Friday, January 29, 2010

Jan 28 CVE-2009-4324 台美軍售最新情況.pdf The latest U.S. arms sales to Taiwan from shi9927@yahoo.com.tw Jan 28, 2010 10:45 PM

  1. Download 台美軍售最新情況.pdf as 401b4f707b8063b0c4b087c41716746b-The latest U.S. arms sales to Taiwan.zip (password protected, please contact me if you need it)
  2. Download uncompressed (with pdf-parser.py) as 401b4f707b8063b0c4b087c41716746b-The latest U.S. arms sales to Taiwan.txt

Attachment name 
台美軍售最新情況.pdf

----- Original Message -----
From: shi9927@yahoo.com.tw
To: XXXXXXXXXX
Sent: Thursday, January 28, 2010 10:45 PM
Subject: 台美軍售最新情況

___________________________________________________
Your everyday messenger - communication, entertainment, life and work, all taken care of at once!
http://messenger.yahoo.com.tw/

Headers
No headers info available for this post, unfortunately


Virustotal
http://www.virustotal.com/analisis/36e94022b007648137404500a2c3be69db93ebf64dfbb4986f48316d231b3ed0-1264781712
File ________________________.pdf received on 2010.01.29 16:15:12 (UTC)
Microsoft 1.5406 2010.01.29 Exploit:Win32/Pdfjsc.CW
nProtect 2009.1.8.0 2010.01.29 Exploit.PDF-JS.Gen.C02
Sunbelt 3.2.1858.2 2010.01.29 Exploit.PDF-JS.Gen (v)
Additional information
File size: 62182 bytes
MD5...: 401b4f707b8063b0c4b087c41716746b 

Wepawet
http://wepawet.iseclab.org/view.php?hash=401b4f707b8063b0c4b087c41716746b&type=js
Analysis report for 台美軍售最新情況.pdf
File 台美軍售最新情況.pdf
MD5 401b4f707b8063b0c4b087c41716746b
Analysis Started 2010-01-29 08:15:37
Report Generated 2010-01-29 08:15:38
Jsand 1.03.02 benign 




ViCheck.ca
 https://www.vicheck.ca/md5query.php?hash=401b4f707b8063b0c4b087c41716746b
Encrypted embedded executable with a key of 1024 bytes.
Exploit method detected as pdfexploit - PDF Exploit call to media.newPlayer CVE-2009-4324.


Here is a part of the JavaScript (decompressed with pdf-parser.py):



Jan 28 CVE-2009-4324 PEER REVIEW--Assessing Chinese Military Transparency from phillip.saunders74@yahoo.com Thu, 28 Jan 2010 05:01:50 PST


Download c603dffd233f4c00e0ec6ffe85e52110- PEER REVIEW--Assessing Chinese Military Transparency.pdf as a password protected archive (contact me if you need the password)




From: Phillip Saunders [mailto:phillip.saunders74@yahoo.com]
Sent: Thursday, January 28, 2010 8:02 AM
To: XXXXXXXXXXXXXXX
Subject: PEER REVIEW--Assessing Chinese Military Transparency

Morning,

Attached is a draft study that develops a methodology for assessing and comparing transparency based on defense white papers, applies that methodology to assess changes in Chinese transparency over time, and compares the transparency evident in China's defense white paper with that of other Asia-Pacific white papers.

It is envisioned both as an analytical tool and as something that might support a productive dialogue with China and other countries about transparency.

Comments about the methodology and substantive findings are welcome.

Phillip

Headers
Received: from [69.197.151.114] by web113701.mail.gq1.yahoo.com via HTTP; Thu, 28 Jan 2010 05:01:50 PST
X-Mailer: YahooMailRC/272.7 YahooMailWebService/0.8.100.260964
Date: Thu, 28 Jan 2010 05:01:50 -0800 (PST)
From: Phillip Saunders
Subject: PEER REVIEW--Assessing Chinese Military Transparency
To: XXXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-928444982-1264683710=:32069"


Lookup IP Address: 69.197.151.114
      Hostname:    server.gvd.tw
      ISP:    WholeSale Internet
      Organization:    Max Dmitry
      Country:    United States
      State/Region:    MO
      City:    Kansas City


Wednesday, January 27, 2010

Jan 27 CVE-2009-4324 + CVE-2009-0927 + CVE-2007-5659 letter to Solarz and US position on free speech rights..from ilovelibby@fastmail.fm 27 Jan 2010 06:01:34 -0800

Download CF0063F0FA4ACDE50E38859BAE7CECA2-letter.pdf as a password protected archive (please contact me if you need it)
-----Original Message-----
From: Paul Maas Risenhoover [mailto:ilovelibby@fastmail.fm]
Sent: 2010-01-27 9:02 AM
To: d15943@Tier.org.tw
Subject: letter to Solarz and US position on free speech rights of native Formosans to advocate independence thru Taiwanese

Attached and below is a letter to the U.S. government on free speech rights of native Formosans to advocate independence thru Taiwanese self-determination. Please support us.

Thanks.

Dear Press Officer Kavanaugh,

Kindly advise whether the US continues to stand by her duties under our Constitution, treaty obligations and laws, towards the defense of Formosa, and the rights of the native Formosans to engage in free speech rights secured by the First Article of Amendment to the US Constitution permitting petition for redress of their grievances against the United States, and her alter ego the Republic of China, located in exile, outside China, on Formosa, a trust territory for which the US asserted by Aide Memoire of October 25, 1950, in the travaux preparatoires for Article 2 of the Treaty of Peace with Japan concluded at San Francisco, that Formosa did not by that treaty nor by the Treaty of Taipei (also see FRUS that the Treaty of Taipei did not cede Formosa from Japan to the Republic of China, using the terms legal Dept. China) become territory of China nor of the Republic of China, and asserting her solemn UN Charter and Constitutional law of war duties as Principal Victor in the Pacific theater against Japan, for the ultimate disposition of Formosa, consonant with the territorial integrity or historical claims of China thereto, and the Article 73 duties of the US as Administering Authority, through her alter ego, the Republic of China, on Taiwan, for Formosa.

 Recently the fascist Chinese Nazi Party called the KMT has preferred treason charges to be brought by the Taiwan High Court, which is now investigating the judges and clerks of the US Court of Appeals for the Armed Forces and DC Circuit, SCUS, and USDC DC Judge Rosemary Collyer, for conspiracy to cause .....

see the full text below..


Monday, January 25, 2010

Jan 25 CVE-2009-4324 PLS Confirm your biography from jeffery464@gmail.com




Download  cb9da3ce624c66cda70c9ba84b7e0040 biography.pdf as a password protected archive (please contact me if you need it)




-----Original Message-----
From: Jeffery ask [mailto:jeffery464@gmail.com]
Sent: Monday, January 25, 2010 9:55 PM
To: XXXXXXXXXXXXXX
Subject: PLS Confirm your biography.

Dear Sir / Madam:

Congratulations! You have been selected successfully for "Century Celebrity Network the most influential 500 people of 20th century"
listed by "Century Celebrity Network". Celebrity World Network is a celebrities and celebrities interactive introduction website, we are committed to creating a world's largest, most complete with celebrity information, forums, news, work, activities and awards ceremony site.
All the world's celebrities and their stories, works, achievements, are the world's wealth, for the world and leave this one than the wealth of future generations is of great significance. Celebrity Categories include: arts entertainment, sports, athletics, political and military, literature, religion, philosophy, business finance, doctors, martial artists, social celebrities, scientists and so on.

We will be so grateful if you could take some time to read your relevant description carefully to ensure the truth and integrity of the 20th century largest and most authoritative database. If there is something wrong, pls feel free to contact me. If you think the text we have written is far from the truth and can't satisfy you, we would appreciate it if you could send a biography within 500 words by yourself.

Looking forward to your early reply.

Chou Zhi-wen, editor of Century Celebrity




Jan 25 CVE-2009-4324 / CVE-2007-5659.+ Senate Hearing from:jpodesta@fastmail.fm Mon, 25 Jan 2010 08:26:21 -0500

Download F40376D0C1EB19A7774D32D6229D0465-_Principles_of_U.S._Engagement_in_Asia.pdf as a password protected archive (contact me for the password, if you need it) 

 Our friends are back to work







-----Original Message-----
From: John Podesta [mailto:jpodesta@fastmail.fm]
Sent: 2010-01-25 8:26 AM
To: XXXXXXXXXXX
Subject: Senate Hearing

Colleague,

Please find a brief summary attached from the Senate Foreign Relations hearing on U.S. engagement in Asia. If you have any questions, let me know.

Best,

John

--
http://www.fastmail.fm - Does exactly what it says on the tin

Sunday, January 24, 2010

Weekends

I noticed a while ago, and this trend continues, that our creative senders take weekends off. Mailings stop on Friday afternoon and do not resume until 8-10 pm Sunday (which is already Monday in some parts of the world). The greeting card and banking scam artists take no days off - maybe because they are not salary men?
I hope you all are enjoying your weekend
M
 

Friday, January 22, 2010

Mystery Excel from Russia

 MS Excel
Download CB572207B25B61FC2EFD76A4CE07B255-buvplpk.xls  as password protected archive (please let me know if you need the password)

  Messagelabs scan detects "Possible MalWare 'Backdoor.Win32.Agent.qwh.dam'"

    -----Original Message-----

    From: Блохин Арсений [mailto:pugnacious@audiomobile.ru]
    Sent: 2010-01-22 10:40 AM
    To: XXXXXXXXXXX
    Subject: Распостраняeм информaцию (Distributing information)

    Mail delivery service


Virustotal  
buvplpk.xls received on 2010.01.22 17:30:58 (UTC)
Current status: finished

Result: 0/41 (0.00%)


I checked with OfficeMalScanner (http://www.reconstructer.org/code.html) - not malicious.
I will look at it again later and you are welcome to do it too, please let me know if you find/not find anything.



Jan 22 CVE-2009-4324 Conference Report: Military Confidence Building Measures in the Taiwan Strait from chinastudies@fastmail.fm 2010-01-22 8:39 AM


Download  4CE2D4AD39572811D87F22F69C7C203A -  Conference Report.pdf as a password protected archive (please contact me if you need it)


Fri, 22 Jan 2010 05:39:04 -0800 

-----Original Message-----
From: CNA China Studies [mailto:chinastudies@fastmail.fm]
Sent: 2010-01-22 8:39 AM
To: XXXXXXXXXXXXXX
Subject: Conference Report: Military Confidence Building Measures in the Taiwan Strait
Importance: High


Colleague,

It is with great pleasure that I forward you the link to CNA China
Studies' latest conference report: Military Confidence Building Measures
in the Taiwan Strait.

Since the inauguration of Ma Ying-jeou as Taiwan's president in May
2008, relations between Taipei and Beijing have improved at a rapid
pace.  The resumption of quasi-official talks between the two sides of
the Strait has led to a series of landmark agreements. Among other
promising results, the commencement of direct flights, shipping, and
postal services have been important steps toward reconciliation.
Nevertheless, officials and scholars on both sides of the Strait
recognize that progress has thus far been limited to relatively easy
issues and that addressing such delicate, yet critical, topics as
sovereignty and military deployments will require a prolonged period of
time and greater political trust.

To better understand how officials and experts on both sides of the
Strait are thinking about pursuing military CBMs and creating
appropriate conditions for cross-Strait discussions of CBMs, a CNA-led
delegation visited Taipei and Beijing December 24-28, 2009. This
conference discussed the findings of the trip, including recommendations
for how Taiwan, Mainland China, and the United States can further create
an environment that is favorable to establishing military CBMs. It
provided a venue for informed specialists and U.S. government officials
to discuss the measures and the implications for the United States.

You can access the report, on the CNA China Studies publications page
at: http://www.cna.org/international/china/publications.aspx. We hope
you will find this report useful.


Very Best Regards,

--
  CNA China Studies

--
http://www.fastmail.fm - Email service worth paying for. Try it for free



Virustotal
http://www.virustotal.com/analisis/57acd42eb5003eec9992441deb136d02daf254f6a598fc6c9b22a1e244445d0b-1264174896
File Conference_Report.pdf received on 2010.01.22 15:41:36 (UTC)
Result: 2/41 (4.88%)
Avast 4.8.1351.0 2010.01.22 JS:Pdfka-WP
GData 19 2010.01.22 JS:Pdfka-WP 
File size: 235512 bytes
MD5...: 4ce2d4ad39572811d87f22f69c7c203a

Thursday, January 21, 2010

Jan 21 CVE-2009-4324 Cyber Warfare and Cyber Terrorism from riroth5@gmail.com 2010-01-21 9:44 AM


Download  CB92CEFF7D73C3EC002CD42165685AA1 - Cyber Warfare and Cyber Terrorism.pdf as a password protected archive (please contact me for the password)






From: XXXXXXX
[mailto:riroth5@gmail.com]
Sent: 2010-01-21 9:44 AM
To: isabelhilton@mac.com
Subject: Cyber Warfare and Cyber Terrorism

Dear Initiative Working Group member,

We hope that you find this report thought-provoking, and look forward to receiving your comments at any time. We also
apologize if you have already received this report.

Hope it will be help for your work and also your suggestions will be appreciated.

Best regards,

XXXXX XXXXX


Director, Initiative for U.S.-China Cooperation on Energy and Climate
Asia Society, Center for U.S.-China Relations
1575 Eye St., NW, Suite 325
Washington, D.C., 20005
Phone: (202) 414-2802 (o); (571) 276-1020 (m)
Web: www.asiasociety.org 


Virustotal
http://www.virustotal.com/analisis/e72b949e21ba9743b139b0df211b3bd869d07f82bd35f4294e19e95f55d062e0-1264096140
File Cyber_Warfare_and_Cyber_Terrorism received on 2010.01.21 17:49:00 (UTC)
Result: 8/41 (19.51%)
AntiVir 7.9.1.146 2010.01.21 HTML/Malicious.PDF.Gen
Avast 4.8.1351.0 2010.01.21 JS:Pdfka-VO
AVG 9.0.0.730 2010.01.21 Script/Exploit
GData 19 2010.01.21 JS:Pdfka-VO 
Kaspersky 7.0.0.125 2010.01.21 Exploit.JS.Pdfka.bex
McAfee 5867 2010.01.20 Exploit-PDF.b.gen
McAfee+Artemis 5867 2010.01.20 Exploit-PDF.b.gen
McAfee-GW-Edition 6.8.5 2010.01.21 Script.Malicious.PDF.Gen
File size: 435947 bytes
MD5   : cb92ceff7d73c3ec002cd42165685aa1




Jan.20 CVE-2009-4324 Road Map for Asian-Pacific Security from spoofed gjschmit@aei.org 20 Jan 2010 15:13:10 -0000


Attack of the clones. Here is the third one with the same MD5 hash as
Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed xxxxx@gwu.edu 20 Jan 2010 14:26:00 -0000 and
Jan 19 CVE-2009-4324 Obama's First Year in Foreign Policy [Redacted]@thealbrightgroupllc.com

 Same IP address of the sender as here Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed xxxxxxxx@gwu.edu 20 Jan 2010 14:26:00 -0000


 Download  238ECF8C0AEE8BFD216CF3CAD5D82448 - Road Map for Asian-Pacific Security.pdf as a password protected archive (please contact me for the password if you need it)



From: Schmitt, Gary J. [mailto:gjschmit@aei.org]
Sent: Wednesday, January 20, 2010 10:13 AM
To: "Undisclosed-Recipient:;"
Subject: Road Map for Asian-Pacific Security

Colleagues,

This is the second of two Outlooks on the Obama administration's foreign policy approach to Asia. Neither the Clinton nor Bush administrations took full advantage of the growing impetus among the states of the Asia-Pacific region to work through multilateral forums. The Obama administration appears to be following the same pattern. Today a hodgepodge of institutions and forums exists in Asia, but none of them addresses the strategic needs of the region. The United States needs to find ways to maximize its influence through new regionwide forums and institutional arrangements. A two-tiered multilateral approach could benefit the nations in the region and the United States.

Please see the attached for more information.

Hope it will be help for your work and also your suggestions will be appreciated.

Best,

Gary


 Header
Received: (qmail 15802 invoked from network); 20 Jan 2010 15:13:10 -0000
Received: from sideq03.attnet.ne.jp (HELO sideq03.attnet.ne.jp) (165.76.72.13)
  by XXXXXXXXXXXXXXXXXXX
Received: by sideq03.attnet.ne.jp (8.12.11/ver5(11/20/06)) id o0KFD71C016512; Thu, 21 Jan 2010 00:13:07 +0900
Received: from virus01.attnet.ne.jp (virus01 [10.10.13.21])
    by purify-out01.attnet.ne.jp (Postfix) with ESMTP id DD9C733643
    for xxxxxxxxxxxxxxx; Thu, 21 Jan 2010 00:13:07 +0900 (JST)
Received: from purify02.attnet.ne.jp (purify.attnet.ne.jp [165.76.8.44])
    by virus01.attnet.ne.jp (Postfix) with ESMTP id 9201F3A209
    for XXXXXXXXXXXXXXXX; Thu, 21 Jan 2010 00:13:07 +0900 (JST)
Received: from jhc.co.jp (www.jhc.co.jp [202.211.150.106])
    by purify02.attnet.ne.jp (Postfix) with SMTP id 1C96A32E27
    for XXXXXXXXXXXXXXX; Thu, 21 Jan 2010 00:13:02 +0900 (JST)
Received: (qmail 21106 invoked from network); 21 Jan 2010 00:12:56 +0900
Received: from unknown (HELO 3me8de026f8d12) (opepek@222.95.43.226)
  by www.jhc.co.jp with SMTP; 21 Jan 2010 00:12:56 +0900
Message-ID: <3BB0641226EF4F6A9F46A0CFE30A784D@3me8de026f8d12>
From: "Schmitt, Gary J."
To: <"Undisclosed-Recipient:;">
Subject: Road Map for Asian-Pacific Security
Date: Wed, 20 Jan 2010 10:12:54 -0500




Indeed. See Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed shambaugd@gwu.edu 20 Jan 2010 14:26:00 -0000 and Jan 19 CVE-2009-4324 Obama's First Year in Foreign Policy [Redacted]@thealbrightgroupllc.com
 File Chinese_cyberattack.pdf received on 2010.01.20 17:32:16 (UTC)
Current status: finished

Result: 12/41 (29.27%)
MD5   : 238ecf8c0aee8bfd216cf3cad5d82448


http://www.virustotal.com/analisis/b1f01fe0908772cfd1224a9645c9abb270b98a95d4cf83418eeb7188099607dd-1264008736


 File Road_Map_for_Asian-Pacific_Securi received on 2010.01.21 12:47:33 (UTC)
Result: 12/40 (30%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.01.21    Exploit.PDF-JS!IK
AntiVir    7.9.1.146    2010.01.21    HTML/Malicious.PDF.Gen
Avast    4.8.1351.0    2010.01.21    JS:Pdfka-VO
AVG    9.0.0.730    2010.01.21    Script/Exploit
BitDefender    7.2    2010.01.21    Trojan.Script.256073
F-Secure    9.0.15370.0    2010.01.21    Exploit:W32/Pidief.CKZ
GData    19    2010.01.21    Trojan.Script.256073
Ikarus    T3.1.1.80.0    2010.01.21    Exploit.PDF-JS
Kaspersky    7.0.0.125    2010.01.21    Exploit.JS.Pdfka.bex
McAfee    5867    2010.01.20    Exploit-PDF.b.gen
McAfee+Artemis    5867    2010.01.20    Exploit-PDF.b.gen
McAfee-GW-Edition    6.8.5    2010.01.21    Script.Malicious.PDF.Gen

File size: 435947 bytes
MD5...: 238ecf8c0aee8bfd216cf3cad5d82448



Wednesday, January 20, 2010

Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed XXXXXXXXXX@gwu.edu 20 Jan 2010 14:26:00 -0000

This is my favorite of all time; they have some nerve. I know George Washington University has not moved to China yet. Plus, we already received his file yesterday.

Update Jan 21: F-Secure analysts reported that this pdf attachment (or an identical file they obtained) drops Acrobat.exe (md5: 72170fc42ae1ca8a838843a55e293435), which is detected as W32/PoisonIvy.NQ, aka the Poison Ivy RAT.



Download 238ecf8c0aee8bfd216cf3cad5d82448 - Chinese_cyberattack.pdf as password protected archive (please contact me if you need the password)



From: XXXXXXX [mailto: XXXX@gwu.edu]
Sent: 2010-01-20 9:26 AM
To: "Undisclosed-Recipient:;"
Subject: Chinese cyberattack

Colleagues,

Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack. I hope you find it interesting.

If you have any good idea / comments,  are warmly welcome to feedback.

Best,

David




Received: (qmail 4722 invoked from network); 20 Jan 2010 14:26:00 -0000
Received: from sideq01.attnet.ne.jp (HELO sideq01.attnet.ne.jp) (165.76.72.11)
  by XXXXXXXXXXXXXXXXX
Received: by sideq01.attnet.ne.jp (8.12.11/ver5(11/20/06)) id o0KEPwZv027218; Wed, 20 Jan 2010 23:25:58 +0900
Received: from virus05.attnet.ne.jp (virus05 [10.10.13.25])
    by purify-out01.attnet.ne.jp (Postfix) with ESMTP id 127D333642
    for XXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:58 +0900 (JST)
Received: from purify05.attnet.ne.jp (purify.attnet.ne.jp [165.76.8.44])
    by virus05.attnet.ne.jp (Postfix) with ESMTP id A7F8635C46
    for XXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:57 +0900 (JST)
Received: from jhc.co.jp (www.jhc.co.jp [202.211.150.106])
    by purify05.attnet.ne.jp (Postfix) with SMTP id 09AF434002
    for XXXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:52 +0900 (JST)
Received: (qmail 11732 invoked from network); 20 Jan 2010 23:25:46 +0900
Received: from unknown (HELO 3me8de026f8d12) (opepek@222.95.43.226)
  by www.jhc.co.jp with SMTP; 20 Jan 2010 23:25:46 +0900
Message-ID:
From: "Shambaugh, David"
To: <"Undisclosed-Recipient:;">
Subject: Chinese cyberattack
Date: Wed, 20 Jan 2010 15:25:45 +0100

Hostname: 222.95.43.226
ISP: CHINANET jiangsu province network
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Cable/DSL
Country: China  
City: Nanjing
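The two posts above reach their "spoofed" verdict by reading the Received chain bottom-up: the earliest hop that names a client is `from unknown (HELO 3me8de026f8d12) (opepek@222.95.43.226) by www.jhc.co.jp`, while the From header claims gwu.edu. The script below is an added example, not code from this blog, that automates exactly that reading over the header block quoted above. The `placeholder@gwu.edu` From address is a constructed stand-in for the redacted one; everything else in the sample is copied from the post.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Received chain copied from the "Chinese cyberattack" post, redactions kept as they are.
# The From address is a constructed placeholder: the post only says "spoofed ...@gwu.edu".
SAMPLE_HEADERS = """\
Received: (qmail 4722 invoked from network); 20 Jan 2010 14:26:00 -0000
Received: from sideq01.attnet.ne.jp (HELO sideq01.attnet.ne.jp) (165.76.72.11)
  by XXXXXXXXXXXXXXXXX
Received: by sideq01.attnet.ne.jp (8.12.11/ver5(11/20/06)) id o0KEPwZv027218; Wed, 20 Jan 2010 23:25:58 +0900
Received: from virus05.attnet.ne.jp (virus05 [10.10.13.25])
    by purify-out01.attnet.ne.jp (Postfix) with ESMTP id 127D333642
    for XXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:58 +0900 (JST)
Received: from purify05.attnet.ne.jp (purify.attnet.ne.jp [165.76.8.44])
    by virus05.attnet.ne.jp (Postfix) with ESMTP id A7F8635C46
    for XXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:57 +0900 (JST)
Received: from jhc.co.jp (www.jhc.co.jp [202.211.150.106])
    by purify05.attnet.ne.jp (Postfix) with SMTP id 09AF434002
    for XXXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:52 +0900 (JST)
Received: (qmail 11732 invoked from network); 20 Jan 2010 23:25:46 +0900
Received: from unknown (HELO 3me8de026f8d12) (opepek@222.95.43.226)
  by www.jhc.co.jp with SMTP; 20 Jan 2010 23:25:46 +0900
From: "Shambaugh, David" <placeholder@gwu.edu>
Subject: Chinese cyberattack
Date: Wed, 20 Jan 2010 15:25:45 +0100
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\(HELO\s+([^)\s]+)\)", re.IGNORECASE)
BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines (leading whitespace) back onto their header field."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields


def header_value(fields: List[Tuple[str, str]], name: str) -> str:
    return next((v for n, v in fields if n == name), "")


def received_chain(fields: List[Tuple[str, str]]) -> List[str]:
    """Received fields as listed: the top one is the last hop, the bottom one the first."""
    return [v for n, v in fields if n == "received"]


def public_ips(text: str) -> List[str]:
    """IPv4 literals in the text that are globally routable (drops 10.x relay hops)."""
    ips: List[str] = []
    for candidate in IPV4.findall(text):
        try:
            if ipaddress.ip_address(candidate).is_global:
                ips.append(candidate)
        except ValueError:
            continue
    return ips


def origin_hop(fields: List[Tuple[str, str]]) -> Optional[Dict[str, str]]:
    """Walk the chain bottom-up to the earliest hop that names a public client address."""
    for value in reversed(received_chain(fields)):
        if not value.lower().startswith("from "):
            continue  # "by ..." and "(qmail ...)" entries name no client
        ips = public_ips(value)
        if not ips:
            continue
        helo = HELO.search(value)
        relay = BY.search(value)
        return {
            "client_ip": ips[0],
            "helo": helo.group(1) if helo else "",
            "rdns": "unknown" if value.lower().startswith("from unknown") else "resolved",
            "relay": relay.group(1) if relay else "",
        }
    return None


def from_domain(fields: List[Tuple[str, str]]) -> str:
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value(fields, "from"))
    return m.group(1).lower() if m else ""


def assess(raw: str) -> Dict[str, object]:
    """Summarise where the mail really entered the chain and why the From header is doubtful."""
    fields = unfold_headers(raw)
    origin = origin_hop(fields) or {"client_ip": "", "helo": "", "rdns": "", "relay": ""}
    domain = from_domain(fields)
    path = " ".join(received_chain(fields)).lower()
    indicators: List[str] = []
    if origin["helo"] and "." not in origin["helo"]:
        indicators.append("helo-not-fqdn")  # bare machine name, typical of a desktop client
    if origin["rdns"] == "unknown":
        indicators.append("reverse-dns-unknown")
    if domain and domain not in path:
        indicators.append("from-domain-absent-from-path")  # no hop belongs to the claimed sender
    return {**origin, "from_domain": domain, "indicators": indicators}


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
```

Only the Received lines written by your own mail servers (the top of the chain) are beyond the sender's control; everything below them could in principle be forged. Here the hop naming 222.95.43.226 was stamped by the third-party relay www.jhc.co.jp, and it agrees with the blog's IP lookup, which is why it can be used to tie the three lures together.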


Virustotal



File has already been analyzed
http://www.virustotal.com/analisis/b1f01fe0908772cfd1224a9645c9abb270b98a95d4cf83418eeb7188099607dd-1263958772



Rescan http://www.virustotal.com/analisis/b1f01fe0908772cfd1224a9645c9abb270b98a95d4cf83418eeb7188099607dd-1264008736
File Chinese_cyberattack.pdf received on 2010.01.20 17:32:16 (UTC)
Result: 12/41 (29.27%)
a-squared 4.5.0.50 2010.01.20 Exploit.PDF-JS!IK
AntiVir 7.9.1.146 2010.01.20 HTML/Malicious.PDF.Gen
Avast 4.8.1351.0 2010.01.20 JS:Pdfka-VO
AVG 9.0.0.730 2010.01.19 Script/Exploit
BitDefender 7.2 2010.01.20 Trojan.Script.256073
F-Secure 9.0.15370.0 2010.01.20 Exploit:W32/Pidief.CKZ
GData 19 2010.01.20 Trojan.Script.256073
Ikarus T3.1.1.80.0 2010.01.20 Exploit.PDF-JS
Kaspersky 7.0.0.125 2010.01.20 Exploit.JS.Pdfka.bex
McAfee 5866 2010.01.19 Exploit-PDF.b.gen
McAfee+Artemis 5866 2010.01.19 Exploit-PDF.b.gen
McAfee-GW-Edition 6.8.5 2010.01.20 Script.Malicious.PDF.Gen
Additional information
File size: 435947 bytes
MD5...: 238ecf8c0aee8bfd216cf3cad5d82448


Wepawet shows it under a different name, from a file we scanned earlier (same MD5 hash; we already have a post for that one):
 http://wepawet.iseclab.org/view.php?hash=238ecf8c0aee8bfd216cf3cad5d82448&type=js
Sample Overview
File Obama's First Year in Foreign Policy.pdf
MD5 238ecf8c0aee8bfd216cf3cad5d82448
Analysis Started 2010-01-19 20:07:01
Report Generated 2010-01-19 20:12:10
Jsand 1.03.02 benign 









Trojan.Hydraq detection and naming


OK, it is not really a big deal: the trojan has been in the wild since at least 2006, and Symantec has just given it a better name. It was discovered not on January 11, 2010 but much earlier. I like Hydraq better than plain "Trojan Horse", really. Why Hydraq? What prompted the name, I wonder.


Here is a Symantec blog entry linking Hydraq to attacks on Google Hydraq - An Attack of Mythical Proportions


Update Jan. 20, 2010: Please read more about the Internet Explorer 0-day CVE-2010-0249 (Exploit-Comele / Hydraq / Aurora) at Extraexploit.blogspot.com, here and here.

  
Update Jan 24, 2010: Download Hydraq
As you see, Hydraq is well researched (http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html) and most AV products detect the key files. I can provide the following files to antivirus and IT security companies/researchers.

c_1758.nls (ba3545841d8a40ed8493e22c0e70a72c)- copy of the trojan
Acelpvc.dll (4A47404FC21FFF4A1BC492F9CD23139C)- helper file
VedioDriver.dll (467EEF090DEB3517F05A48310FCFD4EE)- helper file


Results on January 17, 2010
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2


Discovered: January 11, 2010
Updated: January 11, 2010 2:59:20 PM
Also Known As: TROJ_HYDRAQ.A [Trend]
Type: Trojan
Infection Length: 81,920 bytes
Systems Affected: Windows 2000, Windows Server 2003, Windows Vista, Windows XP
This Trojan may arrive in an email or it may be dropped or downloaded by another threat.

When executed, the threat creates one of the following files:
%Temp%\c_1758.nls
%Temp%\[RANDOM FILE NAME]

It then creates a service with the following characteristic:
Service name: RaS[FOUR RANDOM CHARACTERS]
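The write-up gives two host artefacts: the dropped file %Temp%\c_1758.nls and a service whose name is RaS followed by four random characters. As an added example (not from Symantec or from this blog), the script below checks both against a constructed excerpt of `sc query` output and a constructed file inventory, using the three MD5s listed on this page. The alphanumeric character class for the four random characters is my assumption; the write-up does not say what they are.

```python
import re
from typing import Dict, List

# Indicators taken from the Symantec write-up and the hash list quoted on this page.
# Assumption, not stated on the page: the four "random characters" are alphanumeric.
HYDRAQ_SERVICE = re.compile(r"^RaS[A-Za-z0-9]{4}$")
HYDRAQ_MD5 = {
    "ba3545841d8a40ed8493e22c0e70a72c": "c_1758.nls (Trojan.Hydraq)",
    "4a47404fc21fff4a1bc492f9cd23139c": "Acelpvc.dll (Hydraq helper)",
    "467eef090deb3517f05a48310fcfd4ee": "VedioDriver.dll (Hydraq helper)",
}

# Constructed excerpt in the shape of `sc query` output. RasMan is a genuine Windows
# service (lowercase "s") and must not match; RaSk3pq is the invented suspect.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
        STATE              : 4  RUNNING
SERVICE_NAME: RaSk3pq
DISPLAY_NAME: RaSk3pq
        STATE              : 4  RUNNING
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING
"""

# Constructed inventory (path -> MD5) as a collection script might hand it over.
SAMPLE_INVENTORY = {
    r"C:\Documents and Settings\user\Local Settings\Temp\c_1758.nls": "BA3545841D8A40ED8493E22C0E70A72C",
    r"C:\WINDOWS\system32\kernel32.dll": "00000000000000000000000000000000",  # placeholder, not a real hash
}


def service_names(sc_output: str) -> List[str]:
    """Pull the SERVICE_NAME values out of `sc query` text."""
    return [line.split(":", 1)[1].strip()
            for line in sc_output.splitlines() if line.startswith("SERVICE_NAME:")]


def suspect_services(sc_output: str) -> List[str]:
    """Services whose name fits the RaS + four characters pattern (case-sensitive)."""
    return [name for name in service_names(sc_output) if HYDRAQ_SERVICE.match(name)]


def matching_files(inventory: Dict[str, str]) -> Dict[str, str]:
    """Files whose MD5 is one of the Hydraq hashes listed on this page."""
    return {path: HYDRAQ_MD5[md5.lower()]
            for path, md5 in inventory.items() if md5.lower() in HYDRAQ_MD5}


def host_verdict(sc_output: str, inventory: Dict[str, str]) -> Dict[str, object]:
    """Combine both signals: a hash hit is decisive, the name pattern alone needs the dropped file too."""
    services = suspect_services(sc_output)
    files = matching_files(inventory)
    dropped_present = any(path.lower().endswith(r"\temp\c_1758.nls") for path in inventory)
    return {
        "suspect_services": services,
        "matching_files": files,
        "likely_infected": bool(files) or (bool(services) and dropped_present),
    }


if __name__ == "__main__":
    print(host_verdict(SAMPLE_SC_QUERY, SAMPLE_INVENTORY))
```

On a live host the first input would come from `sc query state= all` and the second from hashing the contents of every user's %Temp%; a fresh sample with a different hash will only trip the service-name rule, which is why the verdict requires the dropped file name alongside it.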



http://www.virustotal.com/analisis/160cb3d6c6e11a8c649a1d0ed33faf927ae6dc99e0c76ae1982720255867b38e-1263698531
File c_1758.nls received on 2010.01.17 03:22:11 (UTC)
Result: 25/41 (60.98%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.01.16     CC.Agent.BA!IK
AhnLab-V3     5.0.0.2     2010.01.16     Win-Trojan/Agent.20480.PL
AntiVir     7.9.1.142     2010.01.16     CC/Agent.BA
Avast     4.8.1351.0     2010.01.16     Win32:Trojan-gen
BitDefender     7.2     2010.01.17     Trojan.Generic.1470226
CAT-QuickHeal     10.00     2010.01.16     Trojan.Agent.ATV
Comodo     3608     2010.01.17     UnclassifiedMalware
eSafe     7.0.17.0     2010.01.14     Win32.CCAgent.Ba
eTrust-Vet     35.2.7240     2010.01.15     Win32/Enuairs.A
F-Secure     9.0.15370.0     2010.01.16     Trojan.Generic.1470226
Fortinet     4.0.14.0     2010.01.16     PossibleThreat
GData     19     2010.01.17     Trojan.Generic.1470226
Ikarus     T3.1.1.80.0     2010.01.16     CC.Agent.BA
K7AntiVirus     7.10.949     2010.01.16     Trojan.Win32.Malware.1
McAfee+Artemis     5863     2010.01.16     Generic.dx
McAfee-GW-Edition     6.8.5     2010.01.16     Virus.Agent.BA
Microsoft     1.5302     2010.01.16     Trojan:Win32/Bumat!rts
nProtect     2009.1.8.0     2010.01.16     Trojan/W32.Agent.20480.KJ
Panda     10.0.2.2     2010.01.16     Generic Trojan
PCTools     7.0.3.5     2010.01.17     Trojan.Hydraq
Prevx     3.0     2010.01.17     Medium Risk Malware
Rising     22.30.06.01     2010.01.17     Trojan.Spy.Rasmon.a
Symantec     20091.2.0.41     2010.01.17     Trojan.Hydraq
TrendMicro     9.120.0.1004     2010.01.16     TROJ_Generic.ADV
Additional information
File size: 20480 bytes
MD5   : ba3545841d8a40ed8493e22c0e70a72c


Results on April 3, 2009


same file
 File c_1758.nls received on 2009.04.03 17:28:45 (UTC)
Result: 15/40 (37.50%)
a-squared     4.0.0.101     2009.04.03     CC.Agent.BA!IK
AhnLab-V3     5.0.0.2     2009.04.03     Win-Trojan/Agent.20480.PL
AntiVir     7.9.0.129     2009.04.03     CC/Agent.BA
Avast     4.8.1335.0     2009.04.03     Win32:Trojan-gen {Other}
BitDefender     7.2     2009.04.03     Trojan.Generic.1470226
eTrust-Vet     31.6.6434     2009.04.03     Win32/Enuairs.A
Fortinet     3.117.0.0     2009.04.03     PossibleThreat
K7AntiVirus     7.10.692     2009.04.03     Trojan.Win32.Malware.1
McAfee-GW-Edition     6.7.6     2009.04.03     Virus.Agent.BA
Rising     21.23.41.00     2009.04.03     Trojan.Spy.Rasmon.a
Symantec     1.4.4.12     2009.04.03     Trojan Horse
Additional information
File size: 20480 bytes
MD5...: ba3545841d8a40ed8493e22c0e70a72c




file timedatestamp.....: 0x44e1d7b3 (Tue Aug 15 14:18:27 2006)
The first known attack attempt using this trojan - December 20, 2006



Vediodriver.dll
http://www.virustotal.com/analisis/f0c78171b11b40f40e24dd9eaa8a3a381e1816ab8c3653aeb167e94803f90430-1264023110
f0c78171b11b40f40e24dd9eaa8a3a381 received on 2010.01.20 21:31:50 (UTC)

Result: 18/40 (45.00%)
a-squared 4.5.0.50 2010.01.20 RemoteAccess!IK
AntiVir 7.9.1.146 2010.01.20 APPL/Remote.RealVNC.95
AVG 9.0.0.730 2010.01.19 BackDoor.Agent.AFFU
ClamAV 0.94.1 2010.01.20 Trojan.Hydraq-3
Comodo 3650 2010.01.20 UnclassifiedMalware
eTrust-Vet 35.2.7249 2010.01.20 Win32/Aviror.A
Ikarus T3.1.1.80.0 2010.01.20 RemoteAccess
K7AntiVirus 7.10.951 2010.01.20 Trojan.Win32.Malware.1
McAfee 5867 2010.01.20 Roarur.dll
McAfee+Artemis 5867 2010.01.20 Roarur.dll
McAfee-GW-Edition 6.8.5 2010.01.20 Riskware.Remote.RealVNC.95
Microsoft 1.5302 2010.01.20 Backdoor:Win32/Mdmbot.C
Panda 10.0.2.2 2010.01.20 Trj/CI.A
PCTools 7.0.3.5 2010.01.19 Trojan.Hydraq
Sophos 4.50.0 2010.01.20 Mal/Spy-E
Symantec 20091.2.0.41 2010.01.20 Trojan.Hydraq
TrendMicro 9.120.0.1004 2010.01.20 TROJ_HYDRAQ.H
VirusBuster 5.0.21.0 2010.01.20 Backdoor.Mdmbot.B

File size: 8192 bytes
MD5   : 467eef090deb3517f05a48310fcfd4ee
SHA1  : 43d20c85e323b59e7971626a3c1fe1542ab945f7
SHA256: f0c78171b11b40f40e24dd9eaa8a3a381e1816ab8c3653aeb167e94803f90430
PEInfo: PE Structure information
entrypointaddress.: 0x1C37
timedatestamp.....: 0x4473474A (Tue May 23 19:32:58 2006)
machinetype.......: 0x14C (Intel I386)



http://www.virustotal.com/analisis/ce7debbcf1ca3a390083fe5753f231e632017ca041dfa662ad56095a500f2364-1264140003
 File acelpvc.dll received on 2010.01.22 06:00:03 (UTC)
Result: 21/41 (51.22%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.50     2010.01.22     Win32.SuspectCrc!IK
AhnLab-V3     5.0.0.2     2010.01.22     Win-Trojan/Mdmbot.136704
AntiVir     7.9.1.146     2010.01.21     APPL/Remote.RealVNC.94
BitDefender     7.2     2010.01.22     Trojan.Generic.2992679
ClamAV     0.94.1     2010.01.22     PUA.Packed.ASPack212
eTrust-Vet     35.2.7251     2010.01.21     Win32/Hydraq.A
F-Secure     9.0.15370.0     2010.01.22     Trojan.Generic.2992679
GData     19     2010.01.22     Trojan.Generic.2992679
Ikarus     T3.1.1.80.0     2010.01.22     Win32.SuspectCrc
Kaspersky     7.0.0.125     2010.01.22     Trojan.Win32.Genome.eraf
McAfee     5868     2010.01.21     Roarur.dll
McAfee+Artemis     5868     2010.01.21     Roarur.dll
McAfee-GW-Edition     6.8.5     2010.01.21     Riskware.Remote.RealVNC.94
Microsoft     1.5302     2010.01.21     Backdoor:Win32/Mdmbot.C
Panda     10.0.2.2     2010.01.21     Suspicious file
PCTools     7.0.3.5     2010.01.22     Trojan.Hydraq
Sunbelt     3.2.1858.2     2010.01.22     Trojan.Win32.Generic!BT
Symantec     20091.2.0.41     2010.01.22     Trojan.Hydraq
TrendMicro     9.120.0.1004     2010.01.22     TROJ_HYDRAQ.G
VirusBuster     5.0.21.0     2010.01.21     Backdoor.Mdmbot.A
Additional information
File size: 136704 bytes
MD5   : 4a47404fc21fff4a1bc492f9cd23139c



Tuesday, January 19, 2010

Jan 19 CVE-2009-4324 Obama's First Year in Foreign Policy [Redacted]@thealbrightgroupllc.com




Download 238ecf8c0aee8bfd216cf3cad5d82448 - Obama's First Year in Foreign Policy.pdf as password protected archive (please contact me for the password if you need it)




From: Suzy George [mailto:[redacted]@thealbrightgroupllc.com]
Sent: Tuesday, January 19, 2010 8:32 AM
To: "Undisclosed-Recipient:;"
Subject: Obama's First Year in Foreign Policy



Jan. 19 CVE-2009-4324 + CVE-2008-2992 Revitalizing Democracy Assistance from thmscarothers@gmail.com Jan 19, 2010 9:42 AM


 Download 9088220c7fa358f70a95455630e4eedd - revitalizing_democracy_assistance_summary.pdf as password protected archive (please contact me for the password)

Details: 9088220C7FA358F70A95455630E4EEDD - revitalizing_democracy_assistance_summary.pdf


From: Thomas Carothers [mailto:thmscarothers@gmail.com]
Sent: Tuesday, January 19, 2010 9:42 AM
To: XXXXXXXXXXXXX
Subject: Revitalizing Democracy Assistance

FYI.

Thomas Carothers
Vice President for Studies, CEIP












Virustotal
http://www.virustotal.com/analisis/3c2ff3d5a833fb4d7c867e1083681ef05b8e688ee3474355b9db7b462b143b02-1263962253

File revitalizing_democracy_assistance received on 2010.01.20 04:37:33 (UTC)
Result: 2/41 (4.88%)
Avast    4.8.1351.0    2010.01.19    JS:Pdfka-WP
GData    19    2010.01.20    JS:Pdfka-WP
File size: 235512 bytes
MD5...: 9088220c7fa358f70a95455630e4eedd

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=9088220c7fa358f70a95455630e4eedd&type=js
File    revitalizing_democracy_assistance_summary.pdf
MD5    9088220c7fa358f70a95455630e4eedd
Analysis Started    2010-01-19 20:58:32
Report Generated    2010-01-19 20:58:36
Jsand 1.03.02    malicious
doc.media.newPlayer    Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2    CVE-2009-4324

ViCheck.ca
https://www.vicheck.ca/md5query.php?hash=9088220c7fa358f70a95455630e4eedd

revitalizing_democracy_assistance_summary.pdf:
EXECUTABLE SCAN: PDF Exploit suspicious use of util.printd CVE-2008-2992 (pdfexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=9088220c7fa358f70a95455630e4eedd
Confidence ranking: 90 (4 hits).
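Throughout these posts the author decompresses the PDF objects with pdf-parser.py and the sandboxes flag the JavaScript API names (doc.media.newPlayer, util.printd). The script below is an added illustration, not code from this blog or from pdf-parser.py, that does the same two things on a constructed, harmless PDF: it counts pdfid-style keywords on the raw file and inflates /FlateDecode streams to look for the API names the reports on this page associate with CVE-2009-4324, CVE-2008-2992, CVE-2007-5659 and CVE-2009-0927. The regex-based stream extraction copes with one level of nested dictionaries and direct /Length values only; use pdf-parser.py itself on anything serious.

```python
import re
import zlib
from typing import Dict, List

# JavaScript API names that the sandbox reports on this page tie to specific CVEs.
SUSPICIOUS_CALLS = {
    b"media.newPlayer": "CVE-2009-4324 (Doc.media.newPlayer use-after-free)",
    b"util.printd": "CVE-2008-2992 (util.printd overflow)",
    b"Collab.collectEmailInfo": "CVE-2007-5659 (Collab.collectEmailInfo overflow)",
    b"Collab.getIcon": "CVE-2009-0927 (Collab.getIcon overflow)",
}
# pdfid-style structural keywords worth counting before any stream is inflated.
KEYWORDS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")

# A stream dictionary followed by the "stream" keyword; one level of nested << >> only.
STREAM_RE = re.compile(rb"<<(?P<dict>(?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
# Direct /Length only; "/Length 6 0 R" (indirect) is rejected by the lookahead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def extract_streams(pdf: bytes) -> List[bytes]:
    """Return every stream body, inflating /FlateDecode streams the way pdf-parser.py -f does."""
    bodies: List[bytes] = []
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        length = LENGTH_RE.search(m.group("dict"))
        if length:
            body = pdf[start:start + int(length.group(1))]
        else:  # no usable /Length: fall back to scanning for the endstream keyword
            end = pdf.find(b"endstream", start)
            body = pdf[start:end if end != -1 else len(pdf)].rstrip(b"\r\n")
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or deliberately malformed stream: scan the raw bytes instead
        bodies.append(body)
    return bodies


def triage(pdf: bytes) -> Dict[str, object]:
    """Keyword counts on the raw file plus an exploit-API scan over the inflated streams."""
    counts = {k.decode(): len(re.findall(re.escape(k) + rb"\b", pdf)) for k in KEYWORDS}
    findings: List[Dict[str, object]] = []
    for index, body in enumerate(extract_streams(pdf)):
        for call, vuln in SUSPICIOUS_CALLS.items():
            if call in body:
                findings.append({"stream": index, "call": call.decode(), "vuln": vuln})
    has_js = counts["/JS"] or counts["/JavaScript"]
    verdict = "suspicious" if findings or has_js else "no javascript indicators"
    return {"keywords": counts, "findings": findings, "verdict": verdict}


def build_sample_pdf() -> bytes:
    """Constructed, harmless document: the script body merely mentions the API names."""
    js = b"app.alert('constructed sample naming media.newPlayer and util.printd');"
    packed = zlib.compress(js)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, obj) for i, obj in enumerate(objects))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

The keyword counts alone already separate the samples in this series from a normal report: a conference summary has no reason to carry /OpenAction plus /JavaScript. The inflated-stream scan then names the API, which is what the Wepawet and ViCheck lines above are reporting.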



Sunday, January 17, 2010

Jan 17 Trojan Darkmoon.B EXE Haiti relief from santi_nidas@yahoo.com 17 Jan 2010 13:15:02 -0800 PST


This message contains a zip attachment with  ârâfâI.exe (Darkmoon.B) and a 20100118.pdf  (containing pictures).



Download the A4754BE7B34ED55FAFF832EDADAC61F6 -Darkmoonb.zip (password protected, please contact me if you need it)


The message is in Japanese.




From: santi_nidas@yahoo.com [mailto:santi_nidas@yahoo.com]
Sent: Sunday, January 17, 2010 4:15 PM
To: xxxxxxxxxxx
Subject: Haiti relief effort in difficulty; 7,000 buried, a race against time


Haiti relief effort in difficulty; 7,000 buried, a race against time
[Port-au-Prince, Kyodo] In Haiti, two days after the massive earthquake, international relief efforts got fully under way on the 14th, with European and American rescue teams that had arrived on site beginning to search for victims trapped under collapsed houses. However, a shortage of personnel and medical supplies is hampering the work.

According to Reuters, Haitian President Préval said the same day that roughly 7,000 earthquake victims had already been buried in cemeteries. UN Secretary-General Ban Ki-moon said "the 72 hours after the event are key," stressing that it has become a race against time.

According to the UN and the U.S. network CNN, on the morning of the 14th a U.S. rescue team pulled a 38-year-old Estonian security guard from under the collapsed headquarters building of the peacekeeping operation (PKO) force in the capital, Port-au-Prince. Besides a French team with search-and-rescue dogs, rescue teams from Spain, the Dominican Republic and other countries arrived one after another and began work. The Secretary-General said "more will be sent from each country from now on."

In the disaster area, the shortage of doctors and medical supplies is becoming serious. The UN and individual countries intend to put all their effort into transporting and distributing relief supplies. However, according to Reuters, the badly damaged Port-au-Prince airport is saturated with aircraft carrying personnel and supplies, and the U.S. Federal Aviation Administration (FAA) has instructed that flights from the United States to the airport be suspended for the time being.




Friday, January 15, 2010

Jan15 CVE-2009-4324 USEUCOM Intelligence Summit from mjamureli@yahoo.com 15 Jan 2010 00:47:09 PST


Here is a fake trojan-laden pdf about the United States European Command Intelligence Summit.


Download Agenda.pdf as c3079303562d4672d6c3810f91235d9b-Agenda.zip (Password protected, please contact me if you need it)

Details: c3079303562d4672d6c3810f91235d9b - Agenda.pdf 




From: Malkhaz Jamureli [mailto:mjamureli@yahoo.com]
Sent: 2010-01-15 3:47 AM
Subject: Fw: USEUCOM Intelligence Summit

ALCON,
    
The USEUCOM Intelligence Summit, taking place February 15-17, 2010 in Heidelberg, Germany
   
The theme for the summit is: “Building Partnerships-Linking Nations” and it will bring together working staff-level US and European mission partner capability planners, program managers, intelligence producers, end-users, and subject matter experts from government, military, law enforcement, academia, private sector, and leading edge technology organizations to discuss and determine ways to improve Intelligence-Sharing and Collaboration capabilities that address common challenges in the Regional and International Security Environment.
   
Conference Objectives
--  Discuss common US-European security challenges where increased intelligence-sharing and collaboration are needed
--  Highlight US and European Partner intelligence-sharing and collaboration capabilities, programs, and technologies
--  Demonstrate enabling concepts, technologies, business processes, and best practices available from US and European mission partners,  academia, private sector, and industry.
--  Identify initiatives, establish relationships, and create opportunities to improve development and delivery of intelligence-sharing and collaboration architectures and systems capabilities in the near to mid-term.
  
    
MAJ Malkhaz Jamureli
Defense, Military, Naval and Air Attache
Embassy of Georgia
2209 Massachusetts Ave., NW
Washington, DC 20008
Comm: 202-387-2580
FAX:   202-387-2581



Jan 15 Zany.pdf -fc5196ff7d14bda18cd9f89d81f913db

This file, from a URL, was submitted by TarunKumar Singh - thank you, TarunKumar


Download  zany.pdf as FC5196FF7D14BDA18CD9F89D81F913DB-zany.zip (Password protected. Please contact me for the password)

Details: fc5196ff7d14bda18cd9f89d81f913db - zany.pdf


Virustotal
http://www.virustotal.com/analisis/b5b6866775f437d9730e3baf4e6d23d512278a613299b17270cfd7cdc999a68b-1263640687
File zany.pdf99 received on 2010.01.16 11:18:07 (UTC)
F-Secure     9.0.15370.0     2010.01.16     Exploit:W32/Pidief.CKT
Kaspersky     7.0.0.125     2010.01.16     Exploit.Win32.Pidief.cyn
PCTools     7.0.3.5     2010.01.16     Trojan.Pidief
Sophos             4.49.0     2010.01.16     Mal/PDFEx-D
Sunbelt     3.2.1858.2     2010.01.16     Exploit.PDF-JS.Gen (v)
Symantec     20091.2.0.41     2010.01.16     Trojan.Pidief.H
File size: 3701 bytes
MD5   : fc5196ff7d14bda18cd9f89d81f913db


Thursday, January 14, 2010

Technical analysis of CVE-2009-4324 samples by different analysts.

Please see technical analysis of some of the samples kindly offered by different analysts. 

Analysis of Jan 7 US-J-India_strategic_dialogue sample
Us-J-India_strategic_dialogue.pdf --- MD5 12aab3743c6726452eb0a91d8190a473


========================================
All contagio samples

Analysis by extraexploit  (http://extraexploit.blogspot.com)
January 12, 2010  Adobe CVE-2009-4324 – Another one with AsciiHexDecode waiting for the patch day (for Jan 7 US-J-India_strategic_dialogue sample) -- New
December 29, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.6 – from Taiwan govs with low detection
December 19, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas
December 18, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.2 - shellcode and site down

December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.1 - browsing C&Cs
December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0



Analysis by Wh's Behind (http://whsbehind.blogspot.com)

January 14  CVE-2009-4324 Doc.media.newPlayer (Us-J-India_strategic_dialogue.pdf) by Wh's Behind New
December 30, 2009 CVE-2009-4324 Doc.media.newPlayer 0-day vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (new PDF from Taiwan govs) -
December 22, 2009 CVE-2009-4324 Doc.media.newPlayer vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (DEEP INSIGHT)


Analysis of Interview Outline by kaito (http://d.hatena.ne.jp/kaito834)
December 26, 2009 Checking the exploit code contained in a malicious PDF with pdf-parser.py

 Analysis by demantos (http://malwarelab.tistory.com)

December 22, 2009 Adobe 0-Day
December 16, 2009 New Adobe Reader and Acrobat Vulnerability


CVE-2009-4324 Samples from other sources:
Analysis by Bojan Zdrnja - SANS (http://isc.sans.org/diary.html)

January 4, 2009 Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324



Analysis by VRT (http://vrt-sourcefire.blogspot.com)
December 15, 2009 - Adobe Reader media.newPlayer() Analysis (CVE-2009-4324) 


Let me know if I missed any you think need to be added.