
12/26/2011

[Warning] Santa Claus is coming to town with scams. (Update #1)

1. Information

Through intensified monitoring over the Christmas season, INCA Internet's Emergency Response Team detected various scams tied to the end of the year.
Malicious hackers are trying to spread malicious files by exploiting the Christmas season and the end of the year.
Users should be careful with anything mentioning "Christmas, video URL, season's greetings, SNS message, or shortened URL", especially in e-mails carrying an attachment or a link.



Malicious file distributors use social engineering and current social issues to spread malicious files.
Our team strengthened its emergency monitoring over the Christmas season and found many such distribution cases.

[Information] Be careful about scams around the end of the year
http://en-erteam.nprotect.com/2011/12/information-be-careful-about-scams.html

Issues on 2011 and predictions of upcoming 2012
http://en-erteam.nprotect.com/2011/12/issues-on-2011-and-predictions-of.html

2. Christmas-related malicious files

Over this Christmas, an MS Word exploit, a trojanized Christmas program, and PDF exploits were reported.

* Case 1 - THIS XMAS SAY NO TO MADE IN CHINA

This e-mail appears to be Tibet-related and carries an attachment named "THIS XMAS SAY NO TO MADE IN CHINA.doc".
The attachment is malicious and silently installs another malicious file.


This e-mail appears intended to spread malicious files to multiple countries.
The recipients include Indian, Nepalese, Swiss, Japanese, Canadian, French and Russian addresses, so the attacker seems to be targeting Tibet-related users.

If the user opens the attachment, it drops a clean decoy document and displays it to the user, then creates and executes another malicious file.
Let's look at the document.


These files, including wordupgrade.exe, are created in the Temp folder and executed, and the malware hides itself using a batch command.


Once the malicious "wordupgrade.exe" runs, it installs an additional malicious file disguised as an Internet service component, and then "wordupgrade.exe" deletes itself through a batch file command.

C:\Program Files\Online Services\Internet Services.exe


Executing "Internet Services.exe" creates further malicious files, which are also deleted by its batch file command.


It then connects to a certain host and waits for additional commands. Once the remote control connection is established, the backdoor is operational and the victim's PC is at risk.


* Case 2 - Malicious file disguised as a Christmas decoration program

The Christmas tree desktop program appears in the bottom right corner of the desktop.


This freeware can be downloaded from http://get-xmas.com/; the malicious file distributor injected malicious code into it and repackaged it.

The malicious file is a WinRAR SFX (self-extracting) archive containing various malicious files alongside the legitimate mas.exe.


Once executed, it creates "udp.exe, taskngr.exe, drv.cmd, mas.exe, spoolcv.exe, svghost.exe" in the system folder, and it can fetch additional malicious files by contacting a certain domain.




The most notable feature of this sample is a file disguised as install_flash_player.exe, which also uses WinRAR SFX in the same way as the program above.


This malicious file can download an additional malicious file disguised as Flash Player.

* Case 3 - Malicious file using a PDF exploit

Merry Christmas.pdf exploits a vulnerability in the Adobe Reader program and installs its payload silently.


When the malicious PDF is opened, it displays a clean document so that it looks like a normal file.
Meanwhile it installs the malicious gupdater.exe into the Application Data folder using updates.js and Winword.js, which are written as embedded JavaScript.
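As an added example (not part of the original post or INCA's tooling), the following Python script triages file-creation paths against the file names reported in Cases 1 to 3 above. It also flags the Case 2 trick of naming droppers after legitimate Windows processes (taskngr.exe, spoolcv.exe, svghost.exe) by comparing each name with a small reference list of real process names, and flags a real process name created outside a Windows system directory; the reference list, system directories, similarity threshold and sample paths are assumptions.

```python
import ntpath
from difflib import SequenceMatcher

# File names this post reports being dropped by the three Christmas samples.
KNOWN_DROPPED = {
    "wordupgrade.exe", "internet services.exe",             # Case 1: Word exploit
    "udp.exe", "taskngr.exe", "drv.cmd", "mas.exe",         # Case 2: repackaged SFX
    "spoolcv.exe", "svghost.exe", "install_flash_player.exe",
    "gupdater.exe", "updates.js", "winword.js",             # Case 3: PDF exploit
}
# Legitimate Windows process names that the Case 2 droppers imitate
# (assumed reference list; extend it for your own environment).
LEGIT_NAMES = {"taskmgr.exe", "spoolsv.exe", "svchost.exe"}
# Directories where those legitimate binaries are expected to live (assumed).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Minimum similarity for a lookalike verdict: the one-character swaps seen in
# this campaign score about 0.91, unrelated names far less (assumed threshold).
LOOKALIKE_RATIO = 0.85

def lookalike(name):
    """Return the legitimate process name that `name` imitates, or None."""
    if name in LEGIT_NAMES:            # the real binary is not a lookalike
        return None
    best = max(LEGIT_NAMES, key=lambda legit: SequenceMatcher(None, name, legit).ratio())
    if SequenceMatcher(None, name, best).ratio() >= LOOKALIKE_RATIO:
        return best
    return None

def triage(path):
    """Classify one created-file path; returns a reason string or None if benign."""
    low = path.lower()
    _, name = ntpath.split(low)
    if name in KNOWN_DROPPED:
        return "file name reported in the Christmas campaign"
    legit = lookalike(name)
    if legit:
        return f"lookalike of {legit}"
    if name in LEGIT_NAMES and not low.startswith(SYSTEM_DIRS):
        return f"{name} outside a Windows system directory"
    return None

def scan(paths):
    """Return (path, reason) pairs for every path that needs analyst attention."""
    return [(p, triage(p)) for p in paths if triage(p)]

# Constructed file-creation events (not captured data) mirroring the post's cases.
SAMPLE_EVENTS = [
    r"C:\Users\victim\AppData\Local\Temp\wordupgrade.exe",
    r"C:\Program Files\Online Services\Internet Services.exe",
    r"C:\Windows\System32\svghost.exe",
    r"C:\Windows\System32\svchost.exe",                 # legitimate, not flagged
    r"C:\Users\victim\AppData\Local\Temp\svchost.exe",  # real name, wrong place
    r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_EVENTS):
        print(f"{reason:45} {path}")
```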

3. How to prevent

Social engineering reaches users through e-mail or SNS. To keep your PC safe from the threats posed by such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a reputable security company, keep its engine up to date, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
