
4/30/2012

[Information] Continuous threats of Android malicious files


1. Information

This year, both the quality and the quantity of Android malicious applications have risen sharply.
Until now, device information, SMS and GPS data were collected separately; now that collected information is being combined. Even an application made for a general purpose can be categorized as a "malicious application" if it contains suspicious code with even a small possibility of causing harm.



The number of "malicious applications" keeps growing in Android communities.
Moreover, merely collecting personal information and leaking it is enough for an app to be categorized as malicious.

The INCA Internet response team is extending its monitoring range to respond to various kinds of security threats.

2. Update status of nProtect Mobile for Android 

The following figures show the number of update samples for 1Q 2012.

Status on Jan


Status on Feb


Status on Mar


From this statistical table we can see how many malicious applications there are.
The spread of Android malicious files is no longer news, and we need to be careful when downloading APK files.

3. Summary

Recently, various kinds of malicious applications are emerging, including APKs that contain no run icon. This is the key difference from previous malicious applications. They also exploit various vulnerabilities and work as bots.

[Issue] Zombie phone on calling for Korean user? 

[Information] Android applications without run icon 

To use a smartphone safely from the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
2. Always download applications that have been proven by many users.
3. Check a downloaded application with mobile anti-virus software before using it.
4. Do not visit suspicious or unknown sites from your smartphone.
5. Try not to open MMS, text messages or e-mails from unknown senders.
6. Always set a strong password on your smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of mobile malicious files such as the one described above through “nProtect Mobile for Android” and runs a response system against various security threats.

[Caution] Malicious files disguised as sent from logistics service companies


1. Introduction


The INCA Internet response team found a malicious file disguised as having been sent from UPS (United Parcel Service).
The e-mail is disguised as an invoice, but it actually delivers two malicious files.
Users need to be careful about malicious attachments spreading by e-mail and similar security threats.



2. Spreading cases

[Caution] Spreading malicious file with modulated Zeus bot Unicode

[Caution] Detected malicious files disguised as online hotel reservation

Attackers craft the message carefully to induce users.
The sender, the e-mail title, the attachment name and the body are all made to look genuine.


The attached "UPS-Delivery-Confirmation-Alert_April-2012_T2AD5RZR98.zip" contains the malicious files.


It contains two Zbot (Zeus) Trojans. Once infected, various kinds of damage can occur, including leaking of personal information or infection by additional malicious files.

3. Summary

Users need to be careful when checking their mailboxes. In particular, attached executable files (EXE, SCR, COM) and document files (DOC, TXT, PDF, HWP, XLS, PPT) have a high chance of being malicious. To use a PC safely from the security threats of these malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.

4/25/2012

[Issue] Several APT attacks on Taipei at short time intervals


1. Information


The INCA Internet response team detected an APT attack on 行政院衛生署 (the Department of Health of the Republic of China). The Department of Health of the Republic of China (Traditional Chinese: 衛生署, Pinyin: Wèishēng Shǔ) is an executive agency of the Executive Yuan responsible for administering the public health system, affordable and universal health care, hospitals, pharmaceuticals, immunization programs, disease prevention, and the supervision and coordination of local health agencies in Taiwan.
Since this kind of attack, repeated at very short intervals, is unusual, we want to share the details. Once a target becomes aware of the attacker's plan, the attacker keeps attacking persistently, much like stalking.

[Warning] APT malicious files for Geographical Survey Institute of Ministry of Land, Infrastructure, Transport and Tourism
http://en-erteam.nprotect.com/2012/03/warning-apt-malicious-file-for.html

[Caution] APT attack about 53rd anniversary of Tibetan Uprising day on March 10
http://en-erteam.nprotect.com/2012/03/caution-apt-attack-about-53rd.html

A CVE-2012-0158 (MS12-027) exploit was also used in an APT attack on a Korean company.

2. Real cases

This case is based on the INCA Internet response team's monitoring and tracing system and on data collected overseas. It also shows unopened e-mails that got past spam filtering.

a. E-mail on April 13, 2012 17:20

It is disguised as military secrets concerning a former governor from the Democratic Progressive Party in the Republic of China (Taiwan).


"蘇貞昌涉軍黑資料.doc" contains a CVE-2010-3333 (MS10-087) exploit. This is addressed by the latest Office security update.

The INCA Internet response team rated this APT attack as level 2.

APT (Advanced Persistent Threat) levels

At any level, the content can be delivered through a URL link in the e-mail body as well as through an attachment, and both multiple languages and a C&C server may be used.

- Level 01 (Basic):
Social engineering, simple spam and phishing, with malicious files based on executable extensions (EXE/SCR/COM).

- Level 02 (Intermediate):
Various document files (HWP, PDF, DOC, XLS, PPT) with disguised contents, inducing the user to click a malicious link.

- Level 03 (Advanced):
Zero-day attacks and highly sophisticated techniques for bypassing anti-virus software, via USB, XSS and so on.

Each level is a kind of technical classification. Starting from these levels, an attacker can move on to a more advanced attack. When the sender's mail address is in the same domain as the receiver's, the chance of a successful attack is higher; that is why attackers try to collect information about their victims.

b. E-mail on April 18, 2012 11:21

This second e-mail has different contents and a different attachment. The attacker switched from a 2010 exploit to a 2012 one.


This e-mail is disguised as a children's education subsidy notice. "子女教育補助費101新版.doc" uses a CVE-2012-0158 (MS12-027) exploit, which is popular in APT attacks these days.

c. E-mail on April 23, 2012 10:46

This e-mail is disguised as sent from 中華郵政 股份有限公司 (the official postal service of the Republic of China (ROC)). It mentions WebATM, e-mail and E-Bill.


"Email線上電子對帳單.doc" also uses a variant of the CVE-2012-0158 (MS12-027) exploit.

d. E-mail on April 23, 2012 11:08

It seems the attacker kept attacking after the earlier failures.


The e-mail title is "Project progress report". "表1b_306.doc" also uses a CVE-2012-0158 (MS12-027) exploit. We can assume that the attacker has a tool for generating malicious documents with CVE-2012-0158 (MS12-027).

e. E-mail on April 23, 2012 11:47

This e-mail is disguised as sent from CAAPS (Chinese American Academic and Professional Society) and contains a DOC and a PDF file. "Final CAAAPS_CAll_for_paper_news_release.pdf" is a normal PDF document; "instruction of abstract format.doc" contains a CVE-2012-0158 (MS12-027) exploit.


f. E-mail on April 23, 2012 12:40

This e-mail is disguised as an alumni-related message sent from another part of the Taiwan government (trts.dorts.gov.tw). "活動安排及部份同學通訊錄.doc" contains a CVE-2012-0158 (MS12-027) exploit.


g. E-mail on April 23, 2012 12:45

This e-mail is disguised as a charity concert notice. "崇她存摺.doc" contains a CVE-2012-0158 (MS12-027) exploit.


h. E-mail on April 25, 2012 09:24

This e-mail is disguised as a mail delivery failure notice.


3. Summary

Various APT attacks are being seen these days. In particular, the CVE-2010-3333 (MS10-087) and CVE-2012-0158 (MS12-027) exploits are popular. These vulnerabilities are addressed by the latest MS Office security update.
Therefore, users need to keep their security updates current to avoid infection by malicious files. To use a PC safely from the security threats of these malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.

[Information] Android applications without run icon


1. Introduction


Generally, to run an app we tap its shortcut icon; however, some malicious apps do not include a run icon.
In that case the user cannot tell when the app is running. Hiding the run icon is booming among malicious app creators, so after installing an application we have to check whether it has a run icon.
Although the application described here was not originally created for a malicious purpose, it has no run icon.

[Issue] Zombie phone on calling for Korean user? 
http://en-erteam.nprotect.com/2012/04/issue-zombie-phone-on-calling-for.html

2. Spreading cases and symptom of infection

This malicious application's APK file spreads via file-sharing sites and web pages.
The malicious application and its manual can be downloaded from the creator's web page.


Install

This malicious application requests the following permissions.


Permissions

- android:name="android.permission.GET_TASKS"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.INTERNET"
- android:name="android.permission.CALL_PHONE"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.WRITE_CONTACTS"
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.ACCESS_FINE_LOCATION"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.READ_PHONE_STATE"
- android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"
- android:name="android.permission.MODIFY_PHONE_STATE"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.DISABLE_KEYGUARD"
- android:name="android.permission.VIBRATE"
- android:name="android.permission.MODIFY_AUDIO_SETTINGS"

After installation it does not create a run icon, so the user can only find it under "settings" -> "application" -> "management".




Malicious function analysis

Malicious functions

- Monitor SMS
- Collect GPS information
- Collect call history
- Collect internet usage information
- Collect information(IMEI, Android OS SDK)
- Collect account information(ID/PW)
- Try to send information to external server
- Other symptoms(battery drains)

To perform its malicious functions, the user has to sign in on a certain web site. The mobile site is as follows.


Creating an account is easy.

This malicious application is activated on the client by registering several broadcast receivers. When a "phone calling event" is detected, it checks whether a certain number (#123456*) was dialed. When that condition is met, that is, when #123456* is called, the malicious application is activated and creates a DB file (SPYOO.db).


At the same time, this malicious application shows a settings page.


Once the blanks are filled in and "Login" is clicked, this malicious application starts its internal malicious services. Through these services, all leaked information is redirected to the creator's web page. The following figure shows process information while the malicious service is running.


This malicious application can also be customized in its Setting menu. The following elements can be modified.


As you can see in "Setting", various settings can be changed.


For GPS, detailed settings can be modified. Clicking "Exit" after modifying the settings makes the receiver and service run in the background. Once the process of this malicious application is activated, it collects SMS, GPS, call history, internet usage, IMEI and SDK version.


The following image shows the DB status.

 

The collected information is recorded in the DB and leaked to an external site with the following code.


The following figure is the debugging screen during the leak.


The collected information can be found on the creator's home page.


Not only GPS information but also SMS, call history and internet usage information can be searched there; however, SMS, call history and internet usage are shown only after payment.

The main effects of this malicious application are the collection and leaking of information and battery drain. It uses a WakeLock to keep running in the background; to avoid battery drain, a WakeLock obtained with acquire() must be released again with release().

3. How to prevent

These three points, "only simple information is needed to create an account", "authentication takes only a short time" and "no run icon", are the signs of a malicious file. To use a smartphone safely from the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
2. Always download applications that have been proven by many users.
3. Check a downloaded application with mobile anti-virus software before using it.
4. Do not visit suspicious or unknown sites from your smartphone.
5. Try not to open MMS, text messages or e-mails from unknown senders.
6. Always set a strong password on your smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of mobile malicious files such as the one described above through “nProtect Mobile for Android” and runs a response system against various security threats.

4/18/2012

[Issue] Zombie phone on calling for Korean user?


1. Introduction


The INCA Internet response team is announcing a report on a malicious file that contains bot functions.
No damage case of this kind of Android malicious file has been reported so far; however, this malicious file can turn the phone into a zombie phone capable of data breach and remote control.
In particular, this malicious file checks for Korean APNs (Access Point Names), so its infection range could spread to Korea.


- Checks for Korean APNs
- A zombie phone can breach your data
- DDoS attacks, spreading malicious spam, recording voice calls

[Caution] Real case of spreading Android malicious file
http://en-erteam.nprotect.com/2012/04/caution-real-case-of-spreading-android.html

[Information] Automatic detection and analysis system of malicious Android application 
http://en-erteam.nprotect.com/2011/12/information-automatic-detection-and.html

2. Spreading cases and symptom of infection

Android malicious applications spread via 3rd-party markets, various black markets and even the official Google market. The open platform is a merit of Android; however, various security threats can also menace it. This malicious application came from an unofficial Chinese Android market.



Install phase

This malicious application requests various permissions, as follows.



Permissions

- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.MODIFY_PHONE_STATE"
- android:name="android.permission.CALL_PHONE"
- android:name="android.permission.PROCESS_OUTGOING_CALLS"
- android:name="android.permission.RECORD_AUDIO"
- android:name="android.permission.CAMERA"
- android:name="android.permission.MODIFY_AUDIO_SETTINGS"
- android:name="android.permission.READ_CONTACTS"
- android:name="android.permission.WRITE_CONTACTS"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.SEND_SMS"
- android:name="android.permission.RECEIVE_SMS"
- android:name="android.permission.READ_SMS"
- android:name="android.permission.WRITE_SMS"
- android:name="android.permission.INTERNET"
- android:name="android.permission.ACCESS_COARSE_LOCATION"
- android:name="android.permission.ACCESS_FINE_LOCATION"
- android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS"
- android:name="android.permission.ACCESS_MOCK_LOCATION"
- android:name="android.permission.UPDATE_DEVICE_STATS"
- android:name="android.permission.WAKE_LOCK"
- android:name="android.permission.DEVICE_POWER"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="android.permission.DISABLE_KEYGUARD"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.READ_LOGS"
- android:name="android.permission.KILL_BACKGROUND_PROCESSES"
- android:name="android.permission.RESTART_PACKAGES"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.WRITE_APN_SETTINGS"
- android:name="android.permission.BLUETOOTH"

This malicious application uses the same main icon as Google's. It has no executing icon, however;

we can find it under "Settings" -> "app" -> "manage".
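Both this post and the "Android applications without run icon" post above rely on the same two observations: the app declares no launcher activity, and it requests a combination of permissions that covers SMS, calls, location, boot persistence and network access. As an added example (not code from INCA Internet or from either application), the Python script below applies those checks to a constructed AndroidManifest.xml modelled on the permission lists on this page; the risk groupings and the "suspicious" threshold are assumptions of the example, not an nProtect detection rule.

```python
import xml.etree.ElementTree as ET

# ElementTree expands the android: prefix to this namespace in attribute keys.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Groupings used by this example (an assumption, not INCA's classification):
# each group is one capability that the spyware samples on this page use.
RISK_GROUPS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "call_control": {"android.permission.PROCESS_OUTGOING_CALLS", "android.permission.CALL_PHONE"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "network_exfil": {"android.permission.INTERNET"},
    "apn_tamper": {"android.permission.WRITE_APN_SETTINGS"},
}

# Receivers for these actions start the app without the user ever launching it.
BACKGROUND_ACTIONS = ("android.intent.action.BOOT_COMPLETED", "android.provider.Telephony.SMS_RECEIVED")

# Constructed manifest modelled on the permission list in this post (not the real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <application android:label="Google Services">
    <!-- a service and receivers, but no activity with MAIN + LAUNCHER: no run icon -->
    <service android:name=".BotService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def has_launcher_activity(root):
    """True if some <activity>/<activity-alias> carries MAIN + LAUNCHER, i.e. the app gets a run icon."""
    for act in root.iter():
        if act.tag not in ("activity", "activity-alias"):
            continue
        for filt in act.findall("intent-filter"):
            actions = {a.get(NAME) for a in filt.findall("action")}
            cats = {c.get(NAME) for c in filt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                return True
    return False


def triage_manifest(manifest_xml):
    """Return the launcher check, the risk groups hit (with matching permissions) and background triggers."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.findall("uses-permission")}
    hits = {group: sorted(requested & perms) for group, perms in RISK_GROUPS.items() if requested & perms}
    triggers = sorted(a.get(NAME) for a in root.iter("action") if a.get(NAME) in BACKGROUND_ACTIONS)
    has_icon = has_launcher_activity(root)
    return {
        "package": root.get("package"),
        "has_run_icon": has_icon,
        "risk_groups": hits,
        "background_triggers": triggers,
        # Threshold is an assumption: hidden from the launcher plus three or more capability groups.
        "suspicious": (not has_icon) and len(hits) >= 3,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"], "| run icon:", report["has_run_icon"])
    for group, perms in report["risk_groups"].items():
        print("  %-17s %s" % (group, ", ".join(perms)))
    print("background triggers:", report["background_triggers"])
    print("suspicious:", report["suspicious"])
```

On a real device the same two checks can be made by hand: an app that shows up under the application manager but has no launcher entry deserves a look at its permission list.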

 



Analysis of malicious function

This malicious application has no run icon and only runs in the background.

Malicious functions


- Performs as a bot
- Monitors SMS
- Collects information (IMEI, IMSI, GPS)
- Sends SMS to the attacker (premium service)
- Records voice calls
- Captures the screen
- Checks the APN (Access Point Name)
- Tries to kill a certain package
- Tries to reboot on condition

- Performs as a bot and monitors SMS

The bot function is triggered on a certain condition (a string).


When a certain SMS is received, the code checks the condition and performs the malicious function.

- Collects information

This malicious file collects the IMEI, IMSI and GPS with the following code.


The collected information is then sent to a certain site after XML parsing.

- Sends SMS to the attacker

This malicious application sends SMS containing the collected information and the run status of the code.


With the code above, it deletes its own sent-message history, so the user cannot notice that anything was sent.

- Records voice calls

After infection, this malicious application checks the voice call status with a listener and, on a certain condition, records the voice call as a .amr file.


- Captures the screen

This malicious application registers a malicious service and tries to capture the screen as a .jpg.


- Checks the APN (Access Point Name)

This malicious application checks the APN and related settings with the following code.

APN (Access Point Name)

- An Access Point Name (APN) is a configurable network identifier used by a mobile device when connecting to a GSM carrier. The carrier examines this identifier to determine what type of network connection should be created, for example which IP addresses should be assigned to the wireless device, which security methods should be used, and how, or whether, it should be connected to a private customer network.


The parsed XML contains various APNs, including Korean APNs (web.sktelecom.com, ktfwing.com).

APN addresses in this app

[China]
- http://mmsc.monternet.com
- http://mmsc.myuni.com
- http://www.wo.com.cn
- http://mmsc.vnet.mobi
- http://mms.emome.net

[Taiwan]
- http://mms.catch.net.tw
- http://mms.kgtmms.net.tw/mms/wapenc

[Hong Kong]
- http://mms.peoples.com.hk
- http://mobile.three.com.hk
- http://3gmms.pccwmobile.com
- http://mms.smartone-vodafone.com

[Korea]
- http://always.ktfwing.com
- http://mmsc.ktfwing.com
- web.sktelecom.com
- smart.nate.com
- http://omms.nate.com


- Tries to kill a certain package

This malicious application can kill a certain application with the following code.


However, this API works only on SDK 2.1 or lower.

- Tries to reboot on condition

To work completely, this malicious application needs the phone to be rebooted. "android.permission.REBOOT" works only on a rooted phone.


3. How to prevent

This malicious application was tested on Android phones in Korea, but it did not perform all of its malicious functions.

Test environment

- GalaxyS (Gingerbread or higher)
- GalaxyS2 (Gingerbread or higher)
- Nexus one (Gingerbread or higher)

To use a smartphone safely from the security threats of these malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
2. Always download applications that have been proven by many users.
3. Check a downloaded application with mobile anti-virus software before using it.
4. Do not visit suspicious or unknown sites from your smartphone.
5. Try not to open MMS, text messages or e-mails from unknown senders.
6. Always set a strong password on your smartphone.
7. Turn on wireless interfaces such as Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment of mobile malicious files such as the one described above through "nProtect Mobile for Android" and runs a response system against various security threats.

4/17/2012

[Caution] APT detected using the Seoul Nuclear Security Summit Communique


1. Information


The INCA Internet response team detected four malicious files about the 2012 Nuclear Security Summit held in Seoul, South Korea, on March 26 and 27, 2012. Their spread across three or more countries suggests an APT aimed at multiple countries.
In particular, since the original document is published on the UN's official web site, a malicious file built on this document can work as an aggressive lure.



Samuel J. Locklear, the United States Navy four-star admiral who currently serves as Commander, U.S. Pacific Command, said on April 14 at the Korea-U.S. CFC that the U.S. will respond strongly if North Korea attempts a 3rd nuclear test.
Rumor has it that a 3rd North Korean nuclear test is quite likely after the failure of Kwangmyongsong-3.

- Whether North Korea will proceed with a 3rd nuclear test
- Precision strikes on bases if North Korea attempts a nuclear test
- Launch of Kwangmyongsong-3, unreasonable tactics
- The United Nations Security Council will strongly pressure North Korea
- APT (advanced persistent threat) using a PDF exploit

Malicious files can be spread through social engineering, especially in APTs aimed at multiple countries.


[Caution] Malicious file about Agni-V is an intercontinental ballistic missile from India 
http://en-erteam.nprotect.com/2012/04/caution-malicious-file-about-agni-v-is.html

[Caution] Malicious file about North Korea's nuclear test 
http://en-erteam.nprotect.com/2012/04/caution-malicious-file-about-north.html

2. Details

The original file, Seoul_Communique.pdf, is on the UN's official web site; however, the malicious file is named Seoul Communique_FINAL.pdf and was found in Canada, France, Belgium and India.


Original file: http://www.un.org/disarmament/content/spotlight/docs/Seoul_Communique.pdf (about 70KB)
The malicious file's size is 258KB.


When the malicious file is executed, it creates Adobe.pdf, a normal file, in the Temp folder.


If the user's PDF reader is vulnerable to the exploit, it creates the malicious "wininit32.exe" and "wininit.dll" (with the hidden attribute) in the following folder.

C:\Documents and Settings\[User account]\Local Settings\Application Data\Microsoft


The malicious wininit.dll runs injected into the normal explorer.exe and tries to connect to a certain host in China.



Various kinds of damage, including remote control, are expected.

3. Summary

An advanced persistent threat aimed at multiple countries can be a sensitive issue for each country involved. China is one of the best-known sources of malicious files, but various countries can be attacked. To use a PC safely from the security threats of these malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep the real-time detection function on.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) runs a response system against various security threats.