Friday, December 18, 2009

Dec 18 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#4) 女兵脫衣比中指 拍照PO上網 ("Female soldier strips and gives the middle finger, photos posted online") from gpwbinfo@mna.gpwb.gov.tw Sat, 19 Dec 2009 10:22:01 +0800

This message is targeted but not perfect - not all recipients of that message can read Chinese. I posted the machine translation at the end of the post; it is about some alleged recent strip photo scandal in the People's Liberation Army.

This message shows that detection of the new threat remains tricky. MessageLabs apparently used Symantec scanners to stop and tag the threat, yet Symantec did not detect it when it was scanned on VirusTotal - not to mention a distressingly low overall detection rate of 7 out of 41.

The message sender was gpwbinfo@mna.gpwb.gov.tw
The message originating IP was 203.252.1.122
The message recipients were XXX@XXX.XXX
The message was titled 女兵脫衣比中指 拍照PO上網 ("Female soldier strips and gives the middle finger, photos posted online")
The message date was Sat, 19 Dec 2009 10:22:01 +0800
The message identifier was 1975e5623c$23fce32a$0ae1d8b4@gpwbinfo212af2ce2>
The virus or unauthorised code identified in the email is:
Trojan.Pidief.H -- Symantec definitions :)




From: 軍聞社 (Military News Agency) [mailto:gpwbinfo@mna.gpwb.gov.tw]
Sent: Friday, December 18, 2009 9:22 PM
To: XXXXXXXXX
Subject: 女兵脫衣比中指 拍照PO上網 ("Female soldier strips and gives the middle finger, photos posted online")

        A set of photos titled 「寶貝悶」 showing a servicewoman of the national army (國軍) undressing has been circulating online; the unprecedented boldness of the act caused an immediate sensation. Outsiders first assumed the photos were fakes, but an investigation found that the woman lifting her clothes in them is Sergeant Chen Hsueh-wei (陳學葳), currently an administrative NCO in the 1st Squadron of the Combined Logistics Command's Central Transport Battalion. After the photos surfaced, Chen admitted to the military that they were "crazy photos" taken with classmates in February of last year to celebrate the end of their training at the Logistics School. ...
 (See the full text at the end of the post.)
 .....
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4700 (20091218) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com    -


Virustotal
http://www.virustotal.com/analisis/55227b229a113d8a93d823466ebdd7a94c77fa37126b330818b41d49bd9a73de-1261202919
File ________________________.pdf received on 2009.12.19 06:08:39 (UTC)
Result: 7/41 (17.08%)
BitDefender    7.2    2009.12.19    Exploit.PDF-JS.Gen
F-Secure    9.0.15370.0    2009.12.19    Exploit.PDF-JS.Gen
GData    19    2009.12.19    Exploit.PDF-JS.Gen
Kaspersky    7.0.0.125    2009.12.19    Exploit.Win32.Pidief.cxi
McAfee-GW-Edition    6.8.5    2009.12.18    Heuristic.BehavesLike.PDF.Suspicious.Z
PCTools    7.0.3.5    2009.12.19    Trojan.Pidief
Symantec    1.4.4.12    2009.12.18 --Ok, Symantec, what happened here?
Sunbelt    3.2.1858.2    2009.12.19    Exploit.PDF-JS.Gen (v)

Additional information
File size: 51822 bytes
MD5...: 8950bbedf4a7f1d518e859f9800f9347
SHA1..: e4d30ecbe13765c4448e0b140db2569c58aa39f8
SHA256: 55227b229a113d8a93d823466ebdd7a94c77fa37126b330818b41d49bd9a73de
ssdeep: 768:bsg8fN3eX7k3GHsF90azVWqaYXCqntyhovHhv/MVsMepOF:bTYN3z3UscazpXM25EZepG


Wepawet Analysis
http://wepawet.cs.ucsb.edu/view.php?hash=8950bbedf4a7f1d518e859f9800f9347&type=js
Analysis report for 「寶貝悶」瘋狂照.pdf
File 「寶貝悶」瘋狂照.pdf
MD5 8950bbedf4a7f1d518e859f9800f9347
Analysis Started 2009-12-18 20:10:54
Report Generated 2009-12-18 20:10:58
Jsand 1.03.02 malicious
doc.media.newPlayer: Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 (CVE-2009-4324)
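The generic verdicts in the VirusTotal table above (Exploit.PDF-JS.Gen, Heuristic.BehavesLike.PDF.Suspicious) come from exactly the kind of first-pass heuristics a mail gateway can run before a sandbox sees the file. The script below is an added example, not code from the original post, Wepawet or VirusTotal: it computes the MD5/SHA1/SHA256 values listed in the report, resolves the `#xx` name escapes that lures use to hide `/JavaScript`, inflates FlateDecode streams, and flags a PDF that combines JavaScript with an auto-run action or with a reference to the `Doc.media.newPlayer` method named in the Wepawet result. The indicator names, the scoring rule and `build_sample_pdf` are my own assumptions; the sample PDFs are constructed inline and contain nothing but a comment mentioning the method name.

```python
"""First-pass triage for PDF e-mail attachments.

Added example, not code from the original post, Wepawet or VirusTotal.
Hashes a file the way the VirusTotal report lists it and flags PDFs that
combine JavaScript with an auto-run action or with a reference to the
Doc.media.newPlayer method named in the Wepawet verdict (CVE-2009-4324).
Object streams and encrypted PDFs are out of scope (assumption: this is a
filter feeding a sandbox, not a replacement for one).
"""
import hashlib
import re
import zlib
from typing import Optional

# Byte patterns, applied after names are de-escaped and streams inflated.
# Indicator names and the scoring rule in triage() are assumptions for this example.
INDICATORS = {
    "javascript": rb"/JavaScript|/JS\b",   # JS action or reference to a JS stream
    "autorun": rb"/OpenAction|/AA\b",       # runs without user interaction
    "newplayer": rb"media\.newPlayer",      # API abused by CVE-2009-4324
}


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append a best-effort inflation of every stream body to the raw data."""
    inflated = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); keep going
    return data + b"\n" + b"\n".join(inflated)


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 as listed in the VirusTotal 'Additional information' block."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256")}


def triage(data: bytes) -> dict:
    """Return hashes, per-indicator hits and a verdict for one PDF."""
    body = normalise_names(inflate_streams(data))   # inflate first, then de-escape
    hits = {name: re.search(pat, body) is not None
            for name, pat in INDICATORS.items()}
    # Hex-escaped name objects are legal PDF but rare in benign documents.
    hits["hex_escaped_names"] = re.search(rb"/[A-Za-z]*#[0-9A-Fa-f]{2}", data) is not None
    suspicious = hits["javascript"] and (hits["autorun"] or hits["newplayer"])
    return {"hashes": hashes(data), "indicators": hits, "suspicious": suspicious}


def build_sample_pdf(js: Optional[bytes], compress: bool = False,
                     obfuscate: bool = False) -> bytes:
    """Construct a minimal one-page PDF test fixture (constructed, not a real lure).

    js=None gives a clean document; otherwise an OpenAction JavaScript action is
    added, optionally Flate-compressed and/or written with hex-escaped names.
    """
    open_action = b"/Open#41ction" if obfuscate else b"/OpenAction"
    js_name = b"/J#61vaScript" if obfuscate else b"/JavaScript"
    catalog_extra = b" " + open_action + b" 4 0 R" if js is not None else b""
    action = b""
    if js is not None and compress:
        payload = zlib.compress(js)
        stream_hdr = b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(payload)
        action = (b"4 0 obj\n<< /S " + js_name + b" /JS 5 0 R >>\nendobj\n"
                  + stream_hdr + payload + b"\nendstream\nendobj\n")
    elif js is not None:
        action = b"4 0 obj\n<< /S " + js_name + b" /JS (" + js + b") >>\nendobj\n"
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R" + catalog_extra + b" >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
            + action + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    comment = b"// constructed fixture: text mentions media.newPlayer, nothing is called"
    for label, pdf in (("clean", build_sample_pdf(None)),
                       ("plain JS", build_sample_pdf(comment)),
                       ("packed+escaped JS", build_sample_pdf(comment, True, True))):
        result = triage(pdf)
        print(label, result["hashes"]["md5"], result["indicators"], result["suspicious"])
```

The de-escape step runs after inflation on purpose: resolving `#xx` inside still-compressed bytes would corrupt them, whereas the inflated copy appended by `inflate_streams` is plain text. On the real sample an analyst would compare the `hashes()` output against the VirusTotal block above before doing anything else.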






From: 軍聞社 (Military News Agency) [mailto:gpwbinfo@mna.gpwb.gov.tw]
Sent: Friday, December 18, 2009 9:22 PM
To: XXXXXXXXX
Subject: 女兵脫衣比中指 拍照PO上網 ("Female soldier strips and gives the middle finger, photos posted online")

        A set of photos titled 「寶貝悶」 showing a servicewoman of the national army (國軍) undressing has been circulating online; the unprecedented boldness of the act caused an immediate sensation. Outsiders first assumed the photos were fakes, but an investigation found that the woman lifting her clothes in them is Sergeant Chen Hsueh-wei (陳學葳), currently an administrative NCO in the 1st Squadron of the Combined Logistics Command's Central Transport Battalion. After the photos surfaced, Chen admitted to the military that they were "crazy photos" taken with classmates in February of last year to celebrate the end of their training at the Logistics School. ...

     On learning last night of the first scandal of a servicewoman posing for a set of strip photos in the military, Defense Minister Kao Hua-chu (高華柱) shook his head in disbelief and immediately instructed the Combined Logistics Command to impose disciplinary action according to regulations. After reviewing the case, the Command conceded that at present it can only punish her under the security rule that forbids bringing cameras into military premises, with criminal prosecution possible in serious cases; as for a servicewoman undressing for photos on base, there being no precedent, the military at first could find no applicable provision, but later said she could be given a demerit for seriously damaging the military's reputation.

     Password cracked: sergeant's private photos leaked

     According to the military's investigation, Chen, who is only 22 this year, admitted that the photos were taken while "going a bit crazy" with classmates, but said she did not take them herself and the camera was not hers; she had simply posted the set, for fun, on her specially password-protected blog on Wretch (無名小站), never expecting the password to be cracked, which is how these private photos came to leak.

     When the military approached her last night, Chen did not yet know that the indecent photos had gone viral online, and deeply regretted having gone too far.

     Photos of American, British and Israeli servicewomen fooling around, undressing and even exposing themselves on base have frequently circulated online in the past, but this is the first time such a shocking set of strip photos of a servicewoman has emerged from the national army!

     The full set also includes photos of Chen lying on her bunk watching television, her locker stuffed with cosmetics and skin-care products, military trucks, military simulation software in a computer classroom, and the internal construction of military communications equipment; the military says these photos may constitute a leak of classified information. After the military began its investigation last night, Chen's blog was closed and the photos were taken down.

     Major General Liu Chih-chien (劉志堅), deputy director of the Combined Logistics Command's Political Warfare Department, today publicly apologized to society on behalf of the Command over the self-portrait case involving a female NCO of its 5th Depot (五支部), which had damaged the image of the armed forces' female officers and enlisted personnel, and stressed that education on law and discipline and on information-security and confidentiality rules would be strengthened to enforce military discipline requirements.

     Maj. Gen. Liu said that after verification the Command had imposed lawful punishment under the "Armed Forces Information Security Reward and Punishment Standards" (國軍資訊安全獎懲基準規定) and the "Army, Navy and Air Force Punishment Act" (陸海空軍懲罰法) for violations of communications and information security and for damaging the military's reputation.

     Maj. Gen. Liu stressed that in light of this case the Command would require all levels to step up promotion of the "implement information-security confidentiality" rules among all personnel and enforce military discipline requirements so as to protect the reputation of the armed forces.
     


Machine translation of the text - horrible but understandable.
From: Jun Wen Society [mailto: gpwbinfo@mna.gpwb.gov.tw]
Sent: Friday, December 18, 2009 9:22 PM
To: XXXXXXXXXXX
Subject: female strip pictures than the middle finger PO Internet

        A group of circulating the Internet called "Baby boring" female strip according to the national army, as an unprecedented act of daring, which immediately caused a sensation; originally thought it was fake pictures outside, then, through investigation, Liao Yi photos protagonist was actually present Joint Logistics Command Central Transport Battalion of a squadron of the Chen administration with disabilities luxuriant female sergeant. Photographs came to light, Chen luxuriant to the military acknowledges that this is the end of last year, in February, when back-school training, with classmates to celebrate the "crazy portrait."

    For the first time in the military sudden, large female strip photo shoot scandal, Defense Minister Gao Hua-chu, learned last night, after his head and felt incredible, immediately instructed the joint logistics in accordance with the provisions of punishment. Joint logistics study admits that at present only the armed forces shall not be carried in accordance with provisions on confidentiality in photographic equipment, punishment can be severe justice; As for the female in the military strip camera, because no precedent, the military can not find the law may come a time tube, and later said Ke Yi serious impact on the military reputation demerit.

    Password has been cracked photo female sergeant Privacy outflow

    
The Army survey found that only 22 years old this year, Chen luxuriant admits the photos are and students "crazy look" of the film, but she is not a self-timer, the camera is not her, and she just feel that this group of fun strip photos Posted at Wretch in his blog specifically encrypted, the password is not expected to have been cracked, this group was accidentally spread according to personal privacy.

    Last night, the military turned to her, Chen luxuriant himself did not know this group of indecent exposure photos are already online explosion of red, a considerable regret uttered his head.

    
Circulating on the Internet frequently in the past the United States, British and Israeli women soldiers in the armed forces of States or the dew point according to frolic strip, but the military shock occurs according to the military or the first female strip was!

         
The entire group of photos also include Chen luxuriant watching television in the bedroom, tummy, the House cabinet full of cosmetics skin care products, military trucks, according to the computer classroom in the military simulation software for military communications equipment of the internal structure of the photos, the military said the photos has been suspected leak. This group of indecent pictures last night at the military involved in the investigation, Chen luxuriant blog has been closed, then removed the relevant photos.

    
Joint Logistics Command, the Department of political warfare, Major General Liu Zhijian, deputy director of the five branches of today's female non-commissioned officers for their respective self-timer case, the damage to the national army soldiers in the image of women officers, on behalf of the joint logistics to the public apology and said they would strengthen the education and information security officers and men of the law provisions on confidentiality Junjun discipline in order to implement the State requirements.
    
        
Liu Zhijian Major General pointed out that the Joint Logistics Command, subject to verification according to the "National Army Information Security incentive benchmark requirements" and "army navy air force to punish France" in order to violate the security and undermine the military-pass funding the circumstances of reputation, be punished suitable method.
    

        
Liu Zhijian Major General stressed that in light of this case, the Department will require all officers and men at all levels actively promote "the implementation of information security confidentiality" provisions implementing the State Junjun discipline requirements in order to ensure that the reputation of the country Junjun.


  1. See post with CVE-2009-4324 Sample#0 (Nov. 30, 2009)  note200911.pdf 61baabd6fc12e01ff73ceacc07c84f9a
  2. See post with CVE-2009-4324 sample #1 (Dec 11, 2009) note_20091210.pdf  61baabd6fc12e01ff73ceacc07c84f9a
  3. See post with CVE-2009-4324 sample #2 (Dec. 13, 2009) Outline of Interview.pdf 35e8eeee2b94cbe87e3d3f843ec857f6
  4. See post with CVE-2009-4324 Sample #3 (Dec 18, 2009) merry christmas.pdf  955bade419a9ba9e5650ccb3dda88844
  5. See post with CVE-2009-4324 Sample #4 (Dec 18, 2009) 「寶貝悶」瘋狂照.pdf  ----renamed to crazyphoto.zip 8950bbedf4a7f1d518e859f9800f9347



Download all files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (Password protected archive. Use the same password you used on the samples above or contact me for the password)
