Malicious hackers are trying to spread malicious files by taking advantage of the Christmas season and the end of the year.
Users need to be careful with e-mails and messages that mention "Christmas", a video URL, a season's greeting, an SNS message, or a shortened URL, especially when they carry an attachment or a link.
Malicious file distributors use social engineering and current social issues to spread malicious files.
Our team strengthened its emergency monitoring during the Christmas season and found many distribution cases.
2. Malicious files related to Christmas
During this Christmas, an MS Word exploit, a trojanized Christmas program, and PDF exploits have been reported.
* Case1 - THIS XMAS SAY NO TO MADE IN CHINA
This e-mail appeared to be related to Tibet, and it contains an attachment named "THIS XMAS SAY NO TO MADE IN CHINA.doc".
The attachment is malicious and secretly installs a malicious file.
This e-mail is believed to have spread malicious files to multiple countries.
The recipients included Indian, Nepalese, Swiss, Japanese, Canadian, French, and Russian addresses; therefore, the attacker appears to have targeted Tibet-related users.
If the user opens the attachment, it creates a normal-looking document and shows it to the user, then creates another malicious file and executes it.
Let's look at the document.
Those files, including wordupgrade.exe, are created in the Temp folder and executed, and the malware hides itself using batch commands.
Once the malicious "wordupgrade.exe" runs, it installs an additional malicious file disguised as an internet service component; "wordupgrade.exe" is then deleted by a batch file command.
Executing "Internet Services.exe" creates further malicious files, which are likewise deleted by its batch file command.
It then connects to a certain host and waits for additional commands. Once the remote control connection is established, the backdoor is operational and the victim's PC is at risk.
* Case 2 - Malicious file disguised as Christmas decoration program
The Christmas tree desktop program appears in the bottom right corner of the desktop.
This freeware can be downloaded from http://get-xmas.com/; the malicious file distributor injected malicious code into it and repackaged it.
The malicious file uses a WinRAR SFX (self-extracting) archive, and it contains various malicious files alongside the legitimate mas.exe.
Once executed, it creates "udp.exe, taskngr.exe, drv.cmd, mas.exe, spoolcv.exe, svghost.exe" in the system folder, and it can update itself with additional malicious files by accessing a certain domain.
Its most notable feature is that it is disguised as install_flash_player.exe, and like the program above it uses a WinRAR SFX archive.
This malicious file can download an additional malicious file disguised as a Flash Player.
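As an added example (not from the original advisory or from INCA Internet), the following Python script shows one way a defender can flag dropped files like those in Case 2: several of the listed names (taskngr.exe, spoolcv.exe, svghost.exe) are one-letter variations of legitimate Windows process names (taskmgr.exe, spoolsv.exe, svchost.exe). The script compares the names in a directory listing against a baseline of legitimate names using string similarity. The file listing and the baseline are constructed sample data, and the similarity threshold is an assumption to tune against your own environment.

```python
import difflib
from typing import Dict, Iterable, List

# Baseline of legitimate Windows process names that malware commonly imitates.
# Constructed reference list; extend it from a known-good system image.
LEGIT_NAMES: List[str] = [
    "svchost.exe", "spoolsv.exe", "taskmgr.exe",
    "lsass.exe", "csrss.exe", "explorer.exe",
]

# Constructed sample listing of a system folder: the names reported in
# Case 2 of the advisory mixed with a few genuine files.
SAMPLE_SYSTEM_FOLDER: List[str] = [
    "svchost.exe", "spoolsv.exe", "taskmgr.exe",
    "udp.exe", "taskngr.exe", "drv.cmd", "mas.exe",
    "spoolcv.exe", "svghost.exe", "notepad.exe",
]

# Assumed threshold: 0.85 catches one-character swaps in ~11-character
# names (ratio ~0.91) while leaving unrelated names (ratio < 0.8) alone.
DEFAULT_THRESHOLD = 0.85


def lookalike_score(name: str, legit: str) -> float:
    """Similarity in [0, 1] between two filenames, case-insensitive."""
    return difflib.SequenceMatcher(None, name.lower(), legit.lower()).ratio()


def find_lookalikes(filenames: Iterable[str],
                    legit_names: List[str] = LEGIT_NAMES,
                    threshold: float = DEFAULT_THRESHOLD) -> Dict[str, str]:
    """Return {suspicious_filename: legitimate_name_it_resembles}.

    A file is reported only when it is NOT an exact legitimate name but
    is very close to one, i.e. a probable typosquatted process name.
    """
    legit_set = {n.lower() for n in legit_names}
    hits: Dict[str, str] = {}
    for fname in filenames:
        low = fname.lower()
        if low in legit_set:
            continue  # exact legitimate name: not a lookalike
        best = max(legit_names, key=lambda legit: lookalike_score(low, legit))
        if lookalike_score(low, best) >= threshold:
            hits[fname] = best
    return hits


if __name__ == "__main__":
    # Usage against the constructed listing; swap in os.listdir() of the
    # real system folder when running this on a host.
    for suspect, legit in find_lookalikes(SAMPLE_SYSTEM_FOLDER).items():
        print(f"suspicious: {suspect!r} resembles {legit!r}")
```

Files named udp.exe, drv.cmd, or mas.exe do not resemble any baseline name and are not reported by this check; they would need a separate rule, such as a hash or signer check against the known-good image.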
* Case 3 - Malicious file using PDF exploit
Merry Christmas.pdf exploits a vulnerability in Adobe Reader and installs secretly.
When the malicious PDF file is opened, it disguises itself as a normal file by displaying a normal document.
3. How to prevent
Social engineering reaches users via e-mail or SNS. To keep your PC safe from the security threats of these malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.