
Friday, March 28, 2014

MA-381.032014 : MyCERT Alert - Malware Related to Missing Malaysia Airlines MH370 Plane

Date Published: 24 March 2014
1.0 Introduction
Following the recent media coverage of the missing Malaysia Airlines flight MH370, MyCERT has observed a Facebook app, hosted on a malicious domain, that infects the user's computer once the app is clicked. The malware uses Malaysia Airlines Flight 370 as its social engineering lure to attract potential victims.
The malware is a backdoor, detected as BKDR_OTOPROXY.WR by Trend Micro. Other names for the malware are:
  • Trojan:Win32/Small.gen!AG (Microsoft)
  • Trojan.Swisyn (Symantec)
  • Troj/Mdrop-FWE (Sophos)
2.0 Affected Systems
The malware infects the following platforms:
  • Windows 2000
  • Windows Server 2003
  • Windows XP (32-bit, 64-bit)
  • Windows Vista (32-bit, 64-bit)
  • Windows 7 (32-bit, 64-bit)
3.0 Impact
An infected computer allows the attacker to control it remotely and execute various commands. The malware also gathers the IP address and hostname of the infected computer.
4.0 Technical Details
The malware has C&C capabilities that allow the attacker to take control of victim computers. The backdoor has the following remote capabilities:
  • Check installed plug-in
  • Download plug-in
  • Register plug-in
The backdoor drops multiple files, such as the following:
  • %User Temp%\des.z - encrypted exe file (2nd layer), deleted afterwards
  • %User Temp%\big.t - encrypted exe file (1st layer), deleted afterwards
  • %User Temp%\~norry{digit} - decrypted exe file, deleted afterwards
  • %User Temp%\cfg.ax - deleted afterwards
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)
Some of the dropped files execute the following files:
  • %User Temp%\svchost.exe - also detected as BKDR_OTOPROXY.WR (on Windows XP and earlier operating system versions)
  • %Program Data%\iexplore.exe - also detected as BKDR_OTOPROXY.WR (on Windows Vista and later operating system versions)
(Note: %Program Data% is the ProgramData folder; the autostart entry below places it at %System Root%\programdata, i.e. C:\ProgramData on Windows Vista and 7.)
The malware also has autostart capability so that it runs every time Windows starts. It achieves this by adding the following value to the Windows Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
serrvice = "%System Root%\programdata\iexplore.exe -help "
The backdoor then tries to connect to the following domain:
  • www.dpmc.{BLOCKED}ssl.com via ports 80 and 443
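The following host check is an added example and is not part of the MyCERT alert: it looks for the autostart value, the dropped file names and the two executed binaries listed above on a single Windows machine. It assumes $env:TEMP is the current user's Temp folder and that %Program Data% resolves to $env:ProgramData (with a fallback to %SystemDrive%\programdata, matching the Run value, for older Windows versions).

```powershell
# Added example (not the alert's own tooling): check one host for the
# BKDR_OTOPROXY.WR indicators published in the alert.
$findings = @()

# 1. Autostart entry: HKCU Run value named "serrvice" (note the misspelling)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'serrvice')) {
    $findings += "Run value 'serrvice' present: $($run.serrvice)"
}

# 2. Dropped and executed files named in the alert
# Assumption: $env:ProgramData is absent on XP/2003, so fall back to the
# %SystemDrive%\programdata path used by the Run value.
$programData = if ($env:ProgramData) { $env:ProgramData } else { "$env:SystemDrive\programdata" }
$candidates = @(
    (Join-Path $env:TEMP 'des.z'),
    (Join-Path $env:TEMP 'big.t'),
    (Join-Path $env:TEMP 'cfg.ax'),
    (Join-Path $env:TEMP 'svchost.exe'),      # the genuine svchost.exe lives in System32
    (Join-Path $programData 'iexplore.exe')   # the genuine iexplore.exe lives under Program Files
)
foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}
# The decrypted payload name carries a variable digit, so match the prefix
Get-ChildItem -Path $env:TEMP -Filter '~norry*' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Dropped file present: $($_.FullName)" }

# 3. Running processes launched from the two executed-file paths
$badExe = @((Join-Path $env:TEMP 'svchost.exe'), (Join-Path $programData 'iexplore.exe'))
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($badExe -contains $_.Path) } |
    ForEach-Object { $findings += "Suspicious process: PID $($_.Id) from $($_.Path)" }

if ($findings.Count -eq 0) { 'No BKDR_OTOPROXY.WR indicators found.' } else { $findings }
```

Run it in the context of the user account that may have clicked the app, since both the Run key and the Temp folder are per-user; process paths of other users' processes are only visible from an elevated session.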
5.0 Recommendation
MyCERT would like to recommend and advise Internet users:
  • Not to believe or pass around any hoax messages related to the missing MH370 plane that contain attachments. Internet users must disregard and ignore such messages.
  • Not to click or open any pictures or videos claiming to show the missing Malaysia Airlines MH370, as they may redirect to malicious websites.
  • To install the latest security updates and virus definitions.
  • Users who receive suspicious emails, videos, attachments or URLs can forward them to MyCERT for further analysis.
  • If you have shared the post about the fake hijacker video image on Facebook, delete the video from your Facebook wall or "unlike" it immediately. Facebook users should also remove any newly installed applications relating to the missing MH370 plane from their Facebook account, and delete any remaining instances of the post from their wall.
  • Make sure you are logged into your Facebook account and go to the Facebook application settings page. The page lists all the applications you have granted access to your Facebook account; scroll down and click the "X" on the right side of an app in the list to remove it. Some of the fake scam apps use names like "CNN", "Fox News", "Plane", "MH370" or "YouTube" to trick users.
6.0 References