Monday, November 23, 2009

Nov.23 PDF attack. The three undisclosed secret in President Obama Tours Asia Nov 23, 2009 11:23 AM from jenniferf.carlson@yahoo.com

Download the malicious PDF (password protected, you have to contact me for the password)
http://www.mediafire.com/?0ozfmnnegnh


The three undisclosed secret in President Obama Tours Asia

Sent: Mon 11/23/2009 11:23 AM
From: Jennifer F. Carlson [jenniferf.carlson@yahoo.com]

fyi.

The three undisclosed secret in President Obama Tours Asia.


The message sender was
    jenniferf.carlson@yahoo.com

The message originating IP was 68.142.206.162 The message recipients were
    ouruser@ourdomain.xxx

The message was titled The three undisclosed secret in President Obama Tours Asia The message date was Mon, 23 Nov 2009 08:22:38 -0800 (PST) The message identifier was <881116.55087.qm@web111811.mail.gq1.yahoo.com>
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12  build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.

Scan started at Mon Nov 23 16:22:42 2009 Database version: 2009-11-23_10

attach/5963917_3X_PM5_EMS_MA-PDF__ObamaAndAsia.pdf: Infected: Exploit.SWF.Agent.ci [AVP]



Virustotal analysis

File ObamaAndAsia.pdf received on 2009.11.25 06:39:38 (UTC)

Result: 5/41 (12.2%)

Antivirus Version Last Update Result

BitDefender 7.2 2009.11.25 Trojan.SWF.HeapSpray.B
F-Secure 9.0.15370.0 2009.11.24 Trojan.SWF.HeapSpray.B
Kaspersky 7.0.0.125 2009.11.25 Exploit.SWF.Agent.ci
GData 19 2009.11.25 Trojan.SWF.HeapSpray.B
Sunbelt 3.2.1858.2 2009.11.25 Exploit.PDF-JS.Gen (v)

Additional information
File size: 309603 bytes
MD5...: fbfdca61bad8d93d71981dc41c78d211

Updated December 27. Virustotal
 File ObamaAndAsia.pdf received on 2009.12.28 05:36:08 (UTC)
Result: 12/41 (29.27%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.43    2009.12.28    Exploit.SWF.Agent!IK
AntiVir    7.9.1.122    2009.12.28    SWF/EXP.772
BitDefender    7.2    2009.12.28    Trojan.SWF.HeapSpray.B
ClamAV    0.94.1    2009.12.28    Exploit.PDF-2432
Comodo    3390    2009.12.28    UnclassifiedMalware
F-Secure    9.0.15370.0    2009.12.28    Trojan.SWF.HeapSpray.B
GData    19    2009.12.26    Trojan.SWF.HeapSpray.B
Ikarus    T3.1.1.79.0    2009.12.28    Exploit.SWF.Agent
Kaspersky    7.0.0.125    2009.12.28    Exploit.SWF.Agent.ci
McAfee-GW-Edition    6.8.5    2009.12.28    SWF.EXP.772
Microsoft    1.5302    2009.12.26    Trojan:Win32/Swif.J
Sunbelt    3.2.1858.2    2009.12.27    Exploit.PDF-JS.Gen (v)

Additional information
File size: 309603 bytes
MD5...: fbfdca61bad8d93d71981dc41c78d211


SHA1..: 7653b3713a724d689629f1355a8b191801fa9cf7
SHA256: 40f5258d33ba661d83b94ac7fede8ccc6a12523158e346bee15df5e6f95d695b
ssdeep: 3072:l9E1q0/4nyGNQMeNdRMpRkaJZ21PZbjMszf9NPZ+hfwlcvMvAvV+HdzH10E
a3gcp:lG4xyGiNdcy7fvL+hol3KKa3NWERJJ0a




Reading materials on the subject




Excerpt
FireEye Malware Intelligence Lab
Julia Wolf @ FireEye Malware Intelligence Lab




Heap Spraying with Actionscript

Why turning off Javascript won't help this time
 Introduction


As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. So this is a quick note about how it's implemented, but this blog post is not going to cover any details about the exploit itself.


Background Summary


Most of the Acrobat exploits over the last several months use the, now common, heap spraying technique, implemented in Javascript/ECMAscript, a Turing complete language that Adobe thought would go well with static documents. (Cause that went so well for Postscript) (Ironically, PDF has now come full circle back to having the features of Postscript that it was trying to get away from.) The exploit could be made far far less reliable, by disabling Javascript in your Adobe Acrobat Reader.


But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the “%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and “%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll” files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]


Anyway, here's why… Flash has it's own version of ECMAScript called Actionscript, and whoever wrote this new 0-day, finally did something new by implementing the heap-spray routine with Actionscript inside of Flash. More
II. http://www.avertlabs.com/research/blog/index.php/2009/09/14/from-targeted-pdf-attack-to-backdoor-in-five-stages/

McAfee Labs Blog
Excerpt
          From Targeted PDF Attack to Backdoor in Five Stages
          Monday September 14, 2009 at 12:33 pm CST
          Posted by Dennis Elser

 As reported by Adobe in July, a Flash vulnerability is being actively exploited by targeted attacks against Adobe Reader. Yes, embedding Flash movies in PDF documents is supported in Adobe Acrobat 9. The idea of allowing Flash movies to be displayed within PDFs isn’t bad if you like your documents spiced up with a bit of interactivity or training videos. From a security perspective, however, this poses yet another attack vector for criminals to take control of vulnerable systems. As history has shown, complexity and feature richness go hand in hand with remotely exploitable vulnerabilities. It is unfortunately no different with this latest PDF feature.


The exploitation of this vulnerability continues. Below are screenshots from one such malicious PDF document, discovered in a targeted attack this week. The attack contains several compressed streams and at least two embedded Flash movies. The first embedded Flash movie is clean, the second 6exploits CVE-ID 2009-1862, which causes a memory corruption and allows an attacker’s code to execute. Underneath the compression layer, JavaScript code is embedded in the PDF document. This code fills heap memory with the attacker’s shellcode. Apart from the PDF acting as an additional obfuscation layer around the exploit, the JavaScript code, once unpacked, contains another function that attempts to evade detection. More

No comments:

Post a Comment