Malware Found Following the Apple Tablet Announcement (Apple Tablet Announcement January 2010)

by 잡다한 처리 2010. 1. 28.



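On January 28, 2010, Apple announced the Apple Tablet.
Malware authors, however, are already using the Apple Tablet announcement as a lure to get users to install FakeAlert.
They really are quick ;;
Fortunately, there are not yet any such links for the Korean search term (애플 타블렛).
Personally, I would like to give a round of respectful applause to the authors who set out to use social engineering within hours of the Apple Tablet coming out.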

- Social engineering technique
A technique that exploits people's psychology by using people, events, news articles and the like that are tied to current social issues.

I have confirmed that a Google search for Apple Tablet currently returns many fake sites.
This was first reported by Trend Micro.

See the Trend Micro article: 

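(Figure 1. Google search results for Apple Tablet Announcement)

The moment the user clicks a link, a redirection takes them to a malicious site.
(Figure 2. A fake message is shown telling the user that they are under attack by a virus)

(Figure 3. After showing the user a list of fake detections, it urges them to delete them)

(Figure 4. The Live PC Care Setup program is installed to perform the deletion)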

- Live PC Care program information
1. File information
C:\Documents and Settings\All Users\Application Data\1d33dbd(random folder name)\LP1d33.exe
C:\Documents and Settings\All Users\Application Data\1d33dbd(random folder name)\22.mof
C:\Documents and Settings\All Users\Application Data\1d33dbd(random folder name)\112.mof
C:\Documents and Settings\All Users\Application Data\1d33dbd(random folder name)\5784.mof
C:\Documents and Settings\UserName\바탕 화면\Live PC Care.lnk
C:\Documents and Settings\UserName\Application Data\Microsoft\Internet Explorer\Quick Launch\Live PC Care.lnk
C:\Documents and Settings\UserName\시작 메뉴\\Live PC Care.lnk
C:\Documents and Settings\UserName\시작 메뉴\프로그램\Programs\Live PC Care.lnk


2. Registry information
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Live PC Care" = "C:\Documents and Settings\All Users\Application Data\1d33dbd\LP1d33.exe /s /d"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
About 70 programs are stored under this key, each with the value "Debugger"="svchost.exe".
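
As an added example (not part of the original post and not code from any vendor), the following Python scans registry-export text for the two traces listed here: a Run value that launches an executable from a sub-folder of All Users\Application Data, and a "Debugger" value under Image File Execution Options. The names `scan` and `SAMPLE` are hypothetical, and the sample input is constructed from the entries shown on this page plus two benign lines.

```python
import re

# Constructed sample in regedit-export style, modelled on the entries listed on this page.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Live PC Care"="C:\Documents and Settings\All Users\Application Data\1d33dbd\LP1d33.exe /s /d"
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe"

[HLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"="0x00000000"
'''

IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"
RUN = r"\microsoft\windows\currentversion\run"
# Executable sitting directly in a sub-folder of the shared Application Data directory.
APPDATA_EXE = re.compile(r"\\all users\\application data\\[^\\]+\\[^\\]+\.exe", re.I)
VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def scan(reg_text):
    """Return (kind, value_or_image_name, data) findings from registry-export text."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].strip()          # remember the current key path
            continue
        m = VALUE.match(line)
        if not m:
            continue
        # Real .reg exports double the backslashes inside string data; undo that.
        name, data = m["name"], m["data"].replace("\\\\", "\\")
        low = key.lower()
        if IFEO in low and name.lower() == "debugger":
            # A Debugger value makes Windows start that program instead of the image.
            image = key[low.index(IFEO) + len(IFEO):]
            findings.append(("ifeo-debugger", image, data))
        elif low.endswith(RUN) and APPDATA_EXE.search(data):
            findings.append(("run-appdata", name, data))
    return findings

if __name__ == "__main__":
    for kind, item, detail in scan(SAMPLE):
        print(f"{kind:14} {item:14} -> {detail}")
```

A "Debugger" value can also be set legitimately (for example by a task-manager replacement), so each finding is a pointer for review, not a verdict.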
