Monday, December 28, 2009

Dec. 28 CVE-2009-4324 Adobe 0-day "consumer welfare table" from gwsm01@gwsm.gov.tw Mon, 28 Dec 2009 22:08:05 +0800



Download  CVE-2009-4324 samples (Password protected archives. Use the same password you used on the samples above or contact me for the password)

Details: 99年(春節)消費者福利表.pdf -  c61c231d93d3bd690dd04b6de7350abb


From: 國防部福利總處 [mailto:gwsm01@gwsm.gov.tw]
Sent: 2009-12-28 8:03 AM
To: xxxxxx
Subject: 檢送國防部福利總處99年(春節)消費者福利表文件乙份,請查照!

詳情登陸國防部福利總處 http://www.gwsm.gov.tw/

服務專線: (02)2392-2377
地址:臺北市信義路一段3號
郵政信箱:台北郵政90036號信箱
網頁維護:綜合資訊組 分機:709




Terrible machine translation
From: National Ministry of Defense Office [mailto: gwsm01@gwsm.gov.tw]
Sent: 2009-12-28 8:03 AM
To: XXXX
Subject: Inspection Department, National Ministry of Defense to send New Year gift of consumer welfare table file, please see attached!

Details of the visit National Ministry of Defense Office http://www.gwsm.gov.tw

Service hotline: (02) 2392-2377
Address: Xinyi Road, Taipei, No. 3,
PO Box: Taipei Post Office Box No. 90036
Web Maintenance: Integrated Information Unit Ext: 709
Headers
Received: from gwsm (61-219-229-222.HINET-IP.hinet.net [61.219.229.222])
    by msr15.hinet.net (8.9.3/8.9.3) with ESMTP id WAA17650
    for xxxxxxxx
    ; Mon, 28 Dec 2009 22:08:05 +0800 (CST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@gwsm01212af2ce2>
From: "°ê¨¾³¡ºÖ§QÁ`³B"
To: xxxxxxxxx
Subject: =?big5?B?wMuwZbDqqL6zobrWp1HBYLNCOTmmfiisS7hgKa74tk+qzLrWp1Gq7aTlpfOkQQ==?=
    =?big5?B?pfcsvdCsZLfTIQ==?=
Date: Mon, 28 Dec 2009 21:02:36 +0800

X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579

 Virustotal
http://www.virustotal.com/analisis/6bb20b347d5f07c42450c07719acfe156346b46e9de3477d198d803f7b367b27-1262030725

File 99_____________________________.p received on 2009.12.28 20:05:25 (UTC)
Result: 5/41 (12.20%)
nProtect     2009.1.8.0     2009.12.28     Exploit.PDF-JS.Gen.C02
PCTools     7.0.3.5     2009.12.28     HeurEngine.MaliciousExploit
Sophos     4.49.0     2009.12.28     Troj/PDFJs-B
Sunbelt     3.2.1858.2     2009.12.28     Exploit.PDF-JS.Gen (v)
Symantec     1.4.4.12     2009.12.28     Bloodhound.Exploit.288
-
Additional information
File size: 127728 bytes
MD5   : c61c231d93d3bd690dd04b6de7350abb

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=c61c231d93d3bd690dd04b6de7350abb&type=js

Analysis report for 99年(春節)消費者�利表.pdf
File    99å¹´(春節)消費者ç¦�利表.pdf
MD5    c61c231d93d3bd690dd04b6de7350abb
Analysis Started    2009-12-28 12:22:07
Report Generated    2009-12-28 12:22:12
Jsand 1.03.02    malicious
Exploits
Name    Description    Reference
doc.media.newPlayer    Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2    CVE-2009-4324

Sender 61.219.229.222
 Hostname:61-219-229-222.hinet-ip.hinet.net
ISP:CHTD, Chunghwa Telecom Co., Ltd.
Organization:Ung Tzeng Co., Ltd.
Geo-Location Information
Country:Taiwan
State/Region:03
City:Taipei
Latitude:25.0392
Longitude:121.525


http://www.robtex.com/ip/61.219.229.222.html#graph


inetnum:      61.216.0.0 - 61.219.255.255
netname:      HINET-TW
descr:        CHTD, Chunghwa Telecom Co.,Ltd.
descr:        Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
descr:        Taipei Taiwan 100
country:      TW
admin-c:      HN27-AP
tech-c:       HN28-AP
remarks:      Delegated to HiNet for ADSL subscriber.
remarks:      This information has been partially mirrored by APNIC from
remarks:      TWNIC. To obtain more specific information, please use the
remarks:      TWNIC whois server at whois.twnic.net.
mnt-by:       MAINT-TW-TWNIC
changed:      **********@twnic.net 20010117
status:       ALLOCATED PORTABLE
source:       APNIC

person:       HINET Network-Adm
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
address:      Taipei Taiwan 100
country:      TW
phone:        +886 2 2322 3495
phone:        +886 2 2322 3442
phone:        +886 2 2344 3007
fax-no:       +886 2 2344 2513
fax-no:       +886 2 2395 5671
e-mail:       ***********@hinet.net
nic-hdl:      HN27-AP
remarks:      same as TWNIC nic-handle HN184-TW
mnt-by:       MAINT-TW-TWNIC
changed:      **********@twnic.net 20000721
source:       APNIC

person:       HINET Network-Center
address:      CHTD, Chunghwa Telecom Co., Ltd.
address:      Data-Bldg. 6F,  No. 21, Sec. 21, Hsin-Yi Rd.,
address:      Taipei Taiwan 100
country:      TW
phone:        +886 2 2322 3495
phone:        +886 2 2322 3442
phone:        +886 2 2344 3007
fax-no:       +886 2 2344 2513
fax-no:       +886 2 2395 5671
e-mail:       **************@hinet.net
nic-hdl:      HN28-AP
remarks:      same as TWNIC nic-handle HN185-TW
mnt-by:       MAINT-TW-TWNIC
changed:      **********@twnic.net 20000721
source:       APNIC
inetnum:      61.219.229.216 - 61.219.229.223
netname:      UNG-TZENG-CO-TP-NET
descr:        Ung Tzeng Co., Ltd.
descr:        Taipei Taiwan
country:      TW
admin-c:      MLW26-TW
tech-c:       MLW26-TW
mnt-by:       MAINT-TW-TWNIC
remarks:      This information has been partially mirrored by APNIC from
remarks:      TWNIC. To obtain more specific information, please use the
remarks:      TWNIC whois server at whois.twnic.net.
changed:      ***********@hinet.net 20010417
status:       ASSIGNED NON-PORTABLE
source:       TWNIC
person:       Mei Ling Wang
address:      Ung Tzeng Co., Ltd.
address:      Taipei Taiwan
e-mail:       **********@hn.hinet.net
nic-hdl:      MLW26-TW
changed:      **********@twnic.net.tw20010814
source:       TWNIC

Check out http://extraexploit.blogspot.com/2009/12/adobe-cve-2009-4324-in-wild-0day-part_1766.html  for a detailed pdf analysis.

Note:
When opened, it gives an error that the file is corrupt but opens it a second later anyway, displaying the text below. It drops at least four additional files in
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
  • AcrRd32.exe  - generates all files below
 http://anubis.iseclab.org/?action=result&task_id=1e4a6629a536efd74b580b153dc2ba7f0

http://www.virustotal.com/analisis/e2e3b1bd9b5d3fd8aa4b73d3393e4f00dc6c17ee92ee8cb00471ae0c73db680b-1262068818
  • 99¦~(¬K¸`)®ø¶OªÌºÖ§Qªí.pdf - which is the pdf file you will see, it is generated by AcrRd32.exe to make you think there is nothing wrong with the original pdf.
119bab77d4f2915ee353684160676835
http://www.virustotal.com/analisis/03118aa30820f247c2d0f751ee1a3740241a096cce4f75720fa0ccf35b727463-1262090020

  • wuweb.exe - gets generated by AcrRd32.exe
http://anubis.iseclab.org/?action=result&task_id=1124c35d261c97314818c2da58598d359&format=html,

http://www.virustotal.com/analisis/e2e3b1bd9b5d3fd8aa4b73d3393e4f00dc6c17ee92ee8cb00471ae0c73db680b-1262068818 , which generates

  • conime.exe   in C:\windows\addins
http://anubis.iseclab.org/?action=result&task_id=1018b323d0753e5a47165ff418656cf91&format=html

http://www.virustotal.com/analisis/9c55786d595c14662f24d670235ca374e71b1c99c42916c0b6ecf210cb531506-1262091203 








 
and generates traffic to
140.136.148.42:80
140.136.202.49:80

 Please come back for more information later or check out what extraexploit already found.


text of the pdf

主旨:配合99年(春節)消費者需求,統供品供應商自願免費加裝禮盒供應者,


請依附件格式提出申請。
說明:


一、99 年(春節2 月13 日),本總處預定自99年1月1日起至99 年2 月28 日止


供應禮盒。


二、免費加裝禮盒供應,請注意品質,衛生、安全及檢視方便之需求;並依(附


件1)格式(各檢附4 乘6 彩色照片1 張,背面註明條碼、品名)填送乙份,於


98 年12 月15 日前寄本總處,俾便辦理公告,逾期不予受理。


三、加裝禮盒內容為原議進之單品者,條碼及售價不變,惟單品集合後之加裝禮


盒,須有集合條碼,售價應為量販價並標示「不拆零販售」,禮盒內容及規格,


請參考範例(附件2)詳實填寫,否則不予辦理。


四、凡加裝禮盒之貨品,其檢驗、申配、付款等均按現行規定辦理。


詳情登陸國防部福利總處http://www.gwsm.gov.tw/


PDF 文 

No comments:

Post a Comment