12345

12/08/2011

[Caution]Malicious file is spreading via a Korean entertainer's porn video file.

1. Introduction

December 7, 2011 INCA Internet Emergency Response Team detected that one of Korean entertainer's porn was being spread including malicious file.
This archived file contains her private pictures, video files, and malicious files.
Since malicious file spreader seems to be aimed at its popularity and redistribution, general users need to be careful on using internet.
With news of her porn, a lot of people searched her video on internet and her name was top ranked on web portal site.
To keep her private and general users from malicious files, something got to be done.

2. Spreading path and symptoms of infection

This malicious file used social engineering technique for its spreading and it uses social issues and public interest. Malicious file distributor seemed to be aiming at its spreading extremely in a short time.

[Information] Be careful about scams around the end of the year
http://en-erteam.nprotect.com/2011/12/information-be-careful-about-scams.html

Origin of spreading malicious file site is a certain community which has about 70,000 users.
Some of users are being expected to be infected by malicious files. Suspected IP addresses had been blocked by KISA(Korea Information Security Agency), however, users need to be careful on similar types. Malicious file is linked as a reply as following.


Twitter is also used to spread that URL address.



Following post is a case of certain bulletin board. Users can click the URL on its post.


That ZIP file contains 8 JPG files, 1 EXE file, and 1 TXT file.


JPG files are captures of private video and those files induce user to click malicious file.


EXE file, archive as SFX type, will extract itself video file and JPG files on certain folder. Besides, it contains document file for its spreading.


In this process, netsecurity.exe will be created and executed. And netdrvsrty.exe will be inserted on system folder. Finally, netsecurity.exe will be erased itself.


Except for spreading malicious file, entertainer's porn file is being included as a MP4 file.


netsecurity.exe will create netdrvsrty.exe on system folder and will try to access certain domain(C&C).  It hasn't performed any command so far, however, various additional malicious behaviors can be performed. INCA Internet Emergency Response Team expected that file as a Adware for domestic users.


And the TXT file ("exe파일을클릭하면압축이풀립니다.다른분한테줄때도이파일을그대로주어야추적이되지않습니다.txt") is for its redistribution.


 
3. How to prevent
 
Social engineering is commonly understood to mean the art of manipulating people into performing actions or divulging confidential information. Real porn of someone can invade of his/her privacy. To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function “ON”
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.
5. Execute downloaded file after scan with anti-virus SW.

INCA Internet (Security Response Center / Emergency Response Team) runs responding system against various security threats.

No comments:

Post a Comment