
4/16/2012

[Caution] Spreading malicious file with modulated Zeus bot Unicode

1. Information


The INCA Internet response team has detected that malicious files known as Zeus Bot (Zbot) are spreading as a wire transfer cancellation e-mail. Zeus and SpyEye, which target online banking users, have been found frequently and are categorized as one of the major cyber threats. In particular, this malicious file uses a manipulated Unicode extension trick to make users believe it is a normal PDF file. Therefore, users need to be careful when handling such files.



- Spreading ZeuS and SpyEye, which target online banking users
- Disguising EXE files as document files (PDF, DOC, TXT, XLS)
- Using the classic technique of attaching the file to an e-mail and inducing the user to click it

[Caution] Detected malicious files disguised as online hotel reservation
http://en-erteam.nprotect.com/2012/04/caution-detected-maliciuos-files.html

2. Spreading cases

This malicious file is sent to unspecified users as a cancellation notice for a wire transfer.


Its subject and body consist of a wire transfer cancellation notice and induce the recipient to download the attachment (Report.zip).

The older WinZip v8.1 cannot extract this file.


WinZip v16.0 can extract it; however, the file that appears to be a PDF shows its Type as an executable program.


So, if the user has selected 'Do not show hidden files and folders' under Hidden files and folders in Folder Options, the executable file's extension will be hidden.



Report.zip actually contains an .exe file. To hide its extension, it uses the Unicode character 'RIGHT-TO-LEFT OVERRIDE' (U+202E).

http://viruslab.tistory.com/2249
http://www.fileformat.info/info/unicode/char/202E/index.htm
http://nedbatchelder.com/blog/200504/phishing_fun_with_unicode.html
http://dl.packetstormsecurity.net/papers/general/righttoleften-override.pdf


Here is the detail of its hex code in UTF-8 (E2 80 AE).


This technique has also been used for APT attacks involving various issues. In that case, the file name was 'NKorea demands its own probe into ship sinking.RAR', and after extraction a .DOC file appeared (in fact, this file was a malicious .SCR).

This malicious file, disguised by Unicode manipulation, is actually an .exe, and PDF is misspelled as FDP (the reversed order) in its name.
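The following added example (not part of the original post) shows how a defender can check archive entry names for the U+202E trick described above: it reports the bidi control characters found, their UTF-8 bytes (E2 80 AE for U+202E), the name as a naive UI would display it, and the real extension. The archive contents and the entry name "Report\u202efdp.exe" are constructed to mimic the Report.zip sample.

```python
import io
import os
import unicodedata
import zipfile

# Unicode bidirectional controls that can reorder displayed text.
# U+202E RIGHT-TO-LEFT OVERRIDE is the one used by the Report.zip sample.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",              # LRI, RLI, FSI, PDI
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def rendered_name(name: str) -> str:
    """Approximate what a user sees: everything after the first U+202E is
    drawn right-to-left, i.e. reversed. Other controls are invisible."""
    idx = name.find("\u202e")
    if idx == -1:
        return "".join(c for c in name if c not in BIDI_CONTROLS)
    head = "".join(c for c in name[:idx] if c not in BIDI_CONTROLS)
    tail = "".join(c for c in name[idx + 1:] if c not in BIDI_CONTROLS)
    return head + tail[::-1]


def inspect_name(name: str) -> dict:
    """Flag a file name whose displayed extension differs from its real one."""
    controls = [(i, "U+%04X" % ord(c), unicodedata.name(c), c.encode("utf-8").hex())
                for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real = "".join(c for c in name if c not in BIDI_CONTROLS)
    true_ext = os.path.splitext(real)[1].lower()
    return {
        "name": name,
        "controls": controls,
        "displayed": rendered_name(name),
        "true_extension": true_ext,
        "suspicious": bool(controls) and true_ext in EXECUTABLE_EXTS,
    }


def scan_zip(data: bytes) -> list:
    """Inspect every entry name in an archive held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [inspect_name(info.filename) for info in zf.infolist()]


def build_sample_zip() -> bytes:
    """Constructed archive (not the real Report.zip) with one RLO-disguised entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report\u202efdp.exe", b"MZ placeholder")  # shows as Reportexe.pdf
        zf.writestr("notes.txt", b"harmless text")
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` marks the first entry as suspicious because its displayed name ends in .pdf while the real extension is .exe.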


Besides this case, various other disguised cases have been found.

3. Summary

The technique of changing the apparent extension from EXE, SCR, or COM to TXT, PDF, DOC, XLS, or HWP has been found repeatedly in recent years.
This technique can also be used for APT attacks. Besides, executable files included in e-mail must be treated as suspicious to avoid infection by malicious files. To use your PC safely against the security threats of these malicious attachments, we recommend downloading the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep the real-time detection function "ON".
3. Do not open or download attachments from suspicious e-mail.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
