The INCA Internet response team detected a malicious e-mail disguised as a personal message from LinkedIn, one of the SNS services. LinkedIn is a professional social networking website. Founded in December 2002 and launched in May 2003, it is mainly used for professional networking. As of 9 February 2012, LinkedIn reports more than 150 million registered users in more than 200 countries and territories. Malicious e-mails disguised as messages sent by LinkedIn have been found several times, carrying ads for Viagra.
This malicious e-mail leads to the installation of additional malicious files by using various security exploits, including ones for Adobe Reader (PDF) and Java (JAR).
2. Distribution cases and symptoms of infection
There have been various malicious e-mails that abuse SNS. ▶ Disguised as a notice from Twitter or Facebook ▶ Malicious files attached to a notice about changing personal information ▶ Disguised as a friend request.
The most recently found case is disguised as a message sent by LinkedIn Classmate. As expected, it contains malicious links.
When a user accesses the malicious web site, the following screen is shown. It looks like a Classmate invitation; however, malicious script code is executed.
"addon.html" contains both LinkedIn-related words and certain scripts.
Once the script runs, it redirects to another site and executes "main.php".
"main.php" executes "ap2.php" and "Edu.jar", which run Adobe Reader exploit code and Java applet exploit code (CVE-2012-0507).
- hxxp://h(~)lub.net/data/ap2.php : a9513.pdf (the file name consists of one letter and four random digits)
When the exploit code is executed, it downloads an additional malicious executable file and creates a copy of it in the Application Data folder.
After infection, it can connect to a certain host, and the infected PC can suffer further damage from additional attack commands sent by the attacker.
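The request chain described above can be searched for in web proxy logs. The following is an added detection sketch, not code from INCA Internet: the log format, host names, client addresses and the 60-second window are constructed assumptions, while "main.php", the ".jar" download and the PDF name pattern (one letter plus four digits, as in a9513.pdf) come from the analysis.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines: time, client, URL, served file name ("-" if none).
SAMPLE_LOG = """\
2012-04-02T10:00:01 10.0.0.5 http://landing.example/addon.html -
2012-04-02T10:00:03 10.0.0.5 http://kit.example/data/main.php -
2012-04-02T10:00:04 10.0.0.5 http://kit.example/data/ap2.php a9513.pdf
2012-04-02T10:00:05 10.0.0.5 http://kit.example/data/Edu.jar Edu.jar
2012-04-02T10:02:00 10.0.0.9 http://intranet.example/docs/main.php -
2012-04-02T10:02:10 10.0.0.9 http://intranet.example/docs/report.php q3-report.pdf
2012-04-02T11:30:00 10.0.0.7 http://kit.example/data/main.php -
"""

PDF_NAME = re.compile(r"^[A-Za-z][0-9]{4}\.pdf$")  # one letter + four digits
WINDOW = timedelta(seconds=60)                     # assumed correlation window

def find_exploit_chains(log_text):
    """Return {client: [reasons]} for clients that requested main.php and then,
    within WINDOW and from the same host, fetched a matching PDF or a JAR."""
    last_main = {}  # (client, host) -> time main.php was requested
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, served = line.split()
        ts = datetime.fromisoformat(ts)
        url = urlparse(url)
        key = (client, url.hostname)
        name = url.path.rsplit("/", 1)[-1]
        if name == "main.php":
            last_main[key] = ts
            continue
        started = last_main.get(key)
        if started is None or ts - started > WINDOW:
            continue  # no recent main.php from this host for this client
        if PDF_NAME.match(served):
            hits.setdefault(client, []).append("pdf:" + served)
        elif name.lower().endswith(".jar"):
            hits.setdefault(client, []).append("jar:" + name)
    return hits

if __name__ == "__main__":
    for client, reasons in find_exploit_chains(SAMPLE_LOG).items():
        print(client, reasons)
```

Correlating on the same client and host keeps an unrelated "main.php" on another site, or a PDF with an ordinary name, from raising an alert.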
As the number of SNS users grows, malicious file creators and distributors are trying to deceive those users. To use a PC safely despite the security threats posed by these malicious attachments, we recommend that general users download the latest security updates and follow the "Security management tips" below.
INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.