Monday, January 11, 2010

Jan 11 CVE-2009-0927 CVE-2008-2992 China and Human Rights from jnfrlews@yahoo.com 2010.01.12 06:24:41 (UTC)

Download ChinaHR.pdf as AAF477AF8CFB73C6BD9945C5BE403FE9-ChinaHR.zip (password protected, please contact me for the password)

Details: AAF477AF8CFB73C6BD9945C5BE403FE9 - ChinaHR.pdf

From: Jennifer Lewis [mailto:jnfrlews@yahoo.com]
Sent: Monday, January 11, 2010 10:32 PM
To: XXXXXXXXXXXX
Subject: China and Human Rights

China's lack of political freedoms
Opinion towards China brings mixed agendas
China's poor attempt to deflect attention
Resentment of Chinese economic policy not benefiting locals
Lack of international unity, despite statements by media and world leaders
China's actions fuel the very thing it says it tries to fight
China and Africa; concerns over rights and exploitation
More information...
File ChinaHR.pdf received on 2010.01.12 06:24:41 (UTC)
The message sender was jnfrlews@yahoo.com
The message originating IP was 68.142.206.41
The message recipients were XXXXXXXXXXXXX
The message was titled China and Human Rights
The message date was Mon, 11 Jan 2010 19:31:56 -0800 (PST)
The message identifier was <54825.40062.qm@web113916.mail.gq1.yahoo.com>
attach/5963841_3X_PM5_EMS_MA-PDF__ChinaHR.pdf: Infected: Exploit.Win32.Pidief.bxf [AVP]


Virustotal
http://www.virustotal.com/analisis/b0c7da5ae8e22caeed88008c7847927a19fec7dd659746f6a124b08e3f95547b-1263277481

Result: 13/40 (32.5%)
AntiVir    7.9.1.134    2010.01.11    HTML/Silly.Gen
Antiy-AVL    2.0.3.7    2010.01.11    Exploit/Win32.Pidief
Authentium    5.2.0.5    2010.01.12    PDF/UtlPtf.B!Camelot
Avast    4.8.1351.0    2010.01.11    JS:Pdfka-ME
BitDefender    7.2    2010.01.12    Exploit.PDF-JS.Gen
eSafe    7.0.17.0    2010.01.11    PDF.Exploit
F-Secure    9.0.15370.0    2010.01.12    Exploit.PDF-JS.Gen
GData    19    2010.01.12    Exploit.PDF-JS.Gen
Kaspersky    7.0.0.125    2010.01.12    Exploit.Win32.Pidief.bxf
McAfee-GW-Edition    6.8.5    2010.01.12    Script.Silly.Gen
Sophos    4.49.0    2010.01.12    Troj/PDFJS-BX
Sunbelt    3.2.1858.2    2010.01.12    Exploit.PDF.Pidief (v)
VirusBuster    5.0.21.0    2010.01.11    JS.BOFExploit.Gen
Additional information
File size: 119239 bytes
MD5...: aaf477af8cfb73c6bd9945c5be403fe9


Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=aaf477af8cfb73c6bd9945c5be403fe9&type=js
Adobe getIcon: stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object (CVE-2009-0927)

Update January 18, 2010 
jsunpack
Even better results were produced and submitted by Blake (thank you, Blake) using his jsunpack tool - see http://jsunpack.blogspot.com. Utilprintf CVE-2008-2992 was detected in addition to CollabgetIcon CVE-2009-0927.
jsunpack-n$ ./jsunpack-n.py ChinaHR.pdf -V
check line 1371
Processing ChinaHR.pdf
[malicious:10] [PDF] ChinaHR.pdf
       info: [decodingLevel=0] found JavaScript
       info: [decodingLevel=0] decoded 6269 bytes (./files/decoding_257729096ea832ff72e7365e34062d183d69f2fe)
       malicious: Utilprintf CVE-2008-2992 detected
       malicious: CollabgetIcon CVE-2009-0927 detected
       info: [decodingLevel=1] found JavaScript
       info: saved original parsed JavaScript to ./files/veryverbose_257729096ea832ff72e7365e34062d183d69f2fe
       info: Decoding option app.viewerVersion=8.0,    4012 bytes
       info: Decoding option app.viewerVersion= and app.viewerVersion=9.1,     0 bytes
       info: [decodingLevel=1] decoded 4012 bytes (./files/decoding_93aa0a7dc84a9b7ef6fe87912af5481a0d6a9f4d)
       suspicious: Warning detected //warning CVE-NO-MATCH Shellcode NOP len 9999 //warning CVE-NO-MATCH Shellcode NOP len 506 //warning CVE-NO-MATCH Shellcode NOP len 297 //warning CVE-NO-MATCH Shellcode NOP len 261833
       malicious: shellcode of length 565/295 (./files/shellcode_2b5537e1a69fa16a8c625e0087023c9506002d7e)
       malicious: shellcode of length 551/277 (./files/shellcode_e9f9df40fb0abdc9c6b119423800ca9d0583411c)
       info: [2] no JavaScript
       info: [file] saved ChinaHR.pdf to (./files/original_074517645ec0b7e50bc788910dda51c0e9dcd889)

[file] created ./files/decoding_257729096ea832ff72e7365e34062d183d69f2fe from ChinaHR.pdf
[file] created ./files/veryverbose_257729096ea832ff72e7365e34062d183d69f2fe from ChinaHR.pdf
[file] created ./files/decoding_93aa0a7dc84a9b7ef6fe87912af5481a0d6a9f4d from ChinaHR.pdf
[file] created ./files/shellcode_2b5537e1a69fa16a8c625e0087023c9506002d7e from ChinaHR.pdf
[file] created ./files/shellcode_e9f9df40fb0abdc9c6b119423800ca9d0583411c from ChinaHR.pdf
[file] created ./files/original_074517645ec0b7e50bc788910dda51c0e9dcd889 from ChinaHR.pdf
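The jsunpack run above shows what a first-pass PDF triage has to do: pull the JavaScript out of the (usually FlateDecode-compressed) stream objects, look for the API names tied to the known bugs (util.printf for CVE-2008-2992, Collab.getIcon for CVE-2009-0927), and flag the long padding runs it reports as "Shellcode NOP len". The script below is an added example of that static approach written for this post; it is not jsunpack's code, and the sample PDF it builds is constructed here, containing only the API names and a %u9090 padding string, no exploit. Function and indicator names are my own choices. It also shows the limit of the static approach that jsunpack's "Decoding option app.viewerVersion=8.0" lines hint at: when the script branches on the viewer version or builds its names at runtime, plain pattern matching misses what emulation catches.

```python
import re
import zlib

# Hypothetical static PDF triage helper written for this post; it is not
# jsunpack's code. It looks for the two API names jsunpack reported
# (util.printf for CVE-2008-2992, Collab.getIcon for CVE-2009-0927) and for
# long runs of one repeated %u-escaped word, the padding pattern jsunpack
# flags as "Shellcode NOP len".
INDICATORS = {
    "CVE-2008-2992": re.compile(rb"util\s*\.\s*printf", re.IGNORECASE),
    "CVE-2009-0927": re.compile(rb"Collab\s*\.\s*getIcon", re.IGNORECASE),
}
SLED_MIN_REPEATS = 200
SLED_RE = re.compile(rb"(%u[0-9a-fA-F]{4})\1{" + str(SLED_MIN_REPEATS - 1).encode() + rb",}")

# Nearest dictionary before a "stream" keyword (tempered dot so an earlier,
# unrelated dictionary is not swallowed), and a direct numeric /Length.
STREAM_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
JS_STRING_RE = re.compile(rb"/JS\s*\((.*?)\)", re.DOTALL)


def extract_streams(pdf_bytes):
    """Yield (dictionary, data) for every stream object, inflating FlateDecode."""
    for m in STREAM_RE.finditer(pdf_bytes):
        dictionary, start = m.group(1), m.end()
        length = LENGTH_RE.search(dictionary)
        if length:
            data = pdf_bytes[start:start + int(length.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            end = pdf_bytes.find(b"endstream", start)
            data = pdf_bytes[start:end if end != -1 else None]
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # keep raw bytes; a stream that will not inflate is itself worth a look
        yield dictionary, data


def triage(pdf_bytes):
    """Return {'indicators': [CVE ids], 'sled_runs': n, 'streams': n} for one PDF."""
    findings = {"indicators": [], "sled_runs": 0, "streams": 0}
    regions = []
    for _dictionary, data in extract_streams(pdf_bytes):
        findings["streams"] += 1
        regions.append(data)
    # JavaScript may also sit in a literal /JS (...) string outside any stream.
    regions.extend(m.group(1) for m in JS_STRING_RE.finditer(pdf_bytes))
    for region in regions:
        for cve, pattern in INDICATORS.items():
            if pattern.search(region) and cve not in findings["indicators"]:
                findings["indicators"].append(cve)
        findings["sled_runs"] += len(SLED_RE.findall(region))
    findings["indicators"].sort()
    return findings


def is_suspicious(findings):
    return bool(findings["indicators"]) or findings["sled_runs"] > 0


def build_sample_pdf():
    """Constructed, harmless sample: an OpenAction JavaScript stream that
    branches on app.viewerVersion (as the real script did), names the two
    APIs and carries a %u9090 padding string. No exploit content."""
    js = (b"var pad = '" + b"%u9090" * 300 + b"';\n"
          b"if (app.viewerVersion < 9) { util.printf('%d', 1); }\n"
          b"else { Collab.getIcon('x'); }\n")
    stream = zlib.compress(js)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R"
        b" /OpenAction << /S /JavaScript /JS 4 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, start=1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = triage(build_sample_pdf())
    print(result, "suspicious" if is_suspicious(result) else "clean")
```

Run against the constructed sample, triage() reports both CVE indicators and one padding run. Against a real sample such as the one posted here, the same code only sees names that appear literally in the decoded stream; the viewer-version branches and any string-built API names need the emulation that jsunpack's decoding options provide, which is why the static pass is a filter for what to send to the sandbox, not a verdict.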