
12/20/2011

[Warning] Kim Jong Il malicious scam is spreading (Update #3)

1. Introduction

The death of North Korean leader Kim Jong Il was major news on December 17.
Whenever news like this breaks, related stories follow, and malicious files are spread through social engineering that exploits the topic.
For this reason, INCA Internet's Emergency Response Team has been concentrating on monitoring.
Various malicious files have already used lures such as a Korean entertainer's porn video, the death of Steve Jobs, the death of Gaddafi, and so on.





[Caution] A malicious file is spreading via a Korean entertainer's porn video file.

http://en-erteam.nprotect.com/2011/12/cautionmalicious-file-is-spreading-via.html

Because social engineering, a classic technique, uses topical issues to spread malicious files, users need to be careful when using the internet.

2. Real cases

INCA Internet's Emergency Response Team found a scam that uses images of his remains as a lure for advertising software, and has strengthened our detection accordingly.

The following figure is a capture of a blog. The post was titled "Body analysis of Kim Jong-il" and included attached pictures and video files.

However, this video file is NOT REAL. It is just a JPG image that links to a certain URL. The trick is very simple, but it is easily clicked.


The following figure is one of the YouTube pages: someone posted a reply containing the link, and users can click it.
Various such videos have been found so far.


Clicking the link redirects the user to a certain page, which leads the user to install a certain program in order to play the video file.



Clicking Start downloads ClickPotato.


Besides this advertising scam, malicious e-mails carrying a malicious attachment have also been found.

Title :
N Korean leader Kim Jong-il dies

Body :
[CNN]North Korean leader Kim Jong-il has died of a heart attack at the age of 69, state media have announced.

Attachment :
brief_introduction_of_kim-jong-il.pdf.pdf

Two file names have been found. One attachment exploits a vulnerability in PDF and the other a vulnerability in RTF. We sent both samples to KISA (Korea Information Security Agency) and have cooperated on the cybercrime investigation.

The PDF attachment uses the Win32.CVE-2010-2883 and CVE-2011-0611 exploits; therefore, Adobe Reader is safe once the latest security patch is applied.

The DOC file has the same internal structure as a real RTF file, and it uses the RTF Stack Buffer Overflow (CVE-2010-3333) exploit.

Brief introduction of Kim Jong-il.pdf
Kim Jong-ils death affects N. Koreas nuclear programs.doc
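The two lures above share a pattern: a double extension (".pdf.pdf") and a ".doc" whose bytes are really RTF. The following triage check, an added example rather than nProtect's own code, flags both traits from the file name and leading bytes; the magic-byte table and sample contents are constructed for the example.

```python
import os
from typing import List

# Constructed magic-byte table for the container formats discussed in this post.
MAGIC = {
    "pdf": b"%PDF",
    "rtf": b"{\\rtf",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound document
    "exe": b"MZ",
}
DOC_EXTS = {"pdf", "doc", "rtf", "exe", "scr"}

def actual_format(data: bytes) -> str:
    """Identify the container format from its leading bytes, ignoring the file name."""
    for fmt, sig in MAGIC.items():
        if data.startswith(sig):
            return fmt
    return "unknown"

def attachment_findings(name: str, data: bytes) -> List[str]:
    """Return the suspicious traits a mail gateway would flag for one attachment."""
    findings = []
    stem, ext = os.path.splitext(name.lower())
    ext = ext.lstrip(".")
    # Double extension such as ".pdf.pdf": the inner part must itself be a document/executable extension.
    if os.path.splitext(stem)[1].lstrip(".") in DOC_EXTS:
        findings.append(f"double extension: {name}")
    fmt = actual_format(data)
    # A ".doc" that is really RTF is the delivery vector for CVE-2010-3333 in this campaign.
    if ext == "doc" and fmt == "rtf":
        findings.append("declared .doc but content is RTF (CVE-2010-3333 vector)")
    elif ext in MAGIC and fmt != ext:
        findings.append(f"declared .{ext} but content is {fmt}")
    return findings

# Constructed sample contents paired with the attachment names reported in this post.
SAMPLES = {
    "brief_introduction_of_kim-jong-il.pdf.pdf": b"%PDF-1.6\n%\xe2\xe3\xcf\xd3\n",
    "Kim Jong-ils death affects N. Koreas nuclear programs.doc": b"{\\rtf1\\ansi\\deff0 ...}",
}

if __name__ == "__main__":
    for n, d in SAMPLES.items():
        print(n, "->", attachment_findings(n, d) or ["no findings"])
```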


The following figure shows the malicious PDF file being opened. It looks like a real document.



When the PDF exploit succeeds, it secretly downloads and executes a malicious file, disguised as a Google update related file, together with a normal PDF file, in the user's Local Settings folder.



fabc.scr and abc.scr differ by only 5 bytes.
Adding the hex values 4D 5A 20 0D 0A to fabc.scr produces abc.scr, and log1.txt records the difference.





abc.scr is removed after it creates another malicious file and GoogleUpdate.exe in the same folder.

C:\Documents and Settings\(User name)\Local Settings\Application Data\GoogleUpdate.exe
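The fabc.scr / abc.scr step above is a dropper writing a PE image without its leading bytes, then restoring them before execution. As an added detection example (not nProtect's code), the check below re-adds the 5-byte prefix reported in this post and tests whether the result has a consistent MZ / PE signature chain; the sample image is constructed, not the real dropper.

```python
import struct
from typing import Optional

# The 5 bytes the dropper adds to fabc.scr to obtain abc.scr, as reported in this post: "MZ \r\n".
MZ_PREFIX = bytes([0x4D, 0x5A, 0x20, 0x0D, 0x0A])

def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def stripped_pe_prefix(data: bytes) -> Optional[bytes]:
    """Return b'' for a complete PE, MZ_PREFIX if re-adding it yields a valid PE, else None."""
    if is_pe(data):
        return b""
    if is_pe(MZ_PREFIX + data):
        return MZ_PREFIX
    return None

def build_sample_pe() -> bytes:
    """Constructed minimal PE-like image: 64-byte DOS header, e_lfanew = 0x40, then the PE signature."""
    dos = MZ_PREFIX + b"\0" * (0x3C - len(MZ_PREFIX)) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + b"\0" * 20

def triage(name: str, data: bytes) -> str:
    """One-line verdict for a dropped file, e.g. the fabc.scr stub or the rebuilt abc.scr."""
    prefix = stripped_pe_prefix(data)
    if prefix is None:
        return f"{name}: not a PE image"
    if prefix == b"":
        return f"{name}: complete PE image"
    return f"{name}: PE image missing its first {len(prefix)} bytes (headerless dropper stub)"

if __name__ == "__main__":
    abc = build_sample_pe()
    fabc = abc[len(MZ_PREFIX):]   # what the dropper writes to disk before restoring the header
    print(triage("fabc.scr", fabc))
    print(triage("abc.scr", abc))
```

A file on disk that only becomes a valid PE after this prefix is restored is a strong indicator of this staging trick, which a scanner looking only for an MZ header would miss.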



This malicious file tries to connect to a certain host, and it can perform malicious actions on the attacker's command.


INCA Internet's Emergency Response Team has collected these malicious files, and the detection update is complete.


3. Finishing

Inducing users to click a URL or a fake video image is a common social engineering technique. To keep your PC safe from the security threats posed by such malicious attachments, we recommend that you install the latest security updates and follow the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications at the latest security update level.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep the real-time detection function enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of the malicious files described above with "nProtect Anti-Virus/Spyware", and operates a response system against various security threats.
