
10/20/2011

[Warning] Malicious application disguised as Battery Doctor identified

1. Introduction

Malicious Android applications disguised as normal applications are being spread widely these days.
Once installed, such an application can collect certain information from the device and leak it to a certain URL.
Therefore, users need to be careful when downloading applications.
As the number of Android users increases, more and more varied malicious applications are being generated.



2. Spreading path and symptoms of infection

The following figure shows the permission request page displayed on installation.




* Permission explanations

- android:name="android.permission.GET_TASKS"
- android:name="android.permission.RESTART_PACKAGES"
- android:name="android.permission.ACCESS_WIFI_STATE"
- android:name="android.permission.BLUETOOTH"
- android:name="android.permission.CHANGE_WIFI_STATE"
- android:name="android.permission.BLUETOOTH_ADMIN"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.VIBRATE"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.GET_ACCOUNTS"

After installation, the run icon shown in the following figure is generated.



* Icon


* Run screen




After installation, the application performs the following malicious behaviors.

* Malicious behaviors

- Collects IMSI
- Collects user name and e-mail account information
- Tries to leak gathered information

* Collects smartphone information

This malicious application collects the IMEI, manufacturer, and model name with the following code.



The collected information is hashed with MD5 and leaked to a certain site.

* Collects user name and e-mail account information

This malicious application collects the user name and e-mail account information.



* Tries to leak gathered information

Furthermore, this malicious application tries to leak the gathered information to a certain URL.

* External URL

http://push.(~~).com/push(~~)

3. How to prevent

To use a smartphone safely against the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
2. Download only applications that have been proven by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from the smartphone.
5. Do not open MMS, text messages, or e-mails from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are being used.
8. Do not store important information on the phone.
9. Do not attempt unauthorized modifications such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides a diagnosis/treatment function for malicious files such as the one described above through nProtect Mobile for Android, and runs a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.FakeBatteryDoctor.A

10/14/2011

[Warning] Android malicious application that steals e-mail account and password has been reported.

1. Introduction

Various Android malicious applications that steal e-mail accounts and passwords have been reported recently.
Among the booming number of malicious applications, a peculiar one that tries to steal the user's e-mail account and password has been found.
This malicious application is disguised as a streaming player.
It induces the user to enter his ID and password, which are then leaked.
 
2. Spreading path and symptoms of infection

This malicious application can spread via various black markets and third-party markets, and requests the following permissions.



* Permission explanations

- android:name="android.permission.INTERNET"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.ACCESS_WIFI_STATE"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.INJECT_EVENTS"
- android:name="android.permission.READ_LOGS"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.DUMP"
- android:name="android.permission.GET_TASKS"

After installation, the run icon shown in the following figure is generated.


When the application is executed, the following run screen appears.
The malicious application can be distinguished by its layout.
The left one is the normal version and the right one is the malicious version.





The following code shows that this malicious application leaks information to a certain URL.




The difference can also be seen in the login procedure.



3. How to prevent

General users can easily be deceived by such a fake application. It induces the user to download and use it, and the leaked information can be used in malicious ways.
To use a smartphone safely against the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
2. Download only applications that have been proven by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from the smartphone.
5. Do not open MMS, text messages, or e-mails from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are being used.
8. Do not store important information on the phone.
9. Do not attempt unauthorized modifications such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides a diagnosis/treatment function for malicious files such as the one described above through nProtect Mobile for Android, and runs a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.FakeNefilix.A

10/13/2011

[Warning] Android malicious applications that operate without the user's awareness are increasing.

1. Introduction

As smartphone security threats increase, malicious applications are generated continuously.
To extend its own life cycle, a malicious application uses various techniques.
One of the most prevalent techniques is working in the background.
Malicious applications that work in the background, trying to send SMS and collecting information, are increasing.



2. Spreading path and symptoms of infection

Since this malicious application has not spread in Korea, no particular damage case has been reported so far.
This malicious application can spread via various black markets and third-party markets, and requests the following permissions.

* Features on installation and granting permission



* Permission explanations

- android:name="android.permission.SEND_SMS"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.DEVICE_POWER"
- android:name="android.permission.WRITE_APN_SETTINGS"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.BROADCAST_PACKAGE_REMOVED"
- android:name="android.permission.BROADCAST_PACKAGE_ADDED"
- android:name="android.permission.ACCESS_WIFI_STATE"
- android:name="android.permission.CHANGE_WIFI_STATE"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.INTERNET"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.KILL_BACKGROUND_PROCESSES"

Malicious applications always ask for permissions related to internal system information such as "SMS" and "PHONE_STATE".
"KILL_BACKGROUND_PROCESSES" allows the application to kill background processes.


Because the main activity is not declared with the "LAUNCHER" category, this malicious application has no run icon.
This kind of malicious application can only be found under "Third-party" in the installed applications list.
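The permission lists in the three Android advisories above, together with the missing LAUNCHER category just described, can be checked statically before an APK is ever run. The script below is an added example written for this page, not code from INCA or from the samples; it parses a constructed AndroidManifest.xml (assembled from permissions named in these advisories) and reports risky permission combinations, signature-level permissions, a missing launcher icon, and a boot-time receiver.

```python
"""Static triage of an AndroidManifest.xml: requested permissions, whether a
launcher icon exists, and which risky combinations appear.  Added example,
not INCA's code; SAMPLE_MANIFEST is constructed from permissions named in
the advisories above."""
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Constructed sample: SMS and phone-state permissions, a main activity whose
# intent-filter lacks the LAUNCHER category (so no icon), and a boot receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# A rule fires only when every permission in its set is requested together.
RULES = {
    "sms_abuse": {"android.permission.SEND_SMS"},
    "identity_exfil": {"android.permission.READ_PHONE_STATE",
                       "android.permission.INTERNET"},
    "account_exfil": {"android.permission.GET_ACCOUNTS",
                      "android.permission.INTERNET"},
    "contacts_exfil": {"android.permission.READ_CONTACTS",
                       "android.permission.INTERNET"},
    "kills_other_apps": {"android.permission.KILL_BACKGROUND_PROCESSES"},
}
# Signature-level permissions: the platform does not grant these to ordinary
# third-party apps, so a request for them is suspicious by itself.
SIGNATURE_ONLY = {"android.permission.INJECT_EVENTS", "android.permission.DUMP"}


def permissions(root):
    return {e.get(NAME) for e in root.iter("uses-permission")}


def has_launcher_activity(root):
    """True if some activity's intent-filter carries both MAIN and LAUNCHER."""
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            cats = {c.get(NAME) for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False


def starts_on_boot(root):
    """Boot persistence needs both the permission and a BOOT_COMPLETED filter."""
    if "android.permission.RECEIVE_BOOT_COMPLETED" not in permissions(root):
        return False
    return any(a.get(NAME) == "android.intent.action.BOOT_COMPLETED"
               for a in root.iter("action"))


def triage_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = permissions(root)
    findings = sorted(name for name, need in RULES.items() if need <= perms)
    sig = sorted(perms & SIGNATURE_ONLY)
    if sig:
        findings.append("signature_only:" + ",".join(sig))
    hidden = not has_launcher_activity(root)
    if hidden:
        findings.append("no_launcher_icon")
    if starts_on_boot(root):
        findings.append("starts_on_boot")
    return {"package": root.get("package"), "permissions": sorted(perms),
            "hidden": hidden, "findings": findings}


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "hidden=%s" % report["hidden"])
    for finding in report["findings"]:
        print(" -", finding)
```

On a real APK the manifest is binary XML and must first be decoded (for example with aapt or apktool) before this parser can read it.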


* Malicious behaviors

This malicious application can send advertising SMS and can collect contacts, IMSI, and so on.
Furthermore, the collected information can be leaked to a certain external URL. The following code shows the collection of IMEI, model name, Android platform and SDK version, and contacts.


* SMS sending function



A. Sends SMS



B. Sends MMS



Under certain conditions, it sends SMS or MMS.


 
Furthermore, this malicious application can collect the list of running applications and terminate a running application.



The code above confirms that it can kill running applications.

※ The method "killBackgroundProcesses()" terminates processes on version 2.2 or higher, whereas the method "restartPackage()" is used to terminate processes on version 2.1 or lower.

3. How to prevent

To use a PC safely against the security threats of these malicious files, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides a diagnosis/treatment function for malicious files such as the one described above through nProtect Anti-Virus/Spyware, and runs a response system against various security threats.

Diagnosis name

- Trojan-SMS/Android.AdSms.F

10/12/2011

Microsoft Security Bulletin Summary for October 2011

1. Introduction

Microsoft (MS) released its regular security updates for October 2011.
Users of MS operating systems are strongly recommended to install the updates to be safe from the vulnerabilities in Microsoft Active Accessibility, Windows Media Center, Windows Kernel-Mode Drivers, and .NET Framework and Microsoft Silverlight.



2. Update details

[Important]
[MS11-075] Vulnerability in Microsoft Active Accessibility Could Allow Remote Code Execution (2623699)

Vulnerability: Active Accessibility Insecure Library Loading Vulnerability - CVE-2011-1247

This security update resolves a privately reported vulnerability in the Microsoft Active Accessibility component. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, the Microsoft Active Accessibility component could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit and Windows Server 2008 for 32-bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-075



[Important]
[MS11-076] Vulnerability in Windows Media Center Could Allow Remote Code Execution (2604926)

Vulnerability: Media Center Insecure Library Loading Vulnerability - CVE-2011-2009

This security update resolves a publicly disclosed vulnerability in Windows Media Center. The vulnerability could allow remote code execution if an attacker convinces a user to open a legitimate file that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Media Center could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file.

Affected Software

- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Media Center TV Pack for Windows Vista (32-bit editions)
- Windows Media Center TV Pack for Windows Vista (64-bit editions)

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-076



[Important]
[MS11-077] Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2567053)

Vulnerabilities:
- Win32k Null Pointer De-reference Vulnerability - CVE-2011-1985
- Win32k TrueType Font Type Translation Vulnerability - CVE-2011-2002
- Font Library File Buffer Overrun Vulnerability - CVE-2011-2003
- Win32k Use After Free Vulnerability - CVE-2011-2011

This security update resolves four privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted font file (such as a .fon file) in a network share, a UNC or WebDAV location, or an e-mail attachment. For a remote attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open the specially crafted font file, or open the file as an e-mail attachment.

Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit and Windows Server 2008 for 32-bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-077



[Critical]
[MS11-078] Vulnerability in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2604930)

Vulnerability: .NET Framework Class Inheritance Vulnerability - CVE-2011-1253

This security update resolves a privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerability could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerability could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and then executes the page, as could be the case in a Web hosting scenario. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

Affected Software

- Windows XP SP3 for Microsoft .NET Framework 1.0 SP3
- Windows XP SP3 for Microsoft .NET Framework 1.1 SP1
- Windows XP SP3 for Microsoft .NET Framework 2.0 SP2
- Windows XP SP3 for Microsoft .NET Framework 4
- Windows XP Professional x64 Edition SP2 for Microsoft .NET Framework 1.1 SP1
- Windows XP Professional x64 Edition SP2 for Microsoft .NET Framework 2.0 SP2
- Windows XP Professional x64 Edition SP2 for Microsoft .NET Framework 4
- Windows Server 2003 SP2 for Microsoft .NET Framework 1.1 SP1
- Windows Server 2003 SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Server 2003 SP2 for Microsoft .NET Framework 4
- Windows Server 2003 x64 Edition SP2 for Microsoft .NET Framework 1.1 SP1
- Windows Server 2003 x64 Edition SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Server 2003 x64 Edition SP2 for Microsoft .NET Framework 4
- Windows Server 2003 SP2 Itanium-based for Microsoft .NET Framework 1.1 SP1
- Windows Server 2003 SP2 Itanium-based for Microsoft .NET Framework 2.0 SP2
- Windows Server 2003 SP2 Itanium-based for Microsoft .NET Framework 4
- Windows Vista SP2 for Microsoft .NET Framework 1.1 SP1
- Windows Vista SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Vista SP2 for Microsoft .NET Framework 4
- Windows Vista x64 Edition SP2 for Microsoft .NET Framework 1.1 SP1
- Windows Vista x64 Edition SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Vista x64 Edition SP2 for Microsoft .NET Framework 4
- Windows Server 2008 for 32-bit SP2 for Microsoft .NET Framework 1.1 SP1
- Windows Server 2008 for 32-bit SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Server 2008 for 32-bit SP2 for Microsoft .NET Framework 4
- Windows Server 2008 for x64-based SP2 for Microsoft .NET Framework 1.1 SP1
- Windows Server 2008 for x64-based SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Server 2008 for x64-based SP2 for Microsoft .NET Framework 4
- Windows Server 2008 for Itanium SP2 for Microsoft .NET Framework 1.1 SP1
- Windows Server 2008 for Itanium SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Server 2008 for Itanium SP2 for Microsoft .NET Framework 4
- Windows 7 for 32-bit for Microsoft .NET Framework 3.5.1
- Windows 7 for 32-bit for Microsoft .NET Framework 4
- Windows 7 for 32-bit SP1 for Microsoft .NET Framework 3.5.1
- Windows 7 for 32-bit SP1 for Microsoft .NET Framework 4
- Windows 7 for x64-based for Microsoft .NET Framework 3.5.1
- Windows 7 for x64-based SP1 for Microsoft .NET Framework 4
- Windows Server 2008 R2 for x64-based for Microsoft .NET Framework 3.5.1
- Windows Server 2008 R2 for x64-based for Microsoft .NET Framework 4
- Windows Server 2008 R2 for x64-based SP1 for Microsoft .NET Framework 3.5.1
- Windows Server 2008 R2 for x64-based SP1 for Microsoft .NET Framework 4
- Windows Server 2008 R2 for Itanium-based for Microsoft .NET Framework 3.5.1
- Windows Server 2008 R2 for Itanium-based for Microsoft .NET Framework 4
- Windows Server 2008 R2 for Itanium SP1 for Microsoft .NET Framework 3.5.1
- Windows Server 2008 R2 for Itanium SP1 for Microsoft .NET Framework 4

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-078



[Important]
[MS11-079] Vulnerabilities in Microsoft Forefront Unified Access Gateway Could Allow Remote Code Execution (2544641)

Vulnerabilities:
- ExcelTable Response Splitting XSS Vulnerability - CVE-2011-1895
- ExcelTable Reflected XSS Vulnerability - CVE-2011-1896
- Default Reflected XSS Vulnerability - CVE-2011-1897
- Poisoned Cup of Code Execution Vulnerability - CVE-2011-1969
- SharePoint XSS Vulnerability - CVE-2011-1893
- Null Session Cookie Crash - CVE-2011-2012

This security update resolves five privately reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG). The most severe of these vulnerabilities could allow remote code execution if a user visits an affected Web site using a specially crafted URL. However, an attacker would have no way to force users to visit such a Web site. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site.

Affected Software

- Microsoft Forefront Unified Access Gateway 2010
- Microsoft Forefront Unified Access Gateway 2010 Update
- Microsoft Forefront Unified Access Gateway 2010 Update 2
- Microsoft Forefront Unified Access Gateway 2010 SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-079



[Important]
[MS11-080] Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

Vulnerability: Ancillary Function Driver Elevation of Privilege Vulnerability - CVE-2011-2005

This security update resolves a privately reported vulnerability in the Microsoft Windows Ancillary Function Driver (AFD). The vulnerability could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.

Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-080



[Important]
[MS11-081] Cumulative Security Update for Internet Explorer (2586448)

Vulnerabilities:
- Scroll Event Remote Code Execution Vulnerability - CVE-2011-1993
- OLEAuto32.dll Remote Code Execution Vulnerability - CVE-2011-1995
- Option Element Remote Code Execution Vulnerability - CVE-2011-1996
- OnLoad Event Remote Code Execution Vulnerability - CVE-2011-1997
- Jscript9.dll Remote Code Execution Vulnerability - CVE-2011-1998
- Select Element Remote Code Execution Vulnerability - CVE-2011-1999
- Virtual Function Table Corruption Remote Code Execution Vulnerability - CVE-2011-2001

This security update resolves eight privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Internet Explorer 6 with Windows XP Service Pack 3
- Internet Explorer 6 with Windows XP Professional x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 SP2
- Internet Explorer 6 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows XP SP3
- Internet Explorer 7 with Windows XP Professional x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 SP2
- Internet Explorer 7 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows Vista SP2
- Internet Explorer 7 with Windows Vista x64 Edition SP2
- Internet Explorer 7 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 7 with Windows Server 2008 for x64-based Systems SP2
- Internet Explorer 7 with Windows Server 2008 for Itanium-based Systems SP2
- Internet Explorer 8 with Windows XP SP3
- Internet Explorer 8 with Windows XP Professional x64 Edition SP2
- Internet Explorer 8 with Windows Server 2003 SP2
- Internet Explorer 8 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 8 with Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Internet Explorer 8 with Windows 7 for x64-based and Windows 7 for x64-based SP1
- Internet Explorer 8 with Windows Vista SP2
- Internet Explorer 8 with Windows Vista x64 Edition SP2
- Internet Explorer 8 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 8 with Windows Server 2008 for 64-bit Systems SP2
- Internet Explorer 8 with Windows 2008 R2 for x64-based Systems SP1
- Internet Explorer 8 with Windows 2008 R2 for Itanium-based Systems SP1
- Internet Explorer 9 with Windows Vista SP2
- Internet Explorer 9 with Windows Vista x64 Edition SP2
- Internet Explorer 9 with Windows Server 2008 for 32-bit SP2
- Internet Explorer 9 with Windows Server 2008 for 64-bit SP2
- Internet Explorer 9 with Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Internet Explorer 9 with Windows 7 for x64-based and Windows 7 for x64-based SP1
- Internet Explorer 9 with Windows Server 2008 R2 for 64-bit and Windows Server 2008 R2 for 64-bit SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-081



[Important]
[MS11-082] Vulnerabilities in Host Integration Server Could Allow Denial of Service (2607670)

Vulnerabilities:
- Endless Loop DoS in snabase.exe Vulnerability - CVE-2011-2007
- Access of Unallocated Memory DoS Vulnerability - CVE-2011-2008

This security update resolves two publicly disclosed vulnerabilities in Host Integration Server. The vulnerabilities could allow denial of service if a remote attacker sends specially crafted network packets to a Host Integration Server listening on UDP port 1478 or TCP ports 1477 and 1478. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. In this case, the Host Integration Server ports should be blocked from the Internet.

Affected Software

- Microsoft Host Integration Server 2004 SP1
- Microsoft Host Integration Server 2006 SP1
- Microsoft Host Integration Server 2009
- Microsoft Host Integration Server 2010

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-082

10/05/2011

[Caution] Various types of security threats from e-mail attachments

1. Introduction

 
Various types of malicious attachments are being found recently.
Malicious e-mails are spread indiscriminately and threaten users with viruses, worms, phishing, spyware, and adware.
With the boom in malicious e-mails, we introduce the various types of e-mails prevalent these days.



2. Spreading path and symptoms of infection

The spreading technique via e-mail is the same as always: the user is infected simply by executing an attachment or clicking a suspicious URL. Since various types of malicious files that exploit vulnerabilities in various applications have been reported, general users need to be careful when using the Internet.

* Vulnerability information sources

[Microsoft] Security TechCenter
http://technet.microsoft.com/en-us/security/bulletin

[Adobe] Security Bulletins and advisories
http://www.adobe.com/support/security/

[CVE] Common Vulnerabilities and Exposures
http://cve.mitre.org/

The following attachments have been reported to cause malicious behaviors such as those of the Zeus bot or SpyEye bot after infecting the PC.

1. Disguised as sent by a public institution

The following case impersonates the U.S. Chamber of Commerce.


2. Disguised as sent by an express logistics company

The following case impersonates DHL.


Based on our analysis, we obtained the following results.

1. Choose the target

- The malicious e-mail distributor sends malicious mails to as many unspecified users as possible.

2. Send mail

- The malicious e-mail hides a malicious file in an attachment, including MS Office and PDF formats, or carries a suspicious link.

3. Infect with the malicious file or cause malicious behavior

- Upon executing the attachment or link, the malicious program infects or is installed on the victim's PC. The installed program can act as a backdoor or turn the PC into a zombie. Attachment-type malicious files can exploit various document formats and may even carry genuine-looking document contents.
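The lure pattern described in steps 1 to 3 above (a sender impersonating an institution or courier, an Office/PDF attachment, a link whose visible text hides its real target) can be checked mechanically on an incoming message. The script below is an added example, not INCA's code; the message it inspects is constructed, and the brand-to-domain mapping (dhl.com, uschamber.com) is an assumption made for the demo.

```python
"""Triage of an e-mail for the lure patterns in the advisory above: a
brand-impersonating sender, a document/executable attachment, or a link
whose visible text and real target disagree.  Added example, not INCA's
code; the message and the brand-domain table are constructed for the demo."""
import email
import re
from email import policy
from email.message import EmailMessage

# Brands the advisory saw impersonated, with the domains assumed to be
# their legitimate senders (assumption for the example).
BRAND_DOMAINS = {"dhl": {"dhl.com"}, "chamber of commerce": {"uschamber.com"}}
# Attachment types the advisory names (Office, PDF) plus executables/archives.
RISKY_EXT = {".doc", ".xls", ".ppt", ".docx", ".xlsm", ".pdf", ".exe", ".scr", ".zip"}
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"^(?:https?://)?([^/:\s]+)", re.I)


def build_sample():
    """Constructed lure: DHL display name, unrelated sender domain, a .doc
    attachment, and a link whose text claims dhl.com but points elsewhere."""
    msg = EmailMessage()
    msg["From"] = "DHL Express <notice@parcel-update.example>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "DHL Shipment Notification"
    msg.set_content("Your parcel could not be delivered. See attachment.")
    msg.add_alternative(
        '<p>Track it at <a href="http://track.parcel-update.example/x">'
        'http://www.dhl.com/track</a></p>', subtype="html")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed bytes, not a real document",
                       maintype="application", subtype="msword",
                       filename="DHL_Notification.doc")
    return msg.as_bytes()


def brand_mismatch(display_name, domain):
    """Brand named in the display name but sent from a domain not tied to it."""
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_name and domain not in legit:
            return brand
    return None


def risky_attachments(msg):
    names = []
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        ext = ("." + fn.rsplit(".", 1)[-1].lower()) if "." in fn else ""
        if ext in RISKY_EXT:
            names.append(fn)
    return names


def mismatched_links(msg):
    """Links whose visible text names a different host than the href."""
    out = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, text in LINK_RE.findall(part.get_content()):
            shown = re.sub("<[^>]+>", "", text).strip()
            h, t = DOMAIN_RE.match(href.strip()), DOMAIN_RE.match(shown)
            if h and t and "." in t.group(1) and h.group(1).lower() != t.group(1).lower():
                out.append((shown, href))
    return out


def triage_email(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    sender = msg["From"].addresses[0]
    name, domain = sender.display_name.lower(), sender.domain.lower()
    findings = []
    brand = brand_mismatch(name, domain)
    if brand:
        findings.append("sender impersonates %s from %s" % (brand, domain))
    for fn in risky_attachments(msg):
        findings.append("risky attachment %s" % fn)
    for shown, href in mismatched_links(msg):
        findings.append("link text %s points to %s" % (shown, href))
    return findings


if __name__ == "__main__":
    for finding in triage_email(build_sample()):
        print("-", finding)
```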

4. How to prevent

Due to the nature of BIOS and MBR, complete treatment by anti-virus is difficult.
To use a PC safely against the security threats of these malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides a diagnosis/treatment function for malicious files such as the ones described above through “nProtect Anti-Virus/Spyware”, and runs a response system against various security threats.

Diagnosis name

- Trojan-Spy/W32.SpyEyes.244224.B
- Trojan/W32.Agent.24576.BKX