Ⅰ. Security Trends - January 2011
ASEC Report _ Vol.13

Malicious Code Trend

Malicious Code Statistics

The table below shows the percentage breakdown of the top 20 malicious codes reported in January.

[Table 1-1] Top 20 Malicious Code Reports

As of January 2011, TextImage/Autorun is the most reported malicious code, followed by JS/Exploit (373,502 reports) and Win32 / Induc (reports), respectively. 6 new malicious codes were reported this month. Win-Trojan/Downloader AK, which ranks 4th, was first reported at the end of December 2010 and is increasing fast.

The table below shows the percentage breakdown of the top 20 malicious code variants reported this month.

[Table 1-2] Top 20 Malicious Code Variant Reports

As of January 2011, TextImage/Autorun is the most reported malicious code, representing 12.9% (1,234,816 reports) of the top 20 reported malicious code variants, followed by Win-Trojan/Onlinegamehack (1,196,089 reports) and Win-Trojan/Downloader (799,998 reports).

The chart below categorizes the top malicious codes reported this month.

[Fig. 1-1] Primary Malicious Code Type Breakdown

As of January 2011, Trojan is the most reported malicious code, representing 50.3% of the top reported malicious codes, followed by Worm (14.2%) and Script (8.7%).

[Fig. 1-2] Top Malicious Code Type Comparison Chart

Compared to last month, the number of Trojan and spyware reports increased, whereas the number of worm, adware, downloader, virus, script, dropper and appcare reports dropped.

[Fig. 1-3] Monthly Malicious Code Reports

There has been a decrease in malicious code reports in January, which dropped 1,099,871 to 17,304,230 from 18,404,101 in December.

The table below shows the percentage breakdown of the top 20 new malicious codes reported in January.

[Table 1-3] Top 20 New Malicious Code Reports

As of January 2011, Win-Trojan/Downloader AK is the most reported new malicious code, representing 19.9% (272,897 reports) of the top 20 reported new malicious codes, followed by Win-Trojan/Overtls11.Gen (186,291 reports).

[Fig. 1-4] New Malicious Code Type Breakdown

As of January 2011, Trojan is the most reported new malicious code, representing 92% of the top reported new malicious codes. It is followed by adware (4%) and dropper (3%).

Malicious Code Issues

DDoS attack
Multiple DDoS (Distributed Denial of Service) codes were reported to have attacked various online forums, and Internet broadcasting, portal and chatting sites this month. A boy in his teens was found to have spread one of the malicious codes via online forums and Internet broadcasting sites just to attract attention. The malicious code that initiated the DDoS attacks was disguised in the form of automatic updates for widely used utilities and video files, and distributed via P2Ps, forums and blogs. Attacked sites will get more than 100 packets per second of DDoS traffic.

[Fig. 1-5] DDoS packets

The Cache-Control: no-store, must-revalidate option has been added to use up the server system resource, as in Fig. 1-5 above. Internet users are advised not to download any provocative or attention-grabbing files, and only download files from official or trusted web sites.

Malware scam from security company

On January 14, after the DDoS attack against an online community of DC Inside Yeonpyeong Island Shelling By North Korea, and hacking attack on Uriminzokkiri homepage, there was a report on a malware that claimed to be from a security company.

[Fig. 1-6] E-mail that claimed to be from a security company

This social engineering technique takes advantage of a social issue with a message, "Click the link to download a file to prevent virus attack from a North Korean network." We analyzed the mail header information and found that the account is from a Chinese portal site and sent from the site's server. The link contained a modified file from a Korean antivirus company's server. When installed, the following malicious file is installed along with the antivirus company's Windows patch scanning program.

- %PROGRAMFILES%\NVIDIA\[random 2-byte alphabets]ntex.dll
- %PROGRAMFILES%\NVIDIA\[random 2-byte alphabets]ntex.ole
- %USERPROFILE%\Local Settings\Temp\[random 2-byte alphabets]32.LOG

When infected, there are attempts to connect to the 6380 port for a Jackpot site, Mania Bada.

The damage could have been worse as the e-mail was sent from an account of a security company, but it was not as bad as expected, as it was not sent to random people.

Changes in malware distributed via NateOn

Malicious URL links used to be sent via instant messages or memos for the recipient to click to download malicious files. However, recently, a malware was found to be distributed via a website with malicious scripts inserted.

[Fig. 1-7] URL delivered via NateOn memo

Most of the websites with malicious scripts used ZeroBoard 4, in which the attacker exploited the vulnerabilities to insert the scripts. In the past, malware did not infect your system when not executed. But now, your system can get infected just by accessing a vulnerable website. So, be careful not to click on any suspicious URL you receive via NateOn memo or instant messages.

Kneber, a Zeus variant, appears as sent by the White House

An article titled "Malware in fake White House e-card steals data" was reported by CNET on January 5. This alerted the Korean press to report this issue. The e-mail appeared to be a holiday greeting from the White House but instead hid a Zeus variant, Kneber, that stole data. Trend Micro also mentioned this malware on its blog under the title "Old Zeus Variant Returns for Christmas".
[Fig. 1-8] E-mail appearing to be a holiday greeting from the White House

The holiday e-greeting prompted recipients to click to view the card, but when the file was opened, malware known as Zeus was downloaded to the computer. Similar attacks that take advantage of major holidays exist every year. In 2010, Prolaco (Ackantta) variant was distributed via a Christmas e-card, and another malware also spread via a holiday e-greeting in

V3 detects this malware as below:

- Win-Trojan/Zbot AC
- Win-Trojan/Zbot P
- Win-Trojan/Agent

MS IE exploits CVE vulnerability

On December 22, 2010, Microsoft released a security advisory, Microsoft Security Advisory ( ) "Vulnerability in Internet Explorer Could Allow Remote Code Execution". This zero-day vulnerability was attacked in some countries abroad in the morning of January 7, 2011. This zero-day vulnerability is a remote code execution vulnerability caused by heap-spray in IE's mshtml.dll. MS IE 6, 7 and 8 are affected.

[Fig. 1-9] IE zero-day vulnerability exploiting scripts

This attack was reported in some countries abroad and the number is not increasing, but extra caution is advised. Refer to KrCert's "MS IE New Remote Code Execution Vulnerability". V3 detects the malicious script as below:

- JS/CVE

According to Advance Notification Service for the January 2011 Security Bulletin Release, a security patch has not been included in the January 2011 Security Bulletin.

Malware distributed via shortened URL on Twitter

On January 21, 2011, a malware that directs victims to rogue antivirus sites was distributed via shortened URL on tweets. This attack was announced on SANS blog under the title "Possible new Twitter worm". As can be seen below, Google's shortened URLs are used a lot in tweets.

[Fig. 1-10] Tweets with Google's shortened URLs

The malicious URL works as below. Three redirections will lead to a malicious website that distributes the rogue antivirus.

[Fig. 1-11] Exploitation of Google's shortened URL in 3 stages

The malicious URL will lead victims to a malicious website that distributes rogue antivirus. When installed, the following message will appear.

[Fig. 1-12] Message that rogue antivirus has been installed

If you download and execute this file, a fake antivirus will be installed to your system, and messages that claim to have detected 45 viruses from your normal files will be displayed.

[Fig. 1-13] Warning that infections have been found

If you click "Remove all threats now", you will be asked to pay $79.95 (approx. KRW 23,000) for a lifetime licence and support.

[Fig. 1-14] Payment page for lifetime license and support

Extra caution is needed as there are multiple variants of this rogue antivirus. V3 detects this malware as below:

- Win-Trojan/Fakeav AC

Malware that bypasses cloud antivirus

On January 18, 2010, Microsoft Malware Protection Center posted "Bohu Takes Aim at the Cloud" about a malware that bypasses detection by cloud antivirus. The malware was made to bypass detection by cloud antivirus developed by a Chinese security company, in order to steal user information from a Chinese portal site. The malware is an installation file created with Nullsoft PiMP, and is disguised as an installation file for a Chinese video player, Suyu.

[Fig. 1-15] Malware disguised as video player installation file

When installed, the following files will be created and executed on the system.

- C:\Program Files\baidu\msfsg.exe (369,664 bytes)
- C:\Program Files\baidu\uninst18.exe

The created file, msfsg.exe (369,664 bytes), runs maliciously and creates the following files to bypass detection by the cloud antivirus.

- C:\Program Files\baidu\spass.dll (710,656 bytes)
- C:\Program Files\baidu\siglow.sys (17,024 bytes)
- C:\Program Files\baidu\siglow.dll (37,888 bytes)

msfsg.exe (369,664 bytes) loads all the above files into memory, then gets deleted from the local system and shows the following video player, to trick the victim into believing he/she has downloaded a video player.

[Fig. 1-16] Fake video player

Among all the created files, siglow.sys (17,024 bytes) is the file that bypasses detection by cloud antivirus. This driver file hooks network packets that are loaded on the system in the NDIS (Network Driver Interface Specification) stage. As for the outbound packets, when the network address of the cloud antivirus software created by the Chinese security company is included as below, connection to the address gets blocked.

[Fig. 1-17] Blocked cloud antivirus servers

In order to bypass detection, the malware exploits the fact that the cloud antivirus sends diagnosis information to the network and blocks transmission of information to the servers. V3 detects this malware as below:

- Win-Trojan/Bohu
- Win-Trojan/Bohu
- Win-Trojan/Bohu
- Win-Trojan/Bohu

Bohu Trojan horse is noteworthy since it is the first anti-cloud. Usually, when a new malware with a new infection technique is found, antivirus companies act by developing new detection and response techniques. However, the creator of Bohu Trojan horse has analyzed the way cloud antivirus works and found the method to bypass it. Such bypassing techniques will keep on developing to create new malware to bypass cloud antivirus.
Facebook password reset scam

On January 26, 2011, a Facebook password reset scam was reported. A similar scam was also found in April 2010, so extra caution is required. The scam found this month contained the following message and was sent under the subjects below:

[Fig. 1-18] Facebook password reset scam

The message for the scam was the same, but the subject was different as below:

- Facebook Support. A new password has been changed. ID<3-digit number>
- Facebook Service. Your account has been blocked! ID<3-digit number>
- Facebook Service. Your password is changed. ID<3-digit number>
- Your facebook password has been changed. NR<4-digit number>
- Facebook. The new password to your account. NR<5-digit number>
- Facebook Service. A new Password is sent you! ID<4-digit number>
- Facebook Office. Personal data has been changed! ID<5-digit number>

The scam contains the message, "This is a post notification. A spam is sent from your Facebook account. Your password has been changed for safety." A compressed zip file, such as Facebook_details_ID<5-digit number>.zip (20,699 bytes), is attached to the scam. When decompressed, Facebook_details.exe (24,576 bytes) will be created. When the file is opened, the following document.doc will open to show a Facebook login ID and password. This file is a normal Word file downloaded from a system in Russia.

[Fig. 1-19] Normal file shown by the malware

The Facebook_details.exe (24,576 bytes) works as below:

1. It executes svchost.exe, a normal system file on Windows, and overwrites the memory of the file with its code.
2. It creates 1B.tmp (78,848 bytes) and 1D.tmp (62,976 bytes) in the user account's temp folder.
3. 1B.tmp (78,848 bytes) creates aspimgr.exe (64,512 bytes), which sends e-mail with the actual malware attachment, in the Windows system folder (C:\Windows\System32).
4. It registers the aspimgr.exe (64,512 bytes) file as a Windows service, Microsoft ASPI Manager, to automatically run at startup.
5. It overwrites the memory of spoolsv.exe, a normal file on Windows system, with its own code, to delete explorer.exe and winlogon.exe, and create another set of files with the same name.
6. If there are FTP server address and login information on additionally infected systems, it gathers this information and sends it to a system in Russia.

V3 detects this as below:

- Win-Trojan/Zbot
- Win32/Danmec.worm
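A mail-triage check for the subject and attachment patterns listed above, as an added example that is not part of the ASEC report. The function names, the list of executable extensions and the sample messages are constructed for illustration; the regular expressions generalize the seven listed subjects to "Facebook-themed text ending in ID or NR plus 3 to 5 digits".

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects in the report: Facebook-themed text ending in "ID" or "NR" + 3-5 digits.
SUBJECT_RE = re.compile(r"facebook.*\b(?:ID|NR)\s?\d{3,5}\s*$", re.IGNORECASE)
# Attachment name in the report: Facebook_details_ID<5-digit number>.zip
ATTACH_RE = re.compile(r"^Facebook_details_ID\d{5}\.zip$", re.IGNORECASE)
# Assumption: extensions treated as directly executable on Windows.
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com")


def zip_has_executable(data: bytes) -> bool:
    """True if the archive lists a member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXECUTABLE_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        # Corrupt or non-zip payloads are not opened further.
        return False


def triage(raw: bytes) -> list[str]:
    """Return the indicators from the report that a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        findings.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            findings.append("attachment-name")
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            if zip_has_executable(payload):
                findings.append("exe-in-zip")
    return findings


def build_sample(subject, attach_name=None, member=None):
    """Build a constructed test message; the zip member holds placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("constructed body")
    if attach_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, b"constructed placeholder, not a real binary")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Facebook Service. Your account has been blocked! ID482",
                     "Facebook_details_ID48213.zip", "Facebook_details.exe"),
        build_sample("Your facebook password has been changed. NR1234"),
        build_sample("Quarterly report", "report.zip", "notes.txt"),
    ]
    for raw in samples:
        print(triage(raw))
```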
2. Security Trend

Security Statistics

Microsoft Security Updates - January 2011

Microsoft released 2 security updates this month.

[Fig. 2-1] MS Security Updates

[Table 2-1] MS Security Updates for January 2011

Two security updates were released this month. MS11-01 vulnerability could allow remote code execution if a user opens a legitimate Windows Backup Manager file that is located in the same network directory as a specially crafted library file. MS11-02 vulnerabilities could allow remote code execution if a user views a specially crafted Web page. Microsoft had seen examples of proof of concept code published publicly. It is recommended that you download the patch to fix the vulnerability. The patches for CVE (vulnerability in IE CSS) and CVE (vulnerability in MS graphic engine) are not yet available.

Malicious Code Intrusion: Website

[Fig. 2-2] Monthly malicious code intrusion: website

Fig. 2-2 above shows the monthly malicious code intrusion of websites. The number of intrusions rose slightly from the previous month. For further details, please refer to 3. Web Security Trend.

Security Issues

Vulnerability in Windows Graphics Rendering Engine (CVE )

Exploitation of a stack-based buffer overflow in the handling of thumbnails by Windows Graphics Rendering Engine (Shimgvw.dll) could cause remote code execution.

[Fig. 2-3] Vulnerability in Windows Graphic Rendering Engine

Moti and Xu Hao reported this vulnerability during POC. The vulnerability has not yet been exploited, but caution should still be taken. The vulnerable code will only be triggered if you enable Thumbnails view. Disable it if possible.

Storm Worm botnet

Storm worm was first reported on January 17, 2007, and spread fast from January 19 to infect 8% of computers worldwide. This virus disguises itself as an e-mail news alert on the weather and urges recipients to download and run an executable file. Another Storm worm attack disguised as FBI vs FaceBook spread in This type of worm that spreads using an e-mail message with a subject line about a social issue is dubbed Storm worm or Waledac. There was a spam during the year-end holidays on December 30, Steven Adair considers it to be Waledac 2.0 or Storm Worm 3.0. Clicking and downloading the link or file attachment on the scam will infect your system. Infected systems will send out spam to other computers. When the worm regularly accesses a hacked web page or server, data that starts with will always be included in the 33 byte or 417 byte payload.

[Fig. 2-4] Storm Worm payload

The number of such worms is on the rise and they usually spread via e-mail. Users are advised to exercise increased caution before opening links or attachments in e-mails from unfamiliar addresses.

Google's computer security expert unleashes browser fuzzing tool

[Fig. 2-5] Michal Zalewski's blog

In January 2011, Michal Zalewski, Google's computer security expert, unleashed cross_fuzz, a browser fuzzing tool. Zalewski says an accidental leak of the address of the fuzzer prior to its release helped reveal some unexpected intelligence, namely that third parties in China apparently also know about an unpatched and exploitable bug he found in IE with the fuzzer. He was able to confirm that there were no downloads or discoveries of the tool. But on Dec. 30, an IP address in China queried keywords included in one of the indexed cross_fuzz files, specifically two DLL functions, BreakAASpecial and BreakCircularMemoryReferences, associated with and unique to the zero-day IE flaw he found with the fuzzer. In the summer of 2010, Zalewski notified IE, Mozilla and Opera browser makers about the flaws, and they have been patched, except IE. The flaws in IE are identified as CVE and CVE. Caution still needs to be taken as the vulnerability has not yet been patched.

3. Web Security Trend

Web Security Statistics

Web Security Summary

[Table 3-1] Website Security Summary

This month, SiteGuard (AhnLab's web browser security service) blocked 78,911 websites that distributed malicious codes. There were 885 types of reported malicious code, 883 reported domains with malicious code, and 3,463 reported URLs with malicious code. The number of reported domains with malicious code was the same as the previous month, whereas the number of reported URLs with malicious code, types of reported malicious code and number of blocked malicious URLs increased.

Monthly Blocked Malicious URLs

[Fig. 3-1] Monthly Blocked Malicious URLs

As of January, the number of blocked malicious URLs increased 91% to 78,911, from 41,313 the previous month.
Monthly Reported Types of Malicious Code

[Fig. 3-2] Monthly Reported Types of Malicious Code

As of January 2011, the number of reported types of malicious code increased 8% from 819 the previous month to 885.

Monthly Domains with Malicious Code

[Fig. 3-3] Monthly Domains with Malicious Code

As of January 2011, the number of domains with malicious code remained the same this month.

Monthly URLs with Malicious Code

[Fig. 3-4] Monthly URLs with Malicious Code

As of January 2011, the number of reported URLs with malicious code increased 11% from 3,122 the previous month to 3,

Distribution of Malicious Codes by Type

[Table 3-2] Top Distributed Types of Malicious Code

[Fig. 3-5] Top Distributed Types of Malicious Code

As of January 2011, adware is the top distributed type of malicious code with 22,371 cases reported (28.3%), followed by dropper with 22,183 cases reported (28.1%).

Top 10 Distributed Malicious Codes

[Table 3-3] Top 10 Distributed Malicious Codes

As of January 2011, Win-Adware/Shortcut.InlivePlayerActiveX.234 is the most distributed malicious code, with 13,938 cases reported. 8 new malicious codes, including Win32/Virut.D, emerged in the top 10 list this month.

Web Security Issues

January 2011 Malicious Code Intrusion: Website

[Fig. 2-2] of 2. Security Trend shows the monthly malicious code intrusion of websites. 175 cases were reported in January, and they were mostly Win-Trojan/Onlinegamehack, which steals online game account information.

[Table 3-4] Top 10 Malicious Code Intrusion of Websites

The table above shows the top 10 malicious code intrusion of websites. The malicious codes were distributed the most on the weekends. Most of the malicious codes were distributed via banner advertisements that contained malicious scripts on websites. Some of the sites had subsites, and these subsites also had banner advertisements that were used to distribute the malicious codes.

- Case 1: Portal site -> Inserted URL:
- Case 2: Online broadcasting site -> Inserted URL:
- Case 3: Online storage site -> Inserted URL:
- Case 4: Image site -> Inserted URL:

The cases above show that no matter how impeccably you protect your website from external attacks and clear your website of vulnerabilities, your website can still be used to distribute malware. The reason most of the distributed malicious codes were Win-Trojan/Onlinegamehack is based on the following article:

* Growth spurt in Korean online game industry to reap KRW 10 trillion in Id=

The online game industry is expected to reap approximately 7 trillion won in The diversity of online games will increase users and sales. This will cause a rise in real-money transactions to buy and sell items and cyber money. With this, malicious hackers will try to earn money by hacking online game sites with Win-Trojan/Onlinegamehack to steal account information. Win-Trojan/Onlinegamehack could cause serious damage. It could cause one of the biggest damages by leaking account information to a specific website as below:

[Fig. 3-6] Account information leaked by Win-Trojan/Onlinegamehack

Take note of CODE that is highlighted by the red box. Win-Trojan/Onlinegamehack may encrypt stolen account information (ID and password) to hide the information during transmission.

What is the difference between a computer that often gets attacked by malicious codes and one that never gets attacked? The only difference is the user. The user of the computer that never gets attacked by malicious codes regularly updates his or her computer with the latest security updates. The user of the computer that is often infected by malicious codes is unconcerned about getting security updates and highly dependent on his/her antivirus software. What is the point of installing a burglar alarm when you open your gates or front door wide? The fundamental problem must be solved; you should not just rely on your security system. Updating your computer with the latest security updates will not make your computer 100% safe from attacks by malicious codes. However, most attacks will be prevented in advance.
Overview. Common Internet Threats. Spear Phishing / Whaling. Phishing Sites. Virus: Pentagon Attack. Viruses & Worms
Overview Common Internet Threats Tom Chothia Computer Security, Lecture 19 Phishing Sites Trojans, Worms, Viruses, Drive-bydownloads Net Fast Flux Domain Flux Infiltration of a Net Underground economy.
McAfee Labs Combating Fake Alert infections. - Amith Prakash, Global Threat Response
McAfee Labs Combating Fake Alert infections - Amith Prakash, Global Threat Response 1 What are FakeAlerts?... 2 Symptoms... 2 Characteristics- CLASSICAL EXAMPLE OF SOCIAL ENGINEERING... 3 Warnings displayed
Managed Security Services
Managed Security Services 1 Table of Contents Possible Security Threats 3 ZSL s Security Services Model 4 Managed Security 4 Monitored Security 5 Self- Service Security 5 Professional Services 5 ZSL s
Computer Networks & Computer Security
Computer Networks & Computer Security Software Engineering 4C03 Project Report Hackers: Detection and Prevention Prof.: Dr. Kartik Krishnan Due Date: March 29 th, 2004 Modified: April 7 th, 2004 Std Name:
2010 Carnegie Mellon University. Malware and Malicious Traffic
Malware and Malicious Traffic What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working
10 Quick Tips to Mobile Security
10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security contents 03 Introduction 05 Mobile Threats and Consequences 06 Important Mobile Statistics 07 Top 10 Mobile Safety Tips 19 Resources 22
NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT
Appendix A to 11-02-P1-NJOIT NJ OFFICE OF INFORMATION TECHNOLOGY P.O. Box 212 www.nj.gov/it/ps/ 300 Riverview Plaza Trenton, NJ 08625-0212 NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT The Intent
F-Secure Anti-Virus for Mac. User's Guide
F-Secure Anti-Virus for Mac User's Guide F-Secure Anti-Virus for Mac TOC 3 Contents Chapter 1: Getting started...5 What to do after installation...6 Manage subscription...6 Open the product...6 How to
Avoiding Malware in Your Dental Practice. 10 Best Practices to Defend Your Data
Avoiding Malware in Your Dental Practice 10 Best Practices to Defend Your Data Avoiding Malware in Your Dental Practice Like most small business owners, you must protect your dental practice s computer
Spyware. Summary. Overview of Spyware. Who Is Spying?
Spyware US-CERT Summary This paper gives an overview of spyware and outlines some practices to defend against it. Spyware is becoming more widespread as online attackers and traditional criminals use it
Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 2 Systems Threats and Risks Objectives Describe the different types of software-based attacks List types of hardware attacks Define
Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines
Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines 1. Implement anti-virus software An anti-virus program is necessary to protect your computer from malicious programs,
INFOCOMM SEC RITY. is INCOMPLETE WITHOUT. Be aware, responsible. secure!
INFOCOMM SEC RITY is INCOMPLETE WITHOUT Be aware, responsible secure! U HACKER Smack that What you can do with these five online security measures... ANTI-VIRUS SCAMS UPDATE FIREWALL PASSWORD FASTEN UP!
Attacks from the Inside
Attacks from the Inside Eddy Willems, G Data Righard J. Zwienenberg, Norman Attacks from the Inside. Agenda - Social Networking / Engineering - Where are the threats coming from - Infection vectors - The
Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security
Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security The IT Security Office (ITSO) What We Do? Risk Assessment Network and System Security Monitoring Vulnerability Scanning
Sophos Endpoint Security and Control Help. Product version: 11
Sophos Endpoint Security and Control Help Product version: 11 Document date: October 2015 Contents 1 About Sophos Endpoint Security and Control...5 2 About the Home page...6 3 Sophos groups...7 3.1 About
Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies
Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some
QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY
QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY EXPLOIT KITS UP 75 PERCENT The Infoblox DNS Threat Index, powered by IID, stood at 122 in the third quarter of 2015, with exploit kits up 75 percent
Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning
Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning Lee Zelyck Network Administrator Regina Public Library Malware, Spyware, Trojans
2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program.
2014 Entry Form (Complete one for each entry.) Fill out the entry name exactly as you want it listed in the program. Entry Name HFA Submission Contact Phone Email Qualified Entries must be received by
When you listen to the news, you hear about many different forms of computer infection(s). The most common are:
Access to information and entertainment, credit and financial services, products from every corner of the world even to your work is greater than ever. Thanks to the Internet, you can conduct your banking,
Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint?
Managed Intrusion, Detection, & Prevention Services (MIDPS) Why E-mail Sorting Solutions? Why ProtectPoint? Why? Focused on Managed Intrusion Security Superior-Architected Hardened Technology Security
1. Threat Types Express familiarity with different threat types such as Virus, Malware, Trojan, Spyware, and Downloaders.
Threat Protection Tools and Best Practices Objectives 1. Threat Types Express familiarity with different threat types such as Virus, Malware, Trojan, Spyware, and Downloaders. 2. Threat Vectors Be familiar
F-Secure Internet Security 2012
F-Secure Internet Security 2012 F-Secure Internet Security 2012 TOC 3 Contents Chapter 1: Getting started...7 How to use automatic updates...8 Check the update status...8 Change the Internet connection
How to stay safe online
How to stay safe online Everyone knows about computer viruses...or at least they think they do. Nearly 30 years ago, the first computer virus was written and since then, millions of viruses and other malware
Information Security Awareness
Corporate Account Takeover & Corporate Account Takeover & Information Security Awareness The information contained in this session may contain privileged and confidential information. This presentation
TRAINING FOR AMERICAN MOMENTUM BANK CLIENTS. Corporate Account Takeover & Information Security Awareness
TRAINING FOR AMERICAN MOMENTUM BANK CLIENTS Corporate Account Takeover & Information Security Awareness The information contained in this session may contain privileged and confidential information. This
Top tips for improved network security
Top tips for improved network security Network security is beleaguered by malware, spam and security breaches. Some criminal, some malicious, some just annoying but all impeding the smooth running of a
CYBERTRON NETWORK SOLUTIONS
CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified
It s 2 o clock: Who Has Your Data? Josh Krueger Chief Technology Officer Integrity Technology Solutions
It s 2 o clock: Who Has Your Data? Josh Krueger Chief Technology Officer Integrity Technology Solutions Your home is your business and your farm is your network. But who has access to it? Can you protect
Stopping zombies, botnets and other email- and web-borne threats
Stopping zombies, botnets and other email- and web-borne threats Hijacked computers, or zombies, hide inside networks where they send spam, steal company secrets, and enable other serious crimes. This
Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers 2012. Your Interactive Guide to the Digital World
Chapter 11 Manage Computing Securely, Safely and Ethically Discovering Computers 2012 Your Interactive Guide to the Digital World Objectives Overview Define the term, computer security risks, and briefly
Trend Micro Hosted Email Security Stop Spam. Save Time.
Trend Micro Hosted Email Security Stop Spam. Save Time. How it Works: Trend Micro Hosted Email Security A Trend Micro White Paper l March 2010 Table of Contents Introduction...3 Solution Overview...4 Industry-Leading
Operation Liberpy : Keyloggers and information theft in Latin America
Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation
Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1
Threats and Attacks Modifications by Prof. Dong Xuan and Adam C. Champion Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to:
2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security
2016 Trends in Cybersecurity: A Quick Guide to the Most Important Insights in Security For 10 years, Microsoft has been studying and analyzing the threat landscape of exploits, vulnerabilities, and malware.
Release Notes for Websense Email Security v7.2
Release Notes for Websense Email Security v7.2 Websense Email Security version 7.2 is a feature release that includes support for Windows Server 2008 as well as support for Microsoft SQL Server 2008. Version
SECURING INFORMATION SYSTEMS
SECURING INFORMATION SYSTEMS (November 9, 2015) BUS3500 - Abdou Illia - Fall 2015 1 LEARNING GOALS Understand security attacks preps Discuss the major threats to information systems. Discuss protection
============================================================= =============================================================
Stephan Lantos Subject: FW: @RISK: The Consensus Security Vulnerability Alert: Vol. 13, Num. 23 In partnership with SANS and Sourcefire, Qualys is pleased to provide you with the @RISK Newsletter. This
COMPUTER-INTERNET SECURITY. How am I vulnerable?
COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus Worm Trojan Spyware Adware Messenger Service 2 VIRUS A computer virus is a small program written to alter the way a computer
