Wednesday, August 11, 2010

Aug 3 CVE-2010-0188 PDF Asian Regionalism and US Policy

CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors


UPDATE August 11,2010 Many thanks to binjo (@binjo), xanda (@xanda), Matthew de Carteret (@lordparody) and Tyler M from Vicheck.ca for additional information/analysis of the attachment


Download  126939c66f62baaa0784d4e7f5b4d973 Asian_Regionalism_and_US_Policy  and all the files listed below as a password protected archive (please contact me for the password if you need it)



From: XXXXXXXX [mailto:XXXXXXXXXXX@yahoo.com]
Sent: Tuesday, August 03, 2010 8:18 AM
To: XXXXXXXXXXXX
Subject: Asian Regionalism and US Policy

Dear All,

Recently I read an excellent article.

Maybe you are interested in it.

FYI.

Best,
XXXXXX

 File Asian_Regionalism_and_US_Policy.p received on 2010.08.05 05:00:51 (UTC)
http://www.virustotal.com/analisis/d4323260646038181015f91cc83fc310b9f4901bb2c187cc5580ff15ae798737-1280984451
Result: 7/41 (17.08%)
Authentium    5.2.0.5    2010.08.05    JS/CVE-0188
BitDefender    7.2    2010.08.05    Exploit.PDF-JS.Gen
F-Prot    4.6.1.107    2010.08.05    JS/CVE-0188
F-Secure    9.0.15370.0    2010.08.05    Exploit.PDF-JS.Gen
GData    21    2010.08.05    Exploit.PDF-JS.Gen
Microsoft    1.6004    2010.08.04    Exploit:Win32/Pdfjsc.gen!B
nProtect    2010-08-04.01    2010.08.04    Exploit.PDF-JS.Gen
Additional information
File size: 168331 bytes
MD5...: 126939c66f62baaa0784d4e7f5b4d973

Headers
Received: from [173.244.197.210] by web120020.mail.ne1.yahoo.com via HTTP; Tue, 03 Aug 2010 05:17:59 PDT
X-Mailer: YahooMailClassic/11.2.4 YahooMailWebService/0.8.105.279950
Date: Tue, 3 Aug 2010 05:17:59 -0700
From: "XXXXXXXXXXX"
Subject: Asian Regionalism and US Policy
To: XXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1610185150-1280837879=:30394"

Tor
Hostname:    anonymizer2.torservers.net
ISP:    Hosting Services
Organization:    Hosting Services
Proxy:    Confirmed proxy server. (Read about proxy servers)
State/Region:    Utah
City:    Providence

=============
 Test on WinXP XP 2 Adobe 8 and 9.3.0

Created files
%tmp%\1.dat
File: 1.dat
Size: 168331
MD5:  126939C66F62BAAA0784D4E7F5B4D973 (same as the PDF itself)
%tmp%\A9R3302.tmp
File A9R3302.tmp
Size: 358
MD5:  AD395DBE5B8E5005CF87EC6B0958AB09
%tmp%\jackjon.exe
File: jackjon.exe
Size: 0
MD5:  D41D8CD98F00B204E9800998ECF8427E





Vicheck.ca results
PDF Exploit metasploit version of TIFF overflow CVE-2010-0188


CREATED FILE 1 -  1.dat = 126939C66F62BAAA0784D4E7F5B4D973  168331 bytes
CVE-2010-0188  1.dat, which is the same MD5 as Asian_Regionalism_and_US_Policy.pdf
MD5:  126939C66F62BAAA0784D4E7F5B4D973
 the js (131) checks for the version and loads the image according to the version (149) (@Xanda )



Note 450 PDF Comments in this manner in the end of the file (comments welcome, not sure what they are for)

============================================================================
CREATED FILE 2
A9RF7D5.tmp  5c0b10ca87c532b43519eb567f29b182.tmp  :358 bytes

If you open 1.dat MD5:  126939C66F62BAAA0784D4E7F5B4D973 as an Adobe document, the created files are the same as listed above except there is a
program.pdf (0bytes) instead of jackjon.exe (0 bytes)

Interestingly, Vicheck.ca got much better results than we did  - program.pdf and jackjon.exe were not 0 bytes
C:\DOCUME~1\username\LOCALS~1\Temp\A9RF7D5.tmp=5c0b10ca87c532b43519eb567f29b182.tmp:358
C:\DOCUME~1\username\LOCALS~1\Temp\1.dat=126939c66f62baaa0784d4e7f5b4d973.dat:168331
C:\DOCUME~1\username\LOCALS~1\Temp\jackjon.exe=939b7526572f0c128c0cda9baed7f8a3.exe:7763
C:\DOCUME~1\username\LOCALS~1\Temp\program.pdf=407236f7f989210fa64630b5ac501d94.pdf:156771

C:\DOCUME~1\username\LOCALS~1\Temp\program.pdf=407236f7f989210fa64630b5ac501d94.pdf:156771
==============================================================================
CREATED FILE 3
jackjon.exe   939b7526572f0c128c0cda9baed7f8a3   7763 bytes
Analysis details on jackjon.exe from Binjo (@binjo)
http://pastebin.org/468812




 payload decoding rol+xor(197-201) from 0xdf8 + 4 (@binjo  http://pastebin.org/459615)


Shellcode (@binjo)

 
 A few interesting changes from the Anubis analysis
http://anubis.iseclab.org/?action=result&task_id=161ab6f77e4f50384cd3bf260e71d3a26
Files Renamed: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Old File Name: [ C:\939b752657.exe ], New File Name: [ C:\Documents and Settings\Administrator\cisvc.exe  ]
Registry Values Modified:
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ ProxyBypass ], New Value: [ 1 ] 
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows
\CurrentVersion\Internet Settings ], Value Name: [ ProxyEnable ], New Value: [ 0
 Registry Values created
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
SystemService = "%UserProfile%\cisvc.exe"
    Files Created (downloaded): 
    File Name: [ C:\Documents and Settings\Administrator\KB958544.log ] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\localstart[1].htm ]
    [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ trading.armed.us ], Query Type: [ DNS_TYPE_A ], Query Result: [ 202.134.237.59 ], Successful: [ YES ], Protocol: [ udp ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
    HTTP Conversations: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] From ANUBIS:1038 to 202.134.237.59:80 - [ trading.armed.us ] Request: [ GET /localstart.html ], Response: [ 200 "OK" ] From ANUBIS:1039 to 202.134.237.59:80 - [ trading.armed.us ] Request: [ GET /localstart.html ], Response: [ 206 "Partial Content" ] 



    Anubis Pcap - download

    Vicheck pcap

    Domains used
    trading.armed.us 202.134.237.59:80
    freetrade.allowed.org
    Screeshot from Robtex.com

    File name: 939b7526572f0c128c0cda9baed7f8a3.
    http://www.virustotal.com/file-scan/report.html?id=23e7e286cd8e18e42b02172dba48956a5358c7a78743dff97ba80c0a609a1eae-1281416834
    Submission date: 2010-08-10 07:07:14 (UTC)
    Result: 25 /42 (59.5%)
    AntiVir 8.2.4.34 2010.08.09 TR/Crypt.NSPI.Gen
    Authentium 5.2.0.5 2010.08.10 W32/Heuristic-210!Eldorado
    AVG 9.0.0.851 2010.08.09 Generic15.AZAH
    BitDefender 7.2 2010.08.10 DeepScan:Generic.Malware.Sdld!!.F74D3917
    CAT-QuickHeal 11.00 2010.08.10 (Suspicious) - DNAScan
    ClamAV 0.96.0.3-git 2010.08.10 PUA.Packed.NPack-2
    Comodo 5702 2010.08.10 Heur.Pck.NsPacK
    Emsisoft 5.0.0.36 2010.08.10 Trojan-Dropper.Agent!IK
    eSafe 7.0.17.0 2010.08.09 Suspicious File
    F-Prot 4.6.1.107 2010.08.09 W32/Heuristic-210!Eldorado
    F-Secure 9.0.15370.0 2010.08.10 DeepScan:Generic.Malware.Sdld!!.F74D3917
    GData 21 2010.08.10 DeepScan:Generic.Malware.Sdld!!.F74D3917
    Ikarus T3.1.1.87.0 2010.08.10 Trojan-Dropper.Agent
    Jiangmin 13.0.900 2010.08.10 Trojan/Scar.xcv
    Kaspersky 7.0.0.125 2010.08.10 Heur.Trojan.Generic
    McAfee 5.400.0.1158 2010.08.10 Suspect-D!939B7526572F
    McAfee-GW-Edition 2010.1 2010.08.09 Heuristic.LooksLike.Win32.Suspicious.J!85
    Norman 6.05.11 2010.08.09 W32/Packed_Nspack.A
    Panda 10.0.2.7 2010.08.10 Suspicious file
    Sophos 4.56.0 2010.08.10 Mal/Packer
    Sunbelt 6710 2010.08.10 Packer.NSAnti.Gen (v)
    Symantec 20101.1.1.7 2010.08.09 Suspicious.MH690.A
    TheHacker 6.5.2.1.341 2010.08.10 W32/Behav-Heuristic-063
    TrendMicro 9.120.0.1004 2010.08.10 PAK_Generic.005
    VirusBuster 5.0.27.0 2010.08.09 Packed/NSPack

    Hostname:    202.134.237.59
    ISP:    AINS, Internet Service Provider
    Organization:    AINS, Internet Service Provider
    Type:    Dial-up
    Assignment:    Static IP
    Country:    Australia
    State/Region:    New South Wales
    City:    Sydney


    Robtex blacklist of 202.134.237.59
    Threatexpert results of jackjon.exe = cisvc.exe = setup.exe = 939b7526572f0c128c0cda9baed7f8a3.
    http://www.threatexpert.com/report.aspx?md5=939b7526572f0c128c0cda9baed7f8a3
              o Submitted sample:
                    + File MD5: 0x939B7526572F0C128C0CDA9BAED7F8A3
                    + File SHA-1: 0xEEBE799A4B3AC5AF14A57BE73C1FECDE159CA652
                    + Filesize: 7,763 bytes
                    + Alias & packer info:
                          # Suspicious.MH690 [Symantec]
                          # Mal/Packer [Sophos]
                          # Trojan-Dropper.Agent [Ikarus]
                          # packed with: NSPack [Kaspersky Lab]

     Technical Details:
         File System Modifications
        * The following files were created in the system:
    #    Filename(s)    File Size    File Hash    Alias
    1     %UserProfile%\KB958544.log     295 bytes     MD5: 0xFB5D40BB8024EA6C049A204EA883C030
    SHA-1: 0x6D7E4E893D50356F756495F186B5880F1DE3348E     (not available)

    2     %Temp%\setup.exe     7,763 bytes     MD5: 0x939B7526572F0C128C0CDA9BAED7F8A3
    SHA-1: 0xEEBE799A4B3AC5AF14A57BE73C1FECDE159CA652     Suspicious.MH690 [Symantec]

    Mal/Packer [Sophos]
    Trojan-Dropper.Agent [Ikarus]
    packed with NSPack [Kaspersky Lab]

        * Attention! The following process was intentionally hidden from the user:
    Process Name    Main Module Size
    UserNa    28,672 bytes
         Registry Modifications
        * The newly created Registry Value is:
              o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
                    + SystemService = "%UserProfile%\cisvc.exe"

     Contents of %UserProfile%\KB958544.log
    [KB958544.log]
    1.328: ===============================
    1.328: 20100810235154 .109 (local)
    1.328 c:\update\H1ZqbGwGGwQBSFxbR0ZFVkhJT1JPTUiutLusyOrh6Lqn4v/hjY6vkLGSs5S1lreYuZq7nL2ev6CBooOkhaaHqImqi6yNro+wka6ztLK3t7g=\update.exe (version 6.3.5.1)
    2.343: Update.exe extended error code = 0xf001



    CREATED FILE 4
    program.pdf=407236f7f989210fa64630b5ac501d94.pdf:156771 bytes


    No comments:

    Post a Comment