Monday, August 16, 2010

Aug 16 CVE-2009-4324 PDF Communist China remove missiles from Qiying526@ntu.edu.tw (140.119.170.173)


Update 3. See http://extraexploit.blogspot.com/search/label/CVE-2009-4324 for more about CVE-2009-4324; this file is a classic case of it.

Update 2. It certainly does NOT exploit CVE-2010-1297. Thanks to Tyler McLeod (Vicheck.ca) and Giuseppe Bonfa (evilcry) for checking and confirming. The presence of a j_exp function made it look similar to other files exploiting CVE-2010-1297, but this one carries just that piece of code with no apparent purpose (a malware writer's mistake?). It is also not clear why it is checking versions.

Update. Ok, exploitation of CVE-2010-1297 is debatable. But what is it? 


Download: ATT72558.pdf (MD5 6227e1594775773a182e1b631db5f6bb) as a password-protected archive (contact me if you need the password)

Lure e-mail (original in Chinese, translated to English here):

From: YiLing [mailto: Qiying526@ntu.edu.tw]
Sent: Monday, August 16, 2010 4:09 AM
To: adamma0606@mail.faps.org.tw
Subject: Analysis of Communist China removing the missiles across the Strait

Dear teachers:

Attached is the newly revised analysis of Communist China withdrawing the missiles facing across the Strait; please review.

Respectfully, Yi-Ling

--
Liu Yi-Ling
National Policy Foundation
Assistant Researcher, National Security Division
4F, No. 16, Section 1, Hangzhou South Road, Taipei 10052
tel: 02-2343-3405
fax: 02-2343-3512


Headers
X-MailGates: (mail_type:PASS,2)(compute_score:DELIVER,40,3)
Received: from 140.119.166.2
    by mg.nccu.edu.tw with MailGates ESMTP Server V2.9(27464:1:AUTH_RELAY)
    (envelope-from ); Tue, 17 Aug 2010 09:59:54 +0800 (CST)
Return-Path:
Received: from 140.119.170.173
    by nccu.edu.tw with Mail2000 ESMTP Server V4.00M(792:0:AUTH_RELAY)
    (envelope-from ); Tue, 17 Aug 2010 09:59:53 +0800 (CST)
Return-Path:
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@nccu212af2ce2>
From: "YiLing"
To: ,
BCC: XXXXXXXXXXXXXXX
Subject: =?big5?B?pKSmQLpNsKOu/K5sue+ppK24vHWquqzjqlI=?=
Date: Mon, 16 Aug 2010 16:08:59 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000D_01CB3D5D.56D84CE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579


Hostname:    140.119.170.173
ISP:    MOEC
Organization:    National Chengchi University
Assignment:    Static IP
Country:    Taiwan
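As an added example (not code from the original post), a small Python triage of the header dump above: it decodes the Big5 RFC 2047 subject and walks the Received chain oldest-first to recover the submitting IP and the relays, which gives the same 140.119.170.173 origin the post reports even though the lure claims an ntu.edu.tw sender. The header text is copied from this page; the redacted Return-Path/To/BCC lines are left out.

```python
import re
from email import message_from_string
from email.header import decode_header

# Header lines relevant to triage, copied from the dump on this page
# (redacted Return-Path/To/BCC lines omitted).
RAW_HEADERS = """\
Received: from 140.119.166.2
    by mg.nccu.edu.tw with MailGates ESMTP Server V2.9(27464:1:AUTH_RELAY)
    (envelope-from ); Tue, 17 Aug 2010 09:59:54 +0800 (CST)
Received: from 140.119.170.173
    by nccu.edu.tw with Mail2000 ESMTP Server V4.00M(792:0:AUTH_RELAY)
    (envelope-from ); Tue, 17 Aug 2010 09:59:53 +0800 (CST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@nccu212af2ce2>
From: "YiLing"
Subject: =?big5?B?pKSmQLpNsKOu/K5sue+ppK24vHWquqzjqlI=?=
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

"""

# "from <host> ... by <host>" inside one (possibly folded) Received header
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def decode_subject(msg):
    """RFC 2047 decode; the lure subject is Big5, base64-encoded."""
    return "".join(c.decode(cs or "ascii", "replace") if isinstance(c, bytes) else c
                   for c, cs in decode_header(msg.get("Subject", "")))

def received_hops(msg):
    """(from, by) pairs oldest-first. Each relay prepends its own Received
    header, so the bottom-most header is the earliest hop on record."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def triage(raw):
    """Summarise what the headers say about where the mail really came from."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    return {
        "subject": decode_subject(msg),
        "origin_ip": hops[0][0] if hops else None,
        "relays": [by for _, by in hops],
        "mailer": msg.get("X-Mailer"),
        "message_id_host": msg.get("Message-ID", "").rsplit("@", 1)[-1].rstrip(">"),
    }
```

The Message-ID host part and the X-Mailer string are worth keeping alongside the origin IP, since both identify the sending workstation rather than the claimed sender.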

File name: ATT72558.pdf
VirusTotal report: http://www.virustotal.com/file-scan/report.html?id=cdb9fd9ddbd9cbd8496747a70ae6708d1805a3e684857d5008da46f49cb83170-1282098895
Submission date: 2010-08-18 02:34:55 (UTC)
Result: 16/42 (38.1%)
Authentium    5.2.0.5    2010.08.18    JS/Pdfka.V
Avast    4.8.1351.0    2010.08.17    JS:Pdfka-gen
Avast5    5.0.332.0    2010.08.17    JS:Pdfka-gen
AVG    9.0.0.851    2010.08.17    Exploit.PDF
BitDefender    7.2    2010.08.18    Exploit.PDF-JS.Gen
DrWeb    5.0.2.03300    2010.08.18    Exploit.PDF.1301
Emsisoft    5.0.0.39    2010.08.18    Exploit.JS.Pdfka!IK
eTrust-Vet    36.1.7797    2010.08.17    PDF/CVE-2010-1297.B!exploit  - No, it is not
F-Prot    4.6.1.107    2010.08.18    JS/Pdfka.V
F-Secure    9.0.15370.0    2010.08.18    Exploit.PDF-JS.Gen
GData    21    2010.08.18    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.88.0    2010.08.18    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.08.18    Exploit.JS.Pdfka.cqx
McAfee-GW-Edition    2010.1B    2010.08.18    Heuristic.BehavesLike.PDF.Suspicious.O
Norman    6.05.11    2010.08.17    JS/Shellcode.IZ
nProtect    2010-08-17.01    2010.08.18    Exploit.PDF-JS.Gen
Additional information
MD5   : 6227e1594775773a182e1b631db5f6bb

Vicheck.ca
Exploit call to media.newPlayer CVE-2009-4324 (pdfexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=6227e1594775773a182e1b631db5f6bb
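As an added example (not code from the post or from Vicheck.ca), a Python triage pass that inflates FlateDecode streams and reports the indicator strings discussed in Update 2 and in the Vicheck result (media.newPlayer, j_exp, the version check) without turning them into a CVE verdict, because, as the post found, a j_exp helper appeared in a file that does not exploit CVE-2010-1297. The PDF it scans is a constructed stand-in, not the ATT72558.pdf sample.

```python
import re
import zlib

# Indicator strings discussed on the page, mapped to what each suggests and
# not to a CVE verdict: per Update 2, a j_exp() helper turned up in a file
# that does not exploit CVE-2010-1297 at all.
INDICATORS = {
    b"media.newPlayer": "Doc.media.newPlayer call (CVE-2009-4324 trigger)",
    b"j_exp": "j_exp helper (seen in CVE-2010-1297 samples; not proof alone)",
    b"app.viewerVersion": "Reader version check",
    b"/JavaScript": "JavaScript action present",
    b"/OpenAction": "action run when the document opens",
}

# a dictionary (no nested ">>") immediately followed by its stream body
STREAM_RE = re.compile(rb"<<((?:(?!>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

def inflate(data):
    """Inflate a FlateDecode stream, salvaging what a truncated tail allows."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        try:
            return zlib.decompressobj().decompress(data)
        except zlib.error:
            return b""

def visible_text(pdf):
    """Raw bytes plus every stream body, inflated where /FlateDecode is set."""
    chunks = [pdf]
    for dictionary, body in STREAM_RE.findall(pdf):
        chunks.append(inflate(body) if b"/FlateDecode" in dictionary else body)
    return b"\n".join(chunks)

def scan_pdf(pdf):
    """Return {indicator: description} for each indicator present."""
    text = visible_text(pdf)
    return {k.decode(): v for k, v in INDICATORS.items() if k in text}

def build_sample():
    """Constructed stand-in (not ATT72558.pdf): a FlateDecode JavaScript
    stream that reads the viewer version and references media.newPlayer."""
    js = b"var v = app.viewerVersion;\nvar player = media.newPlayer(settings);\n"
    body = zlib.compress(js)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n%%EOF\n")
```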

 CVE-2009-4324 and CVE-2010-1297   

=========
Created files
%Tmp%\1.pdf
%Tmp%\hpqimzone.exe

Adobe 8.1

Adobe 9.1
1.pdf (0/42 VT)

hpqimzone.exe
http://www.virustotal.com/file-scan/report.html?id=7f0e5d608fa54e139cf7f7e699b68877f281337b751743c15d08c4359cad6f9a-1282103202
Submission date: 2010-08-18 03:46:42 (UTC)
Result: 8/41 (19.5%)
Authentium     5.2.0.5     2010.08.18     W32/Heuristic-245!Eldorado
ClamAV     0.96.2.0-git     2010.08.18     PUA.Packed.ASPack
F-Prot     4.6.1.107     2010.08.18     W32/Heuristic-245!Eldorado
McAfee     5.400.0.1158     2010.08.18     Suspect-D!36EE61663FC4
Microsoft     1.6004     2010.08.18     Backdoor:Win32/Ixeshe.A
Panda     10.0.2.7     2010.08.17     Suspicious file
Sophos     4.56.0     2010.08.18     Mal/PdfExDr-B
TrendMicro     9.120.0.1004     2010.08.17     PAK_Generic.001
MD5   : 36ee61663fc41496642850c4293fed01
 
Threatexpert report of hpqimzone.exe
http://www.threatexpert.com/report.aspx?md5=36ee61663fc41496642850c4293fed01
File System Modifications

    * The following file was created in the system:

#   Filename(s)                             File Size       File Hash                                          Alias
1   [file and pathname of the sample #1]    16,384 bytes    MD5: 0x36EE61663FC41496642850C4293FED01            Mal/PdfExDr-B [Sophos]
                                                            SHA-1: 0xE6119E18B54EDB0B87466D2EF3129285EE8925C0  packed with ASPack [Kaspersky Lab]

    Memory Modifications

    * There was a new process created in the system:

Process Name    Process Filename    Main Module Size
[filename of the sample #1]    [file and pathname of the sample #1]    45,056 bytes


    Registry Modifications

    * The newly created Registry Value is:
          o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
                + SP = "[file and pathname of the sample #1]"

            so that [file and pathname of the sample #1] runs every time Windows starts

    * The following ports were open in the system:
Port    Protocol    Process
1054    TCP    [file and pathname of the sample #1]
1055    TCP    [file and pathname of the sample #1]

Remote Host    Port Number
120.126.34.94    80

    * The data identified by the following URL was then requested from the remote web server:
          o http://oltnsck.dnsrd.com/AWS96.jsp?8Bl3SGQJ1pvY0=LPI5RVjs9Kh/Dwjs9Kj/DMI5DmIZMmY5+fp8AA

120.126.34.94
Hostname:    ymu034-094.ym.edu.tw
ISP:    Ministry of Education Computer Center
Organization:    Ministry of Education Computer Center
Proxy:    None detected
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan
State/Region:    T'ai-pei

The remote host 120.126.34.94 (ymu034-094.ym.edu.tw) appears to be a compromised machine at the university.

