
3/07/2012

[Caution] APT attack about 53rd anniversary of Tibetan Uprising day on March 10

1. Introduction

The INCA Internet Emergency Response Team has detected malicious files themed around Tibetan Uprising Day, March 10, being distributed. After the invasion by China, more than 1.2 million people died and more than 6,000 temples were ruined.
The 1959 Tibetan uprising, or 1959 Tibetan Rebellion began on 10 March 1959, when a revolt erupted in Lhasa, the capital of Tibet, which had been under the effective control of the Communist Party of China since the Seventeen Point Agreement in 1951. The anniversary of the uprising is observed by some Tibetan exiles as the Tibetan Uprising Day.



With the variety of security threats these days, users need to be careful when using the internet.
In particular, APT (Advanced Persistent Threat) attacks related to Tibet are likely to surge during this period.

Tibetan Uprising Day (Wikipedia)

2. Spreading path and symptoms of infection

* Case #1

The e-mail is disguised as content about the 53rd Tibetan Uprising Day and a March 10 announcement, and includes an encrypted PGP (Pretty Good Privacy) message.

Notably, the sender's e-mail domain is @Tibet.net, which suggests that the sender's mail address may have been hijacked as part of the APT.
Mail sent from a trustworthy domain raises the likelihood of additional malicious attacks.

Title :
March 10th Statement

Body :
(~~~~)


Please find here attache with the Statement of Kalon Tripa Dr. Lobsang Sangay on the 53rd Anniversary of the Tibetan National Uprising Day.


With Tashi Delek


(~~~~)

Attachment (Malicious file) :
March 10th Statement.doc

 

Opening "March 10th Statement.doc", attached to the e-mail, installs and runs additional malicious files (svchost.exe, linkinfo.dll) by exploiting a security hole.

This doc file exploits the MS10-087 (CVE-2010-3333) vulnerability. We also found tools in China that can create malicious files using that exploit.

The Word document shows no content.

 

A recipient would usually assume that the sender made a mistake. Meanwhile, opening the doc file has already infected the PC, and the following files are created:

- C:\Documents and Settings\(login account)\Local Settings\Temp\svchost.exe (hidden properties)

- C:\WINDOWS\linkinfo.dll

 

This kind of malicious file can try to leak personal information from the infected PC, or connect to a certain host and make the infected PC operate as a "backdoor".
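
The two file locations listed above can be turned into a simple triage check over a file listing. The following Python is an added example, not code from INCA Internet; the function names, the C: system drive, the trusted-directory list and the sample paths are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# File names the post reports as dropped. Both are also names of genuine
# Windows files, so the location is what gives the dropped copies away.
WATCHED = {"svchost.exe", "linkinfo.dll"}
# Assumption: default directories that hold the genuine copies.
TRUSTED = {r"c:\windows\system32", r"c:\windows\syswow64"}

def review_path(raw):
    """Return 'reported-location', 'unexpected-location' or None for one path."""
    p = PureWindowsPath(raw.strip().strip('"'))
    name = p.name.lower()
    if name not in WATCHED:
        return None
    parent = str(p.parent).lower()
    if parent in TRUSTED:
        return None
    parts = [part.lower() for part in p.parts]
    # svchost.exe in a user's Temp folder, for any login account name.
    in_user_temp = (
        len(parts) == 6
        and parts[1] == "documents and settings"
        and parts[3:5] == ["local settings", "temp"]
    )
    if name == "svchost.exe" and in_user_temp:
        return "reported-location"
    # linkinfo.dll directly in the Windows directory instead of system32.
    if name == "linkinfo.dll" and parent == r"c:\windows":
        return "reported-location"
    # Generalisation beyond the post: a watched name in any other directory.
    return "unexpected-location"

def scan(paths):
    """Return (path, verdict) pairs for every path that needs a look."""
    return [(p, v) for p in paths if (v := review_path(p))]

# Constructed sample listing (not taken from a real host).
SAMPLE = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\svchost.exe",
    r"c:\windows\LINKINFO.DLL",
    r"D:\tools\svchost.exe",
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE):
        print(verdict, path)
```

A hit only says the file sits where the post saw the dropped copies or outside the trusted directories; confirm with the file's signature and an anti-virus scan before acting on it.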

* Case #2

We found another malicious e-mail that includes a malicious doc file and a poster about the 53rd Tibetan National Uprising Day, March 10th 2012.

 

When the file is executed, the following poster is displayed and malicious files are installed.



Malicious files like these are spreading indiscriminately. To stay safe from various security threats, keeping security updates current is the most important step, and users also need to be alert to zero-day attacks.

3. How to prevent

This malicious file is a type of APT (Advanced Persistent Threat) that tries to deceive users with false information.

This security hole is closed by the latest MS Office security update.
http://update.microsoft.com/microsoftupdate/v6/default.aspx


To use your PC safely against the threat of such malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.
