Thursday, October 28, 2010

CVE-2010-3654 Adobe Flash player zero day vulnerability

Update 7. Nov 5, 2010
Security update available for Adobe Flash Player




Update 6. Nov 4, 2010
If you need a sample for developing protection for your customers/users or testing security products, email me.
Please note that the malicious PDF itself will NOT be publicly released on Contagio until Adobe issues a security update / patch for Flash player (expected November 9, later November 5, 2010).

 
Update 5. Nov 4, 2010
The IP of news.mysundayparty.com is changing.
Original was 65.202.221.207, then it changed to 63.232.79.43; today it is 65.202.221.207 again.

news.mysundayparty.com. A       65.202.221.207
first seen      2010-10-28 23:58:14 -0000
last seen       2010-10-29 06:37:15 -0000

news.mysundayparty.com. A       63.232.79.43
first seen      2010-10-29 19:47:29 -0000
last seen       2010-10-30 13:10:27 -0000

Update 4. Oct 28, 2010 11:40 pm

Please scroll down to see information about the PDF file, dropped/created files and associated traffic  

Update 3. Oct 28, 2010 10:07 pm

A very good analysis has been published by Villy: New Adobe 0day (bug in flash player), http://bugix-security.blogspot.com

Update 2. Oct 28, 2010 10:50am

Adobe issued a bulletin, CVE-2010-3654 Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat:
A Security Advisory (APSA10-05) has been posted in regards to a new Flash Player, Adobe Reader and Acrobat issue (CVE-2010-3654). A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.

Update 1. Oct 28, 2010 6:10 am

Tom Ferris has confirmed it as well:
tferris: Based on the PoC that @snowfl0w sent me, a Flashplayer 0day seems to be making its rounds. Adobe PSIRT has been notified.


Heh, there is already a small article about this finding in the news this morning: Unpatched Critical Flash Player Vulnerability Possibly Exploited in the Wild, by Lucian Constantin at http://news.softpedia.com/

Adobe was notified. The bug has not been confirmed by Adobe yet. Once we get a confirmation or correction, we will post it as well.

Original Message


From: jobs@usajobs.gov [mailto:benderdj@yahoo.com]

Sent: Tuesday, October 26, 2010 8:02 AM
To: xxxxxxxxxxxx

Subject: News Release : OPM Announces iPhone and iPad Application for USAJobs.gov

Washington, DC -  The U.S. Office of Personnel Management (OPM) officially unveiled a USAJOBS® application for both the iPhone® and iPad®. The free app allows for greater mobile access to finding Federal job opportunities. Since debuting late last week, the app received more than 50,000 downloads. OPM sees its application as a first step in making USAJOBS more accessible to the American public, and OPM is currently working on rolling out apps for additional mobile platforms. See the attached for more details.

Message Headers

Received: (qmail 16647 invoked from network); 26 Oct 2010 12:01:34 -0000
Received: from nm11-vm0.bullet.mail.ac4.yahoo.com (HELO nm11-vm0.bullet.mail.ac4.yahoo.com) (98.139.53.196)
  by xxxxxxxxxxxxxxxxxx; 26 Oct 2010 12:01:34 -0000
Received: from [98.139.52.193] by nm11.bullet.mail.ac4.yahoo.com with NNFMP; 26 Oct 2010 12:01:33 -0000
Received: from [98.139.52.138] by tm6.bullet.mail.ac4.yahoo.com with NNFMP; 26 Oct 2010 12:01:33 -0000
Received: from [127.0.0.1] by omp1021.mail.ac4.yahoo.com with NNFMP; 26 Oct 2010 12:01:33 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 404089.4644.bm@omp1021.mail.ac4.yahoo.com
Received: (qmail 79842 invoked by uid 60001); 26 Oct 2010 12:01:33 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1288094493; bh=
TAnmECKkGi3wwWZa3zaGJhgE0BQp7qvxIa1IiV7s+G8=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=cM9BdKBbzqthxsR1YOjnClOyfTJzm0BCIIyhXSCYzYeDVijtIPXqPPjpYSbKVDTvj9Pblq2n28/Mpj9AOGNnawBO1KmweW8ObTfiJUTK/6YdXtxyPnb81oz+/KCd+zaKUdgG9X5TCMbhe2grHBCxg3gJguRlSZ7Yhgkm+eqr40A=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=CbD7Wke74q+VNbKg34FKvvt6v1bweKiEsVVAn2MLRam1iaAjmupyaPIQsK7+Aw2dFG1H4rWLfP8RO5McZt+dVfmPI8I3dSTvkMhN0/HAOZVcanf4Q+rN3vMUMWzZLW+QDmVcijplLa30f/9EpAaXORrVt3rocyOcR6V71D4VKys=;
Message-ID: <107808.79368.qm@web51507.mail.re2.yahoo.com>
X-YMail-OSG: dnA5x0kVM1msWXfj1lmvzMrzvlxxi.SfKkvffD3NOmfpVE5
 G3m4jy8PjG9cLVrWcDmBlXQKGIOPj_4.uCXxkwnmbUawq8QSQoxTV76HmNkS
 d6ijm8nWsarOol_0mx0CYtY2ou.VQLmHaAkB5YwqqIZSpau2iRwV_nyZWIA5
 HNMUcAe0iC76fk7WyWWgHCwW7YLEFaQaYtdGUDrN9SLczQuqTb6TBMFTTr90
 pjvinI0TkXxUWIpWvSzCIZs.NJbwHu.EzaZ3k4KksLdOOAPHjZMlc5N0Fiz4
 YxBcr8shED34fCLGjWFNAgv5DHXssr1Oi2I2.0fy05p6egnvbjLljhFbOIEr
 UF_RJua3LbW65gD0E_JB2COSAnPA-
Received: from [173.245.79.35] by web51507.mail.re2.yahoo.com via HTTP; Tue, 26 Oct 2010 05:01:33 PDT
X-Mailer: YahooMailClassic/11.4.9 YahooMailWebService/0.8.107.284920
Date: Tue, 26 Oct 2010 05:01:33 -0700
From: "jobs@usajobs.gov" <benderdj@yahoo.com>
Subject: News Release : OPM Announces iPhone and iPad Application for USAJobs.gov
To: XXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1552159246-1288094493=:79368"


Sender

IP:    173.245.79.35
Hostname:    173.245.79.35
ISP:    EGIHosting
Organization:    EGIHosting
Proxy:    Suspected network sharing device.
Type:    Corporate
Assignment:    Static IP
Geolocation Information
Country:    United States
State/Region:    California
City:    Milpitas 
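Header triage for the message above, as an added example that is not part of the original post. It parses the Received chain oldest-first, picks the earliest hop carrying a non-loopback address (for webmail the "via HTTP" hop is the browser client, which is how 173.245.79.35 ends up under Sender), and flags a From: whose display name is itself an e-mail address on a different domain than the real sender. The header text is an abridged copy of the dump above (DKIM and X-YMail-OSG lines dropped); the function names are mine.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Abridged copy of the header dump above; DKIM/X-YMail-OSG lines dropped, body omitted,
# the author's recipient masking kept. Received lines keep their order (newest hop first).
RAW_HEADERS = """\
Received: (qmail 16647 invoked from network); 26 Oct 2010 12:01:34 -0000
Received: from nm11-vm0.bullet.mail.ac4.yahoo.com (HELO nm11-vm0.bullet.mail.ac4.yahoo.com) (98.139.53.196)
  by xxxxxxxxxxxxxxxxxx; 26 Oct 2010 12:01:34 -0000
Received: from [98.139.52.193] by nm11.bullet.mail.ac4.yahoo.com with NNFMP; 26 Oct 2010 12:01:33 -0000
Received: from [98.139.52.138] by tm6.bullet.mail.ac4.yahoo.com with NNFMP; 26 Oct 2010 12:01:33 -0000
Received: from [127.0.0.1] by omp1021.mail.ac4.yahoo.com with NNFMP; 26 Oct 2010 12:01:33 -0000
Received: (qmail 79842 invoked by uid 60001); 26 Oct 2010 12:01:33 -0000
Received: from [173.245.79.35] by web51507.mail.re2.yahoo.com via HTTP; Tue, 26 Oct 2010 05:01:33 PDT
X-Mailer: YahooMailClassic/11.4.9 YahooMailWebService/0.8.107.284920
Date: Tue, 26 Oct 2010 05:01:33 -0700
From: "jobs@usajobs.gov" <benderdj@yahoo.com>
Subject: News Release : OPM Announces iPhone and iPad Application for USAJobs.gov
To: XXXXXXXXXXXXX

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
ADDRESS_SHAPED = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def parse_message(raw):
    return message_from_string(raw)


def received_hops(msg):
    """Received hops oldest-first, each as {'from', 'ip', 'by', 'via_http', 'raw'}."""
    hops = []
    for raw in msg.get_all("Received", []):
        line = " ".join(raw.split())            # unfold continuation lines
        head = line.split(";", 1)[0]            # drop the timestamp clause
        if head.startswith("("):                # qmail local-injection note, not a network hop
            hops.append({"from": None, "ip": None, "by": None, "via_http": False, "raw": line})
            continue
        from_side = head.split(" by ", 1)[0]    # an IP literal here belongs to the sending side
        m_from = re.search(r"\bfrom\s+(\S+)", head)
        m_by = re.search(r"\bby\s+(\S+)", head)
        m_ip = IPV4.search(from_side)
        hops.append({
            "from": m_from.group(1).strip("[]()") if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1).strip("[]()") if m_by else None,
            "via_http": "via HTTP" in head,
            "raw": line,
        })
    hops.reverse()                               # headers are prepended, so reversed == chronological
    return hops


def originating_ip(hops):
    """Earliest hop carrying a non-loopback IP. For webmail the 'via HTTP' hop is the
    browser client's address, i.e. the sender's network, not a mail server."""
    for hop in hops:
        ip = hop["ip"]
        if ip and not ip.startswith("127."):
            return ip, hop["via_http"]
    return None, False


def display_name_mismatch(msg):
    """Flag a From: whose display name is itself an address on another domain."""
    shown, actual = parseaddr(msg.get("From", ""))
    m = ADDRESS_SHAPED.match(shown.strip())
    if not m:
        return None
    shown_domain, actual_domain = m.group(1).lower(), actual.rpartition("@")[2].lower()
    if shown_domain == actual_domain:
        return None
    return {"shown": shown, "actual": actual,
            "shown_domain": shown_domain, "actual_domain": actual_domain}


def triage(raw):
    msg = parse_message(raw)
    hops = received_hops(msg)
    ip, via_http = originating_ip(hops)
    return {"origin_ip": ip, "origin_is_webmail_client": via_http,
            "hops": len(hops), "from_spoof": display_name_mismatch(msg),
            "mailer": msg.get("X-Mailer")}


if __name__ == "__main__":
    for key, value in triage(RAW_HEADERS).items():
        print(f"{key}: {value}")
```

The display-name check is the part worth keeping in a mail gateway rule: a phrase that looks like an address on a trusted domain while the envelope address sits on a free webmail provider is exactly the shape of this message.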

Automated Scans

File name: CVE-2010-3654_pdf_2010-10-26_News Release.pdf
Submission date: 2010-10-29 02:11:21 (UTC)
http://www.virustotal.com/file-scan/report.html?id=ed3503c107826bc256208a49f59a4faf2e226c94000853bef00f15fef02f73dc-1288318281
Result: 14/ 42 (33.3%)
Antivirus    Version    Last Update    Result
Avast    4.8.1351.0    2010.10.29    JS:Pdfka-gen
Avast5    5.0.594.0    2010.10.29    JS:Pdfka-gen
AVG    9.0.0.851    2010.10.28    Exploit_c.NLK
BitDefender    7.2    2010.10.29    Exploit.PDF-JS.Gen
Emsisoft    5.0.0.50    2010.10.29    Virus.JS.Pdfka!IK
F-Prot    4.6.2.117    2010.10.28    W32/Heuristic-XEN!Eldorado
F-Secure    9.0.16160.0    2010.10.29    Exploit:W32/Pidief.CSR
GData    21    2010.10.29    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.90.0    2010.10.29    Virus.JS.Pdfka
McAfee-GW-Edition    2010.1C    2010.10.28    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.6301    2010.10.28    Exploit:Win32/Pdfjsc.gen!A
nProtect    2010-10-28.01    2010.10.28    Exploit.PDF-JS.Gen
Panda    10.0.2.7    2010.10.29    Exploit/PDF.Flash.A
Symantec    20101.2.0.161    2010.10.29    Trojan.Pidief
MD5   : 411406d5ace2201e5dd73ce8e696b03b




Analysis

Files Created

%TEMP%
File: ~temp.bat
Size: 132
MD5:  8B7A45A9494D047896DFFB813D7DEB35

 ping 127.0.0.1 -n 3 & taskkill /im Acrobat.exe /f & taskkill /im AcroRd32.exe /f & "C:\DOCUME~1\Mila\LOCALS~1\Temp\News Release.pdf"
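A detection for the behaviour ~temp.bat shows (a shell spawned by the PDF reader that kills the reader and re-opens a PDF from the Temp directory), as an added example that is not part of the original analysis. The events are constructed Sysmon-style process-creation records modelled on the batch file above: the pids, the explorer.exe launches and the benign cmd /c dir are invented, the Temp paths are the ones the batch file uses. Because each piece of the batch file runs as its own process, it correlates a cmd.exe child of AcroRd32.exe/Acrobat.exe with that shell's own taskkill and reader-relaunch children rather than matching one command line.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (what Sysmon event 1 or an EDR would give you)."""
    pid: int
    ppid: int
    image: str
    command_line: str


READER_IMAGES = {"acrord32.exe", "acrobat.exe"}
PING_SLEEP = re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+", re.I)          # loopback ping used as a delay
TASKKILL_READER = re.compile(r"\btaskkill\b.*?/im\s+(acrord32\.exe|acrobat\.exe)", re.I)
TEMP_PDF = re.compile(r"\\(?:temp|tmp)\\[^\"]*\.pdf\"?\s*$", re.I)          # a PDF under a Temp directory

# Constructed events modelled on ~temp.bat above (pids and the explorer.exe launches invented).
EVENTS = [
    ProcEvent(900, 1, r"C:\WINDOWS\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 900, r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              r'"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\DOCUME~1\Mila\Desktop\News Release.pdf"'),
    ProcEvent(1200, 1100, r"C:\WINDOWS\system32\cmd.exe", r'cmd /c "C:\DOCUME~1\Mila\LOCALS~1\Temp\~temp.bat"'),
    ProcEvent(1201, 1200, r"C:\WINDOWS\system32\ping.exe", "ping 127.0.0.1 -n 3"),
    ProcEvent(1202, 1200, r"C:\WINDOWS\system32\taskkill.exe", "taskkill /im Acrobat.exe /f"),
    ProcEvent(1203, 1200, r"C:\WINDOWS\system32\taskkill.exe", "taskkill /im AcroRd32.exe /f"),
    ProcEvent(1300, 1200, r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              r'"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\DOCUME~1\Mila\LOCALS~1\Temp\News Release.pdf"'),
    # Benign look-alikes: a PDF opened straight from Temp (typical for attachments) and a plain
    # shell started from explorer. Neither has the reader -> cmd -> kill + relaunch shape.
    ProcEvent(2000, 900, r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              r'"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\DOCUME~1\Mila\LOCALS~1\Temp\invoice.pdf"'),
    ProcEvent(2100, 900, r"C:\WINDOWS\system32\cmd.exe", "cmd /c dir"),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_decoy_relaunch(events):
    """Alert on a cmd.exe whose parent is a PDF reader and whose children both kill the
    reader and start it again on a PDF under Temp; ping-as-sleep is reported but not required."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    alerts = []
    for shell in events:
        if basename(shell.image) != "cmd.exe":
            continue
        parent = by_pid.get(shell.ppid)
        if parent is None or basename(parent.image) not in READER_IMAGES:
            continue
        killed, relaunched, slept = [], [], False
        for child in children[shell.pid]:
            name = basename(child.image)
            kill = TASKKILL_READER.search(child.command_line)
            if name == "taskkill.exe" and kill:
                killed.append(kill.group(1).lower())
            elif name == "ping.exe" and PING_SLEEP.search(child.command_line):
                slept = True
            elif name in READER_IMAGES and TEMP_PDF.search(child.command_line):
                relaunched.append(child.command_line)
        if killed and relaunched:
            alerts.append({
                "shell_pid": shell.pid,
                "script": shell.command_line,
                "parent": basename(parent.image),
                "killed": sorted(set(killed)),
                "decoy": relaunched[0],
                "ping_sleep": slept,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_decoy_relaunch(EVENTS):
        print(alert)
```

The reader-spawns-cmd.exe edge alone is already rare enough to log; requiring the kill and the relaunch as well is what keeps attachments opened from Temp by normal users out of the alert queue.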
----------------------------------------------------------------------------------- 
File: News Release.pdf
Size: 16527
MD5:  B0ABDF5E37ED82A334D7422CDD68DE4F
-----------------------------------------------------------------------------------
File: nsunday.dll
Size: 27649
MD5:  31E0D52EDCF2BBE8A05849D357A03302
File name: nsunday.dll
http://www.virustotal.com/file-scan/report.html?id=8b088f16c39972e7a5f57d9ca13d78c186e4ecd7b17bbefc868107399fba1f74-1288321831
Submission date: 2010-10-29 03:10:31 (UTC)
Result: 23/ 42 (54.8%)
Antivirus    Version    Last Update    Result
AhnLab-V3    2010.10.29.00    2010.10.28    Win-Trojan/Wisp.27649
AntiVir    7.10.13.67    2010.10.28    HEUR/Malware
Avast    4.8.1351.0    2010.10.29    Win32:Malware-gen
Avast5    5.0.594.0    2010.10.29    Win32:Malware-gen
AVG    9.0.0.851    2010.10.28    Generic19.BYBD
BitDefender    7.2    2010.10.29    Backdoor.Generic.497009
Comodo    6546    2010.10.29    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.10.29    BackDoor.Terapy.1
F-Secure    9.0.16160.0    2010.10.29    Backdoor.Generic.497009
GData    21    2010.10.29    Backdoor.Generic.497009
Ikarus    T3.1.1.90.0    2010.10.29    Trojan.Win32.Wisp
McAfee    5.400.0.1158    2010.10.29    Generic.dx!ule
McAfee-GW-Edition    2010.1C    2010.10.28    Generic.dx!ule
Microsoft    1.6301    2010.10.28    Trojan:Win32/Wisp.gen!A
NOD32    5573    2010.10.29    a variant of Win32/Wisp.B
nProtect    2010-10-28.01    2010.10.28    Backdoor.Generic.497009
Panda    10.0.2.7    2010.10.29    Suspicious file
PCTools    7.0.3.5    2010.10.29    Backdoor.Trojan
Prevx    3.0    2010.10.29    Medium Risk Malware
Sophos    4.59.0    2010.10.29    Troj/Wisp-A
Sunbelt    7161    2010.10.29    Trojan.Win32.Generic!BT
SUPERAntiSpyware    4.40.0.1006    2010.10.29    -
Symantec    20101.2.0.161    2010.10.29    Backdoor.Trojan
VBA32    3.12.14.1    2010.10.28    BackDoor.Terapy.1
MD5   : 31e0d52edcf2bbe8a05849d357a03302

--------------------------------------------------------------------------------------------
File: nsunday.exe
Size: 153600
MD5:  20F8B25A9A57B07895E112DAECB1C4CC

File name: nsunday.exe
http://www.virustotal.com/file-scan/report.html?id=beec0289bcd9625a6498b4cc93ed691148b17e6a13460b7af3825f6e5dd74d2a-1288322070
Submission date: 2010-10-29 03:14:30 (UTC)
Result: 24/ 41 (58.5%)
Antivirus    Version    Last Update    Result
AhnLab-V3    2010.10.29.00    2010.10.28    Win-Trojan/Wisp.153600
AntiVir    7.10.13.67    2010.10.28    TR/Dropper.Gen
Antiy-AVL    2.0.3.7    2010.10.29    Trojan/Win32.heuristic
Avast    4.8.1351.0    2010.10.29    Win32:Malware-gen
Avast5    5.0.594.0    2010.10.29    Win32:Malware-gen
AVG    9.0.0.851    2010.10.28    Dropper.Generic2.BNQT
BitDefender    7.2    2010.10.29    Gen:Trojan.Heur.RP.jqZ@aeVV!!ab
Comodo    6546    2010.10.29    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.10.29    Trojan.MulDrop1.46814
eSafe    7.0.17.0    2010.10.28    Win32.TRDropper
F-Secure    9.0.16160.0    2010.10.29    Gen:Trojan.Heur.RP.jqZ@aeVV!!ab
GData    21    2010.10.29    Gen:Trojan.Heur.RP.jqZ@aeVV!!ab
Jiangmin    13.0.900    2010.10.28    Trojan/Scar.cyn
McAfee    5.400.0.1158    2010.10.29    Generic.dx!ule
McAfee-GW-Edition    2010.1C    2010.10.28    Heuristic.BehavesLike.Win32.PasswordStealer.H
Microsoft    1.6301    2010.10.28    Trojan:Win32/Wisp.gen!A
NOD32    5573    2010.10.29    probably a variant of Win32/Wisp.A
Panda    10.0.2.7    2010.10.29    Suspicious file
PCTools    7.0.3.5    2010.10.29    Backdoor.Trojan
Prevx    3.0    2010.10.29    Medium Risk Malware Dropper
Sophos    4.59.0    2010.10.29    Mal/Dropper-P
Sunbelt    7161    2010.10.29    BehavesLike.Win32.Malware.tsc (mx-v)
Symantec    20101.2.0.161    2010.10.29    Backdoor.Trojan
VBA32    3.12.14.1    2010.10.28    Trojan.Win32.Inject.2
MD5   : 20f8b25a9a57b07895e112daecb1c4cc

File: nsunday.exe
MD5:  20f8b25a9a57b07895e112daecb1c4cc
Size: 153600
Ascii Strings:
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
19990817
%s,%s,%d
Proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings
firefox
%s,%d
-nsunday
&hostname=
https://news.mysundayparty.com/asp/kys_allow_get.asp?name=getkys.kys
PID:%5d    PATH:%s
outlook
iexplore
firefox.exe
outlook.exe
iexplore.exe
/asp/kys_allow_put.asp?type=
%s,get:%s,%d
get:%s,%d
https://news.mysundayparty.com/asp/kys_allow_get.asp?name=
The process has been unsuccessfully killed!
The process has been successfully killed!
cmd /c "echo
cmd /c "
kill
SeShutdownPrivilege
reboot false!
waiting......
reboot
process
network.proxy.http
network.proxy.http_port
NULL
prefs.js
\Mozilla\Firefox\Profiles
%s\%s
-----------------------------------------------------------------------------------

Local Settings\temp
File: ~.exe  (same as File: nsunday.exe above)
Size: 153600
MD5:  20F8B25A9A57B07895E112DAECB1C4CC
-----------------------------------------------------------------------------------
File: dllfile.dll
Size: 27648
MD5:  15F200F08B19F26E36E7E851D7F68674

File name: dllfile.dll
http://www.virustotal.com/file-scan/report.html?id=a145a61159a4e08702fdb1c8920a78f45303297484bd3f33c83301ea9ac59df5-1288316892
Submission date: 2010-10-29 01:48:12 (UTC)
Result: 18/ 43 (41.9%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2010.10.29.00     2010.10.28     Win-Trojan/Wisp.27649
AntiVir     7.10.13.67     2010.10.28     HEUR/Malware
Avast     4.8.1351.0     2010.10.29     Win32:Malware-gen
Avast5     5.0.594.0     2010.10.29     Win32:Malware-gen
AVG     9.0.0.851     2010.10.28     Generic19.BYBD
BitDefender     7.2     2010.10.29     Backdoor.Generic.496992
DrWeb     5.0.2.03300     2010.10.29     BackDoor.Terapy.1
F-Secure     9.0.16160.0     2010.10.29     Backdoor.Generic.496992
GData     21     2010.10.29     Backdoor.Generic.496992
Microsoft     1.6301     2010.10.28     Trojan:Win32/Wisp.gen!A
NOD32     5573     2010.10.29     a variant of Win32/Wisp.B
nProtect     2010-10-28.01     2010.10.28     Backdoor.Generic.496992
Panda     10.0.2.7     2010.10.29     Suspicious file
PCTools     7.0.3.5     2010.10.29     Downloader.Generic
Prevx     3.0     2010.10.29     Medium Risk Malware
Sunbelt     7161     2010.10.29     Trojan.Win32.Generic!BT
Symantec     20101.2.0.161     2010.10.29     Downloader
VBA32     3.12.14.1     2010.10.28     BackDoor.Terapy.1
MD5   : 15f200f08b19f26e36e7e851d7f68674


File: dllfile.dll
MD5:  15f200f08b19f26e36e7e851d7f68674
Size: 27648
Ascii Strings: (partial)

ServerDll.dll
read buffer error
cannot open the message file
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
news.mysundayparty.com
pdnsunday.tmp
gdnsunday.tmp
pnsunday.tmp
gnsunday.tmp
POST
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
19990817
%s,%s,%d
Proxyserver
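An indicator extractor for the two strings dumps (nsunday.exe above and dllfile.dll just listed), as an added example that is not the post's own tooling. It buckets raw strings output into URLs, hosts, URL paths, registry keys, Windows paths, Firefox preference names, file names and the colon-terminated command verbs (putfile, getfile, time, door, cmd), so that the news.mysundayparty.com host and the /asp/kys_allow_get.asp and /asp/kys_allow_put.asp paths come out as a structured list ready for a proxy or IDS rule. The input is an abridged copy of the dumps; the allowlist containing www.yahoo.com is an assumption for illustration only, not a statement about what that string is used for.

```python
import re
from urllib.parse import urlsplit

# Abridged copies of the two strings dumps above (constructed input for this example).
NSUNDAY_EXE_STRINGS = r"""
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
%s,%s,%d
Proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings
firefox
-nsunday
&hostname=
https://news.mysundayparty.com/asp/kys_allow_get.asp?name=getkys.kys
firefox.exe
outlook.exe
iexplore.exe
/asp/kys_allow_put.asp?type=
https://news.mysundayparty.com/asp/kys_allow_get.asp?name=
SeShutdownPrivilege
network.proxy.http
network.proxy.http_port
prefs.js
\Mozilla\Firefox\Profiles
""".splitlines()

DLLFILE_DLL_STRINGS = r"""
ServerDll.dll
read buffer error
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
news.mysundayparty.com
pdnsunday.tmp
gdnsunday.tmp
POST
HTTP/1.0
putfile:
getfile:
time:
door:
cmd:
""".splitlines()

URL_RE = re.compile(r"^https?://\S+$", re.I)
URL_PATH_RE = re.compile(r"^/[\w./-]+(?:\?\S*)?$")
UA_RE = re.compile(r"^Mozilla/\d")
REGISTRY_RE = re.compile(r"^(?:HK(?:LM|CU|CR|U)\\|Software\\|SYSTEM\\)", re.I)
WIN_PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[\w~ .-]+(?:\\[\w~ .-]+)*$")
FIREFOX_PREF_RE = re.compile(r"^(?:network|browser|security|general)\.[\w.]+$")
FILE_RE = re.compile(r"^[\w~-]+\.(?:exe|dll|tmp|js|bat|sys|dat)$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
VERB_RE = re.compile(r"^[a-z]+:$")

CATEGORIES = ("urls", "hosts", "paths", "user_agents", "registry", "win_paths",
              "firefox_prefs", "files", "verbs", "other")


def classify_strings(lines):
    """Bucket strings-output lines into indicator categories. The order of the tests
    matters: file names and Firefox pref names would otherwise pass the domain regex."""
    out = {k: set() for k in CATEGORIES}
    for s in (line.strip() for line in lines):
        if not s:
            continue
        if URL_RE.match(s):
            u = urlsplit(s)
            out["urls"].add(s)
            out["hosts"].add(u.hostname)
            out["paths"].add(u.path or "/")
        elif URL_PATH_RE.match(s):
            out["paths"].add(urlsplit(s).path)
        elif UA_RE.match(s):
            out["user_agents"].add(s)
        elif REGISTRY_RE.match(s):
            out["registry"].add(s)
        elif WIN_PATH_RE.match(s):
            out["win_paths"].add(s)
        elif FIREFOX_PREF_RE.match(s):
            out["firefox_prefs"].add(s)
        elif FILE_RE.match(s):
            out["files"].add(s)
        elif DOMAIN_RE.match(s):
            out["hosts"].add(s.lower())
        elif VERB_RE.match(s):
            out["verbs"].add(s[:-1])
        else:
            out["other"].add(s)
    return out


def suspicious_hosts(result, allowlist):
    """Hosts not on an allowlist of names the analyst already considers benign."""
    return sorted(h for h in result["hosts"] if h not in allowlist)


if __name__ == "__main__":
    report = classify_strings(NSUNDAY_EXE_STRINGS + DLLFILE_DLL_STRINGS)
    for category in CATEGORIES:
        if report[category] and category != "other":
            print(f"{category}: {sorted(report[category])}")
    print("suspicious hosts:", suspicious_hosts(report, {"www.yahoo.com"}))
```

The hard-coded user agent and the two .asp paths are the most durable network signatures here; the host is already known to change IP (see the passive DNS notes), so a rule keyed on the HTTP request line survives longer than one keyed on the address.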

Network activity

Download pcap file for 65.202.221.207.pcap

65.202.221.207
Hostname:    65.202.221.207
ISP:    Verizon Business
Organization:    J R F AMERICA
Type:    Corporate
Assignment:    Static IP
Country:    United States
State/Region:    Pennsylvania
City:    Norristown

http://www.jrfamerica.com/  



Record   Name                         Age            IP               Country         Reverse   Route              AS
a        news.mysundayparty.com       14 hours old   65.202.221.207   United States   (none)    65.192.0.0/11      AS701 UUNET Alternet
a        mysundayparty.com            14 hours old   68.178.232.100   United States   (none)    68.178.232.0/22    AS26496 PAH-INC Go Daddy Software, Inc.
ns-soa   ns09.domaincontrol.com       7 hours old    216.69.185.5     United States             216.69.185.0/24
ns       ns09.domaincontrol.com       7 hours old    216.69.185.5     United States
ns       ns10.domaincontrol.com       23 hours old   208.109.255.5    United States             208.109.255.0/24   (only in delegation)
mx 10    mailstore1.secureserver.net  1 hour old                                      (none)    ?
mx 0     smtp.secureserver.net        1 hour old


Domain Name:    MYSUNDAYPARTY.COM
Registrar:    GODADDY.COM, INC.
Whois Server:    whois.godaddy.com
Referral URL:    http://registrar.godaddy.com
Name Server:    NS09.DOMAINCONTROL.COM
Name Server:    NS10.DOMAINCONTROL.COM
Status:    clientDeleteProhibited
Status:    clientRenewProhibited
Status:    clientTransferProhibited
Status:    clientUpdateProhibited
Updated Date:    15-sep-2010
Creation Date:    15-sep-2010
Expiration Date:    15-sep-2011



The IP of news.mysundayparty.com is changing.
Original was 65.202.221.207, then on Oct 30 it changed to 63.232.79.43; on Nov. 5 it is 65.202.221.207 again.

news.mysundayparty.com. A       65.202.221.207
first seen      2010-10-28 23:58:14 -0000
last seen       2010-10-29 06:37:15 -0000

news.mysundayparty.com. A       63.232.79.43
first seen      2010-10-29 19:47:29 -0000
last seen       2010-10-30 13:10:27 -0000


PLEASE NOTE THE SAME DOMAIN WAS USED IN THE PDF POSTED Thursday, September 16, 2010: Sep 15 CVE-2010-2883 Adobe 0-Day PDF US Government Programs to Pay Medical Expenses from rodney.cadataa@gmail.com


5 comments:

  1. Doesn't disabling JavaScript in PDF mitigate this?

  2. This comment has been removed by a blog administrator.

  3. Does disabling JavaScript prevent this exploit, or is it the authplay.dll that's being loaded and exploited regardless of the JS status?
     Thanks!