Thursday, August 26, 2010

Aug 26 CVE-2009-4324 Chess on the High Seas from matthewgebert@yahoo.com 113.30.106.22


Download 43cb55861b7fcf1dfb6968c9ef110bcc Aug2010.pdf as a password protected archive (contact me if you need the password)

From: Matthew Gebert [mailto:matthewgebert@yahoo.com]
Sent: Thursday, August 26, 2010 10:11 PM
To: matthewgebert@yahoo.com
Subject: Chess on the High Seas - Dangerous Times for U.S.-China Relations

The Obama administration's hopes that its warmer approach to Beijing would yield a more fruitful Sino-American relationship have been disappointed. Rather than adopting a more cooperative bearing, Beijing has become increasingly assertive over the past year. Recognizing the resulting detriment to U.S. interests and Asia-Pacific peace and security, the Obama administration is now pushing back. This new direction may convince Beijing to reconsider its recent assertive policies, but for now, the United States and China have entered a period of tense relations, raising the odds of a true crisis. Particularly worrisome is Chinese media coverage of this summer's quarrels, which has been nationalistic and anti-American in tone and content. Such coverage makes conflicts more difficult to resolve, as the Chinese regime cannot afford to look weak in the eyes of an incensed citizenry. Policymakers in both countries should be aware of this dynamic as they approach any additional disputes in the coming months.
Key points in this Outlook:
•    The United States and China have clashed over maritime exercises, with Beijing opposed to Washington asserting its right to exercise in international waters.
•    The Chinese media responded with a stream of nationalistic, anti-American reporting--portraying the United States as an imperial power.
•    Despite China's confidence, there are signs of internal weakness in the People's Republic, with social unrest on the rise.
•    The United States should prepare diplomatically and militarily for a potential crisis.

File name: Aug2010.pdf
Submission date: 2010-08-29 03:33:46 (UTC)
http://www.virustotal.com/file-scan/report.html?id=a74996d152e867a8bc9a7585a622bab3fdf7c792d9ed16d3fd07643bbec2cfff-1283052826
Result: 24/41 (58.5%)

Antivirus     Version     Last update     Result
AntiVir     8.2.4.46     2010.08.28     EXP/Pdfka.otd.2
Antiy-AVL     2.0.3.7     2010.08.26     Exploit/Win32.Pidief
Authentium     5.2.0.5     2010.08.28     PDF/Obfusc.M!Camelot
Avast     4.8.1351.0     2010.08.28     JS:Pdfka-WJ
Avast5     5.0.594.0     2010.08.28     JS:Pdfka-WJ
AVG     9.0.0.851     2010.08.28     Script/Exploit
BitDefender     7.2     2010.08.29     Exploit.PDF-JS.Gen
ClamAV     0.96.2.0-git     2010.08.28     Suspect.PDF.ObfuscatedJS-5
DrWeb     5.0.2.03300     2010.08.29     Exploit.PDF.1386
Emsisoft     5.0.0.37     2010.08.28     Exploit.Win32.Pidief!IK
eTrust-Vet     36.1.7823     2010.08.27     PDF/Utild.A
F-Prot     4.6.1.107     2010.08.28     JS/ShellCode.AV.gen
F-Secure     9.0.15370.0     2010.08.28     Exploit.PDF-JS.Gen
GData     21     2010.08.29     Exploit.PDF-JS.Gen
Ikarus     T3.1.1.88.0     2010.08.28     Exploit.Win32.Pidief
Kaspersky     7.0.0.125     2010.08.29     Exploit.Win32.Pidief.dcw
Microsoft     1.6103     2010.08.28     Exploit:Win32/Pdfjsc.FE
NOD32     5405     2010.08.28     JS/Exploit.Pdfka.OAQ
Norman     6.05.11     2010.08.28     PDF/Exploit.EK
nProtect     2010-08-28.01     2010.08.28     Exploit.PDF-JS.Gen
Panda     10.0.2.7     2010.08.28     Exploit/PDF.Gen.B
Sophos     4.56.0     2010.08.28     Troj/PDFJs-LP
Sunbelt     6808     2010.08.29     Exploit.PDF-JS.Gen (v)
TrendMicro-HouseCall     9.120.0.1004     2010.08.29     Expl_ShellCodeSM
Additional information
MD5   : 43cb55861b7fcf1dfb6968c9ef110bcc

PDF metadata
ModifyDate: 2009-12-22T11:36:33+08:00
CreateDate: 2009-07-08T10:53:46+08:00
MetadataDate: 2009-12-22T11:36:33+08:00


Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=43cb55861b7fcf1dfb6968c9ef110bcc&type=js

Vicheck
https://www.vicheck.ca/md5query.php?hash=43cb55861b7fcf1dfb6968c9ef110bcc

Headers

Received: from n9.bullet.mail.ac4.yahoo.com (HELO n9.bullet.mail.ac4.yahoo.com) (76.13.13.237)
  by XXXXXXXX with SMTP; 27 Aug 2010 02:11:07 -0000
Received: from [76.13.13.26] by n9.bullet.mail.ac4.yahoo.com with NNFMP; 27 Aug 2010 02:11:07 -0000
Received: from [67.195.9.82] by t3.bullet.mail.ac4.yahoo.com with NNFMP; 27 Aug 2010 02:11:06 -0000
Received: from [98.137.27.128] by t2.bullet.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 02:11:05 -0000
Received: from [127.0.0.1] by omp202.mail.gq1.yahoo.com with NNFMP; 27 Aug 2010 02:11:05 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 802667.36531.bm@omp202.mail.gq1.yahoo.com
Received: (qmail 72747 invoked by uid 60001); 27 Aug 2010 02:11:04 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1282875064; bh=l9AXsT5C8sF+Wj3+wZuf66KGHc9tCySFLnfUCWLNbP4=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=5lAniIl4dUviz+2ztqdLBTUv2dJJosRNUFwUA6v5b6Bv91c0xc3X2+iQi0lmA/u2zhBbdkpa/7kkRFxOwQ37Yug0Yz87x46EFqWnc7nj6NryiKtw5IwQQrmjbYis5+iUrM0+vIGFWDsafRccUMM2JLMcMmyuAwtWo2V306eDxuY=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=fyoCJ/7uWzk719SN6brIlyQpRM7DTUGHl3avD700M0W5g/8I8sy2taVIo3hUOtw5hJpy7AK7cB8uwMny2YQl/5gnaCSvogE9ZyOkTPe8VMYe+TCNJzOjcYSTpvWwCyY/HxWA/PM3pikcpAjWICDGaCGteXVewpEd7/UyO+F00eA=;
Message-ID: <520863.70331.qm@web120012.mail.ne1.yahoo.com>
X-YMail-OSG: Cg7zbwIVM1n3PDFvLIg7lltCnqUSL4y_NlzOFZE1zbiyDxr
 85gBGwOK1IbPQvo.9Hs2KWuieNkJFhApgm0ANFIB7L.bxG2QGqH7_XY9oix7
 hlESdD6YZrxr3Vw7Z5IbQUYLcVXpHI17096rHp_WSYX7foGEcAtyhxI_d7m9
 2.rOb6nWEuT6n_aOT3YujB85FSo9wvI8FRD4LJaA-
Received: from [113.30.106.22] by web120012.mail.ne1.yahoo.com via HTTP; Thu, 26 Aug 2010 19:11:04 PDT
X-Mailer: YahooMailClassic/11.3.2 YahooMailWebService/0.8.105.279950
Date: Thu, 26 Aug 2010 19:11:04 -0700
From: Matthew Gebert
Subject: Chess on the High Seas - Dangerous Times for U.S.-China Relations
To: matthewgebert@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-52491509-1282875064=:70331"


 113.30.106.22
Hostname:    113.30.106.22
ISP:    HCLC
Organization:    HCLC
Assignment:    Static IP
Country:    Korea, Republic of

 ============================================================
 Windows XP SP2 Adobe Reader 9.1

Created files:
%tmp%\asrss.exe   0 bytes

It needs to be tested on a different VM, perhaps; it crashes, so it is hard to tell without further testing or static analysis of the payload.
