
12/26/2011

[Warning] Santa Claus is coming to town with scams (Update #1)

1. Information

As a result of intensive monitoring during the Christmas season, INCA Internet's Emergency Response Team detected various scams around the end of the year.
Malicious hackers are trying to spread malicious files by taking advantage of the Christmas season and the end of the year.
Users need to be careful with anything mentioning "Christmas", video URLs, season's greetings, SNS messages, or shortened URLs, especially in e-mails carrying an attachment or a URL.



Malicious file distributors use social engineering and current social issues to spread malicious files.
Our team strengthened its emergency monitoring during the Christmas season and found many such distribution cases.

[Information] Be careful about scams around the end of the year
http://en-erteam.nprotect.com/2011/12/information-be-careful-about-scams.html

Issues on 2011 and predictions of upcoming 2012
http://en-erteam.nprotect.com/2011/12/issues-on-2011-and-predictions-of.html

2. Malicious files related to Christmas

During this Christmas, an MS Word exploit, a trojanized Christmas program, and PDF exploits have been reported.

* Case 1 - THIS XMAS SAY NO TO MADE IN CHINA

This e-mail appears to be related to Tibet, and it contains an attachment named "THIS XMAS SAY NO TO MADE IN CHINA.doc".
The attachment is malicious and silently installs a malicious file.


This e-mail is expected to spread malicious files to multiple countries.
The recipients include Indian, Nepalese, Swiss, Japanese, Canadian, French, and Russian addresses; therefore, the attacker appears to be targeting Tibet-related users.

If the user opens the attachment, it creates a normal document file and shows it to the user, then creates another malicious file and executes it.
Let's look at the document.


The files shown, including wordupgrade.exe, are created in the Temp folder and executed, and the malware hides its tracks using a batch command.


Once the malicious "wordupgrade.exe" runs, it installs an additional malicious file disguised as an Internet service component, and then "wordupgrade.exe" deletes itself via a batch file command.

C:\Program Files\Online Services\Internet Services.exe


Executing "Internet Services.exe" creates further malicious files, which are also deleted by its batch file command.


It then connects to a certain host and waits for additional commands. Once the remote control connection is established, the backdoor is active and the victim's PC is at risk.


* Case 2 - Malicious file disguised as Christmas decoration program

The Christmas tree desktop program appears in the bottom right corner of the desktop.


This freeware can be downloaded from http://get-xmas.com/; the malicious file distributor injected malicious code into it and repackaged it.

The malicious file is a WinRAR SFX (self-extracting archive), and it contains various malicious files alongside the legitimate mas.exe.


Once executed, it creates "udp.exe, taskngr.exe, drv.cmd, mas.exe, spoolcv.exe, svghost.exe" in the system folder, and it can fetch additional malicious files by accessing a certain domain.




The most notable feature of this file is that it is disguised as install_flash_player.exe, and it uses a WinRAR SFX just like the program above.


This malicious file can download an additional malicious file disguised as a Flash Player installer.

* Case 3 - Malicious file using PDF exploit

Merry Christmas.pdf exploits a vulnerability in Adobe Reader and installs malware silently.


When the malicious PDF is opened, it disguises itself as a harmless file by displaying a normal document.
It then installs a malicious gupdater.exe in the Application Data folder using updates.js and Winword.js, which are written as embedded JavaScript.
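The three cases above share a pattern that is easy to screen for after the fact: files dropped under names that either exactly match the reported droppers or differ by one letter from a real Windows binary (taskngr.exe, spoolcv.exe, svghost.exe). The following is an added triage example, not code from the post or from INCA Internet; it runs over a constructed directory listing, and the set of legitimate system names it compares against is an assumption limited to the three binaries the Case 2 names imitate.

```python
from pathlib import PureWindowsPath

# File names reported as dropped in Case 1, Case 2 and Case 3 of the post.
REPORTED_DROPS = {
    "wordupgrade.exe", "internet services.exe",
    "udp.exe", "taskngr.exe", "drv.cmd", "mas.exe", "spoolcv.exe", "svghost.exe",
    "gupdater.exe", "updates.js", "winword.js",
}

# Legitimate Windows binaries whose names the Case 2 droppings imitate (assumed list).
LEGIT_NAMES = {"svchost.exe", "spoolsv.exe", "taskmgr.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 means a one-letter look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(paths):
    """Return (path, reason) pairs for files that deserve a closer look."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name in REPORTED_DROPS:
            hits.append((p, "name reported as dropped by the Christmas malware"))
            continue
        for legit in LEGIT_NAMES:
            # The real binary itself (name == legit) is never flagged.
            if name != legit and edit_distance(name, legit) == 1:
                hits.append((p, f"one-letter look-alike of {legit}"))
                break
    return hits


# Constructed sample listing: two clean files mixed with the dropped names from the post.
SAMPLE_LISTING = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\svghost.exe",
    r"C:\Windows\System32\spoolcv.exe",
    r"C:\Windows\System32\taskngr.exe",
    r"C:\Program Files\Online Services\Internet Services.exe",
    r"C:\Documents and Settings\user\Application Data\gupdater.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```

The look-alike check also catches one-letter variants the post does not list, so it generalizes beyond the exact names reported here.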

3. How to prevent

Social engineering reaches users via e-mail or SNS. To keep your PC safe from the threats posed by these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
