
9/26/2012

[Warning] New Internet Explorer Zero-Day exploits

1. Introduction

Zero-day exploit code for Microsoft Internet Explorer has been detected on a certain Italian web site. A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. Microsoft is analyzing the vulnerability. The malicious files were reported on an Italian web site selling winter supplies, and all of the exploit code has since been removed.




2. Malicious file information

The IE 0-day malicious files were found on the following web site.


The files were uploaded on September 14, 2012, and removed on September 16, 2012; only exp.txt remains.



The reported VirusTotal results are as follows.

[exploit.html]
https://www.virustotal.com/file/9d66323794d493a1deaab66e36d36a820d814ee4dd50d64cddf039c2a06463a5/analysis/

[Moh2010.swf]
https://www.virustotal.com/file/70f6a2c2976248221c251d9965ff2313bc0ed0aebb098513d76de6d8396a7125/analysis/

[Protect.html]
https://www.virustotal.com/file/2a2e2efffa382663ba10c492f407dda8a686a777858692d073712d1cc9c5f265/analysis/

[111.exe]
https://www.virustotal.com/file/85ad20e922f5e9d497ec06ff8db5af81fbdcbb6e8e63dc426b8faf40d5cc32c6/analysis/

"exploit.html" executes Moh2010.swf, which contains a DoSWF (http://www.doswf.com/) program, and can load "Protect.html" through an iframe.

"Protect.html" targets IE 7 and 8. It tries to install "111.exe", which is XOR-encoded.



When "111.exe" is executed, it installs "mspmsnsv.dll" in the system folder and tries to connect to a certain host.
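The XOR-encoded "111.exe" stage is where an analyst first has to recover the dropped executable from a captured blob. The following is an added example, not code from the original post; it assumes a single-byte XOR key (the post does not say what key scheme was used) and brute-forces it by validating both the MZ and the PE signatures of the decoded data, on a constructed stand-in for the executable.

```python
import struct

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the assumed encoding scheme)."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data: bytes) -> bool:
    """Validate a PE: 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C).
    Checking both signatures avoids false hits on a key that merely produces 'MZ'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def recover_xored_pe(blob: bytes):
    """Try all 256 single-byte keys; return (key, decoded_bytes) on success, else None."""
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None

def build_sample_pe() -> bytes:
    """Constructed stand-in for a dropped executable: a DOS header whose e_lfanew
    points at a PE signature. It is not a real program and serves only as test input."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 64

SAMPLE_KEY = 0x5A  # constructed key for the sample, not the key used by the real dropper
ENCODED_SAMPLE = xor_bytes(build_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    result = recover_xored_pe(ENCODED_SAMPLE)
    if result is None:
        print("no single-byte XOR key yields a PE")
    else:
        key, pe = result
        print(f"key=0x{key:02x}, e_lfanew=0x{struct.unpack_from('<I', pe, 0x3C)[0]:x}")
```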

3. Summary

INCA Internet response team is strengthening its security monitoring of the IE 0-day vulnerability and related abnormal symptoms. New variants of the malicious file can be detected by our nProtect Anti-Virus family. Users need to keep their software up to date to be safe from these malicious files. Furthermore, when spread through web sites, these files exploit security vulnerabilities, so the latest updates for the OS and frequently used applications are needed. To use your PC safely from the security threats of these malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious about links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes the various variant files.

Free installation link of nProtect AVS : http://avs.nprotect.com/

9/13/2012

Microsoft Security Bulletin Summary for September 2012

1. Introduction

Microsoft (MS) has released its regular security updates for August 2012.
Users of MS operating systems are strongly recommended to update in order to be safe from "Vulnerability in Visual Studio Team Foundation Server Could Allow Elevation of Privilege" and "Vulnerability in System Center Configuration Manager Could Allow Elevation of Privilege".



2. Update details

[Important]
[MS12-061] Vulnerability in Visual Studio Team Foundation Server Could Allow Elevation of Privilege (2719584)

Vulnerability: XSS Vulnerability - CVE-2012-1892 

This security update resolves a privately reported vulnerability in Visual Studio Team Foundation Server. The vulnerability could allow elevation of privilege if a user clicks a specially crafted link in an email message or browses to a webpage that is used to exploit the vulnerability. In all cases, however, an attacker would have no way to force users to perform these actions. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

Affected software

- Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1

- Reference site



[Important]
[MS12-062] Vulnerability in System Center Configuration Manager Could Allow Elevation of Privilege (2741528)

Vulnerability: Reflected XSS Vulnerability - CVE-2012-2536

This security update resolves a privately reported vulnerability in Microsoft System Center Configuration Manager. The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to persuade users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

Affected software

- Microsoft Systems Management Server 2003 Service Pack 3
- Microsoft System Center Configuration Manager 2007 Service Pack 2

- Reference site

9/12/2012

[Information] Android malicious application for Japanese women

1. Introduction

There was a report about an Android malicious application that targets Japanese women. Usually malicious applications target men; this is the first case found that targets women. In addition, if this malicious application is installed in a Korean environment, personal information can be leaked. Therefore, users need to be careful when downloading and using applications.



2. Spreading path and Symptom of infection

This malicious application has two spreading methods.



Source : http://www.symantec.com/connect/blogs/loozfon-malware-targets-female-android-users

One is sending spam e-mail that tries to induce the user to click a link in the mail. The other is inducing the user to click a link for meeting a man. Both ways lead to downloading and installing the malicious application.

Analysis info

Malicious behavior

- Tries to collect and leak the IMEI
- Collects contact information (name, phone number, e-mail address)
- Accesses a certain web site [http://58.(~~).(~~).229//(~~)/addressBookRegist] (external URL)

This malicious application requires the following permissions.


The following image shows all permissions in "AndroidManifest.xml".



The installation status of this malicious application can be checked under "Settings" > "Applications" > "Manage applications".




This malicious application doesn't register any receiver or service, but it counts from 1 to 0 as follows.



This counting is implemented as a loop. It collects personal and device information and tries to leak it to a certain web site.



The following code shows the collection of information and the leaking of the collected information to a certain web site.



Details of the code that leaks information

The red box shows the IMEI being collected by referring to another class.



The green box shows the smartphone's phone number being collected.

The blue box distinguishes between Android version 1.6 or lower and Android version 1.6 or higher. There was a big change in the API for collecting contacts, and this malicious application can handle both.

The following code shows the case where the Android version is 1.6 or higher.



From this code, we can see that it collects names, phone numbers, and mail addresses.

We assume this malicious application is used for sending spam mail and collecting various information (contacts, IMEI, and personal information).

3. How to prevent

There are many reports of various malicious applications created for financial gain. This malicious application can easily collect and leak information. To use your smartphone safely from the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
2. Always download applications that have been proven by many users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Avoid opening MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of mobile malicious files such as the one described above with "nProtect Mobile for Android", and runs a response system against various security threats.

Diagnosis name

- Trojan-Spy/Android.Loozfon.A
- Trojan-Spy/Android.Loozfon.B


9/05/2012

[Caution] Malicious files spreading disguised as Facebook images

1. Introduction

INCA Internet response team detected malicious files disguised as being sent from Facebook. Facebook is a social networking service launched in February 2004, owned and operated by Facebook, Inc. As of June 2012, Facebook has over 955 million active users, more than half of them using Facebook on a mobile device. Security threats against SNS have increased as the number of Facebook users has grown. Therefore, Facebook users need to understand these security threats and be careful with e-mail attachments. Because social engineering, understood as the art of manipulating people into performing actions or divulging confidential information, is used consistently, users need to be wary of such malicious behavior.



2. Spreading path

[Warning] Malicious e-mails disguising as image file were found.
http://en-erteam.nprotect.com/2012/07/warning-malicious-e-mails-disguising-as.html

[Warning] Malicious personal message from fake LinkedIn friend
http://en-erteam.nprotect.com/2012/06/warning-malicious-personal-message-from.html

[Warning] Malicious files are spreading through Facebook chat window
http://en-erteam.nprotect.com/2012/02/warningmalicious-files-are-spreading.html

Fake e-mails from Twitter or Facebook have been found spreading at irregular intervals. Although it is a really classic technique, it is the most effective way to spread malicious files. The case reported on Aug. 28, 2012 is as follows.


The way these malicious files are created and propagated is very clever. The following image is from a message sent on Aug. 29, 2012. Note that the receiver's mail address is hidden.


Each e-mail contains a malicious file in ZIP form, named "New_Photo_with_You_on_Facebook_PHOTOIDJKG3JSP0.zip" and "Your_Friend_New_photos-updates_id929690899.zip" respectively.

Each ZIP file contains an executable malicious file.


They contain "New_Photo_with_your_friend_on_Facebook.jpeg.exe" and "Your_Friend_New_Photos-and-Updates.jpeg.exe". If a user has enabled the option to hide extensions for known file types, the .exe extension will be invisible.
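A mail gateway or analyst can catch this lure before it reaches a user whose Explorer hides known extensions. The following is an added example, not code from the original post: it scans a ZIP attachment in memory (nothing is extracted to disk) and flags members whose final extension is executable but is preceded by an image or document extension, using a constructed ZIP that carries the attachment name from the post with a harmless placeholder body.

```python
import io
import zipfile

# Extensions Windows will run as programs, and the "lure" extensions seen in front of them
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
LURE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx", "txt"}

def classify_name(name: str):
    """Return 'double-extension' for names like photo.jpeg.exe, 'executable' for a
    plain executable, or None for anything else. Only the base name is examined."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in LURE_EXTS:
        return "double-extension"
    return "executable"

def suspicious_members(zip_bytes: bytes) -> list:
    """List (member name, verdict) for every file entry that looks like a lure."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            if verdict:
                hits.append((info.filename, verdict))
    return hits

def build_zip(members: dict) -> bytes:
    """Build a ZIP in memory from {name: content}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: the member name from the post, with a placeholder body that is not a program
SAMPLE_ZIP = build_zip({
    "New_Photo_with_your_friend_on_Facebook.jpeg.exe": b"constructed placeholder, not a program",
    "readme.txt": b"harmless text",
})

if __name__ == "__main__":
    for name, verdict in suspicious_members(SAMPLE_ZIP):
        print(f"{verdict}: {name}")
```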


When the malicious file is executed, it creates "svchost.exe" in the "All Users" folder and performs malicious behaviors such as collecting and leaking device information.


INCA Internet response team has added these patterns to our AVS, so users need to update to the latest version to be safe from these malicious files.

3. Summary

Spreading fake e-mails from Twitter or Facebook is a really classic technique, but it is still the most effective way to spread malicious files. To use your PC safely from the security threats of these malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious about links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.
nProtect Anti-Virus/Spyware v3.0 detects and removes the various variant files.

Free installation link of nProtect AVS : http://avs.nprotect.com/

9/04/2012

[Information] Chinese malicious application called SMS Zombie

1. Introduction

Malicious applications called SMS Zombie have been found recently. With the boom in malicious applications for smartphones, it is rumored that more than 500 thousand smartphones have been infected by this malicious application. Of course, this malicious app targets Chinese Android smartphone users and has not harmed Korean users so far. The noticeable thing, however, is that the spread of malicious applications for monetary exploitation has started in overseas countries.



2. Spreading path and symptom of infection

This malicious application has been spreading on unofficial Chinese markets, as follows.


This malicious application sends SMS without permission, collects information, and tries to install an additional malicious application.

The installation screen is as follows.


It doesn't show any permissions during installation, and the "Open" button is deactivated. This means the malicious application is coded as a wallpaper, and the additional permissions for its various functions are not declared in the manifest but obtained through a dynamic registration process. The reason the "Open" button is deactivated is that it runs as a service.

The following image shows part of the permissions in AndroidManifest.xml.


Dropper-type host malicious application

Because this application registers nothing but a wallpaper service, the user has to select the following wallpaper to activate the program.


When the wallpaper is activated, an AlertDialog for installing an additional application is shown.


The left button is confirm and the right button is cancel. If a user clicks the confirm button, this application will try to install additional files from the malicious file.


As you can see, this file looks like an image file; however, it is an APK file. Clicking the "Confirm" button installs the additional malicious application.

Analysis of the additional malicious file that performs the real malicious behaviors

The following figure is the run screen of the additional malicious file.


This also runs as a service, so the "Open" button is deactivated. The following figure shows part of its AndroidManifest.xml, where we can see the permission-requesting code.


After installation, we can see that this malicious application has been loaded as a service.


In addition, it shows the device administrator activation screen to obtain permission, as follows.


As shown, there are two buttons, "Activate" and "Cancel"; however, only the "Activate" button works. Clicking "Cancel" brings up the Activate device administrator window again.


Finally, this malicious application obtains the permission by inducing the user to click the "Activate" button. It then gains various permissions, including control over application removal.

※ Obtaining device administrator permission

Usually malicious applications try to obtain the device administrator permission in order to control their own removal. After obtaining that permission, the general uninstall procedure won't work.


※ How to remove

For this kind of application, both malicious and normal types exist. To remove it, the following procedure is needed.

"Settings" - "Location and security" - "Device administrators"


Click it and choose "Deactivate". Of course, clicking "Deactivate" may seem to do nothing. Then hold the home button, open "Task manager", choose "Exit all running programs", and remove this application on the Program tab.

After installation, it creates "phone.xml" on a certain path.


"phone.xml" contains certain keywords, written by the following code and encoded in Simplified Chinese.


The following figure shows the real contents of phone.xml, which are used to snatch bank account information and mobile transaction history (by monitoring SMS).


Then this malicious application secretly sends the collected information to a certain number (13093632006) as SMS.


※ Details of the sent SMS message

- 1.5V:Model(Model info:sdk);os(OS version info);Language(Using language);NET(Network usage info:3G/wifi)

If wifi cannot be used, it sends an SMS containing the following message.


Apart from this case, this malicious application checks the rooting status of the infected smartphone and sends an SMS.


This application monitors SMS. AndroidManifest.xml doesn't contain code requesting the permission, but its internal code contains a dynamically registered SMS monitoring receiver.


It seems that various security solutions detect SMS monitoring receivers through AndroidManifest.xml.

The registered SMS receiver monitors all SMS, which are parsed and compared with the keywords in "phone.xml". If a string meets the condition, it sends an SMS to a certain number.
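A static triage check for the traits described above (wallpaper-only service, device administrator receiver, and an SMS receiver that exists in the code but not in the manifest). This is an added example, not the post's or INCA's code; the manifest and the list of strings extracted from classes.dex are constructed stand-ins, and the markers it looks for are the standard Android action and permission names, not anything taken from SMS Zombie itself.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
WALLPAPER_SERVICE = "android.service.wallpaper.WallpaperService"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"

def manifest_actions(manifest_xml: str) -> set:
    """Every <action android:name=...> declared in the manifest's intent filters."""
    root = ET.fromstring(manifest_xml)
    return {a.get(ANDROID_NS + "name") for a in root.iter("action")}

def manifest_permissions(manifest_xml: str) -> set:
    """Every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def assess(manifest_xml: str, dex_strings) -> list:
    """Return finding tags for the traits in the post. dex_strings is the string table
    pulled from classes.dex by a dex string dumper; here it is constructed."""
    actions = manifest_actions(manifest_xml)
    perms = manifest_permissions(manifest_xml)
    strings = set(dex_strings)
    findings = []
    if WALLPAPER_SERVICE in actions:
        findings.append("wallpaper-service")     # no launcher activity, so "Open" is greyed out
    if DEVICE_ADMIN_ENABLED in actions:
        findings.append("device-admin")          # once activated, normal uninstall fails
    if SMS_RECEIVED not in actions and SMS_RECEIVED in strings and "registerReceiver" in strings:
        findings.append("dynamic-sms-receiver")  # receiver lives only in code, invisible to manifest-only scanners
    if "android.permission.SEND_SMS" in perms and "android.telephony.SmsManager" in strings:
        findings.append("sends-sms")
    return findings

# Constructed sample manifest showing the traits above (the package name is a placeholder)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".Wall" android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter><action android:name="android.service.wallpaper.WallpaperService"/></intent-filter>
    </service>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed stand-in for strings present in classes.dex but absent from the manifest
SAMPLE_DEX_STRINGS = [SMS_RECEIVED, "registerReceiver", "android.telephony.SmsManager", "phone.xml"]
```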


Some of the sent SMS are deleted with the following code.


3. How to prevent

In the case of this malicious application, which contains a first-stage dropper, modifying the dropper could give rise to various security threats. To use your smartphone safely from the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
2. Always download applications that have been proven by many users.
3. Use mobile anti-virus software to check a downloaded application before using it.
4. Do not visit suspicious or unknown sites via smartphone.
5. Avoid opening MMS, text messages, or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not save important information on the phone.
9. Do not attempt illegal customization such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of mobile malicious files such as the one described above with "nProtect Mobile for Android", and runs a response system against various security threats.

Diagnosis name

- Trojan/Android.SMSZombie.A
- Trojan/Android.SMSZombie.B
- Trojan/Android.SMSZombie.C