
11/27/2011

DDoS malware spreading through a tampered KMPlayer installer

1. Introduction

A DDoS trojan bundled into a tampered installer of KMPlayer, a popular Windows media player from South Korea, has been reported. The trojan installs itself silently alongside the player when the modified installer is run.
The attacker added a malicious executable to the installation file itself, so the infection happens during what looks like a normal install.
Anyone who recently downloaded and installed KMPlayer should therefore check the security of their computer.



The most recent version of KMPlayer is KMPlayer_KR_3.0.0.1442_R2.exe, announced on the official web site and posted on September 21st.



However, the file downloaded on November 26th had been tampered with by a third party and contained an additional malicious file. The tampered file looks like a normal KMPlayer installer, but its file (version) information is in Chinese. Based on our analysis, the author appears to have used a binder program, which combines two executables into a single file.



The tampered KMPlayer_KR_3.0.0.1442_R2.exe carries the malicious file in a resource named SOURCE (the "malicious resource code"); that resource is written to disk under a generated name and executed. The end result is an infection by a DDoS-capable malicious file.


2. Spreading path and symptoms of infection

When the tampered KMPlayer_KR_3.0.0.1442_R2.exe is executed, it writes both the genuine installer and the malicious installer to the temp folder.

Because each file name is built from fixed letters plus variable letters, the names differ on every run.

* Generated normal installer (EXE): e+(variable)+a+(variable)+l+(variable)+r.exe
* Generated malicious installer (EXE): l+(variable)+a+(variable)+l+(variable)+r.exe
* Generated malicious DLL: T+(variable)+m+(variable)+t+(variable)+D.dll
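Two checks a responder can run offline follow from the two observations above: a binder leaves two complete PE images in one file, and the dropped files follow a fixed-letter naming scheme. The script below is an added example written for this post, not code from INCA Internet or from the KMPlayer project. It assumes that each variable part of a dropped name is one or more ASCII letters (the post does not say how long it is), and the "PE" blob it scans is a constructed stub, not a real installer.

```python
import re
import struct

# Naming scheme from the post: the letters e/a/l/r, l/a/l/r and T/m/t/D are
# fixed and the characters between them change per run. ASSUMPTION: each
# variable part is one or more ASCII letters (Windows names are case-insensitive).
DROPPED_NAME_PATTERNS = {
    "normal installer": re.compile(r"^e[a-z]+a[a-z]+l[a-z]+r\.exe$", re.I),
    "malicious installer": re.compile(r"^l[a-z]+a[a-z]+l[a-z]+r\.exe$", re.I),
    "malicious dll": re.compile(r"^t[a-z]+m[a-z]+t[a-z]+d\.dll$", re.I),
}


def classify_dropped_name(filename):
    """Return the role a temp-folder file name matches, or None."""
    for role, pattern in DROPPED_NAME_PATTERNS.items():
        if pattern.match(filename):
            return role
    return None


def find_embedded_pe(data, max_header_offset=0x1000):
    """Return the offset of every plausible PE image inside data.

    A PE image starts with 'MZ'; the DWORD at +0x3C (e_lfanew) points to the
    'PE\\0\\0' signature. A binder that glues two executables together leaves
    two such headers in one file, so more than one hit is a triage signal
    (self-extracting installers also contain embedded PEs, so it is not a verdict).
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < max_header_offset and data[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def make_fake_pe(payload=b""):
    """Constructed minimal PE-like stub for offline testing (not a real binary)."""
    header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    return header + payload


# Constructed sample: a carrier stub with a second stub appended at its end,
# which is the shape a simple binder produces.
CARRIER = make_fake_pe(b"\x90" * 200)
SAMPLE_BOUND = CARRIER + make_fake_pe(b"\xcc" * 50)

if __name__ == "__main__":
    print("embedded PE offsets:", find_embedded_pe(SAMPLE_BOUND))
    for name in ["exxaxxlxxr.exe", "lqqaqqlqqr.exe", "TabmcdtefD.dll", "setup.exe"]:
        print(name, "->", classify_dropped_name(name))
```

Run `find_embedded_pe` over the downloaded installer and compare the result with a copy fetched from the vendor's site: a second PE header at the very end of the file, where the official build has none, is the signature of a bound payload. The name check is only useful against a live temp-folder listing, since the names change on every run.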



When the genuine KMPlayer installer runs, it asks the user to choose the installation language.
The malicious installer drops a DLL with the hidden attribute into the system folder.
This malicious DLL masquerades as "Which Battery Meter Helper".

The latest version of nProtect Anti-Virus detects it as Trojan/W32.DoS.67584.B.


Once a PC is infected with this kind of malicious file, the attacker can connect to the victim's IP address and control the PC with a remote management program.

The following figure is a list of zombie PCs. Many PCs can be infected in this way and used as DDoS agents, and personal information can be leaked from them.


3. How to prevent

To keep your PC safe from these security threats, we recommend installing the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mail.
4. Be careful with links received via instant messenger and social networks.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the malicious files described above through "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

Diagnosis name

- Virus/W32.Patched.V
- Trojan/W32.DoS.67584.B

11/21/2011

[Information] Continued appearance of malicious files using an HWP exploit

1. Introduction

Malicious documents exploiting an HWP vulnerability continue to appear, so HWP users need to be careful when using the product.
A recently found malicious HWP document is disguised as an official document and tries to lure the user into opening it.
We therefore describe this case and the security patch from Hancom Inc.

[Advisory of security update for HWP's stack buffer overflow vulnerability]

* KISA BOHONARA
http://www.boho.or.kr/dataroom/data_05_dtl.jsp?u_id=217&page=1&TempNum=216

* Outline
 A stack buffer overflow was found in 'HWP', a popular Korean word processor.
 An attacker can use the vulnerability to crash the application or to execute malicious code.
 Users of earlier versions can easily be infected and are advised to update to the newest version.

* Systems
  Affected software
  - HWP 2004 earlier than 6.0.5.770
  - HWP 2005 earlier than 6.7.10.1067
  - HWP 2007 earlier than 4.5.12.623
  - HWP 2010 SE earlier than 8.5.6.1131
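An administrator with a software inventory can turn the four thresholds above into a mechanical check. The script below is an added example for this advisory, not code from INCA Internet, KISA or Hancom. The fixed-version table is taken from the advisory; the product labels and the sample inventory are assumptions made up for the example.

```python
import re

# Thresholds quoted from the advisory above: a product is affected when the
# installed build is earlier than the listed one.
FIXED_VERSIONS = {
    "HWP 2004": "6.0.5.770",
    "HWP 2005": "6.7.10.1067",
    "HWP 2007": "4.5.12.623",
    "HWP 2010 SE": "8.5.6.1131",
}


def parse_version(text):
    """'4.5.12.623' -> (4, 5, 12, 623) so that versions compare numerically.

    Comparing the raw strings would be wrong: '6.7.9.9999' sorts after
    '6.7.10.1067' as text but is an older build. Raises ValueError on input
    that is not dotted integers.
    """
    parts = text.strip().split(".")
    if not parts or not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError("bad version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_affected(product, installed_version):
    """True when installed_version is below the advisory's fixed build."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError("product not covered by the advisory: %r" % product)
    return parse_version(installed_version) < parse_version(fixed)


def triage_inventory(inventory):
    """inventory: iterable of (hostname, product, version).

    Returns the entries that still need the update. Products the advisory
    does not list are skipped rather than guessed at.
    """
    needs_update = []
    for host, product, version in inventory:
        if product in FIXED_VERSIONS and is_affected(product, version):
            needs_update.append((host, product, version))
    return needs_update


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    ("pc-01", "HWP 2007", "4.5.12.622"),
    ("pc-02", "HWP 2007", "4.5.12.623"),
    ("pc-03", "HWP 2010 SE", "8.5.6.1130"),
    ("pc-04", "HWP 2005", "6.7.9.9999"),
    ("pc-05", "Other Office", "1.0.0.1"),
]

if __name__ == "__main__":
    for entry in triage_inventory(SAMPLE_INVENTORY):
        print("needs update:", entry)
```

The point worth keeping from this example is the numeric comparison: pc-04 runs 6.7.9.9999, which a plain string comparison would rate as newer than the fixed 6.7.10.1067 and silently leave vulnerable.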

* How to prevent
  For users of earlier versions
  - Visit the official web site and download the update, or use auto update
  - http://www.hancom.co.kr/downLoad.downPU.do?mcd=001
  - Auto update: Start → Programs → Hancom → Hancom auto update




* Hancom Inc.
http://www.hancom.co.kr/downLoad.downPU.do?mcd=001

2. Spreading path and symptoms of infection

This kind of malicious file typically reaches the victim's system as an attachment to a suspicious e-mail or from a certain web site. Because the document is disguised as an official document, ordinary users readily download and open it.



[File information]

[HWP2007]
- (Application Program)\Hwp70\Hwpeq9x.dll (57,344 bytes)
- (Windows system folder)\mvcert.dll (32,768 bytes)

[Registry information]



3. How to prevent

To keep your PC safe from these security threats, we recommend installing the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mail.
4. Be careful with links received via instant messenger and social networks.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the malicious files described above through "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

Diagnosis name

 - Trojan-Exploit/W32.Hwp-Exploit.322296
 - Trojan-Exploit/W32.Hwp_Exploit.439312
 - Trojan/W32.Agent.193736
 - Trojan/W32.Agent.32768.BWC
 - Trojan/W32.Agent.57344.COQ
 - Trojan/W32.Agent.65536.CBK
 

11/18/2011

[Information] Status of Android-based mobile malicious files

1. Introduction

Based on our analysis of malicious files for Android, the number of such files has been growing exponentially since June 2011.
This reflects the rapid growth in the number of Android users.
No real damage case has been reported in South Korea so far, but the threat to users abroad is considerable.
Users therefore need to be careful with this kind of application.



2. Related information

Against Android-based malicious files in particular, INCA Internet has distributed an anti-virus application for Android and published information for the public.

The spreading techniques of Android malicious files are becoming steadily more sophisticated and refined. Early malicious files were written out of curiosity or as proofs of concept, but the same files are easily turned to malicious ends.
Attack techniques keep evolving in both quality and quantity.

Step 1 is an anonymous attacker collecting data from the victim's smartphone.
Step 2 is turning that access into cybercrime for profit, including inducing payments.
Finally, in step 3 the phone can be turned into a zombie phone for DDoS, GPS tracking, control from a C&C server, or even an APT (Advanced Persistent Threat).

* Status of collected malicious files and updates

The following graph shows the files INCA Internet collected in 2011.



According to the graph, the number of samples has been increasing rapidly since September 2011.

INCA Internet's nProtect Mobile for Android, which includes detection and removal functions, is distributed free of charge.
Android phone users also need to take care at installation time to avoid infection by malicious files.

3. Finishing

When installing an application, we recommend using the official market, checking the permissions it requests, and submitting the file for analysis if it looks suspicious. To use your smartphone safely despite these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
2. Download only applications that have been proven by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from your smartphone.
5. Do not open MMS, text messages or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not perform unauthorized customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the mobile malicious files described above through "nProtect Mobile for Android" and operates a response system against various security threats.

[Information] Various types and variants of malicious spam e-mail

1. Introduction

According to a report by a Korean security company, spam accounts for nearly 69% of e-mail.
As the value of and interest in information grow, attempts to exploit it are growing exponentially too.
Among these threats, we review the various types of malicious spam e-mail, the threats they pose, and how to prevent them.



Because spam e-mail and its attachments are disguised as normal content, or the sender address is forged, ordinary users cannot tell whether a message is genuine.
The various types of malicious e-mail are as follows.



2. Spreading cases

A recently found malicious spam e-mail was made to look as if it came from YouTube.
Forging the sender address to look like a company's own webmaster is likewise a threat on the business side.



As shown above, malicious spam e-mail lures the user to a certain web site using social engineering or a web browser vulnerability, and then installs a malicious file on the victim's computer.
Using the infected computer, it performs malicious functions such as remote access or stealing the victim's online banking credentials.
It can also create further victims by forwarding itself to other users.
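A forged "webmaster" sender of the kind mentioned above cannot be spotted from the visible From line alone, but the envelope sender (Return-Path) and the Received header written by your own mail server usually give it away. The script below is an added example for this post, not code from INCA Internet. The two raw messages are constructed for the example, the domain example.co.kr stands in for your own domain, and the check deliberately looks only at the outermost Received header, the one your own MX wrote, because inner ones can be forged by the sender.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed message: the visible From claims to be the company's webmaster,
# but the envelope sender and the delivering host belong to another domain.
SAMPLE_SPOOFED = """\
Return-Path: <bounce-4412@mailer.example-bulk.net>
Received: from mx7.example-bulk.net (mx7.example-bulk.net [203.0.113.9])
\tby mail.example.co.kr with ESMTP id 8J2; Mon, 14 Nov 2011 09:12:01 +0900
From: Webmaster <webmaster@example.co.kr>
To: staff@example.co.kr
Subject: Your mailbox will be closed
Content-Type: text/plain

Click here to keep your account: http://example-bulk.net/verify
"""

# Constructed message that really did come from the internal webmaster.
SAMPLE_LEGIT = """\
Return-Path: <webmaster@example.co.kr>
Received: from intranet.example.co.kr (intranet.example.co.kr [192.0.2.5])
\tby mail.example.co.kr with ESMTP id 8J3; Mon, 14 Nov 2011 09:20:00 +0900
From: Webmaster <webmaster@example.co.kr>
To: staff@example.co.kr
Subject: Scheduled maintenance
Content-Type: text/plain

Mail will be unavailable on Saturday 02:00-03:00.
"""


def domain_of(address):
    """'Webmaster <webmaster@example.co.kr>' -> 'example.co.kr' (lowercase)."""
    _, addr = parseaddr(str(address))
    return addr.rpartition("@")[2].lower()


def in_domain(host, own_domain):
    """Exact match or a sub-domain; a plain endswith() would accept
    'notexample.co.kr', so the dot is required."""
    host = host.lower()
    return host == own_domain or host.endswith("." + own_domain)


def sender_spoof_indicators(raw, own_domain):
    """Return the reasons the visible From looks forged for own_domain.

    Only messages whose From claims our own domain are examined. Indicators:
    (1) the envelope Return-Path is in a different domain;
    (2) the outermost Received header (written by our MX) names a delivering
        host outside our domain.
    An empty list means no indicator was found, not that the mail is safe.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    reasons = []
    if from_domain != own_domain:
        return reasons
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != own_domain:
        reasons.append("Return-Path domain %s differs from From domain" % rp_domain)
    received = msg.get_all("Received") or []
    if received:
        first = str(received[0]).strip()
        if first.lower().startswith("from "):
            host = first.split()[1]
            if not in_domain(host, own_domain):
                reasons.append("delivering host %s is outside %s" % (host, own_domain))
    return reasons


if __name__ == "__main__":
    print(sender_spoof_indicators(SAMPLE_SPOOFED, "example.co.kr"))
    print(sender_spoof_indicators(SAMPLE_LEGIT, "example.co.kr"))
```

In production the same idea is what SPF and DMARC automate; this check is the manual version a helpdesk can run on a saved .eml when those records are not yet deployed.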



3. How to prevent

Security threats involving spam e-mail will keep growing. To use the internet safely despite malicious spam e-mail, we recommend the following "Anti-spam e-mail management tips" for general users.

Anti-spam e-mail management tips

1. Choose a mail address that is hard to guess or harvest.
2. Do not leave your mail address on bulletin boards.
3. Opt out of marketing e-mail ("Do not receive e-mail") when registering on websites.
4. Use an anti-spam or filtering program.
5. Do not open e-mail from unknown senders.
6. Use a separate mail address for sites likely to send spam.
7. Install an anti-virus program to guard against these threats.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

11/14/2011

[Information] Android malicious application inducing charges, targeting various countries

1. Introduction

Various applications that incur extra charges through premium SMS have been found.
Premium SMS services of this kind operate in overseas countries.
Now a malicious application that targets victims in several countries has been reported, and variants of this SMS-based malicious application are expected to follow.
With these growing threats, users need to be careful when downloading applications.

2. Spreading path and symptoms of infection

This malicious application spreads through various black markets and third-party markets and requests the following permissions.

* Essentials

The following figure shows the permission request page at installation.


Because this application is packaged as an installer for another app, it needs no other permission, but it does need permission to send SMS.

* Permission explanations

 - <uses-permission android:name="android.permission.SEND_SMS" > </uses-permission>

After installation, the run screen in the following figure is shown.


It offers to download an application called "Geared"; clicking the "Next" button downloads and installs it.



* Permission requirement of "Geared"


* Run screen




The "Rules" page shows terms and conditions as follows.


It mentions "make payment" for access to certain content and being charged via SMS, but this page is hardly ever read.

One notable point is that the two applications have different package names.

* Comparison of package names
- Malicious application : com.depositmobi
- Game application : com.scoreloop.games.geared
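The two facts above, an installer-only app that nonetheless asks for SEND_SMS and a package name that does not match the game it claims to install, are both visible in the manifest before the app is ever run. The script below is an added example for this post, not code from INCA Internet or from either application; it reads the manifest in the decoded XML form a tool such as apktool produces (inside an APK the manifest is binary XML). The manifest text is constructed from the two facts the post gives, and the permissions other than SEND_SMS in the risk table are assumptions about what a triage rule would also flag.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# SEND_SMS is the permission the post identifies. The other entries are
# assumptions: permissions that likewise cost the user money or let an app
# read confirmation messages silently.
RISKY_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send premium-rate SMS",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.CALL_PHONE": "can dial premium numbers",
}


def manifest_summary(manifest_xml):
    """Return (package name, [requested permissions]) from decoded manifest XML."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an AndroidManifest.xml root element")
    package = root.get("package", "")
    perms = [e.get("{%s}name" % ANDROID_NS, "") for e in root.iter("uses-permission")]
    return package, perms


def triage_manifest(manifest_xml, expected_package=None):
    """Flag risky permissions and, if given, a package name that does not
    match the application the user believes they are installing."""
    package, perms = manifest_summary(manifest_xml)
    findings = []
    for p in perms:
        if p in RISKY_PERMISSIONS:
            findings.append("%s: %s" % (p, RISKY_PERMISSIONS[p]))
    if expected_package and package != expected_package:
        findings.append("package is %s, expected %s" % (package, expected_package))
    return {"package": package, "permissions": perms, "findings": findings}


# Constructed manifest: the package name and the single SEND_SMS permission
# are the two facts from the post; everything else is filler.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.depositmobi">
    <uses-permission android:name="android.permission.SEND_SMS" > </uses-permission>
    <application android:label="Geared Installer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST, expected_package="com.scoreloop.games.geared")
    for line in result["findings"]:
        print("finding:", line)
```

An installer or downloader has no business sending SMS, so SEND_SMS on an app with that role should be enough on its own to reject it; the package mismatch against the real game (com.scoreloop.games.geared) is the second, independent signal.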

* Detailed analysis

The malicious function can be seen in the following code.



The malicious function runs once the application has been launched and the button clicked, and the victim gets no notice that an SMS is being sent.
Because the SMS is sent directly from code through the SMS API rather than through the messaging app, it is not recorded in the sent box.

The malicious application also checks the operator code of the infected smartphone and sets the language accordingly.
The "Raw" folder holds "countries.cfg" for the language setting and "sms.cfg" for the URL used to download the additional game application (geared).

* URL for downloading the game application (geared)

- http://moyandroid.net/(~~)/download.php?id

Part of the following code is the country code table.


3. How to prevent

SMS-based malicious applications are a major trend among Android malware.
This one stands out in that it uses various social engineering techniques and targets multiple countries. To use your smartphone safely despite these malicious applications, we recommend the following "Smartphone security management tips" for general users.

* Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
2. Download only applications that have been proven by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from your smartphone.
5. Do not open MMS, text messages or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not perform unauthorized customization such as rooting or jailbreaking.

* INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the mobile malicious files described above through nProtect Mobile for Android and operates a response system against various security threats.

11/09/2011

Microsoft Security Bulletin Summary for November 2011

1. Introduction

Microsoft's regular security updates for November 2011 have been released.
Users of Microsoft operating systems are strongly recommended to install them to be protected from the Reference Counter Overflow vulnerability, the TrueType Font Parsing vulnerability, the Windows Mail Insecure Library Loading vulnerability, and the Active Directory elevation of privilege vulnerability.



2. Update details

[Critical]
[MS11-083] Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

Vulnerability: Reference Counter Overflow Vulnerability - CVE-2011-2013

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.
This security update is rated Critical for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
The security update addresses the vulnerability by modifying the way that the Windows TCP/IP stack keeps track of UDP packets within memory.
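The precondition for this bug, a continuous stream of UDP datagrams to a port with no listener, is exactly what the Windows Firewall log records as DROP entries, so a host that cannot be patched immediately can at least be watched for the pattern. The script below is an added example for this bulletin, not Microsoft's or INCA Internet's code. The log lines are constructed in the W3C layout pfirewall.log uses (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, ...), and the threshold and window are arbitrary values to tune locally; a hit means a burst of UDP to a closed port, not that the exploit was used.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines in Windows Firewall (pfirewall.log) W3C format.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-11-09 10:00:00 DROP UDP 203.0.113.7 192.0.2.10 41000 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:00 DROP UDP 203.0.113.7 192.0.2.10 41001 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:01 DROP UDP 203.0.113.7 192.0.2.10 41002 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:01 OPEN TCP 192.0.2.10 198.51.100.3 49152 443 0 - 0 0 0 - - - SEND
2011-11-09 10:00:01 DROP UDP 203.0.113.7 192.0.2.10 41003 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:02 DROP UDP 203.0.113.7 192.0.2.10 41004 5555 60 - - - - - - - RECEIVE
2011-11-09 10:00:30 DROP UDP 198.51.100.9 192.0.2.10 53 137 78 - - - - - - - RECEIVE
2011-11-09 10:05:00 DROP UDP 203.0.113.7 192.0.2.10 41005 5555 60 - - - - - - - RECEIVE
"""


def parse_firewall_lines(text):
    """Yield (timestamp, action, proto, src, dst, dport) for each data line,
    skipping the '#' header lines and blanks."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        yield ts, f[2], f[3], f[4], f[5], int(f[7])


def detect_udp_floods(text, threshold=5, window_seconds=10):
    """Return one alert per (src, dst, dport) that receives at least
    `threshold` dropped UDP datagrams within a sliding window of
    `window_seconds`. Each alert is (key, count_in_window, time_of_alert)."""
    recent = defaultdict(deque)      # key -> timestamps still inside the window
    alerts = []
    alerted = set()
    for ts, action, proto, src, dst, dport in parse_firewall_lines(text):
        if action != "DROP" or proto != "UDP":
            continue
        key = (src, dst, dport)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, len(q), ts))
    return alerts


if __name__ == "__main__":
    for key, count, when in detect_udp_floods(SAMPLE_LOG):
        print("%s UDP datagrams from %s to %s:%d by %s" % (count, key[0], key[1], key[2], when))
```

Logging of dropped packets has to be switched on in the firewall profile for this to see anything; the single DROP from 198.51.100.9 in the sample shows why a count over a window, rather than any dropped packet, is the right trigger.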

Affected Software

- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
- Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems SP1
- Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-083



[Moderate]
[MS11-084] Vulnerability in Windows Kernel-Mode Drivers Could Allow Denial of Service (2617657)

Vulnerability: TrueType Font Parsing Vulnerability - CVE-2011-2004

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a user opens a specially crafted TrueType font file as an e-mail attachment or navigates to a network share or WebDAV location containing a specially crafted TrueType font file. For an attack to be successful, a user must visit the untrusted remote file system location or WebDAV share containing the specially crafted TrueType font file, or open the file as an e-mail attachment. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to persuade users to do so, typically by getting them to click a link in an e-mail message or Instant Messenger message.

Affected Software

- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
- Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems SP1
- Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-084



[Important]
[MS11-085] Vulnerability in Windows Mail and Windows Meeting Space Could Allow Remote Code Execution (2620704)

Vulnerability: Windows Mail Insecure Library Loading Vulnerability - CVE-2011-2016

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .eml or .wcinv file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Windows Mail or Windows Meeting Space could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .eml or .wcinv file) from this location that is then loaded by a vulnerable application.

Affected Software

- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
- Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems SP1
- Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-085



[Important]
[MS11-086] Vulnerability in Active Directory Could Allow Elevation of Privilege (2630837)

Vulnerability: LDAPS Authentication Bypass Vulnerability - CVE-2011-2014

This security update resolves a privately reported vulnerability in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS). The vulnerability could allow elevation of privilege if Active Directory is configured to use LDAP over SSL (LDAPS) and an attacker acquires a revoked certificate that is associated with a valid domain account and then uses that revoked certificate to authenticate to the Active Directory domain. By default, Active Directory is not configured to use LDAP over SSL.

Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems SP2
- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
- Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems SP1
- Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/ms11-086

11/05/2011

[Information] Nitro attacks aimed at defense industries and chemical companies

1. Introduction

On Oct 31, 2011, Symantec, one of the largest makers of security software, reported a security threat named Nitro.
The threat is reported to spread malicious files using social engineering techniques such as spam mail, in the manner of an APT (Advanced Persistent Threat).

According to Symantec's report, 48 or more defense-industry and chemical companies located in the United States and the United Kingdom were infected with the malicious file named Poison Ivy (a remote control tool).
Some of the chemical companies are known to be involved in manufacturing military vehicles.
In addition, tracing the attacks back to their source identified the originating PC's address as being in China.


* Advanced Persistent Threat (by wikipedia)

Advanced persistent threat (APT) usually refers to a group, such as a foreign nation state government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly used to refer to cyber threats, in particular that of Internet-enabled espionage, but applies equally to other threats such as that of traditional espionage or attack. Other recognised attack vectors include infected media, supply chain compromise, and social engineering. Individuals, such as an individual hacker, are not usually referred to as an APT as they rarely have the resources to be both advanced and persistent even if they are intent on gaining access to, or attacking, a specific target.

* The Nitro Attacks : Stealing Secrets from the Chemical Industry (Image by Symantec)

a. Geographic Location of Infected Computers


b. Country of origin of targeted organizations



2. Spreading path and symptoms of infection

The recently reported threat aimed at specific companies or users attaches a malicious file containing remote control code to spam mail.
When the victim executes the malicious program, control of the PC and useful information on it can be leaked to the attacker.
A feature of the Nitro attack is that it operates through interaction between attacker and victim.
The spam mail carries the following contents and attachments, and further variants may be found.


[Types of attachments]
  - Antivirus_update_package.7z
  - acquisition.7z
  - offer.7z
  - update_flashplayer10ax.7z

Various variants have been found so far, and the Nitro-related malicious files appear to be produced by an automatic generation toolkit.
Furthermore, easy distribution with a Remote Administration Tool such as Poison Ivy, together with updates that add modules and strengthen its functions, raises the threat level.

An infected PC can be monitored by the attacker as shown in the following figure.



Using the functions of a remote control tool such as Poison Ivy, the attacker can identify the following information on the victim's PC.

a. Registry information of victim's PC


b. Screen Capture of victim's PC


c. Other monitoring information

 - Remote Shell
 - Surveillance(Key Logger, Screen Capture, Webcam Capture)
 - Remote Port Scanner
 - WiFi Scanner
 - Remote PC Information (Files, Services, Devices, Installed Applications, etc.)

Symantec says that threats such as Nitro, which combine APT techniques with social engineering, can damage the targeted companies, and that the leaked information can cause a significant loss of assets.

3. How to prevent

Nitro can cause various security threats. To prevent them, the following practices are needed in the business.

1. Educate staff on the management of important documents and information.
2. Keep the OS and applications up to date with the latest security updates.
3. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection enabled.
4. Do not open media or files received from suspicious or unknown senders.

* INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of the malicious files described above through "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

* Diagnosis name

 - Backdoor/W32.Poison.133511
 - Backdoor/W32.Poison.128421.B
 - Backdoor/W32.Poison.128405
 - Backdoor/W32.Poison.177722
 - Backdoor/W32.Poison.135794
 - Backdoor/W32.Poison.132031
 - Backdoor/W32.Poison.128204
 - Trojan-Dropper/W32.Agent.153938
 - Trojan/W32.Agent2.536397
 - Trojan/W32.Agent2.141530
 - Trojan/W32.Chifrax.150357
 - Trojan/W32.Genome.155705
 - Trojan/W32.Inject.136314
 - Trojan-Downloader/W32.Injecter.532499
 - Trojan-Downloader/W32.Injecter.153026
 - Trojan-Downloader/W32.Injecter.159762
 - Trojan-Downloader/W32.Injecter.150937
 - Trojan-Downloader/W32.Injecter.173068
 - Trojan-Downloader/W32.Injecter.154827