2011년 페이스북(facebook) 사용자가 10억명을 넘어설 것이라는 예측이 나오는 가운데, 악성코드 제작자가악성코드를 유포를 위해  엄청난 사용자를 확보한 페이스북을 사칭하여 이를 악용하는데 최적의 소재이다.

이미 페이스북을 사칭하여 악성코드를 첨부한 스팸메일이 지속적으로 발견되고 있으며 이는 단연 페이스북 뿐만 아니라 트워터, 마이스페이스 등도 악성코드 제작자에 의해 악성코드 유포에 악용되고 있다.

참고로 블로그를 통해 포스팅하였던 페이스북을 위장하여 악성코드를 첨부한 스팸메일 관련 글은 아래와 같다.



이번에 발견된 페이스북을 위장한 악성 스팸메일의 제목과 본문은 아래와 같다.

메일제목 : Your password is changed

메일본문
Good afternoon
Spam is sent from your FaceBook account.
Your password has been changed for safety.
Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.
Please do not reply to this email, it's automatic mail notification!
Thank you for using our services.
FaceBook Service.
Of course, Halls success led to an immediate recrudescence of the efforts to extract artemisium from the Syx ore, and, equally of course, every such attempt failed.Hall, while keeping his own secret, did all he could to discourage the experiments, but they naturally believed that he must have made the very discovery which was the subject of their dreams, and he could not, without betraying himself, and upsetting the finances of the planet, directly undeceive them. The consequence was that fortunes were wasted in hopeless experimentation, and, with Halls achievement dazzling their eyes, the deluded fortune-seekers kept on in the face of endless disappointments and disaster. And presently there came another tragedy. The Syx mill was blown up! The accident--although many people refused to regard it as an accident, and asserted that the doctor himself, in his chagrin, had applied the match--the explosion, then, occurred about sundown, and its effects w ere awful.


메일제목 : Spam from your Facebook account

메일본문
Good afternoon.
Spam is sent from your FaceBook account.
Your password has been changed for safety.
Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.
Please do not reply to this email, it's automatic mail notification!
Thank you for attention.
Your Facebook!
About the room and in and out of her shop moved Edith, going softly and quietly.A light began to come into her eyes and colour into her cheeks. She did not talk but new and daring thoughts visited her mind and a thrill of reawakened life ran through her body. With gentle insistence she did not let her dreams express themselves in words and almost hoped that she might be able to go on forever thus, having this strong man come into her presence and sit absorbed in his own affairs within the walls of her house. Sometimes she wanted him to talk and wished that she had the power to lead him into the telling of little facts of his life. She wanted to be told of his mother and father, of his boyhood in the Pennsylvania town, of his dreams and his desires but for the most part she was content to wait and only hoped that nothing would happen to bring an end to her waiting.


첨부파일은 이전과 동일하게 아이콘이 word 문서인 것처럼 보이나 실제로 확장명을 보면 word 문서 파일이 아닌 exe 실행파일임을 알 수 있다.

파일명 : Attached_SedurityCode.exe (두 스팸메일에 첨부된 파일명은 동일함.)


[그림1] 첨부된 악성코드


사용자가 악성코드를 실행하게 되면 문서파일인 것처럼 위장하기 위해 워드파일을 드랍 후 파일을 열기 때문에 사용자는 의심을 덜하게 된다.


[그림2] 사용자를 속이기 위해 열려진 워드문서 파일


현재 V3에서는 아래와 같은 진단명으로 진단/치료가 가능하다.

Attached_SecurityCode.exe 
 - Win-Trojan/Fakeav.51712.V (51,712 bytes)
Attached_SecurityCode.exe 
 - Win-Trojan/Agent.33792.AAJ (33,792 bytes)



스팸메일을 통해 유포되는 악성코드의 위험으로 부터 예방하기 위해 아래와 같은 사항들을 준수한다.

1. 발신인이 불분명한 메일일 경우 가급적 메일을 확인하지 않는다.
2. 안티바이러스(백신) 프로그램을 설치하여 항상 최신 엔진을 유지하며, 실시간 감시 기능을 사용한다.
3. 메일 내에 포함된 첨부파일에 대해 안티바이러스(백신) 프로그램으로 검사를 한 후 열람한다.
4. 메일 본문에 포함된 URL은 가급적 접속을 하지 않는다.







 

신고
Posted by 비회원