
3/28/2012

[News] nProtect Anti-Virus on the Metascan Online solution in the U.S.

1. Information

INCA Internet's response team has completed enlisting our nProtect Anti-Virus engine in OPSWAT's multi-engine scanning solution, Metascan Online, which already includes many well-known anti-virus products.
Both companies have agreed to a partnership and an OEM arrangement.
This means we can provide our service to major companies and public institutions in the U.S., and our product has passed OPSWAT's security, quality and stability review.



With the boom in APT (Advanced Persistent Threat) attacks, security threats keep increasing, so most companies and public institutions are concentrating on staying safe from them. Through the Metascan service we can raise awareness and popularity of our product and provide it in the U.S.


2. Metascan online solution

Multiscanning is running multiple anti-malware or antivirus engines concurrently. Traditionally, only a single engine can actively scan a system at a given time. Using multiple engines simultaneously can result in conflicts that lead to system freezes and application failures. However, a number of security applications and application suites have optimized multiple engines to work together.

http://www.metascan-online.com/about


Metascan antivirus SDK is an application with an API that combines eight antivirus engines into a single application (Computer Associates, Norman ASA, ESET, VirusBuster, AVG Technologies, Quick Heal Technologies, Sunbelt Software, and ClamWin).

OPSWAT Metascan online : http://www.metascan-online.com/

Metascan includes numerous work-flow and scanning features, which support many environments and allow the technology to be applied to countless use cases, such as scanning file upload servers, connecting to an existing antivirus from vendors like Symantec or McAfee via API, or implementing a data loss prevention solution with custom engines and post actions.
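To make the multiscanning idea concrete, here is an added example (written for this page; it is not OPSWAT's Metascan code, and its three "engines" are constructed toys rather than real anti-virus products) that scans the same bytes with several independent engines in parallel, tolerates an engine that crashes or stalls, and merges the verdicts under a configurable policy. The EICAR test string is the standard harmless sample for checking that every engine in such a pipeline actually answers.

```python
"""Minimal multiscanning pipeline: several independent engines scan the same
bytes concurrently and their verdicts are merged into one result.
Added illustration for this page; not OPSWAT's or INCA Internet's code, and
the three "engines" below are constructed toys, not real AV products."""
import hashlib
from concurrent.futures import ThreadPoolExecutor, wait
from dataclasses import dataclass

# The EICAR test string: the standard harmless file every AV engine must detect.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class Verdict:
    engine: str
    infected: bool
    detail: str = ""


# Engine 1: exact-hash blocklist (constructed: only the EICAR hash is listed).
BLOCKLIST = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}


def engine_hash(data: bytes, name: str) -> Verdict:
    digest = hashlib.sha256(data).hexdigest()
    return Verdict("hash-engine", digest in BLOCKLIST, BLOCKLIST.get(digest, ""))


# Engine 2: byte-pattern signatures (constructed patterns).
SIGNATURES = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "EICAR-Test-File",
    b"CONSTRUCTED_DROPPER_MARKER": "Test.Dropper",
}


def engine_signature(data: bytes, name: str) -> Verdict:
    for pattern, label in SIGNATURES.items():
        if pattern in data:
            return Verdict("signature-engine", True, label)
    return Verdict("signature-engine", False)


# Engine 3: heuristic. A file named like a document but starting with the
# "MZ" PE header is an executable in disguise.
DOC_EXTENSIONS = (".doc", ".xls", ".ppt", ".pdf")


def engine_heuristic(data: bytes, name: str) -> Verdict:
    if name.lower().endswith(DOC_EXTENSIONS) and data.startswith(b"MZ"):
        return Verdict("heuristic-engine", True, "PE executable disguised as document")
    return Verdict("heuristic-engine", False)


ENGINES = [engine_hash, engine_signature, engine_heuristic]


def multiscan(data: bytes, name: str, min_engines: int = 1, timeout: float = 5.0) -> dict:
    """Run every engine concurrently; the file is 'infected' when at least
    min_engines engines flag it (1 = the usual 'any engine wins' policy)."""
    verdicts = []
    with ThreadPoolExecutor(max_workers=len(ENGINES)) as pool:
        futures = {pool.submit(engine, data, name): engine.__name__ for engine in ENGINES}
        done, pending = wait(list(futures), timeout=timeout)
        for future in done:
            try:
                verdicts.append(future.result())
            except Exception as exc:  # a crashing engine must not hide the other verdicts
                verdicts.append(Verdict(futures[future], False, f"engine error: {exc}"))
        for future in pending:  # an engine that did not answer in time gives no verdict
            future.cancel()     # note: a thread already running cannot be interrupted
            verdicts.append(Verdict(futures[future], False, "timeout"))
    verdicts.sort(key=lambda v: v.engine)
    hits = [v for v in verdicts if v.infected]
    return {
        "file": name,
        "infected": len(hits) >= min_engines,
        "hits": len(hits),
        "detections": sorted({v.detail for v in hits}),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    samples = [(EICAR, "eicar.com"), (b"MZ\x90\x00" + b"\x00" * 60, "invoice.doc"), (b"plain text", "notes.txt")]
    for sample, fname in samples:
        result = multiscan(sample, fname)
        print(fname, "infected" if result["infected"] else "clean", result["detections"])
```

Policy matters: `min_engines=1` is the usual "any engine wins" setting that gives multiscanning its coverage advantage; raising it trades coverage for fewer false positives, and the per-engine verdict list is what an analyst needs in order to see which engine fired and why.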


The following link shows the result of a test on Metascan.

http://www.metascan-online.com/results/14e4mkkulbqu66a4y24v5h3169xkpiqf



When deploying multiple OPSWAT multi-scanning installations in your solution, the Metascan management station provides an easy way to track and manage your installations of Metascan, MetaDefender for Media (MD4M) and MetaDefender for Secure Access (MD4SA). With a simple, clear interface, the management station is a centralized console for various functions.

3. Summary

With this partnership, both companies will work together in strategic cooperation.
OPSWAT will expand its business range; it attended "RSA 2012" on Feb 27 for an online demonstration of Metascan.

http://www.opswat.com/blog/videos-rsa-2012



INCA Internet, a global security leader in internet-based infrastructure for games and finance, has established a branch in Silicon Valley and provides its security solution to a bank in America.
With this successful partnership, we can provide security services across the global network.

3/17/2012

[Caution] Attack tools using the MS12-020 RDP vulnerability detected (#Update 02)

1. Introduction

INCA Internet's response team detected attack tools using the MS12-020 RDP vulnerability on March 14.
MS12-020 fixes two vulnerabilities in the Remote Desktop Protocol which could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system.
Most Windows versions ship with RDP disabled by default; systems with RDP enabled, however, are exposed to this threat. We therefore recommend installing the latest security patch to avoid infection by a network worm.

MSRC (Microsoft Security Response Center) rated the patch "Critical" because the vulnerability could be used by an internet worm.

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to another computer. The protocol is an extension of the ITU-T T.128 application sharing protocol. Clients exist for most versions of Microsoft Windows (including Windows Mobile), Linux, Unix, Mac OS X, Android, and other modern operating systems.
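The advice above reduces to two questions per machine: is it an affected Windows version that is missing the MS12-020 update, and is Remote Desktop enabled so that crafted packets can reach it at all? The following is an added example (not INCA Internet's tooling) that answers both over a constructed inventory export; the KB number 2671387 and the affected product families are taken from the bulletin summary on this page, while the CSV column names are assumptions.

```python
"""Offline triage of a host inventory for MS12-020 exposure. Added example,
not INCA Internet's tooling; the inventory is constructed, the affected
product families and KB number come from the bulletin summary on this page."""
import csv
import io

KB_MS12_020 = "KB2671387"  # the update that closes CVE-2012-0002 / CVE-2012-0152

# Product families listed as affected by MS12-020 (XP through 7 / Server 2008 R2).
AFFECTED_FAMILIES = ("Windows XP", "Windows Server 2003", "Windows Vista",
                     "Windows Server 2008", "Windows 7")

# Constructed inventory export: hostname, OS, whether Remote Desktop is enabled,
# and the installed hotfixes separated by ';'. Column names are assumptions.
INVENTORY_CSV = """hostname,os,rdp_enabled,hotfixes
fileserver01,Windows Server 2008 R2 SP1,yes,KB2671387;KB2641653
hr-pc-07,Windows XP SP3,yes,KB2641653;KB2647170
dev-vm-3,Windows 7 SP1,no,KB2647170
kiosk02,Windows 7 SP1,yes,
legacy-nt4,Windows NT 4.0 SP6a,yes,
"""


def triage_host(os_name: str, rdp_enabled: bool, hotfixes: set) -> str:
    """Classify one host. Priority follows the bulletin: with RDP disabled the
    machine is not reachable by the crafted packets, but it is still unpatched."""
    if not os_name.startswith(AFFECTED_FAMILIES):
        # Not in the bulletin: out of support or otherwise unlisted, so there is
        # no fix to check for; such hosts need a manual review.
        return "review: product not listed in bulletin"
    if KB_MS12_020 in hotfixes:
        return "patched"
    if rdp_enabled:
        return "EXPOSED: unpatched and RDP enabled"
    return "unpatched, RDP disabled"


def triage_inventory(csv_text: str) -> dict:
    """Return {hostname: status} for every row of the CSV export."""
    statuses = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hotfixes = {h.strip().upper() for h in row["hotfixes"].split(";") if h.strip()}
        rdp = row["rdp_enabled"].strip().lower() in ("yes", "true", "1")
        statuses[row["hostname"].strip()] = triage_host(row["os"].strip(), rdp, hotfixes)
    return statuses


def exposed_hosts(statuses: dict) -> list:
    """The hosts that need action first, sorted for a ticket."""
    return sorted(host for host, status in statuses.items() if status.startswith("EXPOSED"))


if __name__ == "__main__":
    result = triage_inventory(INVENTORY_CSV)
    for host, status in result.items():
        print(f"{host:14} {status}")
    print("act first:", exposed_hosts(result))
```

Hosts that come out as "EXPOSED" are the ones the tools described in the next section can reach; the "review" bucket exists because an operating system absent from the bulletin is not known to be safe, only unlisted.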



2. Attack tools and code

Regarding the MS12-020 (CVE-2012-0002) security hole, various PoCs (proof-of-concept exploits) have been revealed overseas, including in China.
In addition, an MS12-020 PoC was leaked on purpose by Luigi Auriemma, who officially reported this vulnerability.


 

In China, various attack tools have been created, including ones with IP/port scanning functions. If such files are spread as worms, they can cause additional damage.

INCA Internet's response team is monitoring both CLI (Command Line Interface) and GUI (Graphical User Interface) based attack tools. Among them, we found tools from China that can attack simply by entering a target IP address.





Users are not damaged merely because a malicious attacker is using such a tool; however, users need to keep the latest security updates installed to avoid infection.


The MS12-020 attack tools from China are easy to use for malicious attacks. INCA Internet's response team confirmed that this tool can crash remote PCs whose RDP is vulnerable.

When Remote Desktop connections are enabled on the target, the tool is used by entering the target PC's IP address and clicking the attack button; the remote PC shows a BSoD and reboots.
During this procedure, the "Shutdown Event Tracker" dialog can appear and hold the boot until the OK button is clicked. A sudden reboot can cause unexpected damage.





3. How to prevent

This vulnerability is closed by the MS12-020 security update, so Windows users need to keep the latest security updates installed.
When using a computer, security updates are not optional but essential. To use your PC safely from these security threats, we recommend downloading the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.

3/15/2012

Microsoft Security Bulletin Summary for March 2012

1. Introduction

Microsoft's (MS) regular security updates for March 2012 have been released.
Users of MS operating systems are strongly recommended to update, to be safe from the vulnerability in DNS Server, the vulnerability in Windows Kernel-Mode Drivers, the vulnerability in DirectWrite, the vulnerabilities in Remote Desktop, the vulnerability in Visual Studio, and the vulnerability in Expression Design.



2. Update details

[Important]
[MS12-017] Vulnerability in DNS Server Could Allow Denial of Service (2647170)

Vulnerability: DNS Denial of Service Vulnerability - CVE-2012-0006

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if a remote unauthenticated attacker sends a specially crafted DNS query to the target DNS server.

Affected Software

- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Server 2008 for 32-bit Systems SP2
- Windows Server 2008 for x64-based Systems SP2
- Windows Server 2008 for Itanium-based Systems SP2
- Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems SP1
- Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-017



[Important]
[MS12-018] Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2641653)

Vulnerability: PostMessage Function Vulnerability - CVE-2012-0157

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit Systems SP2
- Windows Server 2008 for x64-based Systems SP2
- Windows Server 2008 for Itanium-based Systems SP2
- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP1
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-018



[Moderate]
[MS12-019] Vulnerability in DirectWrite Could Allow Denial of Service (2665364)

Vulnerability: DirectWrite Application Denial of Service Vulnerability - CVE-2012-0156

This security update resolves a publicly disclosed vulnerability in Windows DirectWrite. In an Instant Messenger-based attack scenario, the vulnerability could allow denial of service if an attacker sends a specially crafted sequence of Unicode characters directly to an Instant Messenger client. The target application could become unresponsive when DirectWrite renders the specially crafted sequence of Unicode characters.

Affected Software

- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit Systems SP2
- Windows Server 2008 for x64-based Systems SP2
- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP1
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-019



[Critical]
[MS12-020] Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)

Vulnerabilities: Remote Desktop Protocol Vulnerability - CVE-2012-0002
Terminal Server Denial of Service Vulnerability - CVE-2012-0152

This security update resolves two privately reported vulnerabilities in the Remote Desktop Protocol. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32-bit Systems SP2
- Windows Server 2008 for x64-based Systems SP2
- Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems SP1
- Windows 7 for x64-based Systems and Windows 7 for x64-based Systems SP1
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP1
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems SP1
- Windows Server 2008 for Itanium-based Systems SP2

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-020



[Important]
[MS12-021] Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)

Vulnerability: Visual Studio Add-In Vulnerability - CVE-2012-0008

This security update resolves one privately reported vulnerability in Visual Studio. The vulnerability could allow elevation of privilege if an attacker places a specially crafted add-in in the path used by Visual Studio and convinces a user with higher privileges to start Visual Studio. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Affected Software

- Microsoft Visual Studio 2008 SP1
- Microsoft Visual Studio 2010
- Microsoft Visual Studio 2010 SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-021



[Important]
[MS12-022] Vulnerability in Expression Design Could Allow Remote Code Execution (2651018)

Vulnerability: Expression Design Insecure Library Loading Vulnerability - CVE-2012-0016

This security update resolves one privately reported vulnerability in Microsoft Expression Design. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .xpr or .DESIGN file) that is located in the same network directory as a specially crafted dynamic link library (DLL) file. Then, while opening the legitimate file, Microsoft Expression Design could attempt to load the DLL file and execute any code it contained. For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a legitimate file (such as an .xpr or .DESIGN file) from this location that is then loaded by a vulnerable application.

Affected Software

- Microsoft Expression Design
- Microsoft Expression Design SP1
- Microsoft Expression Design 2
- Microsoft Expression Design 3
- Microsoft Expression Design 4

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-022

3/07/2012

[Caution] APT attack on the 53rd anniversary of Tibetan Uprising Day, March 10

1. Introduction

INCA Internet's Emergency Response Team detected that malicious files themed on Tibetan Uprising Day, March 10, are spreading. After the invasion by China, more than 1.2 million people died and more than 6,000 temples were destroyed.
The 1959 Tibetan uprising, or 1959 Tibetan Rebellion, began on 10 March 1959, when a revolt erupted in Lhasa, the capital of Tibet, which had been under the effective control of the Communist Party of China since the Seventeen Point Agreement in 1951. The anniversary of the uprising is observed by some Tibetan exiles as Tibetan Uprising Day.



With the many security threats these days, users need to be careful when using the internet.
In particular, APT (Advanced Persistent Threat) attacks themed on Tibet are expected to surge around this date.

Tibetan Uprising Day (Wikipedia)

2. Spreading path and symptoms of infection

* Case #1

It is disguised as the statement for the 53rd Tibetan Uprising Day and an announcement for March 10, together with an encrypted PGP (Pretty Good Privacy) message.

Notably, its e-mail domain is @Tibet.net, which suggests the sender's mail address was hijacked for this APT.
Mail sent from a trustworthy domain raises the chance that further malicious attacks succeed.

Title :
March 10th Statement

Body :
(~~~~)


Please find here attached the Statement of Kalon Tripa Dr. Lobsang Sangay on the 53rd Anniversary of the Tibetan National Uprising Day.


With Tashi Delek


(~~~~)

Attachment (Malicious file) :
March 10th Statement.doc

 

Opening "March 10th Statement.doc", attached to the e-mail, installs and runs additional malicious files (svchost.exe, linkinfo.dll) by exploiting a security hole.

This doc file exploits the MS10-087 (CVE-2010-3333) vulnerability, and we found tools in China that can create malicious files using that exploit.

The Word document itself appears empty.

 

Usually, the recipient assumes the sender made a mistake; meanwhile, the PC is infected as soon as the doc file is opened.

- C:\Documents and Settings\(login account)\Local Settings\Temp\svchost.exe (hidden properties)

- C:\WINDOWS\linkinfo.dll

 

This kind of malicious file can try to leak personal information from the infected PC, or connect to a certain host and make the infected PC operate as a "backdoor".

* Case #2

We found another malicious e-mail including a malicious doc file and a poster for the 53rd Tibetan National Uprising Day, March 10th 2012.

 

When it is opened, the following poster is shown while the malicious files are installed.



Malicious files of this kind are spreading indiscriminately. To stay safe from the various security threats, keeping the latest security updates installed is most important, and users also need to be aware of zero-day attacks.

3. How to prevent

This malicious file is a type of APT (Advanced Persistent Threat) that tries to deceive users with false information.

This security hole can be closed by MS Office's latest security update.
http://update.microsoft.com/microsoftupdate/v6/default.aspx


To use your PC safely from the security threats of these malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.

3/06/2012

[Warning] APT malicious files targeting the Geographical Survey Institute of the Ministry of Land, Infrastructure, Transport and Tourism

1. Introduction

 
INCA Internet's Emergency Response Team detected that malicious APT files exploiting the CVE-2012-0754 vulnerability were sent to certain users of the Geographical Survey Institute of the Ministry of Land, Infrastructure, Transport and Tourism on March 2, 2012.
They spread by e-mail containing a malicious Excel file crafted with the Adobe Flash Player vulnerability. Users who open the attachment without anti-virus software can be infected by the malicious files.



This kind of attack is very sneaky and requires strong attention to security to avoid infection.

Many document files exploiting CVE-2012-0754 are circulating these days; therefore, users need to be careful when opening attachments. The following list shows document files using the same vulnerability.



CVE-2012-0754 Information
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0754

2. Spreading path and symptoms of infection

The malicious files were sent to certain Japanese officials, with a malicious xls file, "地域デザイン学会の名簿.xls", attached. The sender was introduced as a student in the department of economics at Tokai University, and the attached file appeared to be a member list of a regional design society.



The translation is as follows.

Title :
About the member list of the regional design society

Body :
This is *** of Tokai University.
I'm sending the member list of the regional design society.
This month, I was told that accepting new members isn't necessary.
Professor *** shared how to share the list of members.
Since the way to share it hasn't been set, I will let you know when he comes back from his business trip.
I'm really sorry to say that I have some business trips scheduled in March, so I can't check my mailbox.
Therefore I am giving you our list.
Attachment :
Regional design society members' list.xls

When a user whose MS Office is vulnerable opens the malicious attachment, 地域デザイン学会の名簿.xls, the following Flash-like image can be shown.



At the same time, the malicious file accesses a certain web site, then downloads and executes syoukai.mp4, which carries the CVE-2012-0754 exploit. Then the malicious file Bladex_reg.exe is created in the Temp folder and executed.


After that, plugin_containor.exe is created with the hidden attribute and executed.


Path : C:\Documents and Settings\(User name)\Application Data\Microsoft

Name : plugin_containor.exe



plugin_containor.exe keeps trying to connect to a certain C&C site and waits for further commands from the attacker. Once exposed to this malicious file, the user's private information can be leaked through the backdoor and remote control.
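Both this post and the Tibetan Uprising Day post above give the exact paths of the dropped files, which is enough for a simple host-side check. The following added example (not INCA Internet's code; the file listing is constructed, and the allow-list of legitimate svchost.exe locations is an assumption for Windows XP/2003) matches a directory listing against those indicators and also applies the generic rules behind them: a svchost.exe outside its system directory is a masquerade, and a hidden executable inside a user profile is how both implants are described. The post gives Bladex_reg.exe's location only as "the Temp folder", so the user's Temp directory is assumed.

```python
"""Host-side check for the dropped files named in the Tibet (March 7) and
Geographical Survey Institute (March 6) posts. Added example, not INCA
Internet's code; the listing is constructed and the allow-list of legitimate
svchost.exe directories is an assumption for Windows XP/2003."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str             # full path as reported by the file system
    hidden: bool = False  # hidden attribute set


USER = r"[^\\]+"  # any profile name under Documents and Settings
PROFILE = r"c:\\documents and settings\\" + USER

# Path indicators quoted in the two posts (regex over lower-cased paths).
INDICATORS = [
    (PROFILE + r"\\local settings\\temp\\svchost\.exe", "Tibet APT dropper: svchost.exe in Temp"),
    (r"c:\\windows\\linkinfo\.dll", "Tibet APT payload: linkinfo.dll planted in C:\\WINDOWS"),
    # The post says only "Temp folder"; the user's Temp directory is assumed.
    (PROFILE + r"\\local settings\\temp\\bladex_reg\.exe", "CVE-2012-0754 stage one: Bladex_reg.exe"),
    (PROFILE + r"\\application data\\microsoft\\plugin_containor\.exe", "CVE-2012-0754 backdoor: plugin_containor.exe"),
]
INDICATOR_RES = [(re.compile("^" + pattern + "$"), why) for pattern, why in INDICATORS]

# Generic rule behind the first indicator: the real svchost.exe lives only in a
# few system directories (assumed list); a copy anywhere else is a masquerade.
SVCHOST_ALLOWED_DIRS = {
    "c:\\windows\\system32",
    "c:\\windows\\system32\\dllcache",
    "c:\\windows\\servicepackfiles\\i386",
}


def normalize(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_entry(entry: FileEntry) -> list:
    """Return every reason a single file entry is suspicious (empty if clean)."""
    path = normalize(entry.path)
    reasons = [why for rx, why in INDICATOR_RES if rx.match(path)]
    directory, _, filename = path.rpartition("\\")
    if filename == "svchost.exe" and directory not in SVCHOST_ALLOWED_DIRS:
        reasons.append("svchost.exe outside its system directory")
    # Both posts describe the implant as a hidden executable in the user profile.
    if entry.hidden and filename.endswith(".exe") and path.startswith("c:\\documents and settings\\"):
        reasons.append("hidden executable in user profile")
    return reasons


def scan_listing(entries) -> dict:
    """Map each suspicious path to its reasons; clean files are omitted."""
    findings = {}
    for entry in entries:
        reasons = check_entry(entry)
        if reasons:
            findings[entry.path] = reasons
    return findings


# Constructed listing: two implanted profiles plus legitimate system files.
SAMPLE_LISTING = [
    FileEntry("C:\\WINDOWS\\system32\\svchost.exe"),
    FileEntry("C:\\WINDOWS\\system32\\linkinfo.dll"),
    FileEntry("C:\\Documents and Settings\\alice\\Local Settings\\Temp\\svchost.exe", hidden=True),
    FileEntry("C:\\WINDOWS\\linkinfo.dll"),
    FileEntry("C:\\Documents and Settings\\bob\\Application Data\\Microsoft\\plugin_containor.exe", hidden=True),
    FileEntry("C:\\Documents and Settings\\bob\\Application Data\\Microsoft\\Word\\normal.dot"),
    FileEntry("C:\\Documents and Settings\\bob\\Local Settings\\Temp\\~DF1234.tmp", hidden=True),
]

if __name__ == "__main__":
    for path, reasons in scan_listing(SAMPLE_LISTING).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The linkinfo.dll indicator deliberately matches only the exact path in C:\WINDOWS: that is explorer.exe's own directory, which comes before System32 in the DLL search order, so a copy there is loaded in place of the legitimate one in System32, while the System32 copy itself is expected on every machine.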


3. How to prevent

This malicious file is a type of APT (Advanced Persistent Threat).

This security hole can be closed by installing the latest Adobe Flash Player.
http://get.adobe.com/kr/flashplayer/

To use your PC safely from the security threats of these malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.