Download infected merry_christmas.pdf (password protected, please contact me or use the same password as you used on other CVE-2009-4324 samples)
Adobe is taking their sweet time to fix the problem while new variants show up. You don't need ESP to predict that Christmas cards will be followed by New Year's invites and IRS forms before most people receive and install the updates. I was surprised that Symantec, being the CVE-2009-4324 pack leader in the past few days, did not detect it. Tip of the hat to Messagelabs for catching it again.
From: Uyghur Hunova uyghurhunova@yahoo.com
Subject: merry christmas
Sent: Fri 12/18/2009 2:09 PM
My dear friend
Merry Christmas
The message sender was uyghurhunova@yahoo.com
The message originating IP was 98.137.27.222
The message recipients were XXX@XXX.XXX
The message was titled merry christmas
The message date was Fri, 18 Dec 2009 11:11:27 -0800 (PST)
The message identifier was <474701.46814.qm@web112506.mail.gq1.yahoo.com>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '8044614_1000X_PA3_APDF__pdf_obj_31_0.js'. Heuristics score: 401
Virustotal
http://www.virustotal.com/analisis/8ccc882c18d927b57a33f8c6bae4d0eec3290ac7ab1d1157725918feab76ec01-1261197266 File merry_christmas.pdf received on 2009.12.19 04:34:26 (UTC)
Result: 12/41 (29.27%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.18 Exploit.Win32.ShellCode!IK
AntiVir 7.9.1.114 2009.12.18 HTML/Shellcode.Gen
BitDefender 7.2 2009.12.19 Exploit.PDF-JS.Gen
ClamAV 0.94.1 2009.12.18 Exploit.PDF-4797
F-Secure 9.0.15370.0 2009.12.19 Exploit.PDF-JS.Gen
GData 19 2009.12.19 Exploit.PDF-JS.Gen
Ikarus T3.1.1.79.0 2009.12.18 Exploit.Win32.ShellCode
McAfee-GW-Edition 6.8.5 2009.12.18 Script.Shellcode.Gen
Microsoft 1.5302 2009.12.18 Exploit:Win32/ShellCode.A
Norman 6.04.03 2009.12.18 JS/ShellCode.M
Sophos 4.49.0 2009.12.19 Troj/PDFJs-FV
VirusBuster 5.0.21.0 2009.12.18 JS.Shellcode.Gen
Additional information
File size: 1226811 bytes
MD5 : 955bade419a9ba9e5650ccb3dda88844
SHA1 : b17eda55b10d1c19fee06e1bdc2afa561adadb20
SHA256: 8ccc882c18d927b57a33f8c6bae4d0eec3290ac7ab1d1157725918feab76ec01
Symantec - no luck this time :(
Look, someone analyzed it before me
Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=955bade419a9ba9e5650ccb3dda88844&type=js
Analysis report for merry_christmas.pdf MD5 955bade419a9ba9e5650ccb3dda88844
Analysis Started 2009-12-18 20:51:32
Report Generated 2009-12-18 20:51:37
Jsand 1.03.02 malicious
Exploits
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324
Deobfuscation results
Evals
•ETMFqgIYhOocVWjRVnMtBeDMyEZbpYdlXRebZbfgklOFzlZcfpkCyMTAfndFS.substring(0, 32768 -
xBHsHLbqHkdJLgRdCzSYKCHsKBRQdjpEKVoPZtyMrgFVfLqWvLwNMZPRRShZImxFycvSUa.length)
(repeated 1 time)
•new Array() (repeated 1 time)
Writes: No writes.
Network Activity: Requests
URL: file://merry_christmas.pdf
ActiveX controls: AcrobatJavaScript
Methods (Name / Arg0 / Arg1 / Count):
media.newPlayer / (null) / - / 1
util.printd / 1.345678901.345678901.3456 : 1.31.34 / Fri Dec 18 2009 20:51:36 GMT-0800 (PST) / 3
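The Wepawet report above lists what the sample's JavaScript does once deobfuscated: a media.newPlayer call (the CVE-2009-4324 trigger), the substring(0, 32768 - x.length) idiom used to size heap-spray blocks, and util.printd calls. The MessageLabs alert shows where that script lived (PDF object 31 0). A static scanner that walks PDF objects, inflates FlateDecode streams and flags those lexical indicators is one way to catch this family before it reaches a reader. The scanner below is an added example, not code from the post, Wepawet or MessageLabs; the indicator weights are an arbitrary choice, and the PDF and JavaScript it scans are constructed here for the test and carry no shellcode.

```python
"""Indicator scan for JavaScript carried inside PDF objects.

Added example, not code from the post, Wepawet or MessageLabs.  It walks every
indirect object of a PDF byte string, inflates /FlateDecode streams, and flags
the lexical indicators visible in the Wepawet report: a media.newPlayer()
call, the substring(0, 32768 - x.length) heap-spray padding idiom, %u-escaped
unescape() payloads and util.printd calls.  Weights are illustrative only; the
test PDF and its JavaScript are constructed here and contain no shellcode.
"""
import re
import zlib

# (pattern, weight) per indicator; weights are arbitrary, not a calibrated score.
INDICATORS = {
    "media.newPlayer call": (re.compile(rb"media\s*\.\s*newPlayer\s*\("), 50),
    "substring(0, 32768 - ...) spray padding": (re.compile(rb"substring\s*\(\s*0\s*,\s*32768\s*-"), 30),
    "%u-escaped unescape() payload": (re.compile(rb"unescape\s*\(\s*['\"](?:%u[0-9a-fA-F]{4}){2,}"), 15),
    "util.printd call": (re.compile(rb"util\s*\.\s*printd\s*\("), 5),
}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+(\d+)\s+R\b")


def stream_data(body):
    """Return the decoded stream payload of one object body, or None if it has no stream."""
    kw = re.search(rb"\bstream\r?\n", body)
    if kw is None:
        return None
    start = kw.end()
    dictionary = body[:kw.start()]
    # Use a direct /Length when present; an indirect one ("/Length 5 0 R") is
    # not resolved here, so fall back to the endstream keyword in that case.
    ln = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dictionary)
    if ln:
        data = body[start:start + int(ln.group(1))]
    else:
        data = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
    if b"/FlateDecode" in dictionary:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # damaged or multi-filter stream: scan the raw bytes instead
    return data


def scan_pdf(pdf):
    """Return one finding per object whose body or decoded stream matches any indicator."""
    js_targets = {(int(n), int(g)) for n, g in JS_REF_RE.findall(pdf)}
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, gen, body = int(m.group(1)), int(m.group(2)), m.group(3)
        payload = stream_data(body)
        text = body if payload is None else payload
        hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
        if hits:
            findings.append({
                "object": f"{num} {gen}",
                "score": sum(INDICATORS[h][1] for h in hits),
                "indicators": hits,
                "compressed": b"/FlateDecode" in body,
                "referenced_as_js": (num, gen) in js_targets,
            })
    return findings


# Constructed test input: JavaScript with the lexical indicators (no shellcode),
# wrapped in a minimal PDF whose /OpenAction runs object 31 0, echoing the
# 'pdf_obj_31_0.js' name in the MessageLabs alert.
SAMPLE_JS = (
    b"var filler = unescape('%u0c0c%u0c0c');\n"
    b"while (filler.length < 32768) filler += filler;\n"
    b"var marker = 'MARK';\n"
    b"var block = filler.substring(0, 32768 - marker.length) + marker;\n"
    b"util.printd('yyyy', new Date());\n"
    b"this.media.newPlayer(null);\n"
)


def build_sample_pdf(js, compress=True):
    """Wrap js in a minimal PDF skeleton (constructed; just enough for the scanner)."""
    data = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    obj31 = (b"31 0 obj\n<< /Length " + str(len(data)).encode() + filt
             + b" >>\nstream\n" + data + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"3 0 obj\n<< /S /JavaScript /JS 31 0 R >>\nendobj\n"
            + obj31 + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for finding in scan_pdf(build_sample_pdf(SAMPLE_JS)):
        print(finding)
```

Run stand-alone it reports object 31 0 with all four indicators, marked as a compressed stream that an /OpenAction JavaScript action references. Real samples also hide scripts in object streams, split strings across several objects, or stack filters (ASCIIHexDecode before FlateDecode), so a production scanner needs a full PDF parser such as pdf-parser or peepdf behind these patterns; the indicators themselves are the part worth keeping.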
- See post with CVE-2009-4324 Sample#0 (Nov. 30, 2009) note200911.pdf 61baabd6fc12e01ff73ceacc07c84f9a
- See post with CVE-2009-4324 sample #1 (Dec 11, 2009) note_20091210.pdf 61baabd6fc12e01ff73ceacc07c84f9a
- See post with CVE-2009-4324 sample #2 (Dec. 13, 2009) Outline of Interview.pdf 35e8eeee2b94cbe87e3d3f843ec857f6
- See post with CVE-2009-4324 Sample #3 (Dec 18, 2009) merry christmas.pdf 955bade419a9ba9e5650ccb3dda88844
- See post with CVE-2009-4324 Sample #4 (Dec 18, 2009) 「寶貝悶」瘋狂照.pdf 8950bbedf4a7f1d518e859f9800f9347
Download all files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (Password protected archive. Use the same password you used on the samples above or contact me for the password)