Wednesday, December 30, 2009

Dec. 29 CVE-2008-3005 / MS08-043 Darkmoon RAT Excel Russia Foreign Minister Meeting from spoofed daisuke_hasegawa@mofa.go.jp Dec 2009 06:50:10 -0000


Download the infected Excel file 1229.xls plus extracted bin files as 1229+bin files.zip (password protected archive, you need to contact me for the password)

            


This message was received from a spoofed email address of an official at the Foreign Ministry of Japan. The message came from China and is crafted to install a remote administration tool known as Darkmoon (similar to ProRAT). I will post more details as soon as I can.

  On December 28, Minister Okada held the Japan-Russia Foreign Ministers' Meeting with Foreign Minister Lavrov in Moscow and also met with Presidential Administration Chief Naryshkin. A summary of the results follows.

      [Key points]

    ● At the foreign ministers' meeting, Minister Okada said that the Hatoyama administration wants to advance politics and economics together like the two wheels of a cart; that while Japan-Russia relations are moving forward on the basis of the Japan-Russia Action Plan, there has been no visible progress on the question of the attribution of the territories; that efforts must be made at the foreign-minister level as well so that concrete progress on the territorial issue can be achieved; and that he wants the Russian side to respond on the attribution question in a way that takes Japan's position into account.

    ● Foreign Minister Lavrov explained that diplomacy with Japan is a priority for Russian foreign policy and, on the territorial issue, set out Russia's principled position, stating that Russia has no intention of artificially delaying a solution and that international law and the outcome of the Second World War must be taken into account.


[...] See the full text at the end of the post. The text is actually copied from the website of the Foreign Ministry of Japan (here is the page from the Google cache).
         ------------------------------------------------
    Daisuke HASEGAWA
    International Counter-Terrorism Cooperation Division Foreign Policy Bureau, Ministry of Foreign Affairs
    TEL: 03-5501-8000 ext.4180, FAX: 03-5501-8205 daisuke_hasegawa@mofa.go.jp



Monday, December 28, 2009

Dec. 28 CVE-2009-4324 Adobe 0-day "consumer welfare table" from gwsm01@gwsm.gov.tw Mon, 28 Dec 2009 22:08:05 +0800



Download CVE-2009-4324 samples (password protected archives; use the same password you used on the samples above or contact me for the password)

Details: 99年(春節)消費者福利表.pdf -  c61c231d93d3bd690dd04b6de7350abb


From: 國防部福利總處 [mailto:gwsm01@gwsm.gov.tw]
Sent: 2009-12-28 8:03 AM
To: xxxxxx
Subject: Forwarding one copy of the Ministry of National Defense Welfare Service Office's year 99 (Lunar New Year) consumer welfare table; please review!

For details, visit the Ministry of National Defense Welfare Service Office at http://www.gwsm.gov.tw/

Service hotline: (02)2392-2377
Address: No. 3, Section 1, Xinyi Road, Taipei City
P.O. box: Taipei Post Office Box 90036
Web maintenance: General Information Section, ext. 709


Dec. 28 CVE-2009-4324 Adobe 0 Day best wishes from delaney955@yahoo.com Mon, 28 Dec 2009 22:28:01 PST




Download CVE-2009-4324 samples. (Password protected archive. Use the same password you used on the CVE-2009-4324 samples or contact me for the password)

Details: best wishes.pdf - 4661f1f3553899edd953e448bcab3078

There are many poorly written holiday cards carrying this zero day, CVE-2009-4324; here is one more, and probably the last one.


From: Delaney Kay [mailto:delaney955@yahoo.com]
Sent: Tuesday, December 29, 2009 1:28 AM
To: delaney955@yahoo.com
Subject: Subject: best wishes

   Wishing  you  and  your family a happy and safe
 holiday seasion  and productivein 2010. Keep in turch. 




Saturday, December 26, 2009

Dec.26 CVE-2009-4324 Adobe 0 Day Christmas Greetings from H.H. the Dalai Lama from test01@humanright-watch.org Sat, 26 Dec 2009 20:58:47 +0800


Download CVE-2009-4324 files (Password protected archive. Use the same password you used on the samples above or contact me for the password)

Details: Greetings.pdf - 2a7b8180da2906c9889f13fa912df6a0

From: test01@humanright-watch.org on behalf of Kate Saunders [kates@ictibet.org]
Sent: Sat 12/26/2009 8:02 AM
To:
Subject Christmas Greetings from H.H. the Dalai Lama
Attachment Greetings.pdf (81 KB)

Dear Friend of Tibet. Sincerely thank you for the support of the Free Tibet Campaign. I extend you Christmas blessings on behalf of the Dalai Lama. Attachment is a letter sent to you from H.H. the Dalai Lama.
Tashi Delek!

Kate Saunders.ICT
1852 Jefferson Place NW
Washington, DC 20036
Tel 1-202-580-6716
Cell:1-202-375-4398
emai1:kates@ictibet.org
www.savetibet.org


Sender (see header at the end of the post): Sat, 26 Dec 2009 20:58:47 +0800 (CST)
Received: from krilwftlv (203186054193.static.ctinets.com [203.186.54.193]


Hostname: 203186054193.static.ctinets.com
ISP: City Telecom (H.K.) Ltd.
Organization: FIRST NETWORK COMMUNICATIONS LTD - FAVOR INDUSTRIA
Country: Hong Kong
Central District

Wednesday, December 23, 2009

Dec. 23. CVE-2009-4324 Adobe 0 Day. Attack of the Day VERY Merry Christmas from everyone



Download all files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (Password protected archive. Use the same password you used on the samples above or contact me for the password)

Merry Christmas cards come in bulk. I normally don't bother with greeting-card viruses, but these are 0 Day PDFs and I am peeved at Adobe for deciding to wait with the fixes so as not to disrupt the update cycle. The cards show a total lack of imagination and aesthetics but impressive antivirus evasion abilities, especially the second card, Merry Christmas.pdf (0ac635c06b571ad340b115f3d744f951): only three AV providers have a clue. Please see both samples below; you can download them from the link above.

File MerryChristmas.pdf   bc11e11405b7f9ba104451ecd40e3840 
File Merry Christmas.pdf  0ac635c06b571ad340b115f3d744f951 




File MerryChristmas.pdf received on 2009.12.23 06:05:18 (UTC)
 http://www.virustotal.com/analisis/c78f02f1de087a0ce91be1ca68ffb1995f392a063fc8abb7fd700896f050ed68-1261548318
Result: 11/40 (27.5%)
a-squared    4.5.0.43    2009.12.22    Exploit.Win32.ShellCode!IK
AntiVir    7.9.1.122    2009.12.22    HTML/Shellcode.Gen
Antiy-AVL    2.0.3.7    2009.12.23    Exploit/Win32.Pidief
BitDefender    7.2    2009.12.23    Exploit.PDF-JS.Gen
F-Secure    9.0.15370.0    2009.12.23    Exploit.PDF-JS.Gen
GData    19    2009.12.22    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.79.0    2009.12.22    Exploit.Win32.ShellCode
McAfee-GW-Edition    6.8.5    2009.12.23    Script.Shellcode.Gen
Sophos    4.49.0    2009.12.23    Troj/PDFJs-B
TrendMicro    9.120.0.1004    2009.12.23    Expl_ShellCodeSM
VirusBuster    5.0.21.0    2009.12.22    JS.Shellcode.Gen
Additional information
File size: 1226632 bytes
MD5...: bc11e11405b7f9ba104451ecd40e3840
SHA1..: 5867bd88d2cb5f822f493a041a39705432973828


Wepawet
 http://wepawet.cs.ucsb.edu/view.php?hash=bc11e11405b7f9ba104451ecd40e3840&type=js
File MerryChristmas.pdf
MD5 bc11e11405b7f9ba104451ecd40e3840
Analysis Started 2009-12-22 22:24:14
Report Generated 2009-12-22 22:24:20
Jsand 1.03.02 malicious
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324

===========================================

The message sender was
    takahino_ninomiya@yahoo.co.jp

The message originating IP was 124.83.212.88 The message recipients were
    XXXXXXXX

The message was titled merry x-mas
The message date was Tue, 22 Dec 2009 16:42:01 +0900 (JST) The message identifier was <659021.75136.qm@web4308.mail.ogk.yahoo.co.jp>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '8044665_1000X_PA3_APDF__pdf_obj_42_0.js'. Heuristics score: 251

Virustotal
http://www.virustotal.com/analisis/dadcb65ec1057baa543a34bfe92144a30fde84cf85db9199b3873f819df6e79c-1261548993
 File Merry_Christmas.pdf received on 2009.12.23 06:16:33 (UTC)
Result: 3/41 (7.32%)
McAfee-GW-Edition    6.8.5    2009.12.23 Heuristic.BehavesLike.PDF.Suspicious.Z
NOD32    4710    2009.12.22    PDF/Exploit.Gen
Sophos    4.49.0    2009.12.23    Troj/PDFJs-B
Additional information
File size: 873031 bytes
MD5...: 0ac635c06b571ad340b115f3d744f951
SHA1..: d2af65c8f6f5733a574d049fe9e2683c9aab479e

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=0ac635c06b571ad340b115f3d744f951&type=js
File Merry Christmas.pdf
MD5 0ac635c06b571ad340b115f3d744f951
Analysis Started 2009-12-22 22:32:36
Report Generated 2009-12-22 22:32:56
Jsand 1.03.02 malicious
Name Description Reference
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324 
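The Wepawet reports above name the vulnerable API (Doc.media.newPlayer) and the Messagelabs notices point at one specific JavaScript object inside each PDF (pdf_obj_42_0.js, pdf_obj_31_0.js). The following Python script is an added example, not code from this blog, from Wepawet or from Messagelabs: it walks the objects of a PDF, pulls out the JavaScript streams (inflating FlateDecode ones), and reports per object which strings are worth a closer look. The sample PDF it builds is constructed for the demonstration and is not an exploit; the "unescape(" indicator is the editor's addition as a generic heap-spray hint, not something the page names. It handles only the direct-integer /Length and single-filter cases, which is enough for a first triage pass.

```python
import re
import zlib


# Constructed stand-in for a malicious PDF: one FlateDecode-compressed JavaScript
# stream referenced from the catalog's /OpenAction. It is not an exploit; it only
# gives the scanner below something realistic to find (hypothetical sample).
def build_sample_pdf(js_source: str) -> bytes:
    compressed = zlib.compress(js_source.encode("utf-8"))
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
        b"4 0 obj\n<< /Length " + str(len(compressed)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + compressed + b"\nendstream\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")        # /JS pointing at a stream object
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")   # direct integer only, not "12 0 R"
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")


def stream_payload(body: bytes):
    """Raw stream bytes of one object body, or None if it has no stream.
    Uses a direct /Length when present; otherwise falls back to 'endstream'."""
    start = STREAM_START_RE.search(body)
    if start is None:
        return None
    payload = body[start.end():]
    m = LENGTH_RE.search(body[: start.start()])
    if m:
        return payload[: int(m.group(1))]
    end = payload.rfind(b"endstream")
    return payload[:end].rstrip(b"\r\n") if end != -1 else payload


def extract_js(pdf: bytes):
    """Return (object number, JavaScript bytes) for every object holding JS,
    mirroring the 'pdf_obj_<n>_0.js' naming used in the Messagelabs notices."""
    referenced = {int(n) for n in JS_REF_RE.findall(pdf)}
    found = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        data = stream_payload(body)
        if data is None:
            continue
        is_js = num in referenced or re.search(rb"/(?:JS|JavaScript)\b", body) is not None
        if not is_js:
            continue
        if b"/FlateDecode" in body:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                # Failure mode: truncated or deliberately corrupted stream.
                # Keep the raw bytes so the object is still reported.
                pass
        found.append((num, data))
    return found


# 'media.newPlayer' is the API named in the Wepawet reports; 'unescape(' is the
# editor's generic heap-spray indicator (assumption, not taken from the page).
INDICATORS = (b"media.newPlayer", b"unescape(")


def scan_pdf(pdf: bytes):
    """One finding per JavaScript-bearing object: which indicators it contains."""
    return [
        {"object": num, "indicators": [i.decode() for i in INDICATORS if i in js]}
        for num, js in extract_js(pdf)
    ]


if __name__ == "__main__":
    sample = build_sample_pdf("var m = this.media.newPlayer; app.alert('constructed sample');")
    for finding in scan_pdf(sample):
        print(f"object {finding['object']}: {finding['indicators'] or 'no indicators'}")
```

Run it directly to see the single finding for object 4; on a real file, pass the bytes of the PDF to scan_pdf and compare the object numbers with the ones in the gateway's notice.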



Tuesday, December 22, 2009

Software informer. Adware / Malware - most likely

Software informer.
This information was sent by a reader. I am posting it here with minimal edits. If you would like to download it, test it, and resolve the controversy, the link is below. Thank you for your help.

There seems to be a lot of controversy over whether a Russian-made piece of software called Software Informer is malware/adware or not. http://aroundsap.blogspot.com/2007/08/remove-software-informer-system.html

I believe it is adware and must be avoided, like anything associated with RBN. If you search for software updates, you often run into links poisoned by their ads, like this
hxxp://aventail-access-manager.software.informer.com/download/
or this
hxxp://camera-assistant-software.software.informer.com/
 
"IP range (208.88.224.0/24) from files.informer.com (IP = 208.88.224.211) is in the RBN block rules.

http://www.emergingthreats.net/rules/emerging-rbn-BLOCK.rules

The domains in this range are not trustworthy
http://www.robtex.com/cnet/208.88.224.html
 


Download the file --> hxxp://files.informer.com/siinst.exe (MD5: f81ccc88fe9c73d54a3bbc72e760265b / Size: 744'538 Bytes)


Dec. 22 Attack of the Day Trojan.SWF.HeapSpray.B 2010 Congressional, Political and Holiday Schedule from Council for a Livable World from jdsaacs@clw.org




Download infected schedule 2010.pdf (password protected archive. Please contact me if you need the password) - 4875fc26b1507b0f70770253c1bfd3a9



 From: John Isaacs [mailto:jdsaacs@clw.org]
Sent: Tuesday, December 22, 2009 3:37 AM
To: "Undisclosed-Recipient:;"
Subject: 2010 Congressional, Political and Holiday Schedule from Council for a Livable World


    2010 Congressional, Political, Cultural and Holiday Schedule
    Items highlighted in yellow relate to Congress
   

    January

    Friday, Jan. 1: New Year’s Day (federal holiday)
    Tuesday, Jan. 5 - Second session of Congress reconvenes in a pro forma session
    Thursday, Jan. 7: BCS college football championship game - Alabama vs. Texas
    Tuesday, Jan. 12: House reconvenes for legislative business
    Monday, Jan. 18: Martin Luther King, Jr. Day (federal holiday)
    Tuesday, Jan. 19: Senate reconvenes for legislative business
    Tuesday, Jan. 19: Mass. special Senate election - Martha Coakley (D) vs. Scott Brown (R)
    Late Jan.:  President Obama’s State of the Union address
    February



Dec. 22. Adobe 0 Day. Attack of the Day. 報告書(排出権取引に関する記述) from XXXREDACTED@mofa.go.jp Tue, 22 Dec 2009 09:36:20 +0800


Update Dec 22 7:40 am: Several new variants of CVE-2009-4324 have arrived since yesterday in different targeted messages. I do not have time to post them now but hope to do it eventually. I think the trickle of messages containing this type of exploit has now turned into a shower and is likely to become a downpour. I hope the AV vendors and Adobe are working hard on their detection and fixes, because the current VT results are a bit worrisome.


--------------------------------------

Somehow I doubt that the Ministry of Foreign Affairs of Japan http://www.mofa.go.jp/ joined the zero day games; however, the headers seem to point to their network or someone using it. --- Never mind, they don't: "mofa.go.jp 117.11.119.251" is not really mofa.go.jp (updated Dec. 22 7:30 am).


Update. Dec 22 15:30
The spoofed message is crafted to look like a message from an existing high-ranking official in the Ministry of Foreign Affairs of Japan. The contents of the message and the PDF are in Japanese and are pieces of documents discussing emissions controls. The documents contained the names of various officials and the full, correct contact information of the alleged sender from MOFA. Since I do not speak Japanese, I had to seek advice from people who can read Japanese and make such decisions. I have been told that while they are obviously fakes, it would take too much time and effort to make sure the documents contain no sensitive information, and therefore the message contents should not be released. After receiving the recommendations above I cannot publish them; there will be no samples for this one. (M)


The message sender was

XXXREDACTED@mofa.go.jp
The message originating IP was 117.11.119.251 The message recipients were
XXX@XXX.XXX
The message was titled 報告書(排出権取引に関する記述)
The message date was Tue, 22 Dec 2009 09:36:20 +0800 The message identifier was (empty) The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '7913605_1000X_PA2_APDF__pdf_obj_42_0.js'. Heuristics score: 251


Dec 22 Exploit/Zordle.gen Attack of the Day US China Statement from spoofed sender Tue, 22 Dec 2009 22:26:45



Download infected US China Statement.pdf (Password protected archive, please contact me if you need the password) 




The message sender was
    Spoofed
 message recipients were
    XXX@XXX.XXX
The message was titled US China Statement.
The message date was Tue, 22 Dec 2009 22:26:45 +0800 The message identifier was <08db01ca8312$f3b7a7f0$9301a8c0@testacb8580da5>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Zordle.gen' found in
>>> '5964330_4X_PM6_EMS_MA-OCTET=2DSTREAM__US=20China=20Statement.pdf'.
>>> Heuristics score: 201



Monday, December 21, 2009

Dec. 21 Adobe 0 Day CVE-2009-4324 PDF Attack of the Day SEF preparatory discussions list 陸委會轉寄 海基會、海協會協商代表團預備性磋商名單 from macnews@mac.gov.tw Mon, 21 Dec 2009 20:37:15 +0800


Download infected pdf 海基會協商代表團預備性磋商名單.pdf as SEFdiscussionsm.zip. Password protected; please use the same password as on the other CVE-2009-4324 files or contact me for the password.

Yawn. Here is one more.



From: macnews [mailto:macnews@mac.gov.tw]
Sent: Monday, December 21, 2009 7:37 AM
To: XXXXXXXXXXXX
Subject: The Mainland Affairs Council forwards the list of the SEF and ARATS negotiating delegations for the preliminary consultations

Hello, attached is the list of the SEF and ARATS delegations for the preliminary consultations of this round of negotiations, provided for your reference. Thank you.

__________ Information from ESET NOD32 Antivirus, version of virus signature database 4707 (20091221) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
Here is a terrible machine translation, but it is easy to understand that the mailing is fueled by the recent news, namely the talks between ARATS (Association for Relations Across the Taiwan Straits) and SEF (Straits Exchange Foundation) in Taichung tomorrow, December 22, 2009.


From: macnews [mailto: macnews@mac.gov.tw]
Sent: Monday, December 21, 2009 7:37 AM
To: XXXXXXXXXXXX
Subject: MAC forwarding SEF and ARATS consultations, the delegation of the list of preliminary consultations
Hello, see attached third Consultative SEF and ARATS delegation of the list of preliminary consultations provided for your reference, thank you. 



Nov 30 -- Dec 21 CVE-2009-4324 Summary of posts with samples




Download all files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (Password protected archive. Use the same password you used on the samples above or contact me for the password)

  1. See post with CVE-2009-4324 sample #0 (Nov. 30, 2009): note200911.pdf, 61baabd6fc12e01ff73ceacc07c84f9a
  2. See post with CVE-2009-4324 sample #1 (Dec. 11, 2009): note_20091210.pdf, 61baabd6fc12e01ff73ceacc07c84f9a
  3. See post with CVE-2009-4324 sample #2 (Dec. 13, 2009): Outline of Interview.pdf, 35e8eeee2b94cbe87e3d3f843ec857f6
  4. See post with CVE-2009-4324 sample #3 (Dec. 18, 2009): merry christmas.pdf, 955bade419a9ba9e5650ccb3dda88844
  5. See post with CVE-2009-4324 sample #4 (Dec. 18, 2009): 「寶貝悶」瘋狂照.pdf (renamed to crazyphoto.zip), 8950bbedf4a7f1d518e859f9800f9347
  6. See post with CVE-2009-4324 sample #5 (Dec. 21, 2009): 海基會協商代表團預備性磋商名單.pdf (renamed to SEFdiscussionsm.zip), 0ab2fd3b6c385049f9eb4a559dbdc8a6 --- New





Dec 21 Attack of the Day. Exploit/Zordle.gen. Information on the forum invitation from Yenfei.Su@gmail.com Tue, 22 Dec 2009 11:08:24 +0800


Download infected pdf as ForumInvitation.zip (Password protected, please contact me if you need it)


The message sender was
Yenfei.Su@gmail.com
The message originating IP was 168.95.4.116 The message recipients were
XXX@XXX.XXX
The message was titled 座談會邀請資料
The message date was Tue, 22 Dec 2009 11:08:24 +0800 The message identifier was
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Zordle.gen' found in
>>> '5963899_4X_PM5_EMS_MA-OCTET=2DSTREAM__=A5=C9=A4s=B1M=C3D3=AD=D7.pdf
>>> '. Heuristics score: 201


Headers
 Received: from msr32.hinet.net (HELO msr32.hinet.net) (168.95.4.132)
  by XXXXXX SMTP; 22 Dec 2009 03:07:58 -0000
Received: from IBM-62979760B13 (61-218-117-75.HINET-IP.hinet.net [61.218.117.75])
    by msr32.hinet.net (8.9.3/8.9.3) with ESMTP id LAA19335
    for XXXXXXXX: Yenfei.Su@gmail.com
From: "Yen-fei Su"
To: XXXXXXXXXXX
Subject: =?BIG5?B?rnm9zbd8wdy90LjqrsY=?=
Date: Tue, 22 Dec 2009 11:07:38 +0800
Message-Id:
MIME-Version: 1.0
Content-Type: multipart/mixed;     boundary="----=_NextPart_09122211024143786257804_000"
X-Priority: 3
X-Mailer: DreamMail 4.5.0.0
Received: (qmail 8043 invoked from network); 22 Dec 2009 03:07:58 -0000
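The headers above show the pattern the gateway notices report as the "originating IP": the innermost Received: line names a bare Windows machine name handing the mail to a HiNet relay, while the From: claims a Gmail address and the Subject is a BIG5 encoded-word. The following Python script is an added example, not code from this blog or from Messagelabs: it parses a constructed header block modelled on those lines, extracts the relay chain, picks the originating IP, flags HELO names that are not fully qualified, checks whether any relay belongs to the From: domain, and decodes the RFC 2047 subject. The relay names and addresses are the ones printed in the post; the recipient address, the From: address form and the line folding are constructed so the block parses cleanly.

```python
import re
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr

# Constructed header block modelled on the Received chain quoted above
# (hypothetical sample: relay names/IPs from the post, recipient made up).
SAMPLE_HEADERS = """\
Received: from msr32.hinet.net (HELO msr32.hinet.net) (168.95.4.132)
  by mx.example.invalid with SMTP; 22 Dec 2009 03:07:58 -0000
Received: from IBM-62979760B13 (61-218-117-75.HINET-IP.hinet.net [61.218.117.75])
    by msr32.hinet.net (8.9.3/8.9.3) with ESMTP id LAA19335
    for <recipient@example.invalid>; Tue, 22 Dec 2009 11:07:38 +0800
From: "Yen-fei Su" <Yenfei.Su@gmail.com>
To: recipient@example.invalid
Subject: =?BIG5?B?rnm9zbd8wdy90LjqrsY=?=
Date: Tue, 22 Dec 2009 11:07:38 +0800
MIME-Version: 1.0
X-Mailer: DreamMail 4.5.0.0

"""

# A dotted quad that is not part of a longer number or version string.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_hops(msg):
    """(HELO name, IP) per Received: header, newest hop first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        name = re.match(r"from\s+(\S+)", text)
        ip = IPV4_RE.search(text)
        hops.append((name.group(1) if name else None, ip.group(1) if ip else None))
    return hops


def originating_ip(msg):
    """IP from the oldest Received: line: the host that handed the message to
    the first relay, which is what the Messagelabs notices call the originating IP."""
    hops = received_hops(msg)
    return hops[-1][1] if hops else None


def unqualified_helo(msg):
    """HELO names without a dot. A bare machine name (here a Windows computer
    name) usually means an end-user host submitted the mail, not a mail server."""
    return [name for name, _ in received_hops(msg) if name and "." not in name]


def decoded_subject(msg):
    """Decode RFC 2047 encoded-words (here BIG5/base64) into readable text."""
    parts = []
    for raw, charset in decode_header(msg.get("Subject", "")):
        parts.append(raw.decode(charset or "ascii", "replace") if isinstance(raw, bytes) else raw)
    return "".join(parts)


def from_domain_in_path(msg):
    """True when some relay in the Received chain belongs to the From: domain.
    False is only a triage hint (legitimate mail often relays through other
    domains), but together with an unqualified HELO it deserves a look."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return False
    return any(name and name.lower().endswith(domain) for name, _ in received_hops(msg))


def triage(raw_headers: str):
    """Summarise the header-level signals a reviewer would check first."""
    msg = message_from_string(raw_headers)
    return {
        "subject": decoded_subject(msg),
        "originating_ip": originating_ip(msg),
        "hops": received_hops(msg),
        "unqualified_helo": unqualified_helo(msg),
        "from_domain_in_path": from_domain_in_path(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run it directly to print the triage dictionary; for a real message, pass the raw header text (everything up to the first blank line) to triage.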




Saturday, December 19, 2009

[2009-12-19] Analysis of CVE-2009-4324 samples by extraexploit

Please see analysis of CVE-2009-4324 samples kindly provided by extraexploit.

Samples from Dec 18 



Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas

Samples from Nov.30, Dec 11, and Dec 13
Adobe CVE-2009-4324 in the wild - (0day) - part 0.2 - shellcode and site down
Adobe CVE-2009-4324 in the wild - (0day) - part 0.1 - browsing C&Cs
Adobe CVE-2009-4324 in the wild - (0day) - part 0



Dec 18 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#5) merry christmas from uyghurhunova@yahoo.com Fri, 18 Dec 2009 11:11:27 -0800



 Download infected merry_christmas.pdf (password protected, please contact me or use the same password as you used on other CVE-2009-4324 samples)


Adobe is taking their sweet time to fix the problem while new variants show up. You don't need ESP to predict that Christmas cards will be followed by New Year's invites and IRS forms before most people receive and install the updates. I was surprised that Symantec, the CVE-2009-4324 pack leader of the past few days, did not detect it. Tip of the hat to Messagelabs for catching it again.





From: Uyghur Hunova uyghurhunova@yahoo.com
Subject: merry christmas
Sent: Fri 12/18/2009 2:09 PM
My dear friend
Merry Christmas


 The message sender was
 uyghurhunova@yahoo.com
The message originating IP was 98.137.27.222 The message recipients were
    XXX@XXX.XXX
The message was titled merry christmas
The message date was Fri, 18 Dec 2009 11:11:27 -0800 (PST) The message identifier was <474701.46814.qm@web112506.mail.gq1.yahoo.com>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '8044614_1000X_PA3_APDF__pdf_obj_31_0.js'. Heuristics score: 401

Friday, December 18, 2009

Dec 18 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#4) 女兵脫衣比中指 拍照PO上網 from gpwbinfo@mna.gpwb.gov.tw Sat, 19 Dec 2009 10:22:01 +0800

 



This message is targeted but not perfect: not all recipients of that message can read Chinese. I posted the machine translation at the end of the post; it is about an alleged recent strip-photo scandal in the People's Liberation Army.

This message shows that detection of the new threat remains tricky. Messagelabs apparently used Symantec scanners to stop and tag the threat, yet Symantec did not detect it when it was scanned on Virustotal. Not to mention the distressingly low overall detection rate: 7 out of 41.

The message sender was
    gpwbinfo@mna.gpwb.gov.tw
The message originating IP was 203.252.1.122 The message recipients were
    XXX@XXX.XXX
The message was titled 女兵脫衣比中指 拍照PO上網
The message date was Sat, 19 Dec 2009 10:22:01 +0800 The message identifier was  1975e5623c$23fce32a$0ae1d8b4@gpwbinfo212af2ce2>
The virus or unauthorised code identified in the email is:
Trojan.Pidief.H -- Symantec definitions :)




From: 軍聞社 [mailto:gpwbinfo@mna.gpwb.gov.tw]
Sent: Friday, December 18, 2009 9:22 PM
To: XXXXXXXXX
Subject: Female soldier strips and gives the middle finger; photos posted online

        A set of photos titled "Baobei Men" (「寶貝悶」) showing a female soldier of the national armed forces (國軍) undressing has been circulating online and, because the behaviour was unprecedentedly bold, immediately caused a sensation. Outsiders initially assumed the photos were fake, but investigation revealed that the subject of the revealing photos is Staff Sergeant Chen Hsueh-wei (陳學葳), a serving administrative NCO of the 1st Squadron, Central Transportation Group, Combined Logistics Command. After the photos came to light, Chen admitted to the military that they were "crazy photos" taken with classmates in February of last year to celebrate the end of their training at the logistics school. ...
 (See the full text at the end of the post.)
 .....
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4700 (20091218) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com


Virustotal
http://www.virustotal.com/analisis/55227b229a113d8a93d823466ebdd7a94c77fa37126b330818b41d49bd9a73de-1261202919
File ________________________.pdf received on 2009.12.19 06:08:39 (UTC)
Result: 7/41 (17.08%)
BitDefender    7.2    2009.12.19    Exploit.PDF-JS.Gen
F-Secure    9.0.15370.0    2009.12.19    Exploit.PDF-JS.Gen
GData    19    2009.12.19    Exploit.PDF-JS.Gen
Kaspersky    7.0.0.125    2009.12.19    Exploit.Win32.Pidief.cxi
McAfee-GW-Edition    6.8.5    2009.12.18    Heuristic.BehavesLike.PDF.Suspicious.Z
PCTools    7.0.3.5    2009.12.19    Trojan.Pidief
Symantec    1.4.4.12    2009.12.18 --Ok, Symantec, what happened here?
Sunbelt    3.2.1858.2    2009.12.19    Exploit.PDF-JS.Gen (v)

Additional information
File size: 51822 bytes
MD5...: 8950bbedf4a7f1d518e859f9800f9347
SHA1..: e4d30ecbe13765c4448e0b140db2569c58aa39f8
SHA256: 55227b229a113d8a93d823466ebdd7a94c77fa37126b330818b41d49bd9a73de
ssdeep: 768:bsg8fN3eX7k3GHsF90azVWqaYXCqntyhovHhv/MVsMepOF:bTYN3z3UscazpXM25EZepG


Wepawet Analysis
http://wepawet.cs.ucsb.edu/view.php?hash=8950bbedf4a7f1d518e859f9800f9347&type=js
Analysis report for 「寶貝悶」瘋狂照.pdf
File 「寶貝悶」瘋狂照.pdf
MD5 8950bbedf4a7f1d518e859f9800f9347
Analysis Started 2009-12-18 20:10:54
Report Generated 2009-12-18 20:10:58
Jsand 1.03.02 malicious
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324


Tuesday, December 15, 2009

Dec.13-Dec.11-Nov.30 Adobe CVE-2009-4324 posts with infected samples.



Download all together with the binary that it downloads from hxxxp://foruminspace.com/documents/dprk/ (Password protected archive. Use the same password you used on the samples above or contact me for the password)

Note: A few people reported problems with unzipping the files - use 7Zip http://www.7-zip.org if you do. Please email the name of the file or provide a link when asking for a password.

See post with CVE-2009-4324 Sample#0 (Nov. 30, 2009)  note200911.pdf 61baabd6fc12e01ff73ceacc07c84f9a
See post with CVE-2009-4324 sample #1 (Dec 11, 2009) note_20091210.pdf  61baabd6fc12e01ff73ceacc07c84f9a
See post with CVE-2009-4324 sample #2 (Dec. 13, 2009) Outline of Interview.pdf 35e8eeee2b94cbe87e3d3f843ec857f6



Nov.30 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#0) This is the very first we received. FW: reference from chrisanderson58@hotmail.com Mon, 30 Nov 2009 06:56:23


This message shows that the Adobe zero day exploit has been in the wild and actively exploited by attackers since at least November 30, 2009, not December 11 or 14, 2009. Note that the file name note200911.pdf is slightly different from the Dec. 11, 2009 note_20091210.pdf, but it is the same file, with MD5 61baabd6fc12e01ff73ceacc07c84f9a.


From: Chris Anderson [mailto:chrisanderson58@hotmail.com]
Sent: 2009-11-30 1:56 AM
To: XXX@XXX.XXX
Subject: FW: reference
________________________________________
From: jackr@gilbrooks.edu
To: chrisanderson58@hotmail.com
Subject: reference
Date: Mon, 30 Nov 2009 06:53:52 +0000


Dear All
Please find attached the updated country briefing notes, and staff lists.


Kind regards
Jack



Virustotal
results of Dec. 15 2009
File note200911.pdf received on 2009.12.15 16:20:58 (UTC)
http://www.virustotal.com/analisis/27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa-1260894058
Result: 13/41 (31.71%)

a-squared 4.5.0.43 2009.12.15 Exploit.JS.Pdfka!IK
AhnLab-V3 5.0.0.2 2009.12.15 PDF/CVE-2009-4324
AntiVir 7.9.1.108 2009.12.15 HTML/Malicious.PDF.Gen
Comodo 3254 2009.12.15 UnclassifiedMalware
eSafe 7.0.17.0 2009.12.15 PDF.Exploit.4
F-Secure 9.0.15370.0 2009.12.15 Exploit:W32/AdobeReader.UZ
Ikarus T3.1.1.74.0 2009.12.15 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2009.12.15 Exploit.JS.Pdfka.atq
McAfee-GW-Edition 6.8.5 2009.12.15 Script.Malicious.PDF.Gen
Microsoft 1.5302 2009.12.15 Exploit:Win32/Pdfjsc.CO
NOD32 4690 2009.12.15 PDF/Exploit.Gen
PCTools 7.0.3.5 2009.12.15 Trojan.Pidief
Symantec 1.4.4.12 2009.12.15 Trojan.Pidief.H

File size: 400918 bytes
MD5...: 61baabd6fc12e01ff73ceacc07c84f9a
SHA1..: 0805d0ae62f5358b9a3f4c1868d552f5c3561b17
SHA256: 27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa
ssdeep: 1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8V


Messagelabs was already catching it on November 30, 2009.

The message sender was
chrisanderson58@hotmail.com
 

The message was titled FW: reference
The message date was Mon, 30 Nov 2009 06:56:23 +0000 The message identifier was
The virus or unauthorised code identified in the email is:
Possible MalWare 'JS/PDFEncoded' found in
5963825_1001X_PA4_APDF__pdf_obj_110_0.js'. Heuristics score: 650



See post with CVE-2009-4324 sample #2
See post with CVE-2009-4324 sample #1

Dec.13 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#2) Interview Request from fureer.angelica@gmail.com Sun, 13 Dec 2009 14:13:46



Download "Outline of interview" infected pdf (password protected archive; contact me for the password. If you got the first version of the Adobe zero day of Fri, Dec 11, the password is the same).
Note: A few people reported problems with unzipping the files - use 7Zip http://www.7-zip.org if you do. Please email the name of the file or provide a link when asking for a password.

New Adobe zero day exploit message (#2). See #1 here.

From: Fureer Angelica [mailto:fureer.angelica@gmail.com]
Sent: 2009-12-13 12:14 AM
To: XXXXXX
Subject: Interview Request


This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
There's growing concern about the U.S.-North Korea bilateral talks.
So, we're planning an Interview about them.
Attached is the outline of the interview.


p.s. Detailed schedules will be followed soon if you accept the offer.

Messagelabs detects it easily
The message sender was
fureer.angelica@gmail.com

The message originating IP was 209.85.222.117 The message recipients were
XXX@XXX.XXX

The message was titled Interview Request The message date was Sun, 13 Dec 2009 14:13:46 +0900 The message identifier was <9c3b16360912122113s2a953d1dqfdb5a6ddb8f35c5a@mail.gmail.com>
The virus or unauthorised code identified in the email is:
Possible MalWare 'JS/PDFEncoded' found in
'5963838_1001X_PA3_APDF__pdf_obj_110_0.js'. Heuristics score: 651



Adobe 0-day analysis by F-secure

F-Secure folks (thanks mikkohypponen) released their analysis of the Adobe 0 day. As mentioned in the post by Extraexploit, it attempts to download ab.exe from hxxxp://foruminspace.com/documents/dprk/ab.exe

Adobe zero day quick analysis by Extraexploit

UPDATE
More technical details from extraexploit http://extraexploit.blogspot.com/2009/12/adobe-cve-2009-4324-in-wild.html


As this updated post of December 11, 2009 shows, a new Adobe zero day vulnerability is currently in the wild. If you are a malware analyst, grab your copy in the post and contact me for the infected pdf archive password.

Extraexploit analyzed his sample and reports that it drops ab.exe (download it from his blog or here and email for the password). Apparently, ab.exe generates traffic to 124.217.238.101.

Virustotal analysis of ab.exe 686738eb5bb8027c524303751117e8a9
File ab.exe received on 2009.12.15 12:38:33 (UTC)
Result: 8/40 (20%)
Antivirus Version Last Update Result
AntiVir 7.9.1.108 2009.12.15 TR/Drop.Agent.DT
Avast 4.8.1351.0 2009.12.15 Win32:Rootkit-DC
GData 19 2009.12.15 Win32:Rootkit-DC
McAfee+Artemis 5832 2009.12.14 Artemis!686738EB5BB8
Panda 10.0.2.2 2009.12.14 Suspicious file
PCTools 7.0.3.5 2009.12.15 Trojan.Dropper
Sophos 4.48.0 2009.12.15 Mal/Behav-027
Symantec 1.4.4.12 2009.12.15 Trojan.Dropper
Additional information
File size: 386016 bytes
MD5...: 686738eb5bb8027c524303751117e8a9
SHA1..: ad2ebe58b0ae2322b3ca6590f617c5a8ecc7b411
SHA256: d6afb2a2e7f2afe6ca150c1fade0ea87d9b18a8e77edd7784986df55a93db985
ssdeep: 6144:53Gcbn2gnsuwtasAlbkdIiXb8K/hYcZVnHIbNwJBBp5:JbwtasAV+xffZ5X

Threatexpert report on 686738eb5bb8027c524303751117e8a9

Sunbelt analysis of 686738eb5bb8027c524303751117e8a9