisticatedly and continuously, so general users need to be careful when downloading attachments.



2. Spreading path and symptoms of infection

This malicious file targets South Korean users; it is disguised as a normal e-mail and attachment. Furthermore, the attachment has its own Excel contents and performs additional malicious behavior when opened.


The following figure is the body of the e-mail.

Mail body: We are attaching contacts. Thanks.

The attachment "주소록.xls (Contacts.xls)" exploits an Excel vulnerability.
If a victim opens that file, an additional malicious file is downloaded.


When "주소록.xls (Contacts.xls)" is opened, the victim sees normal address-book contents, but the Excel exploit downloads an additional malicious file.


Usually this kind of targeted attack uses social engineering, embedding important or relevant contents so that the user is easily lured. It drops an additional "주소록.xls (Contacts.xls)" and installs the malicious files (tasksger.exe, 6to4vcs.dll).

C:\Documents and Settings\(User Account)\Local Settings\Temp\주소록.xls (Normal file)
C:\Documents and Settings\(User Account)\Local Settings\Temp\tasksger.exe (Malicious file)
C:\WINDOWS\system32\6to4vcs.dll (Malicious file)





3. How to prevent

Applying the latest patches for the application and OS is the most important way to avoid this kind of malicious file.
To use your PC safely against security threats from malicious attachments like these, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates
2. Use anti-virus software from a trusted security company, keep its engine up to date and keep real-time detection "ON"
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links from instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above with "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

Diagnosis name

- Trojan-Exploit/W32.Agent.632832
- Trojan/W32.Agent.9728.MV
- Trojan/W32.Agent.19968.PU


9/22/2011

[Warning] HWP document file containing a malicious file

1. Introduction

A malicious file that uses an HWP vulnerability (while looking like a normal document) has been found again, so general users of Hangul Word Processor need to be careful.
Since this malicious file contains its own document contents, the user cannot tell whether it is malicious.
In addition, once infected, it can create additional malicious files by using the vulnerability of a particular application.

2. Spreading path and symptoms of infection

Users can be infected by downloading and executing an attachment or link from an unknown user.
Furthermore, because the content of the file looks normal, users are far more easily deceived by this malicious file.


The recently found malicious file has the file name "(Tripping Point).hwp", and various variants are expected.



Also, the generated "hidaapi.dll" runs secretly after being injected into a normal process. Further analysis is in progress.



* Generated files
- (Windows system folder)\System32\Msvcr.exe (55,636 bytes)
- (Windows system folder)\hidaapi.dll (17,920 bytes / file name is random)

* (Windows system folder) is C:\WINDOWS\SYSTEM on Windows 95, 98, ME and 2000, C:\WINNT\SYSTEM32 on Windows NT, and C:\WINDOWS\SYSTEM32 on Windows XP.

* Control flow of the malicious file



3. How to prevent

Applying the latest patches for the application and OS is the most important way to avoid this kind of malicious file.
To use your PC safely against security threats from malicious attachments like these, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates
2. Use anti-virus software from a trusted security company, keep its engine up to date and keep real-time detection on
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links from instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of malicious files such as the one described above with "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

Diagnosis name

- Trojan/W32.Hwp-Exploit.79360
- Trojan/W32.Agent.17920.QQ





9/21/2011

Malicious SpyEye application for Android

1. Introduction

Recently, a SpyEye malicious application for Android has been reported by various computer security companies.
It has since been revealed that it has no relationship with SpyEye; however, this malicious application can still be a new threat to mobile security.
Users need to be careful about this malicious application.


  
2. Spreading path and symptoms of infection

This malicious application can spread via various black markets and third-party markets, and requests the following permissions.


* Permission explanation
- android:name="android.permission.INTERNET"
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.READ_SMS"

This malicious application works on "Android SDK 1.6 or higher". It does not create a launcher icon because there is no MAIN/LAUNCHER entry in AndroidManifest.xml.
Its installation can be checked from the following menu.
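The two manifest facts above, the permission set and the missing MAIN/LAUNCHER activity, are exactly what a quick manifest triage should surface. The following Python script is an added example for this page (not code from the original post or from INCA Internet): it parses a decoded AndroidManifest.xml, lists the requested permissions, checks whether any activity carries the MAIN action with the LAUNCHER category, and flags the combinations the post describes (SMS read plus send, SMS plus INTERNET, outgoing-call monitoring). The sample manifests are constructed from the post's permission list; the package names, minSdkVersion="4" (API level of SDK 1.6) and the receiver classes and actions are assumptions, not values taken from the sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
MIN_SDK_ATTR = "{%s}minSdkVersion" % ANDROID_NS

SMS_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
}

# Constructed manifest modelled on the permission list in the post. The package name,
# minSdkVersion and receiver classes/actions are assumptions, not values from the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-sdk android:minSdkVersion="4" />
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.RECEIVE_SMS" />
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS" />
  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
  <uses-permission android:name="android.permission.WRITE_SMS" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <application android:label="constructed sample">
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED" /></intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter><action android:name="android.intent.action.NEW_OUTGOING_CALL" /></intent-filter>
    </receiver>
  </application>
</manifest>"""

# A constructed benign manifest for contrast: one launcher activity, one harmless permission
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-sdk android:minSdkVersion="4" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application android:label="benign sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def permissions(root):
    return sorted(e.get(NAME_ATTR, "") for e in root.iter("uses-permission"))


def has_launcher_activity(root):
    """True if some activity declares the MAIN action together with the LAUNCHER category."""
    for activity in root.iter("activity"):
        for intent in activity.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent.iter("action")}
            categories = {c.get(NAME_ATTR) for c in intent.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
                return True
    return False


def receiver_actions(root):
    """All intent actions that broadcast receivers in the manifest listen for."""
    return sorted({a.get(NAME_ATTR) for r in root.iter("receiver") for a in r.iter("action")})


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = set(permissions(root))
    sdk = root.find("uses-sdk")
    findings = []
    if not has_launcher_activity(root):
        findings.append("no MAIN/LAUNCHER activity: installs without a launcher icon")
    if "android.permission.SEND_SMS" in perms and perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}:
        findings.append("can both read/receive and send SMS")
    if "android.permission.INTERNET" in perms and perms & SMS_PERMISSIONS:
        findings.append("SMS access combined with INTERNET: SMS contents can leave the device")
    if "android.permission.PROCESS_OUTGOING_CALLS" in perms:
        findings.append("watches outgoing calls: dial-code activation is possible")
    return {
        "min_sdk": sdk.get(MIN_SDK_ATTR) if sdk is not None else None,
        "permissions": sorted(perms),
        "receivers": receiver_actions(root),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, text in (("constructed sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

The script expects the manifest as plain XML; the binary AndroidManifest.xml inside an APK has to be decoded first (for example with apktool or aapt) before it is passed to `triage_manifest`. None of the individual findings is proof of malice, but an app with no launcher icon that can read, send and relay SMS is the shape the post describes and deserves a closer look.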




Because this malicious application does not create a launcher icon, it is activated by the following code.



This app displays "251340" in a Toast after a call is made to "325000", after which the malicious application runs. "251340" is a fake code, not a real one. The following figure shows the result.


The following code shows that it can collect SMS messages on the infected phone.



In addition, the collected information can be sent to a remote server in 2 ways.



1. It can send the collected information to a particular web site.

2. It can send SMS messages by parsing the included XML file.

The following code is part of "settings.xml".

We can see that this malicious application was generated as a test version.
The 3 sections ("telephon", "addr", "tels") with unusable values are another indication that it is a test version.

3. How to prevent

This malicious application has no relationship with SpyEye so far, but a later version could cause serious damage.
To use your smartphone safely against security threats from malicious applications like these, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine up to date and keep real-time detection on
2. Always download applications that have been proven by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from your smartphone.
5. Do not open MMS, text messages or e-mail from unknown senders.
6. Always set a strong password on your smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are being used.
8. Do not store important information on the phone.
9. Do not attempt unauthorized customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of mobile malicious files such as the one described above with "nProtect Mobile for Android" and operates a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.Spitmo.A