Thursday, September 16, 2010

Sep 16 CVE-2010-2883 PDF INTEREST & FOREIGN EXCHANGE RATES



Download  INTEREST_&_FOREIGN_EXCHANGE_RATES.pdf and dropped files  as a password protected archive (contact me if you need the password)

-----Original Message-----
From: XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Sent: Thursday, September 16, 2010 11:32 AM
To: XXXXXXXXXXXXXX
Subject: INTEREST & FOREIGN EXCHANGE RATES


Dear XXXXXXXXXXXXXXXXXXX,

Hope this email finds you well.

Maby you are intersted of this article.

Apologies for this sudden request, but we would greatly appreciate your advice.

Best Regards,

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Headers
Received: (qmail 23641 invoked from network); 16 Sep 2010 15:33:10 -0000
Received: from iismx.iis.sinica.edu.tw (HELO iismx.iis.sinica.edu.tw) (140.109.20.49)
  by XXXXXXXXXXXX; 16 Sep 2010 15:33:10 -0000
Received: from webmail.iis.sinica.edu.tw ([192.168.0.51])
    by iismx.iis.sinica.edu.tw (8.14.3/8.14.3) with ESMTP id o8GFYqvL050905
    for ; Thu, 16 Sep 2010 23:34:52 +0800 (CST)
    (envelope-from XXXXXXXXXXXXXXX)
Received: from webmail.iis.sinica.edu.tw (localhost [127.0.0.1])
    by webmail.iis.sinica.edu.tw (8.13.8/8.13.8) with ESMTP id o8GFVqXC099684
    for ; Thu, 16 Sep 2010 23:31:52 +0800 (CST)
    (envelope-from XXXXXXXXXXXXXX)
Received: (from www@localhost)
    by webmail.iis.sinica.edu.tw (8.13.8/8.13.8/Submit) id o8GFVqI2099683
    for XXXXXXXXXXXXXXXX; Thu, 16 Sep 2010 23:31:52 +0800 (CST)
    (envelope-from XXXXXXXXXXXXXXX)
X-Authentication-Warning: webmail.iis.sinica.edu.tw: www set sender to XXXXXXXXXXXXXX using -f
Received: from mail.confinewags.com (mail.confinewags.com [204.45.63.6]) by
    webmail.iis.sinica.edu.tw (Horde MIME library) with HTTP; Thu, 16 Sep 2010
    23:31:52 +0800
Message-ID: <20100916233152.w71ipg6umo8sscgg@webmail.iis.sinica.edu.tw>
Date: Thu, 16 Sep 2010 23:31:52 +0800
From: XXXXXXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXX
Subject: INTEREST & FOREIGN EXCHANGE RATES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_5ad2cgdiu1d4"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.5) / FreeBSD-6.2
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (iismx.iis.sinica.edu.tw [192.168.0.49]); Thu, 16 Sep 2010 23:34:52 +0800 (CST)
X-Scanned-By: MIMEDefang 2.67 on 192.168.0.49

Message Received from 
204.45.63.6
Hostname:    mail.confinewags.com
ISP:    FDCservers.net
Organization:    FDCservers.net
Type:    Corporate
Assignment:    Static IP
Country:    United States 
State/Region:    California
City:    Newark

 via
 140.109.20.49

 General IP Information
Hostname:    iismx.iis.sinica.edu.tw
ISP:    Academia Sinica
Organization:    Academia Sinica
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan
State/Region:    T'ai-pei






 
File name:
http://www.virustotal.com/file-scan/report.html?id=daac83fc4af5c53068c4e5a29dadfdc5200e3b3fc2b491eebe0a4bc19ec9e3f2-1285731514
CVE-2010-2883_PDF_2010-09-INTEREST_&_FOREIGN_EXCHANGE_RATES.pdf=
22/ 43 (51.2%)
Avast    4.8.1351.0    2010.09.28    PDF:CVE-2010-2883
Avast5    5.0.594.0    2010.09.28    PDF:CVE-2010-2883
AVG    9.0.0.851    2010.09.28    Exploit_c.KAH
BitDefender    7.2    2010.09.29    Exploit.PDF-TTF.Gen
Emsisoft    5.0.0.50    2010.09.29    Exploit.Win32.CVE-2010-2883!IK
eTrust-Vet    36.1.7881    2010.09.28    PDF/CVE-2010-2883.A!exploit
F-Secure    9.0.15370.0    2010.09.29    Exploit.PDF-TTF.Gen
Fortinet    4.1.143.0    2010.09.28    PDF/CoolType!exploit.CVE20102883
GData    21    2010.09.29    Exploit.PDF-TTF.Gen
Ikarus    T3.1.1.90.0    2010.09.29    Exploit.Win32.CVE-2010-2883
Kaspersky    7.0.0.125    2010.09.29    Exploit.Win32.CVE-2010-2883.a
McAfee-GW-Edition    2010.1C    2010.09.28    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.6201    2010.09.28    Exploit:Win32/Pdfjsc.HX
NOD32    5487    2010.09.28    PDF/Exploit.Gen
Norman    6.06.06    2010.09.28    PDF/Suspicious.D
nProtect    2010-09-28.01    2010.09.28    Exploit.PDF-Name.Gen
Panda    10.0.2.7    2010.09.28    Exploit/PDF.Exploit
PCTools    7.0.3.5    2010.09.28    HeurEngine.MaliciousExploit
Sophos    4.58.0    2010.09.29    Troj/PDFEx-DW
Symantec    20101.1.1.7    2010.09.29    Bloodhound.Exploit.357
TrendMicro-HouseCall    9.120.0.1004    2010.09.29    -
VBA32    3.12.14.1    2010.09.27    Exploit.Win32.CVE-2010-2883.a
ViRobot    2010.8.31.4017    2010.09.28    Backdoor.Win32.S.Agent.289515

MD5   : 4ef704239fa63d1c1dfcf2ea2da0d711

The file code appears to be borrowed from Metasploit


Created files
#1

%tmp%\setup.exe
http://anubis.iseclab.org/?action=result&task_id=14495366b24a64d242d1946aa1e3a88be&format=html
File: setup.exe
MD5:  95d42d365489a6e5ebdf62565c5c8aa2
Size: 139264
File name: setup.exe
http://www.virustotal.com/file-scan/report.html?id=ecefcd2f2b862e987ea4b6b7d475c924d9662ad955096872a2c5b822901c63b3-1285735301
Submission date: 2010-09-29 04:41:41 (UTC)
Result: 19/ 43 (44.2%)
AhnLab-V3 2010.09.29.00 2010.09.28 Trojan/Win32.Gen
AVG 9.0.0.851 2010.09.28 unknown virus Win32/DH.BA
BitDefender 7.2 2010.09.29 Trojan.Generic.4780118
DrWeb 5.0.2.03300 2010.09.28 Trojan.Inject.10568
Emsisoft 5.0.0.50 2010.09.29 Trojan.Win32.Agent.fext!A2
F-Secure 9.0.15370.0 2010.09.29 Trojan.Generic.4780118
GData 21 2010.09.29 Trojan.Generic.4780118
Kaspersky 7.0.0.125 2010.09.29 Trojan.Win32.Agent.fext
McAfee 5.400.0.1158 2010.09.29 Artemis!95D42D365489
McAfee-GW-Edition 2010.1C 2010.09.28 Artemis!95D42D365489
Norman 6.06.06 2010.09.28 W32/Malware
nProtect 2010-09-28.01 2010.09.29 Trojan/W32.Agent.139264.RP
Panda 10.0.2.7 2010.09.28 Trj/CI.A
PCTools 7.0.3.5 2010.09.28 Trojan.Gen
Sophos 4.58.0 2010.09.29 Mal/Ovoxual-A
Sunbelt 6943 2010.09.29 Trojan.Win32.Generic!BT
Symantec 20101.1.1.7 2010.09.29 Trojan.Gen
TrendMicro 9.120.0.1004 2010.09.29 TROJ_GEN.R47C3IR
TrendMicro-HouseCall 9.120.0.1004 2010.09.29 TROJ_GEN.R47C3IR
MD5   : 95d42d365489a6e5ebdf62565c5c8aa2

Mal/Ovoxual-A
Mal/Ovoxual-A is a malicious executable file.
Mal/Ovoxual-A often drops the following files:
\FAVORITES.DAT (clean data file)
\msupdater.exe (usually detected as Mal/Ovoxual-B).
Mal/Ovoxual-A may also then set the following registry entry to run msupdater.exe automatically:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe "\msupdater.exe"

#2


%userprofile%\Local Settings\Application Data\msupdater.exe
http://anubis.iseclab.org/?action=result&task_id=1e84f89b1e5b8fe04ad889cf45d8dbb88
File: msupdater.exe
MD5:  374075ce8b6e8f0cd1f90009fd5a703b
Size: 49152
 File name: msupdater.exe
Submission date: 2010-09-29 04:58:03 (UTC)
http://www.virustotal.com/file-scan/report.html?id=043935374ce39637a4816d0a484d30bed1d3054bbe89625fbc22f83ef4cb3e04-1285736283
Result: 25/ 43 (58.1%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2010.09.29.00 2010.09.28 Trojan/Win32.Agent
AntiVir 7.10.12.61 2010.09.28 TR/Agent.fext
Antiy-AVL 2.0.3.7 2010.09.29 Trojan/Win32.Agent.gen
Avast 4.8.1351.0 2010.09.28 Win32:Malware-gen
Avast5 5.0.594.0 2010.09.28 Win32:Malware-gen
AVG 9.0.0.851 2010.09.28 Agent2.AXTO
BitDefender 7.2 2010.09.29 Trojan.Generic.4762825
DrWeb 5.0.2.03300 2010.09.28 Trojan.Starter.1222
Emsisoft 5.0.0.50 2010.09.29 Trojan.Agent2!IK
F-Secure 9.0.15370.0 2010.09.29 Trojan.Generic.4762825
GData 21 2010.09.29 Trojan.Generic.4762825
Ikarus T3.1.1.90.0 2010.09.29 Trojan.Agent2
Kaspersky 7.0.0.125 2010.09.29 Trojan.Win32.Agent.fext
McAfee 5.400.0.1158 2010.09.29 Generic.dx!two
McAfee-GW-Edition 2010.1C 2010.09.28 Generic.dx!two
Norman 6.06.06 2010.09.28 W32/Backdoor!gens.19256608
nProtect 2010-09-28.01 2010.09.29 Trojan/W32.Agent.49152.AMN
Panda 10.0.2.7 2010.09.28 Trj/CI.A
PCTools 7.0.3.5 2010.09.28 Trojan.Gen
Sophos 4.58.0 2010.09.29 Mal/Ovoxual-B
Sunbelt 6943 2010.09.29 Trojan.Win32.Generic!BT
SUPERAntiSpyware 4.40.0.1006 2010.09.29 -
Symantec 20101.1.1.7 2010.09.29 Trojan.Gen
TrendMicro 9.120.0.1004 2010.09.29 TROJ_GEN.R47C4IM
TrendMicro-HouseCall 9.120.0.1004 2010.09.29 TROJ_GEN.R47C4IM
MD5   : 374075ce8b6e8f0cd1f90009fd5a703b



same location as the pdf
File: iso88591
MD5:  18b0a39b7f9329e12d2b5893d4177053
Size: 65536



TCP connections to 140.112.19.195
140.112.19.195:80
Hostname:    ipserver.ee.ntu.edu.tw
ISP:    National Taiwan University
Organization:    National Taiwan University
Assignment:    Static IP
Country:    Taiwan tw flag
State/Region:  
City:    Taipei


 National Taiwan University are aware of the problem on 140.112.19.195



Payload analysis kindly offered by Shpata Skenderbeut
msupdate.exe / favorites.dat Analysis

No comments:

Post a Comment