On December 10, 2011, a malicious file was spreading through an external AD (advertisement) link served to users accessing a popular internet private broadcasting web site.
The malicious file was spreading over the weekend and was assumed to be an APT (Advanced Persistent Threat).
In particular, the origin from which the malicious file was distributed differed depending on the time of access. Server administrators need to be careful when operating servers.
When a user visits the Axxxx web site, known for its real-time internet private broadcasting system, the malicious file can infect the user's PC by exploiting vulnerabilities in Java and Adobe Flash Player.
Therefore, the latest security updates are needed. Without them, simply accessing the web site can make the visiting user a victim.
2. Spreading path and symptoms of infection
The malicious file is being distributed from the AD server of an external partner. When users click the AD, exploit code will be run.
Accessing the private broadcasting service at http://www.a******.com redirects the user to http://www.a******.com/ad/af_station_AD.htm, and the af_station_AD.js script is activated.
The AD is located at the top left of the site and changes frequently.
Because the security level of popular websites is usually relatively high, the malicious file distributors seem to have chosen the AD server for distribution instead.
When the external AD service list is connected, malicious code located in an iframe inside it is activated and ad.html is loaded.
By exploiting vulnerabilities in Adobe Flash Player and the Java applet, java.exe and an XOR-encrypted EXE-type malicious file disguised as ie67.gif are downloaded and try to infect the user's PC.
ad.html checks the user's browser version (IE 6.0 to 8.0) and selects the exploit code accordingly. It then links iframes to the exploit code pages, including ad2.html, ad1.htm, and java.html.
java.html loads the malicious Applet.jar, and the ScriptEngineExp.class inside it renames java.exe to xxoo.exe and downloads it to the Temp folder.
Various variants of this malicious file have been reported, so users could be exposed to those variants as well.
In addition, it uses a cookie file to control access to the exploit code URLs, and it disrupts the normal operation of anti-virus products by installing a malicious driver-type file (kill.sys).
Finally, the malicious file tries to leak the account information of domestic online game users.
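A defender-side check for the disguised download described above, as an added example that is not part of the original analysis: it flags a file delivered under a .gif name whose content is not a GIF and tests whether it is a Windows executable hidden under a single-byte XOR. The single-byte scheme, the key 0x5A, and the sample bytes are assumptions constructed for illustration; the page does not state the key or the exact encoding.

```python
import struct

GIF_MAGIC = (b"GIF87a", b"GIF89a")

def looks_like_pe(buf: bytes) -> bool:
    """True for an MZ header whose e_lfanew (offset 0x3C) points at a PE signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_xor_key(data: bytes, window: int = 1024):
    """Single-byte XOR key that decodes data to a PE, else None (0 = unencoded)."""
    head = data[:window]
    if len(head) < 2:
        return None
    key = head[0] ^ ord("M")            # key implied by the first byte
    if head[1] ^ key != ord("Z"):       # second byte must agree
        return None
    decoded = bytes(b ^ key for b in head)
    return key if looks_like_pe(decoded) else None

def triage(name: str, data: bytes) -> str:
    is_gif_name = name.lower().endswith(".gif")
    if is_gif_name and data.startswith(GIF_MAGIC):
        return "ok: GIF content matches extension"
    key = find_xor_key(data)
    if key is not None:
        return f"alert: PE executable under XOR key 0x{key:02x} in {name}"
    if is_gif_name:
        return "suspicious: .gif name but not GIF content"
    return "unknown"

def constructed_pe_stub() -> bytes:
    """Inert 128-byte header stub built for this example (not a real sample)."""
    stub = bytearray(0x80)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\x00\x00"
    return bytes(stub)

SAMPLES = {  # constructed inputs; 0x5A is an arbitrary illustrative key
    "banner.gif": b"GIF89a" + bytes(32),
    "ie67.gif": bytes(b ^ 0x5A for b in constructed_pe_stub()),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {triage(name, blob)}")
```

The same function can be run over files carved from a proxy cache or a browser's temporary folder; a multi-byte or rolling key would need a different search than the one shown.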
3. How to prevent
Applying the security updates for each product is the most important step in staying safe from infection, especially for Adobe Flash Player and Oracle Java. Using a trustworthy anti-virus program and a personal firewall is also needed.
INCA Internet's Emergency Response Team is updating and distributing the latest patterns for our nProtect Anti-Virus family.
INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.