Ⅰ. Security Trends - June 2010


1. Malicious Code Trend

Malicious Code Statistics

The table below shows the percentage breakdown of the top 20 malicious codes reported in June 2010.

[Table 1-1] Top 20 Malicious Code Reports

As of June 2010, TextImage/Autorun is the most reported malicious code, followed by Win32/Induc and Win-Trojan/Overtls, respectively. 5 new malicious codes were reported this month.

The table below shows the percentage breakdown of the top 20 malicious code variants reported this month.

[Table 1-2] Top 20 Malicious Code Variant Reports

As of June 2010, Win-Trojan/Agent is the most reported malicious code variant, representing 15.6% (987,098 reports) of the top 20 reported malicious code variants, followed by Win-Trojan/Onlinegamehack (694,532 reports) and Win-Trojan/Downloader (519,743 reports).

The chart below categorizes the top malicious codes reported this month.

[Fig. 1-1] Primary Malicious Code Type Breakdown

The safest name in the world AhnLab

As of June 2010, Trojan is the most reported malicious code type, representing 48.9% of the top reported malicious codes, followed by Worm (12.5%) and Adware (8.5%).

[Fig. 1-2] Top Malicious Code Type Comparison Chart

Compared to last month, the number of Trojan, worm, adware, downloader and spyware reports increased, whereas the number of virus, script, dropper and appcare reports dropped.

[Fig. 1-3] Monthly Malicious Code Reports

Malicious code reports increased in June by 829,694, to 12,367,045 from 11,537,351 in May.

The table below shows the percentage breakdown of the top 20 new malicious codes reported in June 2010.

[Table 1-3] Top 20 New Malicious Code Reports

As of June 2010, Win-Adware/Rogue.PrivacyScan is the most reported new malicious code, representing 10.1% (97,038 reports) of the top 20 reported new malicious codes, followed by Win-Trojan/Inject (93,837 reports).

[Fig. 1-4] New Malicious Code Type Breakdown

As of June 2010, Trojan is the most reported new malicious code type, representing 69% of the top reported new malicious codes. It is followed by adware (15%) and downloader (6%).

ASEC Report _ Vol.06

Malicious Code Issues

Vulnerability in Adobe PDF and SWF files

A vulnerability has been discovered in SWF files embedded within

a PDF file. A similar vulnerability would be Adobe Reader, Acrobat and Flash Player Remote Code Execution (CVE ). The structure of the malicious PDF document is as below:

[Fig. 1-5] Structure of malicious PDF document

It runs encrypted executable files and files downloaded from a specific host. The created DLL file replaces the normal system file, qmgr.dll, with itself. It sends system information and service and application program installation information to a specific host.

With PDF and SWF vulnerabilities detected regularly, security updates for the programs are urgently needed. Users and administrators must be aware of the vulnerabilities, and update the programs they are using.

Malicious e-mail

Spam mail with a malicious HTML file attachment is still being distributed in mid June. The malicious e-mail is repeatedly distributed with different subjects and messages. An example is as below:

[Fig. 1-6] Spam mail

If you open the attached malicious file, you will be directed to specific websites, such as illegal pharmacy sites. There have also been reports on web pages that download malicious codes, but none has been detected yet.

During the World Cup season, there is a rise in malware campaigns using the World Cup as a theme. In May, there were reports on spam mail using the World Cup or celebrities as a theme. You must also be careful of spam mail that contains scripts. There is also another type of malicious e-mail disguised as a credit card bill. In mid May, the following type of spam that contains an executable file was also reported. The recently discovered credit card spam mail seems to be another variant of the spam reported in May. The two different types of malicious e-mails are as follows:

[Fig. 1-7] Spam mail containing executable file reported in May

The credit card spam identified this month disguises itself as an electronic credit card bill of a credit card company. If you click the red box in the picture below to check your credit card bill, you will be directed to a host specified by the attacker, not to your bill.

[Fig. 1-8] Spam mail containing malicious link reported in June

It may also lead you to install a fake anti-keylogger, as below:

[Fig. 1-9] Installation of fake anti-keylogger

If you install the program, the following file will be installed.

[Fig. 1-10] Installed malicious file

If this file gets installed and executed, the same e-mail will be sent from a specific server. Systems infected by the malicious mail sent in June disguised as a credit card bill send out the same mail to the addresses stored in the server. In other words, an infected system becomes the system that sends out malicious e-mails, and an attacking tool that causes damage to other systems and services, as it is set to execute DDoS attacks on specific portals.

Recently, there has been a rise in malicious codes reported to spread via e-mail. E-mail has traditionally been used to spread malware. With the recent trend, in Korea, there will be an increase in spam with Korean messages. Users are advised not to open any attached files or click any links, and to use an antivirus program and a security service or program that blocks malicious websites.

Malware distributed via NateOn

There is an increase in malware distributed via NateOn. Most of the malware is distributed via instant messaging or memo as follows:

[Fig. 1-11] Malware distributed via NateOn

Malicious URL links are sent in instant messages or memos for the recipient to click to download malicious files. The types of malicious files are changing lately, and the types reported as of today are as below:

1. A file in RAR format that disguises itself with a folder icon when decompressed, when it actually is an EXE file

[Fig. 1-12] Malicious file disguised as folder icon

2. Malicious executable files

3. A file in RAR format that decompresses into a VBS file

4. A file in RAR format or a password-protected file that shows the password, as below:

[Fig. 1-13] RAR file or password protected file that shows the password

The first and second file types above were usually sent out in instant messages or memos, but the fast response from V3 products and the ASD engine, together with the feature that scans compressed files, is blocking these malicious files and preventing further spreading of the threats. However, this has led attackers to send out script files, such as VBS files, to bypass real-time scanning, or password-protected compressed files, to bypass compressed file scanning.

Types of malware distributed via spam

Recently, there have been reports on spam with the following subjects that contain URL links directing recipients to malicious websites:

- Amazon.com: Get Ready for Cyber Monday Deals
- *e-mail address* has sent you a birthday ecard.
- FaceBook message: intense sex therapy
- Reset your Facebook password
- Reset your Twitter password
- FIFA World Cup South Africa...
- bad news
- *Domain name* account notification

There are more subjects apart from those above. If a recipient clicks the malicious HTML file attachment or URL link, he or she will be directed to specific websites, such as illegal pharmacy sites.

[Fig. 1-14] Spam from Canadian Pharmacy that advertises impotence drugs

Attackers exploit the vulnerabilities in MDAC (MS06-014), JAVA (CVE ) and Adobe Reader to trick the victim into downloading and executing malicious files. When installed on your system, it will trigger fake alerts claiming your PC has multiple security issues and infections that need to be removed with payment, or send out spam.

[Fig. 1-15] Rogue antivirus

It is advisable not to open any e-mail from unknown senders, and to always install security updates for your Windows OS and main applications, such as Adobe Reader or JRE.

Distribution of malware using social-engineering techniques (Sijoon Park)

Antimalware Doctor is a rogue anti-spyware that is installed through the use of Trojans that pretend to be security updates for Windows.

[Fig. 1-16] Rogue anti-spyware installation program pretending to be update for Windows

As can be seen from the figure above, it takes the form of a Windows update, so users will be tricked into installing it. Antimalware Doctor also looks like Windows Security Center, so users could mistake it for a Windows security feature. It displays fake security alerts and reports false scan results to trick users into purchasing a license for the software.

A similar case was reported in Korea where an adware is installed each time Windows starts.

[Fig. 1-17] Adware installation pretending to be Windows update

When an adware gets installed, the adware runs a download program that takes the form of a Windows update to download other adware. There is no button to cancel the update, so users have no other way but to install the adware. In other words, users will keep on downloading and installing unwanted adware, which will in the end compromise their computers.

Distributing malware disguised as a Windows update that almost everyone trusts is a social-engineering method used by cyber criminals, and one that shows they will develop more sophisticated techniques. Users must take more caution than before when installing programs.

2. Security Trend

Security Statistics

Microsoft Security Updates - June 2010

Microsoft released 10 security updates in June.

[Fig. 2-1] MS Security Updates

[Table 2-1] MS Security Updates for June 2010

A security update (MS10-039) for the SharePoint zero-day vulnerability that was announced by Microsoft last month was released this month. Most of the security updates released this month are for vulnerabilities in applications that are widely used, such as Office, Internet Information Services and Internet Explorer. There has not yet been any report of these vulnerabilities being attacked.

Malicious Code Intrusion: Website

[Fig. 2-2] Website Intrusions/Distributors of Malicious Code

The chart above shows the number of website intrusions and distributors of malicious codes. There has been a decrease in the number of website intrusions since April 2010, but there has not been much change in the number of malicious code distributors.

[Fig. 2-3] Vulnerabilities Exploited to Distribute Malicious Code

The chart above shows the statistics of vulnerabilities used to distribute malicious codes on websites exploited this month. Based on this chart, the number for MS  is the highest, just like the previous month, followed by MS .

[Fig. 2-4] Reported Types of Malicious Code

This month, most of the malicious codes distributed through violated sites were Daonol, GameHack and Patched.

Security Issues

Zero-Day Vulnerability in Adobe Reader & Flash Player (CVE )

A new vulnerability in Adobe Reader (PDF) was reported on June 5. This vulnerability is similar to the Adobe Reader, Acrobat and Flash Player Remote Code Execution Vulnerability (CVE , APSA09-03) that was reported in July. This vulnerability exists in Adobe Flash Player  and earlier versions, and in the authplay.dll component that ships with Adobe Reader. A Flash file (SWF) has been observed embedded within specially crafted .pdf documents, as below:

[Fig. 2-5] PDF with embedded SWF file

The PDF document also contains a JavaScript object. The JavaScript is clearly malicious, and has the typical form of heap-spraying code.

[Fig. 2-6] Heap spraying JavaScript

Shellcode that is different from the ROP (Return-Oriented Programming) shellcode was used. Upon opening the malicious PDF with a vulnerable version of Adobe Acrobat or Adobe Reader, the JavaScript loads the shellcode in memory. When the Flash object runs, it triggers the vulnerability and runs the shellcode. The shellcode drops an embedded and encrypted executable file as the following: c:\-.exe, detected as Win-Trojan/Downloader DF.

Adobe released an update, Adobe Flash Player , to resolve these issues, and will release an update for Adobe Reader on June 29. Users are recommended to update to the latest versions of Adobe Flash Player and Reader.

Zero Day Vulnerability in Windows Help and Support Center (helpctr.exe) (CVE )

Microsoft released an advisory on a vulnerability in Windows Help and Support Center on June 11 (Korea time). On June 15 (Korea time), an exploit of the zero-day vulnerability was reported overseas. The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (from the HCP option) and execute arbitrary commands via a crafted hcp:// URL. A remote attacker could exploit this vulnerability using an ASX file containing an HtmlView element specifying an HTML page containing a specially crafted hcp:// URI in an IFRAME.

launchurl.html : Script that executes simple.asx through ASX HtmlView
-> simple.asx : ASX file that links to starthelp.htm
-> starthelp.htm : Script that causes the vulnerability

[Fig. 2-7] Vulnerable script

JavaScript code executed through the cross-site scripting (XSS) vulnerability is used to drop other malware, such as Dropper/Selite.

[Fig. 2-8] XSS JavaScript

There have not been many reports of exploitation of the vulnerability, but attackers can still exploit it, since Microsoft has not yet released an official security update for this vulnerability.

Website intrusion case study: Broadcasting stations

There have not been any special cases of attackers distributing malware by exploiting existing vulnerabilities this month. But, as can be seen in Fig. 2-3 above, there have been many cases of malware distribution by exploitation of the MS  vulnerability. There was a case of an attacker exploiting the MS  vulnerability on an intruded broadcasting station site to spread malicious codes. The distribution structure is as below:

[Fig. 2-9] Malware distribution structure
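Added example, not from the ASEC report: a small triage script for the kind of document described above (a PDF carrying an embedded SWF, a JavaScript object and heap-spray style strings). It inflates FlateDecode streams and resolves #xx name escapes before matching, so that /J#53 is seen as /JS and a deflated script is still inspected. The two sample PDFs are constructed inline, and SUSPICIOUS_NAMES is an illustrative subset, not an exhaustive list.

```python
import re
import zlib

# Illustrative subset of PDF names tied to active content (assumption: not exhaustive).
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/RichMedia", b"/Flash",
                    b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib and LZMA SWF headers
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names, so /J#53 is seen as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(data: bytes) -> list:
    """Return every stream body, inflated when it is a FlateDecode stream."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        raw = m.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)  # not deflated (or another filter): keep as is
    return bodies


def triage_pdf(data: bytes) -> dict:
    """Flag active-content names, an embedded SWF and heap-spray style JavaScript."""
    bodies = stream_bodies(data)
    text = normalize_names(b"\n".join([data] + bodies))
    names = [n.decode() for n in SUSPICIOUS_NAMES
             if re.search(re.escape(n) + rb"(?![A-Za-z0-9])", text)]
    swf = any(b[:3] in SWF_MAGIC for b in bodies)
    # unescape("%uXXXX%uXXXX...") runs are the usual shape of heap-spray shellcode strings
    spray = re.search(rb"unescape\(\s*[\"'](?:%u[0-9A-Fa-f]{4}){2,}", text) is not None
    return {"names": names, "embedded_swf": swf, "heap_spray_like": spray,
            "suspicious": bool(names) or swf or spray}


# --- constructed sample documents (built here for the example, not real malware) ---
def _obj(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n" % num + body + b"\nendobj\n"


def _stream(entries: bytes, payload: bytes, deflate: bool) -> bytes:
    if deflate:
        payload = zlib.compress(payload)
        entries += b" /Filter /FlateDecode"
    return (b"<<" + entries + b" /Length %d >>\nstream\n" % len(payload)
            + payload + b"\nendstream")


JS_PAYLOAD = b'var s = unescape("%u9090%u9090%u4141"); while (s.length < 0x10000) s += s;'

MALICIOUS_PDF = (
    b"%PDF-1.6\n"
    + _obj(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>")
    + _obj(2, b"<< /Type /Pages /Kids [] /Count 0 >>")
    + _obj(3, b"<< /S /JavaScript /J#53 4 0 R >>")       # /JS hidden behind a hex escape
    + _obj(4, _stream(b"", JS_PAYLOAD, deflate=True))    # heap-spray style script, deflated
    + _obj(5, b"<< /Type /Annot /Subtype /RichMedia /RichMediaContent << /Assets 6 0 R >> >>")
    + _obj(6, _stream(b" /Type /EmbeddedFile /Subtype /Flash",
                      b"CWS\x0a" + b"\x00" * 16, deflate=False))   # SWF magic, raw stream
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

BENIGN_PDF = (
    b"%PDF-1.4\n"
    + _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>")
    + _obj(2, b"<< /Type /Pages /Kids [] /Count 0 >>")
    + _obj(3, _stream(b"", b"BT /F1 12 Tf (Hello) Tj ET", deflate=True))
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(doc))
```

A hit only says the document deserves a closer look in a sandbox; object streams (/ObjStm) and filters other than FlateDecode are not unpacked here.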

The sub-sites were links to the contents needed by the main site, and in this case, a malicious link was embedded in some of the web pages of the main site, which therefore affected all the sub-sites. The diagram labels the exploited vulnerability as (CVE , MS10-018).

3. Web Security Trend

Web Security Statistics

Web Security Summary

[Table 3-1] Website Security Summary

As of June 2010, there were 173,283 reported malicious codes, 897 types of reported malicious code, 818 reported domains with malicious code, and 3,738 reported URLs with malicious code. The types of reported malicious codes and the reported domains and URLs with malicious code have decreased from last month, but the number of reported malicious codes increased.

Monthly Reported Malicious Codes

[Fig. 3-1] Monthly Reported Malicious Codes

As of June 2010, the number of reported malicious codes decreased 122% to 173,283, from 142,613 the previous month.

Monthly Reported Types of Malicious Code

[Fig. 3-2] Monthly Reported Types of Malicious Code

As of June 2010, the number of reported types of malicious code remained almost the same. There were 930 reports this month, which is 4 more than the previous month.

Monthly Domains with Malicious Code

[Fig. 3-3] Monthly Domains with Malicious Code

As of June 2010, the number of reported domains with malicious code decreased 25% to 818, from 1,084 the previous month.

Monthly URLs with Malicious Code

[Fig. 3-4] Monthly URLs with Malicious Code

As of June 2010, the number of reported URLs with malicious code decreased 24% to 3,738, from 4,950 the previous month.

Distribution of Malicious Codes by Type

[Table 3-2] Top Distributed Types of Malicious Code

[Fig. 3-5] Top Distributed Types of Malicious Code

Adware is the most distributed type of malicious code, representing 61.5% (106,614 reports) of the top distributed types of malicious code, followed by Trojan, representing 17.9% (31,006 reports).

Top 10 Distributed Malicious Codes

[Table 3-3] Top 10 Distributed Malicious Codes

As of June 2010, Win-Adware/Woowa is the most distributed malicious code, with 22,496 cases reported. 5 new malicious codes, including Win-Adware/Woowa.61440, emerged in the top 10 list this month.

Web Security Issues

OWASP Top 10

OWASP (Open Web Application Security Project) (1) releases the OWASP Top 10 (2) web application security risks. Their mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. ASEC Report this month will discuss the OWASP Top 10 Web Application Security Risks.

1. Injection

A. Threat
- Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
- The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

B. Prevention
- Preventing injection requires keeping untrusted data separate from commands and queries.

2. Cross-Site Scripting (XSS)

A. Threat
- XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
- XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

B. Prevention
- Preventing XSS requires keeping untrusted data separate from active browser content.

3. Broken Authentication and Session Management

A. Threat
- Application functions related to authentication and session management are often not implemented correctly. This allows attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

B. Prevention
- The primary recommendation for an organization is to make available to developers a single set of strong authentication and session management controls.
- Strong efforts should also be made to avoid XSS flaws, which can be used to steal session IDs.

4. Insecure Direct Object References

A. Threat
- A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.
- Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

B. Prevention
- Use per user or session indirect object references.
- Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.

5. Cross-Site Request Forgery (CSRF)

A. Threat
- A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application.
- This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

B. Prevention
- Preventing CSRF requires the inclusion of an unpredictable token in the body or URL of each HTTP request. Such tokens should at a minimum be unique per user session, but can also be unique per request.

6. Security Misconfiguration

A. Threat
- A good security strategy requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.
- All these settings should be defined, implemented, and maintained, as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.

B. Prevention
- A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically.
- A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment.

7. Insecure Cryptographic Storage

A. Threat
- Many web applications do not properly protect sensitive data, such as credit cards, resident registration numbers, and authentication credentials, with appropriate encryption or hashing.
- Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.

B. Prevention
- Consider the threats you plan to protect this data from (e.g., insider attack, external user).
- Make sure you encrypt all such data in a manner that defends against these threats.

8. Failure to Restrict URL Access

A. Threat
- Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed.
- Otherwise, attackers will be able to forge URLs to access these hidden pages anyway.

B. Prevention
- Preventing unauthorized URL access requires selecting an approach for requiring proper authentication and proper authorization for each page. Frequently, such protection is provided by one or more components external to the application code.

9. Insufficient Transport Layer Protection

A. Threat
- Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic.
- When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.

B. Prevention
- Require SSL for all sensitive pages. Non-SSL requests to these pages should be redirected to the SSL page.
- Set the secure flag on all sensitive cookies.
- Configure your SSL provider to only support strong (FIPS compliant) algorithms.

10. Unvalidated Redirects and Forwards

A. Threat
- Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
- Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

B. Prevention
- Simply avoid using redirects and forwards.
- If used, don't involve user parameters in calculating the destination.
- If destination parameters can't be avoided, ensure that the supplied value is valid, and authorized for the user.

The OWASP Top 10 Web Application Security Risks have been summarized as above. Details on each threat will follow soon.

(1) The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
(2) A high-level document to help focus on the most critical issues.
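Added example for item 1 (Injection) above, not from the ASEC report or from OWASP: the same user lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table, plus the allowlist needed where a value cannot be bound at all (a sort column). The function and table names are the example's own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input pasted into the query text: the interpreter cannot tell
    data from command, so a quote in the input rewrites the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value travels to the engine separately from the SQL
    text, so quotes and keywords inside it are matched literally, never parsed."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


# Parameters bind values only. An identifier such as an ORDER BY column cannot
# be bound, so when it comes from the request it must be checked against an
# allowlist and never concatenated as received.
SORTABLE_COLUMNS = {"name", "role"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    if column not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    return [row[0] for row in conn.execute(
        "SELECT name FROM users ORDER BY " + column)]


HOSTILE_NAME = "' OR '1'='1"   # textbook tautology input, used here only as test input

if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, HOSTILE_NAME))  # every row comes back
    print(find_user_safe(db, HOSTILE_NAME))        # no user has that name: []
```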
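Added example for item 5 (CSRF) above, not from the report: a minimal server-side check in which a state-changing request is accepted only when it carries the per-session token the server embedded in its own form. The SESSIONS dictionary, new_session and handle_transfer are the example's own stand-ins for a real session store and request handler.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for a real one (assumption).
SESSIONS = {}


def new_session(user: str) -> str:
    """Log a user in: a random session id plus an unpredictable per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the server writes into its own forms (hidden field) for this session."""
    return SESSIONS[sid]["csrf"]


def handle_transfer(cookie_sid: str, form: dict) -> str:
    """A state-changing POST. The browser attaches the session cookie to any
    request, including one a hostile page forged, so the cookie alone proves
    nothing; the body must also carry the token that only our own pages know."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 not logged in"
    supplied = str(form.get("csrf_token", ""))
    # constant-time comparison, so the check does not leak the token byte by byte
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return "403 csrf token missing or invalid"
    return "200 transferred %s to %s for %s" % (form["amount"], form["to"], session["user"])


def demo() -> dict:
    sid = new_session("alice")
    legit = handle_transfer(sid, {"amount": "10", "to": "bob",
                                  "csrf_token": csrf_token_for(sid)})
    # forged: the cookie rides along automatically, but another origin cannot read
    # alice's token, so its form arrives with a guess or with no token at all
    forged = handle_transfer(sid, {"amount": "10000", "to": "mallory",
                                   "csrf_token": "guess"})
    missing = handle_transfer(sid, {"amount": "10000", "to": "mallory"})
    return {"legit": legit, "forged": forged, "missing": missing}


if __name__ == "__main__":
    print(demo())
```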
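Added example for item 10 (Unvalidated Redirects) above, not from the report: a validator for a destination parameter that accepts only a same-site absolute path and falls back to a fixed default for absolute URLs, scheme-bearing strings, the protocol-relative //host and /\host forms that browsers resolve to another host, and header-injection characters. safe_redirect_target and DEFAULT_AFTER_LOGIN are the example's own names.

```python
from urllib.parse import urlsplit

DEFAULT_AFTER_LOGIN = "/home"


def safe_redirect_target(next_param, default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Return a redirect target that stays on this site, or the default.
    Only a single absolute path such as "/account/settings?tab=1" is accepted;
    the untrusted value is never used to compute anything else."""
    if not isinstance(next_param, str) or not next_param:
        return default
    # CR/LF or other control characters would let the value break out of the
    # Location header (header injection), so reject them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_param):
        return default
    if next_param != next_param.strip():
        return default
    # Must be a path: no scheme ("http:", "javascript:"), and not the
    # protocol-relative "//host" or "/\host" forms that browsers treat as a host.
    if not next_param.startswith("/") or next_param[1:2] in ("/", "\\"):
        return default
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default
    return next_param


if __name__ == "__main__":
    for candidate in ("/account/settings?tab=1", "//evil.example/login",
                      "/\\evil.example", "http://evil.example/", "javascript:void(0)"):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```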

II. Security Trends - 2Q 2010

1. Malicious Code Trend

Malicious Code Statistics

The table below shows the percentage breakdown of the top 20 malicious codes reported in Q2 of 2010.

[Table 4-1] Top 20 Malicious Code Reports

As of Q2 2010, TextImage/Autorun is the most reported malicious code, followed by Win32/Induc and JS/Agent, respectively. 6 new malicious codes were reported this quarter.

The table below shows the percentage breakdown of the top 20 malicious code variants reported this quarter.

[Table 4-2] Top 20 Malicious Code Variant Reports

As of Q2 of 2010, Win-Trojan/Agent is the most reported malicious code variant, representing 13.7% (2,305,201 reports) of the top 20 reported malicious codes. It is followed by Win-Trojan/OnlineGameHack, representing 13.2% (2,228,361 reports), and Win-Trojan/Downloader, representing 10% (1,685,830 reports) of the top 20 reported malicious codes.

The chart below categorizes the top malicious codes reported in Q2 of 2010.

[Fig. 4-1] Primary Malicious Code Type Breakdown

As of Q1 of 2010, Trojan is the most reported malicious code type, representing 46.7% of the top reported malicious codes, followed by Worm (12.8%) and Script (8.6%).

[Fig. 4-2] Monthly Malicious Code Reports

Malicious code reports increased in Q2 by 2,718,713, to 34,205,361 from 31,486,648 in Q1.

The table below shows the percentage breakdown of the top 20 new malicious codes reported in Q2 of 2010.

[Table 4-3] Top 20 New Malicious Code Reports

As of Q2 of 2010, Win-Trojan/Overtls is the most reported new malicious code, representing 7% (466,906 reports) of the top 20 reported new malicious codes, followed by Win-Adware/Rogue.PrivacyScan (97,038 reports).

[Fig. 4-3] New Malicious Code Type Breakdown

As of Q2 of 2010, Trojan is the most reported new malicious code type, representing 49% of the top reported new malicious codes. It is followed by worm (11%) and adware (8%).

Malicious Code Issues

The attacks reported in Q2 of 2010 were mostly based on social issues. There was malware distributed via FIFA World Cup e-mails, Windows Mobile malware, and a Twitter botnet.

Malware PDF spreads via FIFA World Cup e-mails

In April, an exploit that takes advantage of a flaw in the TIFF file parsing in Adobe Reader was reported. This malware campaign uses a FIFA World Cup 2010 theme, in an attempt to trick end users into executing a malicious PDF file. The attack exploits a recently patched vulnerability in Adobe Reader, CVE . It takes the form of an e-mail containing a malicious PDF attachment. Attackers have removed a number of objects from a clean PDF to reduce the file size, and then inserted a malicious object at the beginning of the file containing the malicious TIFF. All of the shellcode is contained in the TIFF file. The malware creates a directory and two files, and attempts to steal sensitive information.

Windows Mobile malware reported in Korea

In April, a Windows Mobile (versions 5.0, 6.1 and 6.5) malware, WinCE/TredDial.a (called 3D Anti Terrorist), was reported in Korea. This malware was found in a game application. Compromised smartphones silently make expensive international calls without user permission. Those calls rack up a hefty bill for users. The game is called 3D Anti-Terrorist, in a file named antiterrorist3d.cab. After antiterrorist3d.cab is executed, the game is installed in Program Files, while the malicious file reg.exe is copied to the system directory under the name smart32.exe. This malicious program then makes international phone calls to premium-rate numbers.

Twitter Botnet

In May, a new malicious tool designed to make botnet-based attacks over Twitter was reported. SNS-based malware usually posts spam messages or links that lead users to malware-infected sites using hacked Twitter accounts. But this new tool, called TwitterNet Builder, steals your Twitter account and creates botnets to carry out a variety of malicious activities, using Twitter as the command and control server for its bots. Botnet attacks can be prevented by deactivating botnets through blocking botnet servers. But a botnet that uses Twitter as its command and control structure is hard to take down. This means there will be more botnets that exploit similar services.

Malicious files hidden in DOC files

A new malware distribution campaign was reported in May. Malicious files were hidden inside attached DOC or RTF documents. When opening the attached DOC or RTF files, users are presented with the icon and name of what appears to be a PDF file. A warning message will appear if you click on the icon. If you click OK to proceed, the malware will be executed. Users are advised to exercise increased caution before opening links or attachments in e-mails from unfamiliar addresses.

2. Security Trend

Security Statistics

Microsoft Security Updates - Q2 of 2010

Microsoft issued 40 security updates this quarter, which is much higher than the previous year.

[Fig. 5-1] MS Security Updates

Malicious Code Intrusion: Website

[Fig. 5-2] Website Intrusions/Distributors of Malicious Code

Fig. 5-2 above shows double the number of website intrusions this quarter compared to Q1. As for the distributed malicious codes, Daonol was the most distributed, followed by OnlineGameHack, AutoRun and Virus, which is similar to Q1.

[Fig. 5-3] Vulnerabilities Exploited to Distribute Malicious Code

Fig. 5-3 shows the statistics of vulnerabilities used to distribute malicious codes on websites intruded in Q2. As can be seen from the chart, the vulnerability in MS  has been exploited the most; there is a drop in exploitation of the MS  vulnerability, but the vulnerability in MS  has been exploited two times more than in Q1. The recently discovered MS  vulnerability was exploited a lot this quarter, as it was used in Mass SQL Injection attacks.

[Fig. 5-4] Websites affected by MS 

Security Issues

Zero-Day Vulnerability in Adobe Acrobat Reader and Flash Player

A zero-day vulnerability in Adobe Acrobat Reader (PDF) was also reported in Q2 last year. This vulnerability is exploited via specially crafted PDF files attached to e-mails, or via fake update alerts. The newly reported Adobe Acrobat and Reader authplay.dll code execution (CVE , APSA10-01) vulnerability causes the application to crash. A similar case was reported in Q1 this year. This vulnerability exists in Adobe Flash Player  and earlier versions, and in the authplay.dll component that ships with Adobe Reader.

Twitter used for attacks

Twitter, one of the most widely used social networking services, is becoming a means to instigate attacks. Last year, Twitter was used by attackers as a command and control server, and in the first half of this year, an automated tool called TwitterNet Builder, which simplifies the process of building bots that take orders from specially created Twitter accounts, was reported. All it takes is a click to build a bot that starts various attacks, including DDoS attacks. Also, in Q2 this year, there were reports on spam mail containing shortened URLs, password reset confirmation spam, and spam containing malware disguised as a follower request mail. With Twitter getting more popular, and people using it for personal and corporate marketing and publicity, there has been an increase in malicious activities.

Malware disguised as credit card statement

Instead of sending paper credit card statements, banks and credit card companies now offer electronic billing services. With the ever-increasing spam that clogs all of our inboxes, and spam now originating from trusted domains, we should not trust all the e-mail we receive. In Q2, a spam disguised as an electronic bill from a credit card company was reported. In the malware distributed with the spam, traffic to one of the biggest portal sites was detected. The spam has been designed for victims to install a malware instead of a security program when opening the electronic bill. The malware received commands in XML format, and in the commands, we discovered a credit card bill in Korean. As the attacker can freely change the attacking commands, such a server/client attack could start another DDoS attack after transforming into a zombie program.

Zero Day Vulnerability in Windows Help and Support Center

A new zero-day vulnerability was reported in Q2, as in Q1. The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (from the HCP option) and execute arbitrary commands via a crafted hcp:// URL. A remote attacker could exploit this vulnerability using an ASX file containing an HtmlView element specifying an HTML page containing a specially crafted hcp:// URI in an IFRAME. Microsoft has not yet released an official security update for this vulnerability; it is recommended to temporarily use the Hotfix provided by MS.

3. Web Security Trend

Web Security Statistics

Web Security Summary

[Table 6-1] Website Security Summary

As of Q2 of 2010, there were 426,941 reported malicious codes, 2,753 types of reported malicious code, 2,930 reported domains with malicious code, and 12,586 reported URLs with malicious code. These statistical figures were derived from the data collected by SiteGuard, AhnLab's web security program.

Reported Malicious Codes Q2

[Fig. 6-1] Monthly Reported Malicious Codes

As of Q2 2010, the number of reported malicious codes decreased 53% to 426,941, from 798,502 the previous quarter.

Reported Types of Malicious Code Q2

[Fig. 6-2] Monthly Reported Types of Malicious Code

As of Q2 2010, there were 2,753 reported types of malicious code, which is 54% more than the previous quarter (1,783 reports).

Domains with Malicious Code Q2

[Fig. 6-3] Monthly Domains with Malicious Code

As of Q2 2010, the number of reported domains with malicious code increased ever so slightly, from 2,917 the previous quarter to 2,930.

URLs with Malicious Code Q2

[Fig. 6-4] Monthly Domains with Malicious Code

As of Q2 2010, the number of reported URLs with malicious code increased 3%, from 12,214 the previous quarter to 12,586.

Distribution of Malicious Codes by Type

[Table 6-2] Top Distributed Types of Malicious Code
[Table 6-5] Top Distributed Types of Malicious Code

Adware is the most distributed type of malicious code, representing 61% (260,330 reports) of the top distributed types of malicious code, followed by Trojan at 13.1% (55,837 reports).

Top 10 Distributed Malicious Codes

[Table 6-3] Top 10 Distributed Malicious Codes

Win-Adware/Shortcut.InlivePlayerActiveX.234 is the most distributed malicious code (63,563 reports), followed by Win-Adware/Woowa (26,514 reports).

Web Security Issues

In Q2 of 2010, there were the following web security issues: facebook password reset confirmation spam using a social engineering technique; distribution of rogue antivirus by exploiting the McAfee false-positive problem; and a Google Groups malicious spam campaign.

Google Groups malicious spam campaign

Google Groups is one of Google's cloud-computing services; it supports discussion groups, including many newsgroups, based on common interests. Group members can share files and information with others in their group. In May, there were reports of spammers using Google Groups to spread malware. This spam is different in that it distributes the malware via Google Groups itself. If you click the link in the message, you are directed to Google Groups to download a zip file. When you decompress the file, an icon of an executable file appears, and if you run that file, malware is installed on your computer.

facebook password reset confirmation spam

In April, the news that a Russian hacker had stolen and sold 1.5 million facebook accounts and passwords at 2.5 cents each shocked facebook users. facebook announced that it would work with law enforcement to pursue those responsible. Not long after, this incident was used as another means of attack. Fake e-mails that claimed to be from facebook were sent to users, encouraging them to click on an attachment to view their updated password. The attachment uses an icon similar to an MS Word document to lure users into opening the file. V3 diagnoses the file as Win-Trojan/Bredolab B and removes it.

Hackers exploit McAfee false-positive problem to distribute fake antivirus using Blackhat SEO

On April 21, a security update issued by McAfee caused its antivirus product to mistakenly detect a harmless Windows file, svchost.exe, as W32/Wecorl.a, which caused computers to become inoperable. Using Blackhat SEO techniques, cyber-criminals managed to get poisoned web pages high in the search rankings for searches about the McAfee false positive. If you click on a dangerous link in those search results, your computer can be hit by a fake anti-virus attack. The malicious web page is designed to trick you into believing you have a serious security problem on your computer. If you download and execute the offered file, a fake antivirus is installed on your system, and messages claiming that a virus was detected in your normal files are displayed. Victims of these attacks may end up paying to register the fake antivirus software.

III. Overseas Security Trends

1. Malicious Code Trend - China, Q2

Security threat analysis by JiangMin - June

On July 7, JiangMin, a Chinese security solutions provider, released a report on the security threats in June. The trend of security threats in June is as follows:
1) 4% decrease in the number of malicious codes compared with the previous month.
2) 70% of reported malicious codes are Trojan horses.
3) Increase in exploitation of MS , a Microsoft IE vulnerability.

The number of malicious codes reported in China in the month of June is as below:

[Fig. 7-1] Malicious codes from January to June - JiangMin

JiangMin reports an increase in malicious codes in April and May, but a 5% decrease in June compared with May. Still, there is a gradual increase in Q2 (April to June) compared with Q1.

[Fig. 7-2] Malicious code breakdown in June - JiangMin

Trojan is the most reported malicious code, representing 70% of the top reported malicious codes, followed by Worm (16%) and Backdoor (8%). The fact that 70% of the reported malicious codes were Trojan horses shows that the malicious code trend in China is the same as in Korea and the rest of the world.

The most exploited vulnerability in June was MS , which Microsoft announced on March 9. Rising, a Chinese security solutions provider, announced this vulnerability through the Chinese press on April 8.

[Fig. 7-3] MS exploitation - Rising

As can be seen from the chart above, there were 18,390,000 cases of exploitation reported from March to April 7, and 3.1 million cases reported on April 7 alone.

Apart from this, JiangMin summarized the Top 5 malicious codes in June as below:
Checker/Autorun
Worm/Kido.aeb
Checker/HideFolder
VBS/Fineboy.a
Exploit.CVE

The number of reported Autorun and Conficker worm (WORM_DOWNAD) infections is also high. Two malicious codes that exploit flaws, Kido (Win32/Conficker.worm) and MS (JS/CVE ), made it into the Top 5 list. This shows that many systems have not installed security updates. Just like in Korea, Autorun worm infection is relatively high in China. Checker/Autorun, which spreads through USB flash drives, is also in the Top 5 list.

2. Malicious Code Trend - Japan, Q2

The main security issues reported in Q2 of 2010 are as follows: an increase in damage caused by websites with malicious scripts, and continuous attacks by Win32/Conficker.worm. Attacks by malware such as rogue antivirus (Win-Trojan/FakeAV) have continued since the beginning of this year. Malicious code distribution through illegal defacement of websites is a worldwide problem, but this type of attack has been increasing in Japan since last year.

[Fig. 8-2] Malicious code reports in Q2 <Source: IPA Japan>

The above chart shows the number of malicious codes reported to IPA, Japan in Q2. There is still continuous distribution of the Conficker worm. Conficker attacks keep occurring, because of the worm's strong propagation, at a time when few other malicious codes remotely exploit OS security vulnerabilities to copy themselves.

The table below shows the Top 10 malicious codes reported in the first half of 2010 by Trend Micro Japan.

[Table 8-1] Malicious codes in first half of 2010 <Source: Trend Micro Japan 1>

As can be seen in the table above, there have been many reports of scripts such as onload (JS_ONLOAD) and gumblar (JS_GUMBLAR). These scripts were illegally embedded in insecure websites or uploaded onto bulletin boards by attackers. The damage caused by the scripts themselves is minor, but they are usually used to infect the victim's PC with Trojan horses or other malware, so you still need to be careful.

Attacks by rogue antivirus have been a big issue in Japan since early this year. The following chart shows the number of consultations handled by IPA regarding rogue antivirus. As can be seen from the chart, there is a sharp rise from the beginning of this year.

[Fig. 8-3] Consultation on rogue antivirus in Q2 <Source: IPA Japan 2>

Rogue antivirus spreads via various paths, including spam e-mail and websites. It is created and changed into various forms, so it is not easy for security programs to block these rogue applications before they infect the victim's PC. Accordingly, users are advised to regularly apply security updates for their OS and main applications, and to be careful not to open any e-mail from unknown senders.

3. Malicious Code Trend - World, Q2

Q2 of 2010 can be summarized as follows: rogue antivirus; targeted attacks; exploitation of zero-day vulnerabilities in IE and Adobe Reader; and search keyword results linked to malware sites. According to BitDefender 1, the top 10 virus infections in Q2 include Cookie, the autorun.inf created by the Autorun worm, malicious code that exploits PDF vulnerabilities, and the Conficker worm. Conficker, the autorun.inf created by the Autorun worm, and a Trojan horse that steals online game accounts are in the Top 10 Threats in Eset's Global Threat Report. 2 According to statistics by Fortinet 3, a redirect script was the most reported malware threat in June, followed by the Sasfis botnet. 4 In May, FakeAlert (a fake security alert program) and the Autorun worm were reported the most. 5 According to Kaspersky's May statistics, 6 Conficker worms still ranked high, in first, third and fourth position. The Sality and Virut viruses also ranked high.

The number of smartphone and OSX malicious codes is also increasing. What is interesting is that the smartphone malware is included in Chinese games and codec packs. It seems that hackers penetrated the program development process to embed the malware. Protection against OSX/Pinhead.B (HellRTS) was added to the OSX release in June. Smartphone and OSX malware are not that big a threat yet, but users should be aware of them.

Web browser vulnerabilities were still exploited to spread malware, but SEO (Search Engine Optimization) was also widely used. Malware distributors identified the most popular search keywords and poisoned the search results so that infected links appeared near the top, generating a greater number of clicks to malicious websites. Various antivirus statistics also show a high number of malware spread via USB flash drives. Attackers are also inserting malicious code into legitimate software that is not often used, without the user being aware of it. There were reports of Unreal IRCd, an open source IRC server, containing a backdoor. 7 The backdoor was found in November.

June_2010.pdf
malware_prevention_update_in_mac_os_x_10_6_4.html

More information

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection

More information

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess Malware B-Z: Inside the Threat From Blackhole to ZeroAccess By Richard Wang, Manager, SophosLabs U.S. Over the last few years the volume of malware has grown dramatically, thanks mostly to automation and

More information

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4) Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus February 3, 2015 (Revision 4) Table of Contents Overview... 3 Malware, Botnet Detection, and Anti-Virus Auditing... 3 Malware

More information

IBM Protocol Analysis Module

IBM Protocol Analysis Module IBM Protocol Analysis Module The protection engine inside the IBM Security Intrusion Prevention System technologies. Highlights Stops threats before they impact your network and the assets on your network

More information

The Ongoing Malware Threat: How Malware Infects Websites and Harms Businesses and What You Can Do to Stop It

The Ongoing Malware Threat: How Malware Infects Websites and Harms Businesses and What You Can Do to Stop It WHITE PAPER: THE ONGOING MALWARE THREAT White Paper The Ongoing Malware Threat: How Malware Infects Websites and Harms Businesses and What You Can Do to Stop It Website Anti-Malware Scanning and Other

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security

Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security The IT Security Office (ITSO) What We Do? Risk Assessment Network and System Security Monitoring Vulnerability Scanning

More information

PC Security and Maintenance

PC Security and Maintenance PC Security and Maintenance by IMRAN GHANI PC Maintenance and Security-Forecast. Major sources of danger. Important steps to protect your PC. PC Security Tools. PC Maintenance Tools. Tips. PC Security-

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

Get Started Guide - PC Tools Internet Security

Get Started Guide - PC Tools Internet Security Get Started Guide - PC Tools Internet Security Table of Contents PC Tools Internet Security... 1 Getting Started with PC Tools Internet Security... 1 Installing... 1 Getting Started... 2 iii PC Tools

More information

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109 K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS v.109 1 The Exchange environment is an important entry point by which a threat or security risk can enter into a network. K7 Mail Security is a complete

More information

Common Security Vulnerabilities in Online Payment Systems

Common Security Vulnerabilities in Online Payment Systems Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited

More information

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Recommended Practice Case Study: Cross-Site Scripting. February 2007 Recommended Practice Case Study: Cross-Site Scripting February 2007 iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for control system cyber

More information

Loophole+ with Ethical Hacking and Penetration Testing

Loophole+ with Ethical Hacking and Penetration Testing Loophole+ with Ethical Hacking and Penetration Testing Duration Lecture and Demonstration: 15 Hours Security Challenge: 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once said,

More information

Current Threat Scenario and Recent Attack Trends

Current Threat Scenario and Recent Attack Trends Current Threat Scenario and Recent Attack Trends Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Objectives Current Cyber space Nature of cyberspace and associated risks

More information

Corporate Account Takeover & Information Security Awareness. Customer Training

Corporate Account Takeover & Information Security Awareness. Customer Training Corporate Account Takeover & Information Security Awareness Customer Training No computer system can provide absolute security under all conditions. NO SECURITY MEASURE OR LIST OF SECURITY MEASURES CAN

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

Web Application Security 101

Web Application Security 101 dotdefender Web Application Security Web Application Security 101 1 Web Application Security 101 As the Internet has evolved over the years, it has become an integral part of virtually every aspect in

More information

white paper Malware Security and the Bottom Line

white paper Malware Security and the Bottom Line Malware Security Report: Protecting Your BusineSS, Customers, and the Bottom Line Contents 1 Malware is crawling onto web sites everywhere 1 What is Malware? 2 The anatomy of Malware attacks 3 The Malware

More information

Fighting Advanced Threats

Fighting Advanced Threats Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.

More information

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning Lee Zelyck Network Administrator Regina Public Library Malware, Spyware, Trojans

More information

Security A to Z the most important terms

Security A to Z the most important terms Security A to Z the most important terms Part 1: A to D UNDERSTAND THE OFFICIAL TERMINOLOGY. This is F-Secure Labs. Learn more about the most important security terms with our official explanations from

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange

More information

F-Secure Anti-Virus for Mac 2015

F-Secure Anti-Virus for Mac 2015 F-Secure Anti-Virus for Mac 2015 TOC F-Secure Anti-Virus for Mac 2015 Contents Chapter 1: Getting started...3 1.1 Manage subscription...4 1.2 How to make sure that my computer is protected...4 1.2.1 Protection

More information

Be Prepared for Java Zero-day Attacks

Be Prepared for Java Zero-day Attacks Threat Report Be Prepared for Java Zero-day Attacks Malware Analysis: Malicious Codes spread via cloud-based data storage services December 19, 2013 Content Overview... 3 Distributing Malicious E-mails

More information

The following multiple-choice post-course assessment will evaluate your knowledge of the skills and concepts taught in Internet Business Associate.

The following multiple-choice post-course assessment will evaluate your knowledge of the skills and concepts taught in Internet Business Associate. Course Assessment Answers-1 Course Assessment The following multiple-choice post-course assessment will evaluate your knowledge of the skills and concepts taught in Internet Business Associate. 1. A person

More information

Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch

Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch What

More information

Session 30. IT Security: Threats, Vulnerabilities and Countermeasures. Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO

Session 30. IT Security: Threats, Vulnerabilities and Countermeasures. Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO Session 30 IT Security: Threats, Vulnerabilities and Countermeasures Phillip Loranger, DoED CISO Robert Ingwalson, FSA CISO New Cyber Security World New threats New tools and services to protect New organization

More information

Spyware: Securing gateway and endpoint against data theft

Spyware: Securing gateway and endpoint against data theft Spyware: Securing gateway and endpoint against data theft The explosion in spyware has presented businesses with increasing concerns about security issues, from data theft and network damage to reputation

More information