Tuesday, December 22, 2009

Dec. 22. Adobe 0 Day. Attack of the Day. 報告書(排出権取引に関する記述) from XXXREDACTED@mofa.go.jp Tue, 22 Dec 2009 09:36:20 +0800


Update Dec 22 7:40 am: Several new variants of CVE-2009-4324 have arrived since yesterday in different targeted messages. I do not have time to post them now but hope to do it eventually. I think the trickle of messages containing this type of exploit has now turned into a shower and is likely to become a downpour. I hope the AV vendors and Adobe are working hard on their detection and fixes, because the current VT results are a bit worrisome.


--------------------------------------

Somehow I doubt that the Ministry of Foreign Affairs of Japan http://www.mofa.go.jp/ joined the zero-day games; however, the headers seem to point to their network or someone using it. --- Never mind, they don't. "mofa.go.jp 117.11.119.251" is not really mofa.go.jp (Updated Dec.22 7:30 am).


Update. Dec 22 15:30
The spoofed message is crafted to look like a message from an existing high-ranking official in the Ministry of Foreign Affairs of Japan. Contents of the message and PDF are in Japanese and are pieces of documents discussing emissions controls. The documents contained names of various officials and full, correct contact information of the alleged sender from MOFA. Since I do not speak Japanese, I had to seek advice from people who can read Japanese and make such decisions. I have been told that while they are obviously fakes, it would take too much time and effort to make sure the documents contain no sensitive information, and therefore the message contents should not be released. I cannot publish them after receiving the recommendations above, so there will be no samples on this one. (M)


The message sender was XXXREDACTED@mofa.go.jp
The message originating IP was 117.11.119.251
The message recipients were XXX@XXX.XXX
The message was titled 報告書(排出権取引に関する記述)
The message date was Tue, 22 Dec 2009 09:36:20 +0800
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '7913605_1000X_PA2_APDF__pdf_obj_42_0.js'. Heuristics score: 251

Received: (qmail 19855 invoked from network); 22 Dec 2009 01:36:22 -0000
Received: from unknown (HELO mofa.go.jp) (117.11.119.251)   --- ok that is 117.11.119.251 from China pretending to be mofa.go.jp (Updated Dec.22 7:30 am).
by server-4.tower-37.messagelabs.com with SMTP; 22 Dec 2009 01:36:22 -0000
Received: from SSSSSS-2F0F04F3[192.168.1.121] by mofa.go.jp
  with SMTP id 4FFDC9B3; Tue, 22 Dec 2009 09:36:11 +0800
From: "XXXREDACTED@mofa.go.jp" <XXXTEMPORARILYREDACTED@mofa.go.jp>
Subject: =?ISO-2022-JP?B?GyRCSnM5cD1xIUpHUz1QOCI8aDB6JEs0WCQ5JGs1LT1SIUsbKEI=?=
To: XXX@XXX.XXX
Content-Type: multipart/mixed;
 boundary="=_NextPart_2rfkindysadvnqw3nerasdf";
    charset="iso-2022-jp"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Reply-To:XXXREDACTED@mofa.go.jp
Date: Tue, 22 Dec 2009 09:36:20 +0800
X-Priority: 2
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
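The spoofing in the headers above comes down to one observation: the hop where the gateway accepted the message says HELO mofa.go.jp but arrives from 117.11.119.251, and the Received line underneath it, which names mofa.go.jp as the relaying host, was written by the sender. The script below is an added example (not code from the post) that automates that check over a copy of the redacted headers shown above: it decodes the ISO-2022-JP subject, finds the first Received hop with a public source IP, and compares the HELO name and source address against the From domain. The allowlist of "expected" sending netblocks for mofa.go.jp is hypothetical; the post does not give MOFA's real relays, so a documentation range stands in for them.

```python
"""Triage spoofed-sender indicators in an e-mail header block.

Added example, not from the original post. RAW_HEADERS is a copy of the
redacted headers quoted in the post; EXPECTED_SENDERS is a hypothetical
defender-side allowlist and does not describe MOFA's real mail relays.
"""
import email
import ipaddress
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed from the headers quoted in the post (redactions kept).
RAW_HEADERS = b"""Received: (qmail 19855 invoked from network); 22 Dec 2009 01:36:22 -0000
Received: from unknown (HELO mofa.go.jp) (117.11.119.251)
 by server-4.tower-37.messagelabs.com with SMTP; 22 Dec 2009 01:36:22 -0000
Received: from SSSSSS-2F0F04F3[192.168.1.121] by mofa.go.jp
  with SMTP id 4FFDC9B3; Tue, 22 Dec 2009 09:36:11 +0800
From: "XXXREDACTED@mofa.go.jp" <XXXTEMPORARILYREDACTED@mofa.go.jp>
Subject: =?ISO-2022-JP?B?GyRCSnM5cD1xIUpHUz1QOCI8aDB6JEs0WCQ5JGs1LT1SIUsbKEI=?=
To: XXX@XXX.XXX
Date: Tue, 22 Dec 2009 09:36:20 +0800
X-Mailer: Microsoft Outlook Express 5.00.2919.6700

"""

# Hypothetical allowlist: where legitimate mail for the claimed From domain
# should originate. 203.0.113.0/24 is a documentation range, a placeholder.
EXPECTED_SENDERS = {"mofa.go.jp": ["203.0.113.0/24"]}

# Matches the qmail/MessageLabs style "from <rdns> (HELO <name>) (<ip>)".
HELO_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(HELO\s+(?P<helo>[^)\s]+)\)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)


def decode_subject(msg):
    """Decode an RFC 2047 encoded-word Subject (here ISO-2022-JP, base64)."""
    out = []
    for chunk, charset in decode_header(msg.get("Subject", "")):
        if isinstance(chunk, bytes):
            out.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            out.append(chunk)
    return "".join(out)


def first_external_hop(msg):
    """Return (index, helo, ip) of the first Received hop with a public source IP.

    Received headers read top-down are newest first, so this is the hop where
    our gateway accepted the message. Every Received line below it was
    supplied by the sender and cannot be trusted.
    """
    for i, value in enumerate(msg.get_all("Received", [])):
        m = HELO_RE.search(value)
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if ip.is_global:
            return i, m.group("helo"), str(ip)
    return None


def assess(raw, expected=EXPECTED_SENDERS):
    """Compare the gateway hop against the claimed From domain and report findings."""
    msg = email.message_from_bytes(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hop = first_external_hop(msg)
    if hop is None:
        return {"from_domain": from_domain, "findings": ["no_external_hop"]}
    idx, helo, ip = hop
    findings = []
    if helo.lower() == from_domain:
        # A HELO that echoes the From domain is free for a sender to forge.
        findings.append("helo_claims_from_domain")
    nets = [ipaddress.ip_network(n) for n in expected.get(from_domain, [])]
    if nets and not any(ipaddress.ip_address(ip) in n for n in nets):
        findings.append("ip_outside_expected_netblocks")
    # Hops appended below the gateway hop were written by the sender.
    untrusted = msg.get_all("Received", [])[idx + 1:]
    if any(from_domain in h.lower() for h in untrusted):
        findings.append("sender_supplied_hop_names_from_domain")
    return {"from_domain": from_domain, "helo": helo, "ip": ip,
            "subject": decode_subject(msg), "findings": findings}


if __name__ == "__main__":
    for key, value in assess(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

Run against the headers above, the gateway hop resolves to HELO mofa.go.jp from 117.11.119.251, the address falls outside the (placeholder) expected netblocks, and the sender-supplied inner hop that claims relaying "by mofa.go.jp" is flagged as untrustworthy. The same structure works as a mail-flow rule: trust only the Received line your own gateway wrote, and treat agreement between HELO and From domain as no evidence at all.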

Virustotal

http://www.virustotal.com/analisis/e78a7c6f6a607763f98d842c856b7adb778fabac4fc394a1236912d489fd1f62-1261458289

File 091222________________________.pd received on 2009.12.22 05:04:49 (UTC)

Result: 3/40 (7.5%)
Antivirus          Version   Last update   Result
McAfee-GW-Edition  6.8.5     2009.12.21    Heuristic.BehavesLike.PDF.Suspicious.Z
NOD32              4707      2009.12.21    PDF/Exploit.Gen
Sophos             4.49.0    2009.12.22    Troj/PDFJs-B
Additional information
File size: 872962 bytes
MD5...: fa1ceda2f4efbf3c3b1936be2221be31

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=fa1ceda2f4efbf3c3b1936be2221be31&type=js
MD5 fa1ceda2f4efbf3c3b1936be2221be31
Analysis Started 2009-12-21 21:24:33
Report Generated 2009-12-21 21:24:40

Jsand 1.03.02 malicious
Exploits doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324 
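Both detections above come from looking at the JavaScript the PDF carries rather than the PDF as a whole: the mail scanner named a single extracted object, pdf_obj_42_0.js, with a heuristics score, and Wepawet identified the Doc.media.newPlayer call that CVE-2009-4324 hinges on. The script below is an added example (not the post's code and not the scanner that produced either result) of that triage approach: it walks the PDF's objects, pulls out every /JS payload (inline literal or FlateDecode stream referenced indirectly), and assigns a weighted score for the vulnerable API name plus the usual obfuscation markers. The sample PDF and its JavaScript are constructed here and contain only the API name and marker strings, not a working exploit; the indicator weights and the 150-point threshold are arbitrary choices for illustration.

```python
"""Score the JavaScript inside a PDF for CVE-2009-4324-style indicators.

Added example, not from the post. The sample PDF built below is constructed
test input: it carries the API name and obfuscation markers only.
"""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+(\d+)\s+R")
JS_LIT_RE = re.compile(rb"/JS\s*\((.*?)\)\s*(?:/|>>)", re.S)

# (pattern, weight, label). The vulnerable API is the strongest signal; the
# rest are generic marks of obfuscated, heap-spray style JavaScript.
INDICATORS = [
    (re.compile(rb"media\s*\.\s*newPlayer"), 150, "doc.media.newPlayer reference"),
    (re.compile(rb"unescape\s*\("), 40, "unescape() decoding"),
    (re.compile(rb"%u[0-9a-fA-F]{4}"), 30, "%u-encoded string"),
    (re.compile(rb"util\s*\.\s*printd"), 20, "util.printd (version probing)"),
    (re.compile(rb"eval\s*\("), 20, "eval() of built string"),
]
SUSPICIOUS_AT = 150


def pdf_objects(data):
    """Yield (num, gen, body) for every 'N G obj ... endobj' in the file."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def stream_bytes(body):
    """Return an object's stream, inflated if it is FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    raw = m.group(1)
    if b"/FlateDecode" in body:
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass  # malformed stream: inspect the raw bytes anyway
    return raw


def find_js_objects(data):
    """Map (num, gen) -> JavaScript bytes for every /JS payload in the PDF."""
    objs = {(n, g): body for n, g, body in pdf_objects(data)}
    found = {}
    for key, body in objs.items():
        if b"/JS" not in body and b"/JavaScript" not in body:
            continue
        ref = JS_REF_RE.search(body)
        if ref:  # /JS points at another object holding the stream
            target = (int(ref.group(1)), int(ref.group(2)))
            if target in objs:
                found[target] = stream_bytes(objs[target])
            continue
        lit = JS_LIT_RE.search(body)  # inline literal (no escaped parens handled)
        found[key] = lit.group(1) if lit else stream_bytes(body)
    return {k: v for k, v in found.items() if v}


def score_pdf(data):
    """Total the indicator weights over all JS objects and give a verdict."""
    total, hits = 0, []
    for (num, gen), js in find_js_objects(data).items():
        for pat, weight, label in INDICATORS:
            if pat.search(js):
                total += weight
                hits.append((f"pdf_obj_{num}_{gen}.js", label))
    verdict = "suspicious" if total >= SUSPICIOUS_AT else "clean"
    return {"score": total, "hits": hits, "verdict": verdict}


# Constructed sample JS: API name and markers only, no exploit logic.
SAMPLE_JS = (
    b"// constructed sample for the scorer\n"
    b"var v = util.printd('yyyy', new Date());\n"
    b"var p = unescape('%u4141%u4141');\n"
    b"var hasPlayer = typeof media.newPlayer;\n"
)
# Constructed benign PDF: OpenAction runs a harmless inline script.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (this.pageNum = 0;) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_sample_pdf(js_source):
    """Assemble a minimal PDF whose OpenAction runs js_source from object 42."""
    stream = zlib.compress(js_source)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 42 0 R >> endobj\n"
        b"42 0 obj << /Length " + str(len(stream)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + stream + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    print(score_pdf(build_sample_pdf(SAMPLE_JS)))
    print(score_pdf(BENIGN_PDF))
```

The reported object name mirrors the scanner's pdf_obj_42_0.js convention so a hit can be traced back to the object that held the script. Real samples add layers this toy parser does not handle (object streams, other filters, string escapes), which is exactly why the post's scanner and Wepawet run the JavaScript instead of only pattern-matching it; a static score like this is a cheap first filter, not a replacement.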

Hostname: 117.11.119.251
ISP: CNC Group Tianjin province network
Organization: CNC Group Tianjin province network
Type: Cable/DSL
Country: China  
State/Region: 28
City: Tianjin


Before the test machine crashed, it generated traffic to China. It was too late last night to look much into it, but I hope to post the PDF soon. (Dec 22, 7:50 am)


Hostname: 119.167.225.48
ISP: CNCGROUP Shandong province network
Organization: CNCGROUP Shandong province network
Proxy: None detected
Type: Cable/DSL
Country: China  
State/Region: 25
City: Jinan

The end.


2 comments:

  1. The IP the message originated from doesn't really tell us much - other than the fact that the message came from China - not Japan!

    Both Trusted source and Ironport give this IP a poor reputation - perhaps this isn't the only thing to be sent.

  2. Good point. Did not check 117.11.119.251, it was pretty late last night. Which means the sample might be coming soon.