[Warning] Kim Jong Il Malicious scam is spreading(Update #3)

1. Introduction

The news of the death of North Korean leader Kim Jong Il was big issue on December 17.
According to this news, various related news and spreading malicious file with social engineering can be happened.
With this reason, INCA Internet's Emergency Response Team has been being concentrated on monitoring.
Various types of malicious file including a Korean entertainer's porn, the death of Steve Jobs, the death of Gadaffi, and so on.

[Caution]Malicious file is spreading via a Korean entertainer's porn video file.


Because social engineering, a classic technique, uses social issue to spreading malicious file, users need to be careful on using internet.

2. Real cases

INCA Internet's Emergency Response Team found the scam for AD with his remains and fortify our detecting level.

Following figure is a capture of blog. The title was "Body analysis of Kim Jong-il" and uploaded attached pics and video files.

However, this video file is NOT REAL. It was just a jpg file and has link to certain URL. This way is very simple but it can be clicked easily.

Following figure is a one of YouTube pages, someone posted reply and user can click that link.
Various videos have been found so far.

To click the link, URL will be redirected to certain page, which leads user to install certain program for playing video file.

To click start, you can download ClickPotato.

Not only this AD, malicious e-mail including malicious file has been found.

Title :
N Korean leader Kim Jong-il dies

Body :
[CNN]North Korean leader Kim Jong-il has died of a heart attack at the age of 69, state media have announced.

Attachment :

2 types of file names have been found. One contains vulnerability in PDF and another contains vulnerability in RTF. We sent both samples to KISA(Korea Information Security Agency) and have cooperated for cybercrime.

Vulnerability in PDF used Win32.CVE-2010-2883, CVE-2011-0611 exploit; therefore, Adobe Reader can be safe with update latest security path.

DOC file structure is same as real RTF file, and it used RTF Stack Buffer Overflow (CVE-2010-3333) exploit.

Brief introduction of Kim Jong-il.pdf
Kim Jong-ils death affects N. Koreas nuclear programs.doc

Following figure is executed malicious PDF file. But it looks like real one.

When vulnerability of PDF document works, it will secretly download and execute malicious and normal PDF files disguised as a Google update related file on User's Local Settings folder.

fabc.scr and abc.scr are different within 5 bytes.
Adding Hex values(4D, 5A, 20, 0D, 0A) on fabc.scr will be abc.src, and log1.txt has the difference.

abc.src will be removed after it creates another malicious file and GoogleUpdate.exe on same folder.

C:\Documents and Settings\(User name)\Local Settings\Application Data\GoogleUpdate.exe

This malicious file is trying to access certain host and it can perform malicious behavior with attacker's command.

INCA Internet's Emergency Response Team collected these malicious file and update is completed.

3. Finishing

Inducing users to click URL or fake video file image is a usual technique of social enginnering. To use PC safely from security threats of these malicious attachments, we recommend you download latest security updates and obey following "Security management tips" for general users.

Security management tips

1. Maintain the latest security update on OS and applications
2. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
3. Do not see and download attached file from suspicious e-mail.
4. Keep caution to link from instant messenger and SNS.
5. Execute downloaded file after scan with anti-virus SW.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with “nProtect Anti-Virus/Spyware” for detecting such as malicious file stated above and runs responding system against various security threats.