Following this news, related reports and the spread of malicious files through social engineering can be expected.
For this reason, INCA Internet's Emergency Response Team has been concentrating on monitoring.
Various malicious files have already used lures such as a Korean entertainer's pornographic video, the death of Steve Jobs, the death of Gaddafi, and so on.
Because social engineering, a classic technique, exploits social issues to spread malicious files, users need to be careful when using the internet.
2. Real cases
INCA Internet's Emergency Response Team found an advertising scam built around images of his remains and has raised its detection level accordingly.
The following figure is a capture of the blog. The post was titled "Body analysis of Kim Jong-il" and carried attached pictures and video files.
However, the video file is NOT REAL: it is just a JPG image that links to a certain URL. The trick is very simple, but it is easily clicked.
The following figure shows one of the YouTube pages where someone posted a comment containing a link that users can click.
Various such videos have been found so far.
Clicking the link redirects the user to a certain page, which prompts the user to install a certain program in order to play the video file.
Clicking Start downloads ClickPotato.
In addition to this advertising scam, malicious e-mails carrying malicious attachments have been found.
Two file names have been found. One exploits a vulnerability in PDF and the other a vulnerability in RTF. We sent both samples to KISA (Korea Information Security Agency) and have cooperated on the cybercrime investigation.
The PDF uses the Win32.CVE-2010-2883 and CVE-2011-0611 exploits; Adobe Reader users are therefore safe if they have applied the latest security patch.
The DOC file has the structure of a real RTF file, and it uses the RTF Stack Buffer Overflow (CVE-2010-3333) exploit.
Brief introduction of Kim Jong-il.pdf
Kim Jong-ils death affects N. Koreas nuclear programs.doc
The following figure shows the malicious PDF file when opened. It looks like a genuine document.
When the PDF vulnerability is triggered, it secretly downloads and executes a malicious file and a normal decoy PDF, disguised as Google update related files, in the user's Local Settings folder.
fabc.scr and abc.scr differ by only 5 bytes.
Adding the hex values (4D, 5A, 20, 0D, 0A) to fabc.scr produces abc.scr, and log1.txt records the difference.
abc.scr is deleted after it creates another malicious file and GoogleUpdate.exe in the same folder.
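Two of the indicators above lend themselves to a simple triage check: a ".doc" attachment whose content is really RTF, and a dropped ".scr" payload stored without its MZ signature until the five bytes are added back. The script below is an added example written for this post, not INCA Internet's or nProtect's code; it assumes the five bytes are prepended (the post does not say where they are inserted), and the "abc.scr" stand-in is a constructed minimal header, not the real sample.

```python
import struct

# Magic numbers of the formats discussed in the post.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # genuine Word .doc (compound file)
RTF_MAGIC = b"{\\rtf"
PDF_MAGIC = b"%PDF-"
# The five bytes the post reports as the difference between fabc.scr and abc.scr.
# Assumption: they are prepended, i.e. abc.scr = MZ_PREFIX + fabc.scr.
MZ_PREFIX = bytes([0x4D, 0x5A, 0x20, 0x0D, 0x0A])

def classify(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-doc"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension promises one format but the content is another,
    e.g. a .doc that is really RTF, as in the lure described in the post."""
    expected = {"doc": "ole2-doc", "pdf": "pdf", "scr": "pe", "exe": "pe"}
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in expected and classify(data) != expected[ext]

def is_headerless_pe(data: bytes) -> bool:
    """True if prepending MZ_PREFIX yields a blob whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature: a payload stored without its MZ header."""
    candidate = MZ_PREFIX + data
    if len(candidate) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", candidate, 0x3C)[0]
    return candidate[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def constructed_abc_scr() -> bytes:
    """Constructed stand-in for abc.scr: a minimal DOS header whose e_lfanew
    points at a PE signature. Not the real sample."""
    hdr = bytearray(0x40)
    hdr[0:5] = MZ_PREFIX
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20

if __name__ == "__main__":
    abc = constructed_abc_scr()
    fabc = abc[5:]   # the headerless form, as the post describes fabc.scr
    print(classify(fabc), is_headerless_pe(fabc))
    print(extension_mismatch("report.doc", b"{\\rtf1\\ansi constructed}"))
```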
This malicious file attempts to connect to a certain host and can perform malicious actions on the attacker's command.
INCA Internet's Emergency Response Team has collected these malicious files, and the signature update is complete.
Inducing users to click a URL or a fake video image is a common social engineering technique. To keep your PC safe from the security threats posed by such malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" for general users below.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and removal of malicious files such as those described above through "nProtect Anti-Virus/Spyware" and operates a response system against various security threats.