Nov.30 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#0) This is the very first we received. FW: reference from chrisanderson58@hotmail.com Mon, 30 Nov 2009 06:56:23

• CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2, and possibly earlier versions, allows remote attackers to execute arbitrary code using ZLib compressed streams, as exploited in the wild in December 2009. 

Download the infected note200911.pdf  (password protected archive note200911m.zip. Contact me for the password. If you downloaded adobe zero day pdfs #1 and #2, use the same password)

• Details: 61baabd6fc12e01ff73ceacc07c84f9a - note200911.pdf

This message shows that Adobe zero day exploit has been in the wild and actively exploited by attackers since at least November 30, 2009 not December 11 or 14, 2009  Note the name of the file note200911.pdf is slightly different from Dec. 11, 2009 note_20091210.pdf  but it is the same MD5 61baabd6fc12e01ff73ceacc07c84f9a

From: Chris Anderson [mailto:chrisanderson58@hotmail.com]
Sent: 2009-11-30 1:56 AM
To: XXX@XXX.XXX
Subject: FW: reference
________________________________________
From: jackr@gilbrooks.edu
To: chrisanderson58@hotmail.com
Subject: reference
Date: Mon, 30 Nov 2009 06:53:52 +0000


Dear All
Please find attached the updated country briefing notes, and staff lists.


Kind regards
Jack

Virustotal
results of Dec. 15 2009
File note200911.pdf received on 2009.12.15 16:20:58 (UTC)
http://www.virustotal.com/analisis/27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa-1260894058
Result: 13/41 (31.71%)

a-squared 4.5.0.43 2009.12.15 Exploit.JS.Pdfka!IK
AhnLab-V3 5.0.0.2 2009.12.15 PDF/CVE-2009-4324
AntiVir 7.9.1.108 2009.12.15 HTML/Malicious.PDF.Gen
Comodo 3254 2009.12.15 UnclassifiedMalware
eSafe 7.0.17.0 2009.12.15 PDF.Exploit.4
F-Secure 9.0.15370.0 2009.12.15 Exploit:W32/AdobeReader.UZ
Ikarus T3.1.1.74.0 2009.12.15 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2009.12.15 Exploit.JS.Pdfka.atq
McAfee-GW-Edition 6.8.5 2009.12.15 Script.Malicious.PDF.Gen
Microsoft 1.5302 2009.12.15 Exploit:Win32/Pdfjsc.CO
NOD32 4690 2009.12.15 PDF/Exploit.Gen
PCTools 7.0.3.5 2009.12.15 Trojan.Pidief
Symantec 1.4.4.12 2009.12.15 Trojan.Pidief.H

File size: 400918 bytes
MD5...: 61baabd6fc12e01ff73ceacc07c84f9a
SHA1..: 0805d0ae62f5358b9a3f4c1868d552f5c3561b17
SHA256: 27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa
ssdeep: 1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8V


Messagelabs was catching it on November 30, 2009.

The message sender was
chrisanderson58@hotmail.com
 

The message was titled FW: reference
The message date was Mon, 30 Nov 2009 06:56:23 +0000 The message identifier was
The virus or unauthorised code identified in the email is:
Possible MalWare 'JS/PDFEncoded' found in
5963825_1001X_PA4_APDF__pdf_obj_110_0.js'. Heuristics score: 650

See post with CVE-2009-4324 sample #2
See post with CVE-2009-4324 sample #1