
12/26/2011

[Warning] Santa Claus is coming to town with scams (Update #1)

1. Information

As a result of intensive monitoring during the Christmas season, INCA Internet's Emergency Response Team detected various year-end scams.
Malicious actors are using the Christmas and year-end season as a lure to spread malicious files.
Users need to be careful with anything mentioning "Christmas", video URLs, season's greetings, SNS messages, or shortened URLs, especially in e-mails carrying an attachment or a link.



Malicious file distributors use social engineering built around current events to spread malicious files.
Our team strengthened its emergency monitoring during the Christmas season and found many such cases.

[Information] Be careful about scams around the end of the year
http://en-erteam.nprotect.com/2011/12/information-be-careful-about-scams.html

Issues on 2011 and predictions of upcoming 2012
http://en-erteam.nprotect.com/2011/12/issues-on-2011-and-predictions-of.html

2. Malicious files related Christmas

During this Christmas season, an MS Word exploit, a trojanized Christmas program, and PDF exploits have been reported.

* Case 1 - THIS XMAS SAY NO TO MADE IN CHINA

This e-mail appears to be Tibet-related and carries an attachment named "THIS XMAS SAY NO TO MADE IN CHINA.doc".
The attachment is malicious and silently installs a malicious file.


This e-mail was apparently sent to recipients in multiple countries, including India, Nepal, Switzerland, Japan, Canada, France, and Russia; the attacker therefore seems to be targeting Tibet-related users.

If the user opens the attachment, it creates a clean decoy document and displays it to the user, then drops and executes another malicious file.
Let's look at the document.


The files shown above, including wordupgrade.exe, are created in the Temp folder and executed; the dropper then hides its tracks using batch commands.


When the malicious "wordupgrade.exe" runs, it installs an additional malicious file disguised as an Internet service component; "wordupgrade.exe" is then deleted by a batch file command.

C:\Program Files\Online Services\Internet Services.exe


Executing "Internet Services.exe" creates further malicious files, which are likewise deleted by its batch file commands.


It then connects to a specific host and waits for additional commands. Once the remote connection is established, the backdoor is active and the victim's PC is under the attacker's control.
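As an added illustration (not part of the original post, and not INCA Internet's own tooling), the following Python script encodes the Case 1 chain above as detection rules and runs them over constructed process-creation and file-creation events of the kind Sysmon or an EDR agent would record. The event layout, the user profile and Office paths, and the decoy file name are assumptions; only the Temp dropper wordupgrade.exe and the "C:\Program Files\Online Services\Internet Services.exe" location come from the post.

```python
import ntpath
import re

# Heuristics for the Case 1 chain: an Office process drops an executable into %TEMP%,
# runs it, the dropper installs a second executable under Program Files, and a
# cmd.exe batch step deletes the dropper.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".bat", ".cmd", ".com"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()


def _is_executable(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in EXECUTABLE_EXTS


def detect_dropper_chain(events):
    """Return alert strings for events matching the Case 1 behaviour.

    Each event is a dict with 'type' ('file_create' or 'process_create'),
    'image' (the acting process), 'parent_image', and 'target' or 'cmdline'.
    """
    alerts = []
    for ev in events:
        actor = ev.get("image", "")
        parent = ev.get("parent_image", "")
        if ev["type"] == "file_create":
            target = ev["target"]
            if _base(actor) in OFFICE_PROCESSES and _is_executable(target) and _in_temp(target):
                alerts.append(f"office-drop: {_base(actor)} wrote {target}")
            if _in_temp(actor) and _is_executable(target) and target.lower().startswith("c:\\program files\\"):
                alerts.append(f"temp-installer: {_base(actor)} wrote {target}")
        elif ev["type"] == "process_create":
            cmdline = ev.get("cmdline", "")
            if _base(parent) in OFFICE_PROCESSES and _in_temp(actor):
                alerts.append(f"office-child: {_base(parent)} launched {actor}")
            # Self-delete: cmd.exe spawned by a process whose own image is named in a 'del' command.
            if _base(actor) == "cmd.exe" and re.search(r"\bdel\b", cmdline, re.I) \
                    and _base(parent) in cmdline.lower():
                alerts.append(f"self-delete: {_base(parent)} removed via {cmdline!r}")
    return alerts


# Constructed sample events (not real telemetry). Only wordupgrade.exe and the
# 'Online Services' path come from the post; everything else is assumed.
TEMP = r"C:\Documents and Settings\user\Local Settings\Temp"
WINWORD = r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"
DROPPER = TEMP + r"\wordupgrade.exe"
IMPLANT = r"C:\Program Files\Online Services\Internet Services.exe"

SAMPLE_EVENTS = [
    {"type": "file_create", "image": WINWORD, "target": TEMP + r"\decoy.doc"},
    {"type": "file_create", "image": WINWORD, "target": DROPPER},
    {"type": "process_create", "image": DROPPER, "parent_image": WINWORD},
    {"type": "file_create", "image": DROPPER, "target": IMPLANT},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\cmd.exe", "parent_image": DROPPER,
     "cmdline": f'cmd.exe /c del "{DROPPER}"'},
]

BENIGN_EVENTS = [
    {"type": "file_create", "image": WINWORD, "target": TEMP + r"\~WRD0001.tmp"},
    {"type": "process_create", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\WINDOWS\explorer.exe"},
]

if __name__ == "__main__":
    for line in detect_dropper_chain(SAMPLE_EVENTS):
        print(line)
```

Each rule on its own is noisy (installers also write to Temp and run children); the value is in the sequence, so a production rule would require the Office drop and the Temp child within a short window before raising severity.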


* Case 2 - Malicious file disguised as a Christmas decoration program

The Christmas tree desktop program appears in the bottom right corner of the desktop.


This freeware can be downloaded from http://get-xmas.com/; the malicious file distributor injected malicious code into it and repackaged it.

The malicious file is a WinRAR SFX (self-extracting) archive containing various malicious files alongside the clean mas.exe.


Once executed, it creates "udp.exe, taskngr.exe, drv.cmd, mas.exe, spoolcv.exe, svghost.exe" in the system folder, and it can download additional malicious files by contacting a specific domain.




The most notable feature of this file is that it is disguised as install_flash_player.exe, and it uses a WinRAR SFX in the same way as the program above.


This malicious file can download additional malicious files disguised as Flash Player.

* Case 3 - Malicious file using a PDF exploit

Merry Christmas.pdf exploits a vulnerability in Adobe Reader and installs malware silently.


When the malicious PDF is opened, it poses as a normal file by displaying a clean document.
At the same time it installs the malicious gupdater.exe in the Application Data folder using embedded JavaScript (updates.js, Winword.js).
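The following Python script is an added example (not the post's own analysis tooling) of the pdfid-style triage that would flag a file like Merry Christmas.pdf: it counts automatic-action and JavaScript names in the object syntax, resolves #xx-escaped names, and inflates FlateDecode streams, where the script usually hides. The sample PDF is constructed inline and contains only a harmless alert and a mock exportDataObject call named after updates.js; it is not the real attachment, and the indirect-/Length caveat noted in the code is a limitation of this sketch.

```python
import re
import zlib

# Name tokens that pdfid-style triage counts. Exploit PDFs often hex-escape them
# (/J#61vaScript) or hide them in FlateDecode streams to defeat naive string scans.
SUSPECT_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/EmbeddedFile", "/Launch", "/RichMedia")
NAME_TOKEN = re.compile(rb"/[A-Za-z0-9#]+")
# Direct /Length only; an indirect '/Length 6 0 R' is not resolved here (caveat), so that
# stream's raw bytes simply stay in the syntax region.
STREAM_START = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)[^>]*>>\s*stream\r?\n")


def normalise_name(token: bytes) -> str:
    """Resolve #xx escapes in a PDF name, e.g. b'/J#61vaScript' -> '/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token).decode("latin-1")


def split_streams(data: bytes):
    """Object syntax with stream bodies cut out, plus the bodies, sliced exactly by /Length."""
    syntax, bodies, last = [], [], 0
    for m in STREAM_START.finditer(data):
        length = int(m.group(1))
        syntax.append(data[last:m.end()])
        bodies.append(data[m.end():m.end() + length])
        last = m.end() + length
    syntax.append(data[last:])
    return b"".join(syntax), bodies


def scan_pdf(data: bytes) -> dict:
    """Count suspect names in the object syntax and inside inflatable streams."""
    counts = {name: 0 for name in SUSPECT_NAMES}
    syntax, bodies = split_streams(data)
    regions = [syntax]
    for body in bodies:
        try:
            regions.append(zlib.decompress(body))   # FlateDecode; other filters are skipped
        except zlib.error:
            continue
    for region in regions:
        for tok in NAME_TOKEN.findall(region):
            name = normalise_name(tok)
            if name in counts:
                counts[name] += 1
    return counts


def is_suspicious(counts: dict) -> bool:
    """JavaScript that runs automatically, or an embedded file together with a launch action."""
    auto = counts["/OpenAction"] + counts["/AA"] > 0
    js = counts["/JavaScript"] + counts["/JS"] > 0
    return (js and auto) or (counts["/EmbeddedFile"] > 0 and counts["/Launch"] > 0)


# --- constructed sample, not the real 'Merry Christmas.pdf' ---------------------
def _flate_obj(num: int, body: bytes) -> bytes:
    packed = zlib.compress(body)
    return (f"{num} 0 obj << /Length {len(packed)} /Filter /FlateDecode >>\nstream\n".encode()
            + packed + b"\nendstream\nendobj\n")


SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert('decoy')) >> endobj\n"
    + _flate_obj(5, b"<< /S /JavaScript /JS (this.exportDataObject({cName: 'updates.js', nLaunch: 2})) >>")
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    c = scan_pdf(SAMPLE_PDF)
    print({k: v for k, v in c.items() if v}, "suspicious:", is_suspicious(c))
```

A count alone is not a verdict (forms legitimately use /JS and /AA), which is why the decision combines an automatic trigger with script or launch content; the escaped name shows why a plain grep for "JavaScript" misses real samples.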

3. How to prevent

Social engineering reaches users via e-mail or SNS. To keep your PC safe from the threats posed by these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security patches.
2. Use anti-virus software from a trusted security company, keep its engine up to date, and enable real-time protection.
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

12/22/2011

[Warning] Malicious file masqueraded as a picture of Kim Jong Il's sister

1. Information

 
On December 21, 2011, INCA Internet's Emergency Response Team detected a malicious file related to Kim Jong Il's death.
Because of the time difference, our team has been strengthening its emergency monitoring for distribution overseas.
In this context, we detected a malicious file disguised as a picture of his sister (Kim Kyung Hee).
Users therefore need to be careful when using the Internet.



This malicious file also displays a picture of Kim Kyung Hee while it silently installs an additional malicious file. Since the death of Kim Jong Il, various types of malicious files have continued to emerge.

INCA Internet Security Response Center's Emergency Response Team has detected various variants; based on our analysis, the attackers appear to be trying to evade anti-virus software.

Besides the picture of her, on December 22, 2011 we found another malicious file disguised as a PDF about the death of Kim Jong Il.


The defining feature of this case is its use of social engineering and social psychology. If infected by this kind of malicious file, the victim's PC can be controlled by the attacker.

[Warning] Additional malicious file disguised as the pic of Kim Jong Il (Update #1)
http://en-erteam.nprotect.com/2011/12/warning-additional-malicious-file.html

[Warning] Kim Jong Il Malicious scam is spreading(Update #3)
http://en-erteam.nprotect.com/2011/12/warning-kim-jong-il-malicious-scam-is.html

[Caution]Malicious file is spreading via a Korean entertainer's porn video file.
http://en-erteam.nprotect.com/2011/12/cautionmalicious-file-is-spreading-via.html

With the continuing appearance of malicious files related to Kim and his family, general users need to be careful not to be lured by phishing, e-mail attachments, unofficial news, suspicious links, or shortened SNS URLs.


It was on December 20, 2011.

In particular, be careful with attachments such as PDF, DOC, HWP, PPT, ZIP, EXE, or SCR files.

2. Malicious file with a picture of Kim Kyung Hee

During our monitoring, our team detected another malicious file disguised as a picture of Kim Jong Il's sister.
When the malicious file "Kim Kyung-hee.scr" is executed, it creates Kim Kyung-hee.jpg and msrt.exe in the Temp folder and runs them.


msrt.exe is a self-extracting RAR file that extracts wship6.tmp and server.exe into the Local Settings folder and then renames server.exe to chksrv.exe.


Because the user only sees the following image, the victim does not notice the infection.
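Both msrt.exe here and the repackaged Christmas tree installer in Case 2 of the December 26 post are WinRAR self-extracting archives. The following Python example, added here and not taken from either post, locates the RAR 4.x archive appended to an SFX stub and lists the files it carries without running it, then flags executables other than the program the installer claims to be. The sample SFX is constructed in the script (a stand-in stub and a hand-built archive with zero header CRCs, which this parser does not check); the file names are those the Case 2 post mentions and the contents are placeholders. WinRAR of that era produced RAR 4.x archives; RAR5 uses a different marker and header layout and is out of scope.

```python
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"   # RAR 4.x signature; RAR5 (2013+) uses a different marker
HEAD_MAIN, HEAD_FILE, HEAD_ENDARC = 0x73, 0x74, 0x7B
LHD_LONG_BLOCK = 0x8000              # generic block carries an ADD_SIZE field
LHD_LARGE = 0x0100                   # file header carries 64-bit size extensions
EXECUTABLE_EXTS = (".exe", ".scr", ".cmd", ".bat", ".dll", ".com")


def find_rar_marker(blob: bytes) -> int:
    """Offset of an embedded RAR 4.x archive, or -1. In an SFX it follows the stub PE."""
    return blob.find(RAR4_MARKER)


def list_sfx_contents(blob: bytes):
    """Walk the RAR 4.x block chain after the marker; return (name, unpacked_size, method)."""
    pos = find_rar_marker(blob)
    if pos < 0:
        return []
    entries = []
    while pos + 7 <= len(blob):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", blob, pos)
        if hsize < 7 or htype == HEAD_ENDARC:
            break
        add_size = 0
        if htype == HEAD_FILE:
            if pos + 32 > len(blob):
                break                                  # truncated header
            (pack_size, unp_size, _host_os, _file_crc, _ftime, _unp_ver, method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", blob, pos + 7)
            name_off = pos + 7 + 25 + (8 if flags & LHD_LARGE else 0)
            name = blob[name_off:name_off + name_size].decode("cp437", "replace")
            entries.append((name, unp_size, method))
            add_size = pack_size                       # packed data follows the header
        elif flags & LHD_LONG_BLOCK:
            add_size = struct.unpack_from("<I", blob, pos + 7)[0]
        pos += hsize + add_size
    return entries


def unexpected_executables(entries, expected=("mas.exe",)):
    """Executables inside the SFX other than the program it claims to be."""
    return [n for n, _, _ in entries
            if n.lower().endswith(EXECUTABLE_EXTS) and n.lower() not in expected]


# --- constructed sample (not the real repackaged installer) ------------------------
def _file_block(name: bytes, data: bytes) -> bytes:
    body = struct.pack("<IIBIIBBHI", len(data), len(data), 2, zlib.crc32(data) & 0xFFFFFFFF,
                       0, 29, 0x30, len(name), 0x20) + name   # method 0x30 = stored
    head = struct.pack("<HBHH", 0, HEAD_FILE, LHD_LONG_BLOCK, 7 + len(body))
    return head + body + data


def build_fake_sfx(files):
    """Stand-in stub followed by a RAR 4.x archive; header CRCs are left 0."""
    stub = b"MZ" + b"\x00" * 62 + b"[stand-in SFX stub, not a real PE]"
    archive = RAR4_MARKER + struct.pack("<HBHH", 0, HEAD_MAIN, 0, 13) + b"\x00" * 6
    for name, data in files:
        archive += _file_block(name.encode("cp437"), data)
    archive += struct.pack("<HBHH", 0, HEAD_ENDARC, 0, 7)
    return stub + archive


SAMPLE_SFX = build_fake_sfx([
    ("mas.exe", b"clean christmas tree program (placeholder bytes)"),
    ("udp.exe", b"\x90" * 16),
    ("taskngr.exe", b"\x90" * 16),
    ("drv.cmd", b"@echo off\r\n"),
])

if __name__ == "__main__":
    for name, size, method in list_sfx_contents(SAMPLE_SFX):
        print(f"{name:14s} {size:6d} bytes  method=0x{method:02x}")
    print("unexpected:", unexpected_executables(list_sfx_contents(SAMPLE_SFX)))
```

Listing the archive statically is enough to spot a repackaged installer: a freeware that should extract one program instead carries several executables with names imitating Windows components (taskngr.exe, svghost.exe, spoolcv.exe).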


3. How to prevent

To keep your PC safe from the threats posed by these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security patches.
2. Use anti-virus software from a trusted security company, keep its engine up to date, and enable real-time protection.
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

12/21/2011

[Warning] Additional malicious file disguised as the pic of Kim Jong Il (Update #1)

1. Introduction

INCA Internet's Emergency Response Team has detected a malicious file disguised as a picture of Kim Jong Il.
Its icon and extension are carefully manipulated to look like a normal image file, and it displays Kim Jong Il related images when executed.
General users can therefore hardly notice that they have been infected.
Since the death of Kim Jong Il, a great many malicious files have appeared.


 
On December 20, 2011, INCA Internet's Emergency Response Team detected various malicious files related to his death.

If a user clicks the file and executes the malicious attachment, the user's PC becomes infected.

[Warning] Kim Jong Il Malicious scam is spreading
http://en-erteam.nprotect.com/2011/12/warning-kim-jong-il-malicious-scam-is.html

[Caution]Malicious file is spreading via a Korean entertainer's porn video file.
http://en-erteam.nprotect.com/2011/12/cautionmalicious-file-is-spreading-via.html

This creates opportunities for various phishing attacks; users therefore need to be careful about opening unofficial and suspicious news, image files, video clips, and shortened URLs.

In particular, various attachments (PDF, DOC, HWP, PPT, ZIP, EXE, and SCR) can be malicious.

2. Spreading path and symptoms of infection

INCA Internet's Emergency Response Team has found another malicious file disguised as a picture of Kim Jong Il.
Unlike the previous malicious files, which used PDF and DOC vulnerabilities, this one is a plain executable disguised as a picture of Kim Jong Il.

Its icon is the default JPG icon, and its real extension only becomes visible when "Hide extensions for known file types" is unchecked in the Folder Options of Windows Explorer. The SCR extension actually belongs to screen savers, which are ordinary executables, and the file borrows it to disguise itself.

Its file name also invokes Kim Jong-il to draw attention.

Users are infected simply by executing it.

First, it creates Update.exe in the Application Data folder with the hidden attribute, then it creates Kim Jong-il.jpg in the same path as the executed Kim Jong-il.jpg.scr.


It then creates MSN Talk Start.lnk in the Startup folder and finally deletes Kim Jong-il.jpg.scr, leaving no visible trace of the malicious file.


The malware tries to connect to a specific host and installs malicious files such as Kserver.exe and kserver.dll in the Recycle Bin folder.

These two files are the server side of a remote-command backdoor; the attacker gains full administrator privileges on the victim's PC and can monitor it.
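To show what the disguise relies on, here is an added Python example (not part of the original post) that mimics Explorer's name display with "Hide extensions for known file types" enabled and checks a file's leading bytes against the extension it claims. The sample bytes are placeholders, not the real Kim Jong-il.jpg.scr; only the file name comes from the post, and the extension lists are assumptions.

```python
import ntpath

# First bytes that identify the real file type, regardless of the name Explorer shows.
MAGIC = (
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF8", "GIF"),
    (b"%PDF", "PDF"),
    (b"MZ", "PE executable"),
)
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
DOCUMENT_EXTS = {".pdf", ".doc", ".hwp", ".ppt"}


def sniff(data: bytes) -> str:
    """Type according to the magic bytes, or 'unknown'."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on: the last
    registered extension is dropped, so 'Kim Jong-il.jpg.scr' reads as a JPG."""
    stem, ext = ntpath.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | IMAGE_EXTS | DOCUMENT_EXTS else filename


def assess(filename: str, data: bytes):
    """Reasons the file looks like a disguised executable (empty list = nothing found)."""
    reasons = []
    stem, real_ext = ntpath.splitext(filename.lower())
    inner_ext = ntpath.splitext(stem)[1]
    kind = sniff(data)
    if real_ext in EXECUTABLE_EXTS and inner_ext in IMAGE_EXTS | DOCUMENT_EXTS:
        reasons.append(f"double extension: looks like {inner_ext} but is {real_ext}")
    if real_ext in EXECUTABLE_EXTS and displayed_name(filename) != filename:
        reasons.append(f"Explorer would show it as {displayed_name(filename)!r}")
    if kind == "PE executable" and real_ext not in EXECUTABLE_EXTS and real_ext != ".dll":
        reasons.append(f"content is a PE executable but the extension is {real_ext or 'missing'}")
    return reasons


# Constructed samples (placeholder bytes, not the real files from the post).
FAKE_PICTURE = b"MZ" + b"\x00" * 62 + b"[stand-in PE body]"
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

if __name__ == "__main__":
    print(displayed_name("Kim Jong-il.jpg.scr"))
    for reason in assess("Kim Jong-il.jpg.scr", FAKE_PICTURE):
        print(" -", reason)
```

A mail gateway or endpoint agent that applies the magic-byte check catches the variant in which the extension is a plain .jpg but the content is a PE, which the double-extension rule alone would miss.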



* Update 2011. 12. 21


We found the malicious file "The Death of North Korea's Kim Jong Il.pdf" and added its signature to nProtect Anti-Virus.



3. How to prevent

To keep your PC safe from the threats posed by these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security patches.
2. Use anti-virus software from a trusted security company, keep its engine up to date, and enable real-time protection.
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

12/20/2011

[Warning] Kim Jong Il Malicious scam is spreading(Update #3)

1. Introduction

The death of North Korean leader Kim Jong Il was major news on December 17.
Such news typically brings a wave of related stories and of malicious files spread through social engineering.
For this reason, INCA Internet's Emergency Response Team has been concentrating on monitoring.
We have previously seen malicious files built around a Korean entertainer's porn video, the death of Steve Jobs, the death of Gaddafi, and so on.





[Caution]Malicious file is spreading via a Korean entertainer's porn video file.

http://en-erteam.nprotect.com/2011/12/cautionmalicious-file-is-spreading-via.html

Because social engineering, a classic technique, exploits social issues to spread malicious files, users need to be careful when using the Internet.

2. Real cases

INCA Internet's Emergency Response Team found an advertising scam built around his remains and raised our detection level.

The following figure is a capture of a blog post. Its title was "Body analysis of Kim Jong-il" and it included attached pictures and video files.

However, the video is NOT REAL. It is just a JPG image linking to a certain URL. The trick is very simple, but it is easy to click.


The following figure shows one of the YouTube pages; someone posted a comment with a link that users can click.
Various such videos have been found so far.


Clicking the link redirects to a page that prompts the user to install a certain program in order to play the video.



Clicking Start downloads ClickPotato.


In addition to this advertising scam, malicious e-mails carrying malicious files have been found.

Title :
N Korean leader Kim Jong-il dies

Body :
[CNN]North Korean leader Kim Jong-il has died of a heart attack at the age of 69, state media have announced.

Attachment :
brief_introduction_of_kim-jong-il.pdf.pdf

Two types of file names have been found: one exploits a PDF vulnerability and the other an RTF vulnerability. We sent both samples to KISA (Korea Information Security Agency) and have cooperated on the cybercrime investigation.

The PDF uses the CVE-2010-2883 (detected as Win32.CVE-2010-2883) and CVE-2011-0611 exploits; both are fixed by Adobe's security updates, so a fully patched Adobe Reader is not affected.

Although it carries a .doc extension, the file has the structure of a real RTF file, and it uses the RTF stack buffer overflow (CVE-2010-3333, fixed by MS10-087) exploit.

Brief introduction of Kim Jong-il.pdf
Kim Jong-ils death affects N. Koreas nuclear programs.doc
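An added Python triage example (not the post's own tooling) for the second attachment: it checks whether a .doc is really RTF text rather than an OLE2 container, and measures the pFragments shape-property value that CVE-2010-3333 exploits abuse with an oversized hex blob. The samples are constructed and contain no shellcode; the 128-character threshold is an assumption, chosen well above any legitimate fragment list.

```python
import re

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # real binary .doc (Compound File)
RTF_MAGIC = b"{\\rtf"

# CVE-2010-3333 is triggered by an oversized 'pFragments' shape property value;
# a legitimate value is a short list of numbers, not hundreds of hex digits.
PFRAGMENTS = re.compile(rb"\\sn\s*pFragments\s*\}.*?\\sv\s*([^}]*)", re.S | re.I)


def is_rtf(data: bytes) -> bool:
    return data.lstrip().startswith(RTF_MAGIC)


def extension_mismatch(filename: str, data: bytes) -> bool:
    """A '.doc' that is RTF text rather than an OLE2 container, as in the post."""
    return filename.lower().endswith(".doc") and is_rtf(data) and not data.startswith(OLE2_MAGIC)


def pfragments_lengths(data: bytes):
    """Length of every pFragments \\sv value found in the document."""
    return [len(m.group(1).strip()) for m in PFRAGMENTS.finditer(data)]


def triage(filename: str, data: bytes, threshold: int = 128):
    findings = []
    if extension_mismatch(filename, data):
        findings.append("doc-is-rtf")
    if any(n > threshold for n in pfragments_lengths(data)):
        findings.append("pfragments-overflow-candidate")
    return findings


# Constructed samples (not the real attachments from the post).
EXPLOIT_LIKE = (b"{\\rtf1{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;1;"
                + b"41" * 400 + b"}}}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Kim Jong-il's death affects N. Korea's nuclear programs.\\par}"

if __name__ == "__main__":
    print(triage("Kim Jong-ils death affects N. Koreas nuclear programs.doc", EXPLOIT_LIKE))
    print(triage("notes.doc", BENIGN_RTF))
```

The extension mismatch on its own is common in legitimate mail (Word happily opens RTF named .doc), so it is a weak signal; the oversized pFragments value is the part worth blocking on for unpatched hosts.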


The following figure shows the malicious PDF when opened. It looks like a genuine document.



When the PDF exploit succeeds, it silently downloads and executes a malicious file disguised as a Google Update component, along with a clean decoy PDF, in the user's Local Settings folder.



fabc.scr and abc.scr differ by only 5 bytes.
Adding the bytes 4D 5A 20 0D 0A (the start of an MZ header) to fabc.scr yields abc.scr, which suggests the downloaded file is an executable with its header stripped that is rebuilt on the victim's machine; log1.txt shows the difference.





abc.scr is removed after it creates another malicious file and GoogleUpdate.exe in the same folder.

C:\Documents and Settings\(User name)\Local Settings\Application Data\GoogleUpdate.exe
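The following Python example is added here (it is not code from the post) to show the staging trick implied by that 5-byte difference: the downloaded fabc.scr carries no MZ/PE header for a network scanner to key on, and the dropper rebuilds a valid executable by putting the bytes back. The minimal PE image is constructed in the script; the assumption that the five bytes belong at the start follows from 4D 5A being the MZ signature.

```python
import struct

STRIPPED_PREFIX = b"MZ \r\n"   # 4D 5A 20 0D 0A, the five bytes the post says turn fabc.scr into abc.scr


def is_valid_pe(data: bytes) -> bool:
    """MZ magic, e_lfanew within the buffer, and a 'PE\\0\\0' signature at that offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def byte_diff_count(a: bytes, b: bytes) -> int:
    """How many leading bytes the longer buffer has beyond the shorter one (-1 if not a suffix)."""
    longer, shorter = (a, b) if len(a) >= len(b) else (b, a)
    return len(longer) - len(shorter) if longer.endswith(shorter) else -1


def restore_pe(stripped: bytes, prefix: bytes = STRIPPED_PREFIX) -> bytes:
    """Prepend the removed header bytes and refuse the result unless it parses as a PE."""
    candidate = prefix + stripped
    if not is_valid_pe(candidate):
        raise ValueError("prefix does not yield a valid PE")
    return candidate


# Constructed minimal PE image (not the real abc.scr): a DOS header whose first bytes
# are the prefix above, e_lfanew = 0x40, then the PE signature and a 20-byte COFF header.
# The loader ignores the DOS fields other than e_magic and e_lfanew, so 'MZ \r\n' is fine.
def build_min_pe() -> bytes:
    dos = bytearray(0x40)
    dos[:5] = STRIPPED_PREFIX
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, one section
    return bytes(dos) + b"PE\x00\x00" + coff


ABC_SCR = build_min_pe()    # what lands on disk after the dropper repairs the header
FABC_SCR = ABC_SCR[5:]      # what is downloaded: no 'MZ', so a content scan sees no executable

if __name__ == "__main__":
    print("downloaded file is PE:", is_valid_pe(FABC_SCR))
    print("restored file is PE:", is_valid_pe(restore_pe(FABC_SCR)))
```

The defensive lesson is that a download whose first bytes are not MZ can still be an executable in transit; detection has to look at what the dropper writes afterwards (the GoogleUpdate.exe path above) rather than at the bytes on the wire.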



This malicious file tries to connect to a specific host and can perform malicious actions on the attacker's command.


INCA Internet's Emergency Response Team has collected these malicious files and the signature update is complete.


3. Finishing

Luring users to click a URL or a fake video thumbnail is a common social engineering technique. To keep your PC safe from the threats posed by these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security patches.
2. Use anti-virus software from a trusted security company, keep its engine up to date, and enable real-time protection.
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received via instant messenger and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for the malicious files described above with "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.

12/16/2011

[Information] Automatic detection and analysis system of malicious Android application

1. Information

INCA Internet Security Response Center's Emergency Response Team has been collecting Android malicious files for immediate response since July 2011. To collect and analyze them automatically, we developed an automation system based on a malicious-similarity policy.
With this system we have accumulated about 2,000 Android malicious files.
The number of malicious Android apps is larger than we expected.
 


It is well known that the number of Android malicious files has been rising rapidly since the beginning of the second half of the year; however, no malicious file specifically targeting Korean users has been reported yet.
Korean users are therefore not yet familiar with these security threats.

[Information] Malicious Android app for multiple countries
http://en-erteam.nprotect.com/2011/12/information-malicious-android-app-for.html

[Information] Android malicious application in Europe
http://en-erteam.nprotect.com/2011/12/information-android-malicious.html

[Information] Status for Android-based mobile malicious file
http://en-erteam.nprotect.com/2011/11/information-status-for-android-based.html

INCA Internet Security Response Center's Emergency Response Team has been preparing a response system for Android security threats.

2. Status of Android file collection

On December 6, 2011, Google announced that cumulative downloads from Android Market had passed 10 billion. APK files are also distributed through third-party markets.


According to Google's announcement, Korea ranked #1, meaning South Korea has the most active smartphone app users.
It is notable that China does not appear in this table; this likely means that a great number of Chinese users rely on third-party markets.

The following figure shows the top 10 most app-crazed countries.


INCA Internet Security Response Center's Emergency Response Team has collected various malicious files using information on third-party markets.


Chinese third-party market

Our automatic APK crawling system has collected about 57,000 files (153 GB), and new apps are downloaded every day.

In 2012 we will widen the range of third-party markets covered and the processing capacity.

The following figure shows the download status of our automatic APK collection system.
We use this program to download APK files.

Among the collected files there are about 2,000 malicious APKs, including Geinimi, ADRD, BaseBrid, GoldDream, DroidKungFu, SendSMS, FakeInstall, GingerMaster, Rooter, and so on, along with numerous variants of each.

The following folder sizes show our collected APKs, which will be covered by nProtect Mobile for Android.


With this program, we cut APK analysis time by more than 80% by classifying variants automatically.
The following figure shows a target file automatically decompiled and analyzed by our automation system.
First, it extracts the manifest and the decompiled code for code analysis. It then compares the extracted code against INCA Internet's malicious patterns; files that match are moved to the malicious sample folder (more than 98% of those files turned out to be malicious).
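As an added sketch (not INCA Internet's actual system) of the similarity-based sorting described above, the following Python script profiles an APK's code-bearing entries, scores it against known-family profiles with Jaccard similarity, and routes it to a sample folder. The APKs are constructed zip files with placeholder manifests and dex bytes; the family label and the 0.5 threshold are assumptions, and real manifests are binary AXML that this script does not decode.

```python
import hashlib
import io
import zipfile

# Stand-in for the post's "extracted code": the APK's code-bearing entries hashed
# individually. Resources are deliberately excluded, because a repackaged app shares
# almost all of its resources with the clean original and would cluster with it.
CODE_ENTRIES = ("AndroidManifest.xml", "classes.dex")


def apk_profile(apk_bytes: bytes) -> set:
    """Set of (entry name, sha256) for the manifest, dex files and native libraries."""
    profile = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if name in CODE_ENTRIES or name.startswith("lib/") or name.startswith("classes"):
                profile.add((name, hashlib.sha256(z.read(info)).hexdigest()))
    return profile


def jaccard(a: set, b: set) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def classify(profile: set, families: dict, threshold: float = 0.5):
    """Best-matching family and its score; None when no family reaches the threshold."""
    family, score = max(((f, jaccard(profile, sig)) for f, sig in families.items()),
                        key=lambda fs: fs[1])
    return (family, score) if score >= threshold else (None, score)


def route(apk_bytes: bytes, families: dict) -> str:
    """Folder the sample is moved to, mirroring the sorting step described in the post."""
    family, _ = classify(apk_profile(apk_bytes), families)
    return f"samples/malicious/{family}" if family else "samples/unknown"


# Constructed APKs (zip containers with placeholder content, not real malware).
def build_apk(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


MANIFEST_SMS = "<manifest><uses-permission android:name='android.permission.SEND_SMS'/></manifest>"
KNOWN_SAMPLE = build_apk({
    "AndroidManifest.xml": MANIFEST_SMS,
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "lib/armeabi/libhelper.so": b"\x7fELF" + b"B" * 32,
    "res/drawable/icon.png": b"\x89PNG" + b"C" * 16,
})
VARIANT = build_apk({
    "AndroidManifest.xml": MANIFEST_SMS,
    "classes.dex": b"dex\n035\x00" + b"A" * 60 + b"PATCH",   # recompiled payload
    "lib/armeabi/libhelper.so": b"\x7fELF" + b"B" * 32,
    "res/drawable/icon.png": b"\x89PNG" + b"D" * 16,         # different host app
})
CLEAN_APP = build_apk({
    "AndroidManifest.xml": "<manifest><uses-permission android:name='android.permission.INTERNET'/></manifest>",
    "classes.dex": b"dex\n035\x00" + b"Z" * 64,
})

FAMILIES = {"SendSMS-like": apk_profile(KNOWN_SAMPLE)}

if __name__ == "__main__":
    for label, apk in (("variant", VARIANT), ("clean", CLEAN_APP)):
        print(label, classify(apk_profile(apk), FAMILIES), route(apk, FAMILIES))
```

Whole-file hashes are a coarse similarity measure; a production pipeline would compare decompiled method signatures or manifest permission sets so that a variant with a recompiled classes.dex still scores high, which is why the threshold here is kept low.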


3. Finishing

The rapid increase in Android malicious files is remarkable. Attackers are aiming at a variety of targets, so users need to be careful.

The following figure shows the detection status of nProtect Mobile for Android.



To use your smartphone safely despite the threats posed by these malicious applications, we recommend the following "Smartphone security management tips" for general users.


Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine up to date, and enable real-time protection.
2. Download only applications that have been proven by many users.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from your smartphone.
5. Avoid opening MMS, text messages, or e-mails from unknown senders.
6. Always set a strong password on your smartphone.
7. Turn on wireless interfaces such as Bluetooth only when they are in use.
8. Do not store important information on your phone.
9. Do not attempt unauthorized customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal for the malicious files described above with "nProtect Mobile for Android" and operates a response system against various security threats.