Monday, June 14, 2010

Jun 14 CVE-2010-1297 PDF Adobe 0-Day WEO from sacchetti.dana@gmail.com

Adobe will fix this vulnerability on June 29

Many thanks to Scott D, JM, AK1010 and Villy for their information, relevant discussions and ideas, and to Binjo for his shellcode analysis.

Download 81f31e17d97342c8f3700fdd56019972 WEO.pdf + dropped files + shellcode (by Binjo)

Tested on Flash 10.1, Acrobat Reader 9.3.2, Windows XP SP3. It does not work on XP SP2, Vista or Windows 7.

Message:

VT SCAN JUNE 21
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1277107857

File WEO.pdf received on 2010.06.22 04:18:27 (UTC)
Result: 13/41 (31.71%)
Antivirus    Version    Last Update    Result
a-squared    5.0.0.30    2010.06.22    Exploit.SWF.Agent!IK
AntiVir    8.2.2.6    2010.06.21    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.06.18    Exploit/SWF.Agent
BitDefender    7.2    2010.06.22    Exploit.SWF.J
Comodo    5178    2010.06.22    UnclassifiedMalware
F-Prot    4.6.1.107    2010.06.21    JS/Pdfka.V
F-Secure    9.0.15370.0    2010.06.22    Exploit.SWF.J
GData    21    2010.06.22    Exploit.SWF.J
Ikarus    T3.1.1.84.0    2010.06.22    Exploit.SWF.Agent
Kaspersky    7.0.0.125    2010.06.22    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.22    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.22    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972

Javascript code snapshot

On Windows XP SP3 there is a slight delay/flicker before the PDF opens the clean decoy file shown below.

The dropped files are the following:
  • 9ED35F49FA4DAF6CAC55E09719C58823 a.pdf - clean decoy file you see on the left
  • D87246D9E33C121C7F2615AE9B64FC9C ProdMgr.exe
  • TEMXX.tmp (where XX is a random number), 380 kb, which is cmd.exe

File ProdMgr.exe received on 2010.06.22 05:01:15 (UTC)
http://www.virustotal.com/analisis/e2252eda0fdee991ecf2448d35ef33555de06f25c48827beb46bbebc2bf96bb6-1277182875
Result: 19/41 (46.35%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.30    2010.06.22    Backdoor.Win32.Ixeshe!IK
AhnLab-V3    2010.06.22.00    2010.06.22    Backdoor/Win32.Small
AntiVir    8.2.2.6    2010.06.21    BDS/Small.jjf
Avast    4.8.1351.0    2010.06.21    Win32:Malware-gen
Avast5    5.0.332.0    2010.06.21    Win32:Malware-gen
AVG    9.0.0.787    2010.06.21    Small.CCX
BitDefender    7.2    2010.06.22    Trojan.Generic.4211739
Comodo    5178    2010.06.22    Backdoor.Win32.Small.jjf
eSafe    7.0.17.0    2010.06.20    Win32.Small.Nem
F-Secure    9.0.15370.0    2010.06.22    Trojan.Generic.4211739
GData    21    2010.06.22    Trojan.Generic.4211739
Ikarus    T3.1.1.84.0    2010.06.22    Backdoor.Win32.Ixeshe
Kaspersky    7.0.0.125    2010.06.22    Backdoor.Win32.Small.jjf
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.Win32.PasswordStealer.H
NOD32    5216    2010.06.21    probably a variant of Win32/Small.NEM
nProtect    2010-06-21.01    2010.06.21    Trojan.Generic.4211739
Panda    10.0.2.7    2010.06.21    Suspicious file
Sunbelt    6483    2010.06.21    Trojan.Win32.Generic!BT
ViRobot    2010.6.21.3896    2010.06.22    Backdoor.Win32.S.Small.30720.E
VirusBuster    5.0.27.0    2010.06.21    -
Additional information
File size: 30720 bytes
MD5...: d87246d9e33c121c7f2615ae9b64fc9c

older scan

http://anubis.iseclab.org/?action=result&task_id=103e66936121161044dbaae530a892283&format=html

=============================================
Traffic information
DNS Queries
ftp.jlesher.xxuz.com       DNS_TYPE_A       21.216.185.67       YES       udp
www.jlesher.xxuz.com      DNS_TYPE_A      110.4.3.2      YES      udp
TCP Connections
216.185.67.21:443

Interesting traffic, really. Looks like they configured their Changeip.com domain name ftp.jlesher.xxuz.com to point to 21.216.185.67.
216.185.67.21, which you can see also being used by this malware, is very similar.
I think they just made a typo and directed it to DoD instead of their machine.
Or they temporarily set that domain to 21.216.185.67 (DoD traffic is not suspicious) and will turn it back to the real address when the time is right.

Unconfirmed theory here is that the malware receives DNS replies 21.216.185.67 and 110.4.3.2 and transforms them into 216.185.67.21:443 by transposing 21 for the IP address and by using the following formula to turn 110.4.3.2 into the port number: for a.b.c.d = 110.4.3.2, (a*b)+c = 443.
(Many thanks to Scott D. for clueing me in about such a possibility and to Jack M for the relevant discussions and ideas.)
I think the benefits of such an arrangement would be diversion for the admins (blocking 110.4.3.2 and 21.216.185.67 achieves nothing) and the ability to change IP ports by just changing the IP address on their domain in Changeip.com.

Your thoughts or other theories are welcome. If we confirm anything, we will post the code or additional info.
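As an added example (not code from the original post or from the malware), the unconfirmed theory above written as a check an analyst can run against a sandbox report: derive the candidate host:port from the two DNS answers using the octet transposition and the (a*b)+c port formula the post hypothesises, then compare it with the observed TCP connection. The function names and the dictionary layout are my own; the IP addresses and port are the ones quoted from the Anubis report.

```python
# Added example: tests the hypothesis that two decoy DNS answers encode the
# real C2 endpoint (IP from one answer, port from the other).
from ipaddress import IPv4Address

# Constructed from the DNS/TCP lines of the Anubis report quoted in the post.
DNS_ANSWERS = {
    "ftp.jlesher.xxuz.com": "21.216.185.67",
    "www.jlesher.xxuz.com": "110.4.3.2",
}
OBSERVED_TCP = {"216.185.67.21:443"}


def rotate_octets(ip: str, shift: int = 1) -> str:
    """Move the first `shift` octets to the end: 21.216.185.67 -> 216.185.67.21."""
    octets = str(IPv4Address(ip)).split(".")  # IPv4Address rejects malformed input
    return ".".join(octets[shift:] + octets[:shift])


def port_from_ip(ip: str) -> int:
    """Hypothesised port formula from the post: for a.b.c.d, port = a*b + c."""
    a, b, c, _d = (int(x) for x in str(IPv4Address(ip)).split("."))
    port = a * b + c
    if not 0 < port < 65536:
        raise ValueError(f"{ip} does not yield a usable port ({port})")
    return port


def derive_endpoint(addr_ip: str, port_ip: str) -> str:
    """Combine the two decoy answers into the candidate host:port."""
    return f"{rotate_octets(addr_ip)}:{port_from_ip(port_ip)}"


def hypothesis_matches(dns_answers: dict, observed: set) -> bool:
    """True if any ordered pair of DNS answers reproduces an observed connection."""
    ips = list(dns_answers.values())
    for addr_ip in ips:
        for port_ip in ips:
            if addr_ip != port_ip and derive_endpoint(addr_ip, port_ip) in observed:
                return True
    return False


if __name__ == "__main__":
    print(derive_endpoint("21.216.185.67", "110.4.3.2"))  # 216.185.67.21:443
    print(hypothesis_matches(DNS_ANSWERS, OBSERVED_TCP))  # True
```

A match only shows the arithmetic is consistent with one capture; confirming the theory still needs the decoding routine located in the binary, as the post says.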


Traffic. Malware IPs are marked - see picture below

DNS query for ftp.jlesher.xxuz.com returns 21.216.185.67
21.216.185.67 is http://www.dnsstuff.com/tools/whois/?tool_id=66&token=&toolhandler_redirect=0&ip=21.216.185.67

DoD Network Information Center is Department of Defense http://www.nic.mil/
DoD Network Information Center Mission Statement:To provide information and services that are mission critical to the operation of the worldwide IP router Defense Information Systems Network (DISN) and other DoD sponsored networks.
OrgName: DoD Network Information Center 
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 21.0.0.0 - 21.255.255.255
CIDR: 21.0.0.0/8
NetName: DNIC-SNET-021
NetHandle: NET-21-0-0-0-1
**********@nic.mil
OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642

General IP Information
Hostname: 61.177.42.5
ISP: Data Communication Division
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Broadband
Assignment: Dynamic IP
Country: China 
State/Region: Beijing

OLDER SCANS

VT SCAN JUNE 17 (with minor improvement)
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276774425
File WEO.pdf received on 2010.06.17 11:33:45 (UTC)
Result: 9/41 (21.96%)
Antivirus    Version    Last Update    Result
a-squared    5.0.0.26    2010.06.17    Exploit.SWF.Agent!IK
AntiVir    8.2.2.6    2010.06.17    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.06.17    Exploit/SWF.Agent
F-Prot    4.6.0.103    2010.06.16    JS/Pdfka.V
Ikarus    T3.1.1.84.0    2010.06.17    Exploit.SWF.Agent
Kaspersky    7.0.0.125    2010.06.17    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.16    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.17    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.17    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972

VT SCAN JUNE 16
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276571931
Antivirus    Version    Last Update    Result
BitDefender     7.2     2010.06.15     Exploit.SWF.J
F-Prot     4.6.0.103     2010.06.14     JS/Pdfka.V
F-Secure     9.0.15370.0     2010.06.15     Exploit.SWF.J
GData     21     2010.06.15     Exploit.SWF.J
Kaspersky     7.0.0.125     2010.06.15     Exploit.SWF.Agent.dp
Microsoft     1.5802     2010.06.14     Exploit:SWF/CVE-2010-1297.A
Sophos     4.54.0     2010.06.15     Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972
