CVE-2010-2883 Security Advisory for Adobe Reader and Acrobat
A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
Technical Analysis and Research links (just a few, in no particular order, send more if you want me to add)
- Brief Analysis On Adobe Reader SING Table Parsing Vulnerability (CVE-2010-2883) Matt Oh
- Return of the Unpublished Adobe Vulnerability http://blog.metasploit.com/ Joshua J. Drake
- New Adobe 0day Demonstration - Attack Vector Matt
- Adobe advises on new Reader and Acrobat vulnerability Chester Wisniewski’s Blog
- VUPEN Vulnerability Research Team (VRT) Blog- Criminals Are Getting Smarter: Analysis of the Adobe Acrobat / Reader 0-Day Exploit << very detailed analysis
-
- =================================================================
Download files
- golf clinic.pdf - (\Application Data) - 6AF93ED231AEA3B00769FC8283943E75
- iso88591 - (same location as the original) F7A341ACBB05F6A597EC33ACCB7AD04E
- wincrng.exe + winhelp32.exe (downloaded from academyhouse.us) 687B8D2112F25E330820143EDE7FEDCE
- igfxver.exe (%tmp%) E8CE9CB98C71405F0FB3888235302568 - dropped by the original
Download hlp.cpl signed with the stolen Verisign certificate issued to secure2.ccuu.com
Update 10
Lead Adobe 0-day CVE-2010-2883 Made in Korea - by villy
Update9
[Unofficial] 0-Day Acrobat SING Table Vulnerability Patch (sent by INT3 CC, thank you)
https://www.rafzar.com/node/22
I did not test but heard it works well. Try it, test it
Update 8
Cédric Gilbert, from SkyRecon Systems sent a short and later (per my request, because I wanted to understand it ) , a more detailed explanation for the DEP bypass - in clear terms, for people who don't already know everything :)DEP Bypass in Golf Clinic PDF by Cédric Gilbert, SkyRecon Systems
Please comment and correct, if you find mistakes, we will add the corrections. Many thanks!
---------------------------------------------
There are 4 settings for DEP :- AlwaysOff- Opt-in- Opt-out- Always On
‘Opt-in’ is the one used by default on every Desktop Edition of Windows, while ‘opt-out’ is the default for Server Editions.‘Opt-in’ only protects software that is fully compatible with DEP (those software programs are marked at compilation with the flag ‘/NXCOMPAT’).‘Opt-out’ protects every software program (even the ones without /NXCOMPAT) except the ones explicitly added by the administrator to a white list.
“AcroRd32.exe” is not /NXCOMPAT, thus if an execution occurs in a page in memory marked as ‘not executable’ (the heap for instance), DEP in ‘opt-in’ mode will ignore the fault and silently change the rights of the page to ‘EXECUTE’. On the other hand, if DEP is set to ‘opt-out’, it will immediately kill the faulting process. This is why most exploits using heap spraying actually do work. Because even though execution occurs on the heap (NO EXEC) when the execution flow is redirected into the ‘nop’ slide, DEP in opt-in mode will not block the attack.
Now the writers of the exploit used in this case obviously wanted to go a step further by bypassing DEP even in its ‘opt-out’ or ‘always-on’ mode.
Which means that they had to find a way to execute their payload without triggering any ‘page fault’ in NO EXECUTE memory.
The best way to do so is to use some kind of ‘ret into libc’ technique (in this case a ROP technique). Instead of redirecting the execution flow into the heap, they redirect it to a CODE section in a DLL (which got EXECUTE rights) by overwriting saved eip on the stack. Of course no DLL exactly have the code that the attacker would like to execute, so the idea is to chain calls into this DLL on small code portions using return addresses smartly placed on the stack before the vulnerability is triggered. The problem with this technique is that it requires the attacker to use ‘hardcoded’ addresses pointing at each code portion that he wishes to execute.
Starting with Windows Vista, Microsoft introduced a new protection called ‘ASLR’ for Address Space Layout Randomization. This protection, among other things, randomize the base address of each DLL when they get loaded into a process address space (the random base address changes at each boot). This protection was meant to defeat attacks, which used hardcoded addresses, since a randomized DLL place in memory is changing at each boot.
So to defeat both DEP and ASLR, the attacker got AcroRd32.exe to load a DLL not compatible with ASLR into its address space (I do not know how they managed to do so at the moment).The DLL used is “icucnv34.dll”, the fact that it is not compatible with ASLR means that it will always get loaded at the same address in memory, thus allowing the attacker to use ‘hardcoded’ addresses pointing to this DLL.
The thing is, it’s very complicated to build a whole shellcode using this kind chained call into a DLL. So the attacker used it only to get a place in memory allocated with exec rights, copy his shellcode on it and, eventually, jump on it and do whatever he wants without caring about DEP anymore.
In this exploit, the attacker manages to do so by chaining 4 API call in “icucnv34.dll”.
1) CreateFileA:IN LPCTSTR lpFileName = 4a8254e0 = « iso88591 »
IN DWORD dwDesiredAccess = 0x 10000000 = GENERIC_ALL
IN DWORD dwShareMode = 0 = not shared
IN lpSecurityAttributes (OPTIONAL) = 0
IN DWORD dwCreationDisposition = 2 = CREATE_ALWAYS
IN DWORD dwFlagsAndAttributes = 0x102 = FILE_ATTRIBUTE_TEMPORARY | FILE_ATTRIBUTE_HIDDENHere the attacker creates an empty file called “iso88591” at the location where the pdf was opened.
2) CreateFileMappingAIN HANDLE hFile = 0x1c4 = handle on « iso88591 »IN OPT lpAttributes = NULLIN DWORD flProtect = 0x40 = PAGE_EXECUTE_READWRITEIN DWORD dwMaximumSizeHigh = 0IN DWORD dwMaximumSizeLow = 0x10000IN OPT LPCTSTR lpName = NULLSince the file is empty, the attacker has to specify an arbitrary size for the file mapping.At this point the attacker is ready to map the file into memory.
3) MapViewOfFileIN HANDLE hFileMappingObject = 0x2dc = Handle from CreateFileMappingAIN DWORD dwDesiredAccess = 0x22 = FILE_MAP_EXECUTE | FILE_MAP_WRITEIN DWORD dwFileOffsetHigh = 0IN DWORD dwFileOffsetLow = 0IN SIZE_T dwNumberOfBytesToMap = 0x10000Now the attacker’s got a 0x10000 bytes space with EXECUTE rights allocated into memory. All that he has to do to complete his ‘DEP-evading-technique’ is to copy the shellcode that he wishes to execute in this newly allocated exec space and jump on it.Which he does by calling :4) MSVCR80!memcpyDst = 0x05bc0000 // Base Address returned from the MapViewOfFile aboveSrc = 0885f118 // Not sure whether it is an address from the mapping of the pdf itself or something that he sprayed on the heap beforeLen = 0x1000
And here we are, after this call the real payload (at 0x0885f118) is mapped into an ‘EXEC’ memory space (at 0x05bc0000). The jump to the the payload is actually made by the memcpy call itself since the return address set on the stack by the attacker for this call is the destination of the copy (0x05bc0000) ! BAM! Both ASLR and DEP are defeated!
Now one may ask : ”Ok nice, icucnv34.dll is not ASLR-compatible, but kernel32.dll is, so how did the attacker get the required API addresses?”. Well, it is pretty simple actually, he just had to use API imported by icucnv34.dll ! When this DLL got loaded, its import table got fixed by the loader with the addresses of all API required by the DLL.Since the base address of icucnv34.dll is known by the attacker, he just had to retrieve the needed addresses from icucnv34.dll import table :)
Cédric Gilbert, SkyRecon Systems
Update7 - Aurora?
Here here an interesting observation by Itzhak Avraham (Zuk) @ihackbanme about the fact that this pdf is using a technique similar to one found in Aurora.DMS.bat mentioned in Update 6, has been observed during analysis of ad_1_.jpg file, which was one of the files recovered during the Aurora investigation (see Aurora US-CERT advisory here)
ad_1_.jpg unpacking/analysis - Aurora by Itzhak Avraham (Zuk)
DFS.bat from ad_1_.jpg (Aurora)
The DMS.bat from CVE-2010-2883 Adobe 0-Day
:Repeat
DEL "C:\DOCUME~1\USER\LOCALS~1\Temp\hlp.cpl"
if exist "C:\DOCUME~1\USER\LOCALS~1\Temp\hlp.cpl" goto Repeat
DEL "C:\DOCUME~1\USER\LOCALS~1\Temp\DMS.bat"
DEL "C:\DOCUME~1\USER\LOCALS~1\Temp\hlp.cpl"
if exist "C:\DOCUME~1\USER\LOCALS~1\Temp\hlp.cpl" goto Repeat
DEL "C:\DOCUME~1\USER\LOCALS~1\Temp\DMS.bat"
Update6
Exploit in action:(see a video demo in the end of this post)According to Sophos researchers (many thanks to Chester Wisniewski) -
- the shellcode drops hlp.cpl DLL to user %tmp% folder and then manually parses to its StartUp export and runs from there.
- wincrng .exe gets downloaded using the DLLs's "DownloadFile" export from hxxp://academyhouse .us/from/wincrng exe to user Application Data folder, renames it to winhelp32.exe and runs it. The domain is currently under the control of Shadow Server (http:/internal/tools/whois/?domain=academyhouse.us)
- The DLL then calls its "MakeAndShowEgg" export, which reads a filename from the original PDF ("Golf Clinic.pdf") and then drops a clean PDF file (golf clinic.pdf 6AF93ED231AEA3B00769FC8283943E75) and launches it in Acrobat Reader so as not to arouse suspicion. The text of the PDF, however, still arouses a lot of suspicion - see below :)
- Finally the DLL calls the imaginatively-titled "DeleteMyself" export to drop the file DMS.bat which deletes the DLL and then itself.
:Repeat
DEL "C:\DOCUME~1\USER\LOCALS~1\Temp\hlp.cpl"
if exist "C:\DOCUME~1\USER\LOCALS~1\Temp\hlp.cpl" goto Repeat
DEL "C:\DOCUME~1\USER\LOCALS~1\Temp\DMS.bat"
DEL "C:\DOCUME~1\USER\LOCALS~1\Temp\hlp.cpl"
if exist "C:\DOCUME~1\USER\LOCALS~1\Temp\hlp.cpl" goto Repeat
DEL "C:\DOCUME~1\USER\LOCALS~1\Temp\DMS.bat"
Update5
A few more variants of this message
Variant 2
from 119.247.163.249 MD5 2802c47b48cced7f1f027f3b278d6bb3
From: Thomas Bennett [mailto:Thomas.Bennett@gmx.com]
Sent: Tuesday, September 07, 2010 5:41 AM
To: xxx
Subject: Golf Clinic, David Leadbetter's One Point Lesson
Importance: High
Hi
Want to improve your score?
In these golf tips David Leadbetter shows you some important principles Cause & Effect, which have been helpful to thousands of amateur golfers around world.
Whatever your handicap, Whatever your age or ability, the tips will improve your game!
bye
Received: from 119.247.163.249 by rms-eu003.v300.gmx.net with HTTP
Content-Type: multipart/mixed; boundary="========GMX5905128385245737671"
Date: Tue, 7 Sep 2010 11:40:54 +0200
From: "Thomas Bennett"
Message-ID: <20100907094057.59050@gmx.com>
MIME-Version: 1.0
Subject: Golf Clinic, David Leadbetter's One Point Lesson
To: xxxxxxxxxxx
X-Authenticated: #68122450
X-Flags: 0001
X-Mailer: GMX.com Web Mailer
x-registered: 0
X-GMX-UID: nTqxe3hubGInbSsBYmBnUVVvcmZ1ZhzD
X-FuHaFi:
Content-Type: multipart/mixed; boundary="========GMX5905128385245737671"
Date: Tue, 7 Sep 2010 11:40:54 +0200
From: "Thomas Bennett"
Message-ID: <20100907094057.59050@gmx.com>
MIME-Version: 1.0
Subject: Golf Clinic, David Leadbetter's One Point Lesson
To: xxxxxxxxxxx
X-Authenticated: #68122450
X-Flags: 0001
X-Mailer: GMX.com Web Mailer
x-registered: 0
X-GMX-UID: nTqxe3hubGInbSsBYmBnUVVvcmZ1ZhzD
X-FuHaFi:
Variant 3
from 119.247.163.249 MD5 2802c47b48cced7f1f027f3b278d6bb3 - same MD5 and message text as Variant 2
Received: from 119.247.163.249 by rms-eu003.v300.gmx.net with HTTP
Content-Type: multipart/mixed; boundary="========GMX59081283851294565464"
Date: Tue, 7 Sep 2010 11:21:32 +0200
From: "Thomas Bennett"
Message-ID: <20100907092134.59080@gmx.com>
MIME-Version: 1.0
Subject: Golf Clinic, David Leadbetter's One Point Lesson
To: xxxxxxxx
X-Authenticated: #68122450
X-Flags: 0001
X-Mailer: GMX.com Web Mailer
x-registered: 0
X-GMX-UID: KDG0dCMkPjl+J2dDOTE2PRE7MTE2Ncna
X-FuHaF i:
Content-Type: multipart/mixed; boundary="========GMX59081283851294565464"
Date: Tue, 7 Sep 2010 11:21:32 +0200
From: "Thomas Bennett"
Message-ID: <20100907092134.59080@gmx.com>
MIME-Version: 1.0
Subject: Golf Clinic, David Leadbetter's One Point Lesson
To: xxxxxxxx
X-Authenticated: #68122450
X-Flags: 0001
X-Mailer: GMX.com Web Mailer
x-registered: 0
X-GMX-UID: KDG0dCMkPjl+J2dDOTE2PRE7MTE2Ncna
X-FuHaF
Variant 4
203.69.158.248 MD5 2802c47b48cced7f1f027f3b278d6bb3 - same MD5 and message text as Variant 2
Received: from [203.69.158.248] by web120320.mail.ne1.yahoo.com via HTTP; Wed, 08 Sep 2010 07:23:24 PDT
X-Mailer: YahooMailRC/470 YahooMailWebService/0.8.105.279950
Date: Wed, 8 Sep 2010 07:23:24 -0700
From: Thomas Bennett <bennettthomas20@yahoo.com>
Subject: Golf Clinic, David Leadbetter's One Point Lesson
To: xxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1774150817-1283955804=:98963"
X-Mailer: YahooMailRC/470 YahooMailWebService/0.8.105.279950
Date: Wed, 8 Sep 2010 07:23:24 -0700
From: Thomas Bennett <bennettthomas20@yahoo.com>
Subject: Golf Clinic, David Leadbetter's One Point Lesson
To: xxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1774150817-1283955804=:98963"
Variant 5
203.69.158.248 MD5 2802c47b48cced7f1f027f3b278d6bb3 - same MD5 and message text as Variant 2
Received: from [203.69.158.248] by web120020.mail.ne1.yahoo.com via HTTP; Wed, 08 Sep 2010 06:18:15 PDT
X-Mailer: YahooMailRC/470 YahooMailWebService/0.8.105.279950
Date: Wed, 8 Sep 2010 06:18:15 -0700
From: Thomas Bennett <thomasbennett3632@yahoo.com>
Subject: Golf Clinic, David Leadbetter's One Point Lesson
To: xxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1680004829-1283951895=:32066"
X-Mailer: YahooMailRC/470 YahooMailWebService/0.8.105.279950
Date: Wed, 8 Sep 2010 06:18:15 -0700
From: Thomas Bennett <thomasbennett3632@yahoo.com>
Subject: Golf Clinic, David Leadbetter's One Point Lesson
To: xxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1680004829-1283951895=:32066"
Variant 6
83.91.87.14 MD5 2802c47b48cced7f1f027f3b278d6bb3 - same MD5 and message text as Variant 2
Received: from [183.91.87.14] by web120110.mail.ne1.yahoo.com via HTTP; Wed, 08 Sep 2010 05:39:58 PDTX-Mailer: YahooMailRC/470 YahooMailWebService/0.8.105.279950
Date: Wed, 8 Sep 2010 05:39:58 -0700
From: Thomas Bennett
Subject: Golf Clinic, David Leadbetter's One Point Lesson
To: xxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-2129242729-1283949598=:59537"
Update4.
hlp.cpl signed with the stolen Verisign certificate issued to secure2.ccuu.com file gets dropped in user %tmp% directory. You can download it in the download section below.
Many thanks to DaH4ckeR from http://hypersecurity.blogspot. com for his contribution
Click on the picture to enlarge
Update3.
http://www.virustotal.com/file-scan/report.html?id=d55aa45223606db795d29ab9e341c1c703e5a2e26bd98402779f52b6c2e9da2b-1284005926
2010-09-09 04:18:46 (UTC) --thanks to Antivirus companies for taking action.
File name:Golf Clinic.pdf
15/ 42 (35.7%)
AhnLab-V3 2010.09.09.00 2010.09.09 PDF/Exploit
Authentium 5.2.0.5 2010.09.08 PDF/Expl.II
Emsisoft 5.0.0.37 2010.09.09 Win32.SuspectCrc!IK
F-Secure 9.0.15370.0 2010.09.09 Exploit:W32/AdobeReader.WX
Ikarus T3.1.1.88.0 2010.09.09 Win32.SuspectCrc
McAfee 5.400.0.1158 2010.09.09 Exploit-PDF.ps.gen
McAfee-GW-Edition 2010.1B 2010.09.09 Exploit-PDF.ps.gen
Microsoft 1.6103 2010.09.09 Exploit:Win32/Pdfjsc.HQ
NOD32 5435 2010.09.08 JS/Exploit.Pdfka.OFZ
Norman 6.06.05 2010.09.08 PDF/Exploit.FW
PCTools 7.0.3.5 2010.09.09 HeurEngine.PDF
Sophos 4.57.0 2010.09.09 Troj/PDFJs-ME
Symantec 20101.1.1.7 2010.09.09 Bloodhound.PDF!gen1
TrendMicro 9.120.0.1004 2010.09.09 TROJ_PIDIEF.WM
TrendMicro-HouseCall 9.120.0.1004 2010.09.09 TROJ_PIDIEF.WM
Show all
MD5 : 9c5cd8f4a5988acae6c2e2dce563446a
Update2
- Secunia advisory Adobe Reader / Acrobat Font Parsing Buffer Overflow Vulnerability
- Many thanks to Adobe PSIRT team for a quick response and researchers on twitter vicheck, jduck1337 for their comments and analysis
Update1
- Adobe Security people got a copy and will notify us about the results/diagnosis
- There was a bit of a discussion on twitter regarding this during the day, new comments from researchers are likely to show up in twits before I have time to post any updates here -
From: Thomas Bennett [mailto:thomasbennett34@yahoo.com]
Sent: Monday, September 06, 2010 8:01 AM
To: XXXXX
Subject: David Leadbetter's One Point Lesson
Should know Cause & Effect of the World's Leading
Golf Instructor, David Leadbetter.
Want to improve your score?
In these golf tips David Leadbetter shows you
some important principles Cause & Effect, which
have been helpful to thousands of amateur golfers
around world.
In this lesson, David focuses on his unique techniques
or experience.
Whatever your handicap, Whatever your age or
ability, the tips will improve your game!
Header
Received: from n54b.bullet.mail.sp1.yahoo.com (HELO n54b.bullet.mail.sp1.yahoo.com) (98.136.45.27)
by XXXXXXXXXXXXXX 6 Sep 2010 12:01:15 -0000
Received: from [216.252.122.219] by n54.bullet.mail.sp1.yahoo.com with NNFMP; 06 Sep 2010 12:01:15 -0000
Received: from [67.195.9.83] by t4.bullet.sp1.yahoo.com with NNFMP; 06 Sep 2010 12:01:13 -0000
Received: from [98.137.27.131] by t3.bullet.mail.gq1.yahoo.com with NNFMP; 06 Sep 2010 12:01:12 -0000
Received: from [127.0.0.1] by omp205.mail.gq1.yahoo.com with NNFMP; 06 Sep 2010 12:01:12 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 377446.77522.bm@omp205.mail.gq1.yahoo.com
Received: (qmail 48048 invoked by uid 60001); 6 Sep 2010 12:01:10 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1283774469; bh=0bBYYw2sHC3o3o1Cge7uqebfpzmUxLED7NttMeJ98XU=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=FT8rFCjZWvWpJRZlFH/IvOY4xAcfQHG76ZwZaB4omENDYEI+ONxzv1Pbl12p43UKQI5exuQ14Hp713EAd+BGOISFvXv6ghtE726NtS7YMsfUWuh8uV4RgIk3VGfuumsse8aJLKrSj+Rtc5S8xpbK7JBQ7od1FE9smnFM8d+PbmI=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=NU+wudJNMZectofoD5PEUnK3AOa7nPcx7hbz0ZqMsfYxivvLXhrs/fUhgCQR+2SsbSxZn2cf07+/A2qhVPFwnmT2CQprPBBdY6CvPIs0A1yxQYRw6PprOsp46CY/11LgZ+it0O/f0fYSY+JxrOYNpy2zLQsbI7ldyRli17khOkE=;
Message-ID: <855752.47126.qm@web120112.mail.ne1.yahoo.com>
X-YMail-OSG: dJDX4QcVM1nYoU7AoyRsmcivnwc9vgOThtwyE9kxdR_BvWm
2dmWsAd8xXToAMpljbsjZUKbqVhD4DTgT.rvPy51_.X7KdNFfxEv4EAEQLa8
cwqYRZnnyfsiYs6a8f2THPAmXvbMjNfhp6a4TfFKJ9PEAjjmbBosHCY5GFER
XI_2DV2cE8OR8ODZ.KKVxB257zt4efSCnAIf8ioqECNvnXY7fc4iwwLVVxVT
C7rsukcBDFR1uNn6jNx_d2.s2KA--
Received: from [193.106.85.61] by web120112.mail.ne1.yahoo.com via HTTP; Mon, 06 Sep 2010 05:01:09 PDT
X-Mailer: YahooMailRC/470 YahooMailWebService/0.8.105.279950
Date: Mon, 6 Sep 2010 05:01:09 -0700
From: Thomas Bennett
Subject: David Leadbetter's One Point Lesson
To: xxxxxxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-625861097-1283774469=:47126"
by XXXXXXXXXXXXXX 6 Sep 2010 12:01:15 -0000
Received: from [216.252.122.219] by n54.bullet.mail.sp1.yahoo.com with NNFMP; 06 Sep 2010 12:01:15 -0000
Received: from [67.195.9.83] by t4.bullet.sp1.yahoo.com with NNFMP; 06 Sep 2010 12:01:13 -0000
Received: from [98.137.27.131] by t3.bullet.mail.gq1.yahoo.com with NNFMP; 06 Sep 2010 12:01:12 -0000
Received: from [127.0.0.1] by omp205.mail.gq1.yahoo.com with NNFMP; 06 Sep 2010 12:01:12 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 377446.77522.bm@omp205.mail.gq1.yahoo.com
Received: (qmail 48048 invoked by uid 60001); 6 Sep 2010 12:01:10 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1283774469; bh=0bBYYw2sHC3o3o1Cge7uqebfpzmUxLED7NttMeJ98XU=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=FT8rFCjZWvWpJRZlFH/IvOY4xAcfQHG76ZwZaB4omENDYEI+ONxzv1Pbl12p43UKQI5exuQ14Hp713EAd+BGOISFvXv6ghtE726NtS7YMsfUWuh8uV4RgIk3VGfuumsse8aJLKrSj+Rtc5S8xpbK7JBQ7od1FE9smnFM8d+PbmI=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=NU+wudJNMZectofoD5PEUnK3AOa7nPcx7hbz0ZqMsfYxivvLXhrs/fUhgCQR+2SsbSxZn2cf07+/A2qhVPFwnmT2CQprPBBdY6CvPIs0A1yxQYRw6PprOsp46CY/11LgZ+it0O/f0fYSY+JxrOYNpy2zLQsbI7ldyRli17khOkE=;
Message-ID: <855752.47126.qm@web120112.mail.ne1.yahoo.com>
X-YMail-OSG: dJDX4QcVM1nYoU7AoyRsmcivnwc9vgOThtwyE9kxdR_BvWm
2dmWsAd8xXToAMpljbsjZUKbqVhD4DTgT.rvPy51_.X7KdNFfxEv4EAEQLa8
cwqYRZnnyfsiYs6a8f2THPAmXvbMjNfhp6a4TfFKJ9PEAjjmbBosHCY5GFER
XI_2DV2cE8OR8ODZ.KKVxB257zt4efSCnAIf8ioqECNvnXY7fc4iwwLVVxVT
C7rsukcBDFR1uNn6jNx_d2.s2KA--
Received: from [193.106.85.61] by web120112.mail.ne1.yahoo.com via HTTP; Mon, 06 Sep 2010 05:01:09 PDT
X-Mailer: YahooMailRC/470 YahooMailWebService/0.8.105.279950
Date: Mon, 6 Sep 2010 05:01:09 -0700
From: Thomas Bennett
Subject: David Leadbetter's One Point Lesson
To: xxxxxxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-625861097-1283774469=:47126"
193.106.85.61
Hostname: 193.106.85.61
ISP: Centrum-IT Magdalena Wietrzak
Organization: Centrum-IT Magdalena Wietrzak
Proxy: Confirmed proxy serverCountry: Poland
City: Sosnowiec
ISP: Centrum-IT Magdalena Wietrzak
Organization: Centrum-IT Magdalena Wietrzak
Proxy: Confirmed proxy serverCountry: Poland
City: Sosnowiec
Golf Clinic.pdf
http://www.virustotal.com/file-scan/report.html?id=d55aa45223606db795d29ab9e341c1c703e5a2e26bd98402779f52b6c2e9da2b-1283833897
1 /43 (2.3%)
McAfee-GW-Edition 2010.1B 2010.09.07 Heuristic.BehavesLike.PDF.Suspicious.O
Show all
MD5 : 9c5cd8f4a5988acae6c2e2dce563446a
PDF uncompressed JS
http://pastebin.com/yLv57H9Z
It looks like it could be CVE-2010-1241 or CVE-2010-2862 but no CVE has been confirmed yet.
Adobe security bulletin regarding issued patches for CVE-2010-1241 and CVE-2010-2862
Tested on XP SP2 Adobe Reader 9.3.4 (Tyler from vicheck.ca confirmed it worked on Adobe Reader 9.3.4, no OS info provided)
It crashes / closes and opens a decoy file with the same name (except in lower case), which gets dropped is in user profile Application Data (see picture below). A downloader file (not pictured) gets dropped in user %tmp% directory (not shown here) downloads winhelp32.exe, which creates connection to academyhouse.us 124.217.255.232:80. there are really a lot of things going on with it, I will add more details later, here is a good scan with details by vicheck.ca
https://www.vicheck.ca/md5query.php?hash=9c5cd8f4a5988acae6c2e2dce563446a
igfxver.exe created in %TMP%
http://www.virustotal.com/file-scan/report.html?id=994a5bc0e21a3b89441e5b70720ef6ba62aa9a0d4a71b33e995766d1d12007f4-1283918499
File name:
igfxver.exe
Submission date:2010-09-08 04:01:39 (UTC)
3/ 43 (7.0%)
NOD32 5432 2010.09.07 probably unknown NewHeur_PE
PCTools 7.0.3.5 2010.09.08 Trojan.Generic
TrendMicro-HouseCall 9.120.0.1004 2010.09.08 TROJ_CHIFRAX.BU
MD5 : e8ce9cb98c71405f0fb3888235302568
File name:
winhelp32.exe - created in Application Data (actually downloaded from academyhouse.us)
http://www.virustotal.com/file-scan/report.html?id=d6d089fcbd886363cfbc23c237cab8d99d5033eff9f6a4a3eeb95e32f5b80113-1283836305
3 /42 (7.1%)
eTrust-Vet 36.1.7839 2010.09.06 Win32/FakeAV.PVA
McAfee-GW-Edition 2010.1B 2010.09.07 Heuristic.BehavesLike.Win32.Suspicious.H
NOD32 5429 2010.09.06 probably unknown NewHeur_PE
Additional information
Show all
MD5 : 687b8d2112f25e330820143ede7fedce
file iso88691 get created in the same location as the original .
I dont have it now but I will upload a bit later
academyhouse.us
124.217.255.232:80
Hostname: penguin1.ip-asia.com
ISP: PIRADIUS NET
Organization: PIRADIUS NET
Country: Malaysia
State/Region: Johor
City: Johor Bahru
Domain Name: ACADEMYHOUSE.US - Domain has been "sinkholed" If you need downloaded files - see the file download link on top
Domain ID: D26616000-US
Sponsoring Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Registrar URL (registration services): www.publicdomainregistry.com
Domain Status: clientTransferProhibited
Registrant ID: DI_11232940
Registrant Name: Private Registration
Registrant Organization: academyhouse.us
Registrant Address1: Rm.804, Sino Centre.
Registrant City: Nathan Road
Registrant State/Province: Kln Hong Kong
Registrant Postal Code: 582-592
Registrant Country: Hong Kong
Registrant Country Code: HK
Registrant Phone Number: +852.23840332
Registrant Email: academyhouse@domainsproxy.name
academyhouse.us/from/wincrng.exe
academyhouse.us/from/eincrng.exe (this file was not captured/downloaded)
Dinner is over, now the movie
Hi there,
ReplyDeleteI come from Germany and try to read news on this site. Unfortunately, there are no news neither in English lnaguage nor in German. It appears to be auto-translated text. Most topics are non-understandable due to language which is really messed up.
So my proposal is, could you implement a switch for language? Me myself could understand native English much better than this, what I now can read here.
Thanks
Andreas
Andreas,
ReplyDeleteI write in English, as well as I can :) Maybe try a different browser to avoid the strange auto-translate issues you are having. Thank you for reading :)
Mitigations for this include protecting Adobe Reader with EMET v2 which has been shown to break the exploit. AFAIK, disabling javascript offers some protection since javascript was used for a heap spray or similar function. Of course this isn't foolproff, but it does represent another hardening step.
ReplyDelete