Wednesday, January 6, 2010

Jan 4 CVE-2009-4324 with Backdoor:Win32/Bifrose.gen!E [研討會]2010 Being Global and Local研討會 ("[Seminar] 2010 Being Global and Local Seminar") from politic@ntu.edu.tw Mon, 4 Jan 2010 15:57:28


Initial note: most likely CVE-2009-1862. Carries Backdoor:Win32/Bifrose.gen!E.

After a bit of playing with pdf-parser.py, I think it is CVE-2009-4324. Maybe something else, you are welcome to check :) I thought it was CVE-2009-1862 at first, based only on how some antivirus vendors detected it, but I was wrong. Wepawet did not detect it as malicious, the same situation Bojan had; see "Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324".

I also got the same error at first.

I think the screenshot below shows that it is CVE-2009-4324:

[screenshot: pdf-parser.py output]

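As an added illustration of the kind of check pdf-parser.py is used for above (example code written for this page, not the blog's or pdf-parser.py's own): walk a PDF's indirect objects, inflate FlateDecode streams, and flag JavaScript actions together with the Doc.media.newPlayer call that the CVE-2009-4324 description names. The embedded PDF is a constructed stand-in, not the sample from this post.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Doc.media.newPlayer is the method named in the CVE-2009-4324 description.
NEWPLAYER_RE = re.compile(rb"media\s*\.\s*newPlayer")
JS_NAMES = (b"/JS", b"/JavaScript", b"/AA")

def decode_stream(body):
    """Return an object's stream payload, inflated when it is FlateDecode-compressed."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    raw = m.group(1)
    if b"/FlateDecode" in body:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # damaged or obfuscated stream: scan the raw bytes anyway
    return raw

def triage_pdf(data):
    """Walk every indirect object and report JS actions and the newPlayer indicator."""
    findings = {"has_openaction": False, "js_objects": [], "newplayer_objects": []}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(2)
        if b"/OpenAction" in body:
            findings["has_openaction"] = True
        if any(name in body for name in JS_NAMES):
            findings["js_objects"].append(num)
        if NEWPLAYER_RE.search(body) or NEWPLAYER_RE.search(decode_stream(body)):
            findings["newplayer_objects"].append(num)
    findings["verdict"] = ("likely CVE-2009-4324" if findings["newplayer_objects"]
                           else "has JavaScript, inspect manually" if findings["js_objects"]
                           else "no JS actions")
    return findings

# Constructed stand-in PDF (not the sample from this post): /OpenAction fires a
# JavaScript action whose Flate-compressed script references media.newPlayer.
_SCRIPT = zlib.compress(b"var p = media.newPlayer(null);")
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
              b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
              b"5 0 obj << /Length " + str(len(_SCRIPT)).encode() + b" /Filter /FlateDecode >>\n"
              b"stream\n" + _SCRIPT + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
```

Real samples split or escape the string, so treat this as a first pass before reading the script in pdf-parser.py; the document discussed here got past Wepawet's JavaScript analysis entirely.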
The message sender was politic@ntu.edu.tw
The message was titled [研討會]2010 Being Global and Local研討會
The message date was Mon, 4 Jan 2010 15:57:28 +0800
The message identifier was

Virustotal
http://www.virustotal.com/analisis/6341588926166ce800a238d1a669d27f45ec6b193f8f620c169c54c4e1fa3ca3-1262718161
File Being_Global_and_Local_Conference received on 2010.01.05 19:02:41 (UTC)
Result: 7/41 (17.07%)
Antivirus     Version     Last Update     Result
BitDefender     7.2     2010.01.05     Exploit.PDF-JS.Gen
F-Secure     9.0.15370.0     2010.01.05     Exploit.PDF-JS.Gen
GData     19     2010.01.05     Exploit.PDF-JS.Gen
Kaspersky     7.0.0.125     2010.01.05     Exploit.JS.Pdfka.adn
McAfee-GW-Edition     6.8.5     2010.01.05     Heuristic.BehavesLike.PDF.Shellcode.Z
Microsoft     1.5302     2010.01.05     Exploit:JS/Heapspray
nProtect     2009.1.8.0     2010.01.05     Exploit.PDF-JS.Gen.C02
Additional information
File size: 222161 bytes
MD5   : 08b89c0b7949b1d2017356b1bbb75f6a

Wepawet
http://wepawet.iseclab.org/view.php?hash=08b89c0b7949b1d2017356b1bbb75f6a&type=js
File    Being Global and Local_Conference Agenda.pdf
MD5    08b89c0b7949b1d2017356b1bbb75f6a
Analysis Started    2010-01-05 11:21:59
Report Generated    2010-01-05 11:22:32
Jsand 1.03.02    benign :(

PDF contents

[screenshot: PDF contents]

Payload
desktop.exe


Registry entry "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{11CDF7EC-651B-76AA-AD69-4005FE080DE8}\stubpath" (created):
New entry was set to

Process iexplore.exe :
Number of running instances during logon time changed: 1 instead of 0

Process desktop.exe :
Process detected for the first time (2 instances)


Anubis test
http://anubis.iseclab.org/?action=result&task_id=191c487ec1f466e04017de7fcf8b3167c&format=html
Analysis Reason:
desktop.exe wrote to the virtual memory of this process
Filename:
Explorer.EXE
MD5:
12896823fb95bfb3dc9b46bcaedc9923
SHA-1:
9d2bf84874abc5b6e9a2744b7865c193c08d362f
File Size:
1033728 Bytes
Command Line:
C:\WINDOWS\Explorer.EXE

- DNS Queries:

Name                  Query Type    Query Result    Successful    Protocol
chipone.1dumb.com     DNS_TYPE_A    0.0.0.0         1
chiptwo.myFTP.info    DNS_TYPE_A    0.0.0.0         1
dtone.3d-game.com     DNS_TYPE_A    64.156.29.35    1


Unknown TCP Traffic:
from ANUBIS:1038 to 64.156.29.35:443
State: Normal establishment and termination - Transferred outbound Bytes: 65 - Transferred inbound Bytes: 0
Data sent:
3d00 0000 91e3 1c11 82bd cab6 9241 f6b8    =............A..
33df b1a6 5914 3f01 d09c 3303 032c e943    3...Y.?...3..,.C
1580 1f9c 2dfe 808b 1182 de4d 0187 6a10    ....-......M..j.


TCP Connection Attempts:
from ANUBIS:1038 to 64.156.29.35:443

http://www.threatexpert.com/report.aspx?md5=1fc67927ab4588cc21f71bda010cbd4a

Headers
....
Received: from microsoft72cc5 (60-248-102-9.HINET-IP.hinet.net [60.248.102.9])
    by msr18.hinet.net (8.9.3/8.9.3) with ESMTP id PAA02138;
    Mon, 4 Jan 2010 15:57:37 +0800 (CST)
Message-ID:
From: =?big5?B?pXikaqxGqna+x6h0?=
To:
Subject: =?big5?B?W6zjsFG3fF0yMDEwIEJlaW5nIEdsb2JhbCBhbmQgTG9jYWys47BRt3w=?=
Date: Mon, 4 Jan 2010 15:57:28 +0800

Hostname: 60-248-102-9.hinet-ip.hinet.net
ISP: CHTD, Chunghwa Telecom Co., Ltd.
Organization: Jia Teng System Co., Ltd.
Country: Taiwan  
City: Taipei

