Click here to load reader

Asec report vol.16_kor

  • View
    1.264

  • Download
    0

Embed Size (px)

DESCRIPTION

안철수 연구소에서 5월 월간 보안 현황리포트 배포 내용

Text of Asec report vol.16_kor

  • 1. ASECDisclosure to or reproductionfor others without the specificwritten authorization of AhnLab isprohibited.REPORTCopyright (c) AhnLab, Inc.All rights reserved. VOL.16 | 2011.5 - MBR Infector : Smitnyl

2. AhnLabASEC (AhnLab Security Emergency response Center) CONTENTSSecurity . Emergency ASEC , response . 01. 02. Center(www.ahnlab.com) . a. 05 a. 28 - Top 20- 4 - Top 20 - b. 29 - - - LizaMoon SQL - Top 20 - APT RSA - - 7,700 b. 10 03. - imm32.dll a. 32 - imm32.dll - BitDefender - - UPS - URL - - - - - - URL - - - , - c. 17 b. 35 - MBR Infector : Smitnyl - 2011 04 3. ASEC REPORT Malicious Code Trend56Vol.16Security TrendWeb Security Trend01. a. Top 20 Top 202011 4 . 2011 4 Textimage/Autorun 1 , Win-Trojan/Overtls27.Gen JS/Redirect 2 3 . Top20. 2011 4 Win-Trojan/Onlinegamehack 1,781,690 Top20 8. Top 20 16.7% 1 , Win-Trojan/Winsoft 1,385,102 2, Textimage/Autorun 1,148,775 3 . 1 Textimage/Autorun1,148,610 26.2 % 1 Win-Trojan/Onlinegamehack1,781,690 16.7 %2NEW Win-Trojan/Overtls27.Gen540,65212.3 % 25Win-Trojan/Winsoft 1,385,102 13.0 %3 1 JS/Redirect 471,01110.7 % 31Textimage/Autorun1,148,775 10.8 %4 2 JS/Agent429,722 9.8 % 42Win-Trojan/Downloader 825,243 7.7 %5 Win32/Induc 224,589 5.1 % 52Win-Trojan/Agent770,719 7.2 %6NEW Win-Trojan/Winsoft.46080.BR 188,926 4.3 % 6 NEWWin-Trojan/Overtls27540,652 5.1 %7 Win32/Palevo1.worm.Gen156,080 3.6 % 76JS/Redirect 471,011 4.4 %8NEW Win-Trojan/Winsoft.78981.CIB126,814 2.9 % 811 Dropper/Malware 470,453 4.4 %93 Win32/Conficker.worm.Gen121,739 2.8 % 91JS/Agent429,723 4.0 %10 3 Win32/Olala.worm111,065 2.5 % 10 Win32/Conficker 410,871 3.9 %112 Win32/Parite102,528 2.3 % 11 2Win32/Autorun.worm408,925 3.8 %12 NEW Dropper/Malware.94432.B94,972 2.2 % 12 Win32/Virut 302,494 2.8 %136 Win32/Virut.f93,421 2.1 % 13 8Win-Trojan/Adload 272,959 2.6 %144 VBS/Solow.Gen87,282 2.0 % 140Win32/Kido260,927 2.4 %15 NEW Win32/Flystudio.worm.Gen 86,516 2.0 % 15 9Win-Adware/Koradware260,233 2.4 %161 JS/Exploit 85,943 2.0 % 16 Win32/Induc 224,724 2.1 %173 VBS/Autorun82,326 1.9 % 17 1Dropper/Onlinegamehack184,186 1.7 %18 NEW Win32/Virut80,306 1.8 % 18NEWVBS/Solow 183,263 1.7 %19 NEW Win-Trojan/Winsoft.46080.AR76,276 1.7 % 19NEWWin32/Palevo178,027 1.7 %20 NEW Win-Trojan/Fosniw.7577673,389 1.7 % 20NEWWin32/Palevo1 156,080 1.5 %4,382,167 100 % 10,666,057 100 % [ 1-1] Top 20[ 1-2] Top 20 4. ASEC REPORT Malicious Code Trend 78Vol.16Security TrendWeb Security Trend . 2011 4 4 17,531,396 3 (TROJAN) 50.3% , 18,626,994 1,095,598 .(WORM) 12.3%, (SCRIPT) 10.9% .18,626,994 20,000,000 +10.3% 17,531,396 Trojan 50.3%-5.9% 18,000,000 Worm12.3%18,013,021 Script10.9%+10.4% ETC9.6% 16,000,000 Dropper5.2% Adware 4.9% 14,000,000 Virus4.6% Downloader 1% Spyware0.7% 12,000,000 Appcare0.5% 0 2011.02 2011.03 2011.04 [ 1-1] [ 1-3] , , (DROPPER), (VIRUS), 4 79% 1 . 10%, (SPYWARE) , (ADWARE), 6% .(DOWNLOADER), (APPCARE) . 52.8% 50.3% 50%Dropper 10%Trojan 25%Adware 6%79% 11.2% 12.3% 9.9% 10.9%8.9% 9.6% 4.5% 4.6%Downloader 1%6.5% 4.9%1.8% 1%3.6% 5.2% Spyware 1%0.6% 0.5% 0% 0% 0.4% 0.7%0% 0%Script 1%Worm 1%Ad ApClik DoDro ETCExp Scr Sp TroVir Woware pcare er wnloapp der erloitiptyw are janus rm ETC 1% [ 1-2] [ 1-4] 5. ASEC REPORT Malicious Code Trend 910Vol.16Security TrendWeb Security Trend Top 20 01. 4 Top 20. 4b. Top 20 Win-Trojan/Overtls27.Gen 540,652 33.4% 1 , Win-Trojan/Winsoft.46080.BR 188,926 2 . 1Win-Trojan/Overtls27.Gen540,652 33.4 %2Win-Trojan/Winsoft.46080.BR 188,926 11.7 % imm32.dll [ 1-7] 3Win-Trojan/Winsoft.78981.CIB126,8147.8 %4Dropper/Malware.94432.B94,9725.9 %3 2 ASEC 5Win-Trojan/Fosniw.7577673,3894.5 % V3 6Win-Trojan/Bho.21321669,7424.3 % . 7Win-Trojan/Winsoft.78085.B 67,9854.2 % imm32.dll 8Win-Trojan/Winsoft.75776.D 54,3823.4 % ASEC . 29JS/Ms10-01844,1252.7 % 3 imm32.dll 10 Win-Trojan/Winsoft.78089 38,0982.4 %[ 1-5] imm32.dll (Export) 11 Win-Spyware/BHO.233984 37,5812.3 %12 Win-Trojan/Downloader.75776.X36,1142.2 % .13 Dropper/Malware.235520.CF34,0642.1 % [ 1-5] 14 Win-Adware/ColorSoft.49053033,4132.1 %15 Win-Trojan/Winsoft.78125 33,0042.0 %16 Win-Trojan/Winsoft.78109 32,3392.0 %17 Win-Trojan/Onlinegamehack.115200.Y 30,0691.9 %18 Win-Adware/KorAdware.98304.F 30,0141.9 %19 Win-Trojan/Onlinegamehack.122880.AM27,8871.7 %20 HTLM/Downloader26,7231.6 % 1,620,293 100 % [ 1-6] [ 1-3] Top 20imm32.dll (Export) . .[ 1-6] [ 1-8] SUB imm32A.dll imm32.dll imm32.dll [ 1-7] PUSH CALL .[ 1-7] CALL SUB imm32A.dll . imm32.dll 6. ASEC REPORTMalicious Code Trend 11 12Vol.16 Security Trend Web Security Trend- Win-Trojan/PatchedImm.Gen PC [ 1-4]UPS 1 [ 1-12] PC United Parcel Service notification BitDefender . Dear customer.1 31 ASEC [ 1-12] The parcel was sent your home address. And it will arrive within 3 business day. AVG AVG Anti-Virus 2011 More information and the tracking number are . attached in document below.v (SoftWin) Thank you. ? 1994-2011 United Parcel Service of America, (BitDefender) Inc.. - UPS.zip[ 1-10] - UPS-tracking.zip , UPS.zip UPS.exe(18,944 . ( )imm32.dll V3) UPS-tracking.zip . UPS-tracking.exe(18,432 ) . [ 1-10] V3 - Win-Trojan/PatchedImm.Gen .- Win-Trojan/PatchedImm2.Gen - Win-Trojan/Fakeav.1243656[ 1-5]UPS 2 - Win-Trojan/Fakeav.1242632 - UPS Packageimm32.dll - UPS: Your Package imm32.dll - Your Tracking Number [ 1-9] imm32.dll - United Postal Service Tracking Nr. . Good day, . We were not able to deliver parcel you sent on the ksuser.dll, , 19nd March in time because the recipients address is not correct.midimap.dll comres.dll . Please print out the invoice copy attached and (Adobe) . collect the package at our office. - UPS_TRACKING_NR_.zip. PC .[ 1-11] UPS_TRACKING_NR_.zip imm32.dll V3 ( ) PC UPS_TRACKING_NR____.DOC.exe (546,304 ) . . 3 24 UPS(United Parcel Service) . [ 1-9] [ 1-11] UPS 2 . [ 1-13] svchost.exe [ 1-12] . [ 1-14] XP Home Security . 7. ASEC REPORT Malicious Code Trend1314Vol.16Security TrendWeb Security Trend [ 1-14] XP Home Security (Register) [ 1-17] [ 1-18] 3 22 .Spam from your Facebook account Spam from your account(Ransomware) . . [ 1-17] [ 1-18] . 3 13 . [ 1-19] . . . [ 1-15] . . [ 1-6] [ 1-19] [ 1-15] Your password is changed Dear Customer . Spam is sent from your FaceBook account. V3 . Your password has been changed for safety.- Win-Trojan/Chepvil.18432- Win-Trojan/Chepvil.18944.B Information regarding your account and a new password is attached to the letter.- Win-Trojan/Fakeav.143872.H Read this information thoroughly and change the- Win-Trojan/Fakeav.143872.I password to complicated one.- Win-Trojan/Fakeav.64008 Please do not reply to this email, its automatic mail- Win-Trojan/Fakealert.546304 notification!- Win-Trojan/Agent.33928.B - Win-Trojan/Agent.33928.C Thank you for your attention. [ 1-16] Your Facebook![ 1-20] . - FacebookP[6 ].zip (23,586 ) [ 1-16] FacebookPassword.exe2011 1 4 (Social Network (26,624 ) . Service) (Facebook) ( ) . . V3 . . . .- 2010 6 - Win-Trojan/Bredo.27136- 2010 8 - Win-Trojan/Agent.30808- 2010 10 USPS - Win-Trojan/Bredolab.26624.AY- 2010 10 DHL UPS - Win-Trojan/Oficla.108032 8. ASEC REPORT Malicious Code Trend1516Vol.16Security TrendWeb Security Trend [ 1-20] [ 1-22] aaa.exe , . DLL , DLL svchost.exe (iPhone) (iPad) (Injection) [ 1-24] (Keylogger) . .. iOS [ 1-23] DLL . (JailBreak) . V3 . . ( ) URL - Win-Trojan/Fakeav.320000.AT . [ 1-26] - Win-Trojan/Serubsit.145920 [ 1-24] URL . . , . [ 1-21] PC . . , , , (JailBreak) 2009 11 . (JailBreak) . [ 1-25] V3 Lite v3lite.exe . . [ 1-25] v3 lite (aaa.exe) . [ 1-22] PC . 9. ASEC REPORT Malicious Code Trend 17 18Vol.16Security TrendWeb Security Trend01. C. MBR Infector : Smitnyl [ 1-29] MBR (Master Boot Record) , . MBR PE (Portable Executable) . . MBR Smitnyl Bootkit .1. Smitnyl Bootkit MBR . userinit.exe . [ 1-27] [ 1-28] MBR . [ 1-29] [ 1-27] MBR [ 1-28] MBR . . 1. MBR5 2. (Name=71)userinit.exeinfectorpayload39 3. (Name=72)45 4. (Name=6E)46 45,460x7FXORDownloader 5. (Name=70)0x200(512byte)MBR 6. (Name=70)0x200(512byte)(MBRInfectorRoutine) 32 (Dropper/Smitnyl.37076) [ 1-29] . MBR , userinit.exe payload userinit.exe MBR userinit.exe 2 . WFP (Windows File Protection) . 10. ASEC REPORT Malicious Code Trend 19 20Vol.16Security TrendWeb Security Trend2. B. MBR 2.1 (Dropper/Smitnyl.37076) MBR MBR 5 CreateFileA APIDropper/Smitnyl.37076 [ 1-30] . F