
6/05/2012

[Warning] Malicious personal message from fake LinkedIn friend


1. Information

The INCA Internet response team has detected a malicious e-mail disguised as a personal message from LinkedIn, a social networking service (SNS). LinkedIn is a professional social networking website. Founded in December 2002 and launched in May 2003, it is used mainly for professional networking. As of 9 February 2012, LinkedIn reports more than 150 million registered users in more than 200 countries and territories. Malicious e-mails posing as mail from LinkedIn have been found several times before, carrying Viagra advertisements.



This malicious file installs additional malicious files using various security exploits, including Adobe Reader (PDF) and Java (JAR) exploits.
 
2. Spreading cases and symptom of infection


Various malicious e-mails have abused SNS: ▶ Notices from Twitter or Facebook ▶ Malicious files attached to notices about changing personal information ▶ Disguised friend requests.


The most recently found case is disguised as a message sent by a LinkedIn classmate. Of course, it contains malicious links.


These links lead to a certain Bulgarian web site. When the user clicks the URL to addon.html, malicious script code is executed.

If the malicious web site is accessed, the following figure is shown. It looks like a classmate invitation; however, the malicious script code runs behind it.


"addon.html" contains both LinkedIn-related words and certain scripts.


After the script runs, it redirects to another site and executes "main.php".

- hxxp://h(~)lub.net/main.php?page=d72ac4be16dd8476

"main.php" executes "ap2.php" and "Edu.jar", running Adobe Reader exploit code and Java applet exploit code (CVE-2012-0507).

- hxxp://h(~)lub.net/data/ap2.php : a9513.pdf (file name consists of one letter followed by four random digits)
- hxxp://h(~)lub.net/Edu.jar

Once the exploit code executes, it downloads an additional malicious executable file and places a copy of itself in the Application Data folder.


After infection, it can connect to a certain host, and the PC can be damaged by additional commands from the attacker.
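The infection chain above (addon.html landing page, main.php redirector with a 16-hex-character page id, data/ap2.php serving a one-letter-plus-four-digit PDF, Edu.jar) has a recognisable shape in web proxy logs. The following detection script is an added example written for this article, not code from INCA Internet. It matches only on path structure and parameter shape, because the page gives the host name truncated; the log format, the host name exploit-host.example and the client addresses in the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Stage patterns taken from the chain the advisory describes. The host name is
# deliberately not matched: the page only gives it truncated (h(~)lub.net), and
# matching on path structure also catches the same kit hosted elsewhere.
STAGE_PATTERNS = {
    "landing":  re.compile(r"/addon\.html$", re.I),    # LinkedIn-themed page carrying script
    "redirect": re.compile(r"/main\.php$", re.I),      # only counts with page=<16 hex chars>
    "pdf":      re.compile(r"/data/ap2\.php$", re.I),  # serves the Adobe Reader exploit PDF
    "jar":      re.compile(r"/Edu\.jar$", re.I),       # Java applet exploit (CVE-2012-0507)
}
PAGE_ID_RE = re.compile(r"^[0-9a-f]{16}$", re.I)       # e.g. d72ac4be16dd8476
PDF_NAME_RE = re.compile(r"^[A-Za-z][0-9]{4}\.pdf$")    # e.g. a9513.pdf


def classify_url(url):
    """Return the kit stage a URL belongs to, or None for unrelated traffic."""
    parts = urlparse(url)
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(parts.path):
            if stage == "redirect":
                page_id = parse_qs(parts.query).get("page", [""])[0]
                return "redirect" if PAGE_ID_RE.match(page_id) else None
            return stage
    return None


def is_dropper_pdf_name(filename):
    """True for the one-letter + four-digit PDF names ap2.php hands out."""
    return PDF_NAME_RE.match(filename) is not None


def parse_line(line):
    """Constructed proxy log format: '<timestamp> <client_ip> <url> <status>'."""
    fields = line.split()
    if len(fields) != 4:
        return None
    return tuple(fields)


def stages_per_client(lines):
    """Map each client IP to the set of kit stages it requested."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, client, url, _ = rec
        stage = classify_url(url)
        if stage:
            seen[client].add(stage)
    return dict(seen)


def likely_infected(lines):
    """Clients that hit the redirector and then pulled at least one exploit payload.

    A landing-page hit alone is not enough: the script may have been blocked
    before redirecting, so only redirect + payload is reported as likely infected.
    """
    result = []
    for client, stages in stages_per_client(lines).items():
        if "redirect" in stages and stages & {"pdf", "jar"}:
            result.append(client)
    return sorted(result)


# Constructed sample log: one full chain, one landing-only hit, one unrelated request.
SAMPLE_LOG = [
    "2012-06-05T09:12:01 10.0.0.5 http://exploit-host.example/addon.html 200",
    "2012-06-05T09:12:03 10.0.0.5 http://exploit-host.example/main.php?page=d72ac4be16dd8476 200",
    "2012-06-05T09:12:04 10.0.0.5 http://exploit-host.example/data/ap2.php 200",
    "2012-06-05T09:12:05 10.0.0.5 http://exploit-host.example/Edu.jar 200",
    "2012-06-05T09:15:40 10.0.0.9 http://exploit-host.example/addon.html 200",
    "2012-06-05T09:20:11 10.0.0.7 http://intranet.example/main.php?page=1 200",
]

if __name__ == "__main__":
    for client, stages in stages_per_client(SAMPLE_LOG).items():
        print(client, sorted(stages))
    print("likely infected:", likely_infected(SAMPLE_LOG))
```

Clients that only reached addon.html are still worth a look (the redirect may have been blocked by a filter), and the PDF-name check is meant for a download-log column or a mail-gateway attachment name, since ap2.php does not expose the a9513.pdf name in the URL itself.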


3. Summary

With the growth in SNS users, malware creators and distributors are trying ever harder to deceive users. To keep your PC safe from the security threats posed by such malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and keep real-time detection enabled.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious of links received via instant messenger and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
