Wednesday, February 10, 2010

Feb 10 CVE-2009-4324 Rep. Mike Castle faking @ssd.com sender 2010-02-10 10:08 AM

This post is to be continued...


According to  Villy (thanks, Villy :)) the file contains two embedded pdfs - one small with js exploiting CVE-2009-4324 and one larger clean file. There is also a xored exe between those two files.
It is a very nice package.



 
From:[Redacted] [mailto:[Redacted]@gmail.com]
Sent: 2010-02-10 10:08 AM
Subject: Rep. Mike Castle

Attached is an invitation for a February 15 reception honoring Rep. Mike Castle (R-De) in his candidacy for the U.S. Senate.   I hope you will be able to join us.

Although his expected Democrat opponent has dropped out of the race, the New Castle County Executive has already announced his intention to seek the Democractic nomination.  Hence, Mike's political situation is strong, but the Democrats are expected to make a full scale contest out of this race.

Presuming your support, Mike will make a great contribution in the Senate for Delaware and the Country.

Please send your response to me at: [Redacted]@gmail.com

All best,

[Redacted]
[Redacted]
[Redacted]@ssd.com

Direct: +1.[Redacted]
Fax: +1.[Redacted]
Mobile: +[Redacted]

Squire Sanders Public Advocacy, LLC
a wholly owned non-law firm affiliate of
Squire, Sanders & Dempsey L.L.P.
Suite 500
1201 Pennsylvania Avenue, N.W.
Washington, D.C. 20004

sspa.ssd.com

Squire Sanders|Legal Counsel Worldwide
32 Offices in 15 Countries
Cincinnati • Cleveland • Columbus • Houston • Los Angeles • Miami • New York • Palo Alto • Phoenix • San Francisco • Tallahassee • Tampa • Tysons Corner • Washington DC • West Palm Beach | Bogotá+ • Buenos Aires+ • Caracas • La Paz+ • Lima+ • Panamá+ • Rio de Janeiro • Santiago+ • Santo  Domingo • São Paulo | Bratislava • Brussels • Bucharest+ • Budapest • Dublin+ • Frankfurt • Kyiv • London • Moscow • Prague • Riyadh+ • Warsaw | Beijing • Hong Kong • Shanghai • Tokyo
+Independent Network Firm

NOTICE: This email message and all attachments transmitted with it are intended solely for the use of the addressees and may contain legally privileged, protected or confidential information. If you have received this message in error, please notify the sender immediately by email reply and please delete this message from your computer and destroy any copies.


IRS Circular 230 Notice: To comply with U.S. Treasury regulations, we advise you that any U.S. federal tax advice included in this communication is not intended or written to be used, and cannot be used, to avoid any U.S. federal tax penalties or to promote, market, or recommend to another party any transaction or matter.


Original PDF
 http://www.virustotal.com/analisis/70f43ed12ff8c48156f5d1ad9e09f12ecbcff77f64bbc8a2f58566e3e9f3c06f-1265828519
  File Invitation_to_Mike_Castle_Event.p received on 2010.02.10 19:01:59 (UTC)
Result: 1/41 (2.44%)
Sophos     4.50.0     2010.02.10     Mal/PDFEx-D
File size: 325206 bytes
MD5   : 7775e7ade13d73919e8dca4695ae7d0a

The first unpacked pdf 1.pdf with CVE-2009-4324
http://www.virustotal.com/analisis/e83a2b658f404731e314a8646e258d17a383ac474564c3d5f6ccd36ad2a93c3d-1266008863
Result: 5/41 (12.2%)
Loading server information...
Avast    4.8.1351.0    2010.02.12    JS:Pdfka-gen
BitDefender    7.2    2010.02.12    Exploit.PDF-JS.Gen
GData    19    2010.02.12    Exploit.PDF-JS.Gen
nProtect    2009.1.8.0    2010.02.12    Exploit.PDF-JS.Gen.C02
Sunbelt    5671    2010.02.11    Exploit.PDF-JS.Gen (v)

File size: 7221 bytes
MD5...: caf3ff27a9688097cf13906c117513ef

1.pdf shellcode (again by Villy)

No comments:

Post a Comment