ASEC REPORT VOL.28 | 2012.05 AhnLab Monthly Security Report

Disclosure to or reproduction for others without the specific written authorization of AhnLab is prohibited.
2012. This is a decrease of 2,410,844 from the 13,820,206 reported in the previous month. The most frequently reported malicious code was Trojan/Win32.adh, followed by Mov/Cve-2012-0754 and Trojan/Win32.Gen. 8 new malicious codes were reported this month.

[Fig. 1-1] Monthly Malicious Code Reports (2012.02: 13,663,774, -2.1%; 2012.03: 13,820,206, +156,432, +1.1%; 2012.04: 11,409,362, -2,410,844, -17.4%)

Ranking  ↑↓    Malicious Code                  Reports    Percentage
1        —     Trojan/Win32.adh                870,167    20.1%
2        NEW   Mov/Cve-2012-0754               415,052    9.6%
3        —     Trojan/Win32.Gen                401,819    9.3%
4        ▲1    Malware/Win32.generic           399,827    9.2%
5        ▼1    Textimage/Autorun               347,538    8.0%
6        NEW   Trojan/Win32.bho                267,854    6.2%
7        ▲2    Trojan/Win32.agent              203,137    4.7%
8        ▼2    Adware/Win32.korad              156,582    3.6%
9        ▼7    JS/Agent                        143,487    3.3%
10       NEW   Downloader/Win32.opentab        129,989    3.0%
11       NEW   Als/Bursted                     118,022    2.7%
12       ▲5    Downloader/Win32.agent          116,779    2.7%
13       ▼6    Trojan/Win32.hdc                111,681    2.6%
14       ▲1    Java/Agent                      108,113    2.5%
15       ▼2    Trojan/Win32.genome             98,377     2.3%
16       ▼6    Trojan/Win32.fakeav             96,753     2.2%
17       NEW   Backdoor/Win32.trojan           91,578     2.1%
18       NEW   Win-Trojan/Rootkit.28928.D      87,708     2.0%
19       NEW   Adware/Win32.bho                84,628     2.0%
20       NEW   ASD.PREVENTION                  82,889     1.9%
Total                                          4,331,980  100.0%

[Table 1-1] Top 20 Malicious Code Reports
ASEC REPORT Malicious Code Trend 7 8
Vol.28 Security Trend
Web Security Trend
this month. For April 2012, Trojan/Win32 was the most reported malicious code, representing 33.6% (2,611,473 reports) of the top 20 malicious code variants, followed by Adware/Win32 (531,968

Ranking ↑↓ Malicious Code Reports Percentage

this month. Win-Trojan/Korad.229376 was the most frequently reported new malicious code, representing 11.3% (43,537 reports) of the top 20 new malicious codes, followed by Win-Trojan/

Ranking ↑↓ Malicious Code Reports Percentage

Breakdown of Primary Malicious Code Types

The chart below categorizes the top malicious codes reported this month. For April 2012, Trojan was the most reported malicious code, representing 48.3% of the top reported malicious codes,

[Chart] Breakdown of primary malicious code types (0-50% scale): TROJAN 48.3%; OTHER 39.5%; WORM 7.3%; VIRUS 2.8%; SPYWARE 0.3%

the number of script, adware, downloader and appcare decreased. The number of dropper and

Breakdown of New Malicious Code Types

For April 2012, Trojan was the most reported new malicious code, representing 88% of the top reported new malicious codes, followed by adware (6%) and dropper (3%).
Malware is usually distributed randomly via an email attachment. By relating emails to widely-celebrated holidays and current events, spammers can make their messages more interesting, and increase the chance of recipients clicking links and opening files.

In the most recent case, we spotted an email claiming to offer tickets for the London 2012 Olympic Games. The attached .doc

[Fig. 1-5] Structure of malicious DOC file

The SWF flash script loads to open a web page (hxxp://gis.usda.****.com/) on Internet Explorer.

When the malicious web page opens, the codes below will be

The Java zero-day vulnerability is identified as CVE-2012-0507. A security update has not yet been released for the zero-day vulnerability, so do not open any suspicious file.

attached Microsoft Word document titled, 'North Korea', 'North Korea satellite launch' and 'North Korea nuclear test'. The attack works as below:

1. North Korea.doc
This malware hooks keyboard and mouse events and gets commands from a C&C server. As you can see below, the fabricated DOC file looks legit when opened.

[Fig. 1-10] Malware infection by fabricated DOC file

[Fig. 1-11] Legitimate-looking DOC file

2. Sorean intelligence officials say North Korea may be preparing for nuclear test.doc
This malicious file exploits an MS Office vulnerability identified as CVE-2010-3333 to create wor.doc.

[Fig. 1-15] Wor.doc file

Both files are located in C:\Documents and Settings\Administrator\Local Settings\Temp\.

[Fig. 1-17] Wor.doc and WORD.exe file located in the same folder

We found a malicious PDF file disguised as the Seoul Communique file.

[Fig. 1-19] Malicious PDF file

The malicious PDF file icon is manipulated to look like an Adobe Reader icon. If you open the malicious PDF file, it creates the following files:

Created files:
- 'C:\Documents and Settings\Administrator\Local Settings\Temp\Winword.js': contains malicious scripts that create and remove malicious files
- 'C:\Documents and Settings\Administrator\Local Settings\Temp\Adobe.pdf': normal PDF file
- 'C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\wininit.dll': malicious file

The file you will actually see is the Adobe.pdf file in the %Temp% folder:
[Fig. 1-21] Legitimate PDF file included with malicious files

The malicious PDF file creates the following malware:

[Fig. 1-22] Malware created

The wininit.dll file gets loaded on the explorer.exe process and attempts to connect to an IP address (58.**.2**.24).

[Fig. 1-23] Network connection information

You can see that the file attempted to connect to the IP address (58.**.2**.24) to get specific information.

V3 detects this malware as:
- PDF/Exploit-downloader (V3, 2012.04.19.00)
- Win-Trojan/Agent.44032.VC (V3, 2012.04.18.03)
- Trojan/Win32.Cosmu (AhnLab, 2012.04.16.05)

Mac Malware Threats Increase

Apple's operating system is increasingly becoming a target for hackers and malware authors. The recent advent of Flashback malware that includes the exploit code for CVE-2012-0507 has infected approximately 550,000 Mac OS X users.

Samsung and Apple have 50% of the smartphone market.

[Fig. 1-24] 2012 smartphone market

Microsoft's Windows has 90% of the operating system market.

[Fig. 1-25] Operating system market

Samsung's and MS' share of the smartphone and OS market surpasses that of Apple.

The following threats against Apple products were found:

Threat                        Description
Flashback Malware             First discovered in 2011, this Trojan horse masquerades as an installer for Adobe Flash and spreads via SNS. 550,000 Macs have been infected by this variant.
Sabpab Malware                This Trojan horse exploits a vulnerability in MS Word and spreads via email attachments.
Trojan-Dropper:OSX.Revir.A    This Trojan horse, disguised as a PDF file, has a backdoor attackers can use for remote access. It spreads via email attachments.
MacDefender Fake AV           This fake antivirus tricks victims into paying for the service. It spreads via search engine optimization or SNS.
PDF Bug in Safari             This bug is found when viewing a PDF file on the Safari web browser. If the attacker successfully exploits the vulnerability, he/she can remotely control your iPhone, iPad or iPod.
Weyland-Yutani Robot Kit      This malware kit is distributed via black markets.

[Table 1-4] Malware targeting Mac

The number of malware targeted towards Mac OS is increasing. This is caused by the growing market share of Apple's OS. The widespread malware proves that Mac OS is no longer safe. You are advised to always update your application programs, such as MS Word, Flash Player and Java, to the latest versions.

Multi-Platform Malware Targets Both Windows and Mac OS

A Tibetan-themed malware campaign titled, 'Invitation for Tibetan Films', targeting both Windows and Mac that seeks to steal sensitive information has been uncovered.

Users clicking on the link included in the email will be led to a site which determines whether they are on a Mac or Windows system, subsequently loading a Java applet, exploiting a vulnerability in the Java Runtime Environment component.

- 'file.***.**/v*******l/2*****R/img.jar' <-- URL to download file on Windows
- 'file.***.**/v*******l/2*****R//ref.jar' <-- URL to download file on Mac OS

[Fig. 1-26] Comparison of OS routines

[Fig. 1-27] ref.jar header

for Windows or Mac OS, granting hackers access to the same C&C server. Both backdoors upload and download files and navigate through files and directories in the affected system for data exfiltration.

You are advised to deactivate Java to prevent the Flashback Trojan malware vulnerability.

V3 detects this malware as:
- Dropper/Agent.25088.CA
- MacOS_X/Olyx
- EXP/Cve-2011-3544
- JAVA/Cve-2012-0507

There are two versions of the SabPub information-stealing Trojan: one uses MS Word documents that exploit the CVE-2009-0563 vulnerability, and the other uses the same CVE-2012-0507 Java vulnerability the Flashback Trojan used to infect Macs.

The Trojan creates com.apple.PubSabAgent.pfile in the Users/Library/Preferences folder. The file is a 32-bit Mach-O executable.

[Fig. 1-29] Mach-O file format

It also creates com.apple.PubSabAgent.plist in the Users/Library/LaunchAgents folder.

[Fig. 1-30] plist created
[Fig. 1-31] com.apple.PubSabAgent.plist

ensure it is executed whenever the current user logs in.

The malware connects to a C&C server to receive commands. The C&C server was no longer active when we analyzed the malware.

[Fig. 1-32] Attempt to connect to C&C server

- /Library/LaunchAgents/com.apple.dockActions.plist

[Fig. 1-35] plist to execute copied file

To patch this vulnerability, click the Apple logo on the top-left of your desktop, and then click "Software Update...".

[Fig. 1-36] Mac OS X update

Attacks will continue until the security vulnerabilities are updated, so you must always update the software you are using on a regular basis.

online bank accounts.

SpyEye is a malicious toolkit for creating and managing botnets. It is designed primarily for stealing banking credentials and other confidential information from infected systems. ASEC analyzed the SpyEye samples collected over Q1 of 2012 to find the targets of this Trojan.

According to extracted data, 41% of all SpyEye targets were found to be located in Germany, followed by US at 32%, and Canada at 14%.

[Fig. 1-38] Geographical location of SpyEye targets

According to SpyEye-relevant host data extracted by the AhnLab Packet Center, most of the SpyEye domains were found to be located in the US, followed by Russia and Ukraine. Fortunately, Korean financial institutions were not included on the list of targets. When using online banking services with foreign banks outside Korea, you must exercise caution.

[Fig. 1-40] Geographical location of SpyEye C&C servers
(mylogo.jpg) in the assets folder of the app to perform the following malicious activities:

- Steal smartphone information
- Attempt root access
- Communicate with the C&C server to execute commands (e.g.: install program)

[Fig. 1-43] JPG file with the hidden malicious ELF file

[Fig. 1-44] Binary code of ELF file in JPG file

[Fig. 1-45] Codes to steal smartphone information

V3 detects this malware as:
- Android-Exploit/Rootor.TC

02. Security Trend

a. Security Statistics

[Chart] 2011.04 - 2012.04

Threat Level   Vulnerability
Critical       .NET Vulnerability in .NET Framework Could Allow Remote Code Execution (MS12-025)
Critical       Vulnerability in Windows Common Controls Could Allow Remote Code Execution (MS12-027)
Important      Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (MS12-026)
Important      Vulnerability in Windows Office Could Allow Remote Code Execution (MS12-028)
An RTF file that exploits the CVE-2012-0158 vulnerability in Windows Common Controls was found this month. The malicious file is similar to the file that exploited the CVE-2010-3333 vulnerability in MS Word in 2010, and spreads via email attachment.

[Fig. 2-2] Malicious file named Inside Information.doc

A Word file was created with a PE file.

[Fig. 2-5] Malicious file included in the document

[Fig. 2-6] Word file included in the document

The malicious zl5.exe file created by the Word file used a digital signature.

The IP addresses the malware tries to access are located in the US and China.

[Fig. 2-10] IP information
Website Security Summary

This month, SiteGuard (AhnLab's web browser security service) blocked 19,925 websites that distributed malicious codes. 556 types of malicious code, 366 domains with malicious code and 1,967 URLs with malicious code were found. The overall numbers have slightly decreased from the last month.

[Fig. 3-2] Monthly Change in the Number of Reported Malicious Code Types (2012.02 - 2012.04)

Monthly Change in URLs with Malicious Code

19,925 malicious URLs were blocked in April 2012, a 23% fall from the 25,873 blocked in the previous month.

[Chart] Blocked malicious URLs (2012.02: 73,746, +79.1%; 2012.03: 25,873, -47,873, -64.9%; 2012.04: 19,925, -5,948, -23.0%)

1,967 URLs were found with malicious codes in April 2012, an 8% fall from the 2,137 found in the previous month.

[Chart] URLs with malicious code (2012.02: 5,079, -55.9%; 2012.03: 2,137, -2,942, -57.9%; 2012.04: 1,967, -170, -8.0%)
[Chart] Top distributed types of malicious code: ETC 5,040; ADWARE 3,599; DOWNLOADER 2,621; DROPPER 1,766; ADWARE 228; APPCARE 133; JOKE 93; SPYWARE 57

[Table 3-5] Top Distributed Types of Malicious Code

The chart above shows the number of websites intruded to distribute malicious codes. The overall number decreased this month, but the number of malicious codes distributed via P2P sites increased.

Top 10 Distributed Malicious Codes

For April 2012, Win-Adware/ToolBar.Cashon.308224 was the top distributed malicious code with 1,754 cases reported, followed by Downloader/Win32.Korad with 1,255 cases reported.

Ranking  ↑↓    Malicious Code                     Reports  Percentage
1        —     Win-Adware/ToolBar.Cashon.308224   1,754    20.6%
2        ▲1    Downloader/Win32.Korad             1,255    14.7%
3        ▼1    Dropper/Small.Gen                  961      11.3%
4        ▲1    Downloader/Win32.Totoran           845      9.9%
5        ▲4    Trojan/Win32.HDC                   680      8.0%
6        NEW   Trojan/Win32.ADH                   679      8.0%
7        NEW   ALS/Bursted                        675      7.9%
8        —     Unwanted/Win32.WinKeyfinder        574      6.7%
9        ▼3    Adware/Win32.KorAd                 570      6.6%
10       ▼3    Unwanted/Win32.WinKeygen           542      6.3%
Total                                             8,535    100.0%

[Table 3-3] Top 10 Distributed Malicious Codes

Top 10 malicious codes distributed via websites

Ranking  Threat                                 URL
1        Win-Trojan/Onlinegamehack.54784.BC     20
2        Win-Trojan/Onlinegamehack.102400.DX    20
3        Win-Trojan/Onlinegamehack.212992.S     15
4        Win-Trojan/Onlinegamehack.53248.KA     15
5        Win-Trojan/Onlinegamehack.140493.B     14
6        Win-Trojan/Onlinegamehack.112640.P     12
7        Win-Trojan/Onlinegamehack.38912.BJ     12
8        Win-Trojan/Onlinegamehack.38400.BA     11
9        Win-Trojan/Onlinegamehack.73216.AI     11
10       Win-Trojan/Agent.9344.L                10

[Table 3-4] Top 10 malicious codes distributed via websites

The table above shows the top 10 malicious codes distributed via websites this month. Win-Trojan/Onlinegamehack.54784.BC (hereafter Onlinegamehack.54784.BC) was the most frequently distributed malicious code, and the identified distribution channels were 20 domestic websites.
ASEC REPORT Vol.28

Contributors
Senior Researcher Dong-hyun Kang
Senior Researcher Chang-yong Ahn
Senior Researcher Young-jun Chang
Assistant Researcher Young-jo Mun
Assistant Researcher Jeong-woo Park
Researcher Jae-hong Kim
Executive Editor
Senior Researcher Hyung-bong Ahn
Reviewer
CTO Si-haeng Cho