Friday, April 30, 2010

Apr 30 CVE-2010-0188 PDF North Korea's Radio Waves of Resistance from davidaustin3@yahoo.com

Details 2b4b5e0ce5a19d81ea918f50f56ff8d0 North_Korea_update.pdf 


From: David Austin [mailto:davidaustin3@yahoo.com]
Sent: Friday, April 30, 2010 2:00 AM
To: XXXXXXXXXXXXX
Subject: North Korea's Radio Waves of Resistance
Importance: Low
North Korea's Radio Waves of Resistance

By Peter M. Beck | April 27, 2010

North Korea remains the most isolated country on earth, with its people
effectively cut off from the outside world, or so the world has been told.
But there is reason to believe this is no longer the case. My research
suggests millions of North Koreans listen to or hear about foreign radio
broadcasts. There is evidence the numbers are growing.

Attachments
     http://www.virustotal.com/analisis/a967a1523f859cfbd69de0d5f9f70228e100ec9d7bf07066cbfb206b8e4d4b23-1272627594
     File North_Korea_update.pdf received on 2010.04.30 11:39:54 (UTC)
    Result: 13/40 (32.5%)
    AhnLab-V3    2010.04.30.02    2010.04.30    PDF/Cve-2010-0188
    Avast    4.8.1351.0    2010.04.30    PDF:CVE-2010-0188
    Avast5    5.0.332.0    2010.04.30    PDF:CVE-2010-0188
    AVG    9.0.0.787    2010.04.30    Exploit_c.DEY
    BitDefender    7.2    2010.04.30    Exploit.PDF-EXE.Gen
    DrWeb    5.0.2.03300    2010.04.30    Exploit.PDF.758
    eSafe    7.0.17.0    2010.04.29    PDF.Exploit
    F-Secure    9.0.15370.0    2010.04.30    Exploit.PDF-EXE.Gen
    GData    21    2010.04.30    Exploit.PDF-EXE.Gen
    Rising    22.45.04.03    2010.04.30    Hack.Exploit.PDF.aem
    Sophos    4.53.0    2010.04.30    Troj/PDFJs-II
    Sunbelt    6241    2010.04.30    Exploit.PDF.CVE-2010-0806 (v)  - Sunbelt, this is a wrong name
    VirusBuster    5.0.27.0    2010.04.29    JS.Crypt.UQBF
    Additional information
    File size: 240872 bytes
    MD5...: 2b4b5e0ce5a19d81ea918f50f56ff8d0

    Received: from [123.125.156.138] by web114410.mail.gq1.yahoo.com via HTTP; Thu, 29 Apr 2010 22:59:34 PDT
    X-Mailer: YahooMailRC/348.5 YahooMailWebService/0.8.103.269680
    Date: Thu, 29 Apr 2010 22:59:34 -0700
    From: David Austin
    Subject: North Korea's Radio Waves of Resistance


          Hostname:    123.125.156.138
          ISP:    China Unicom Beijing Province Network
          Organization:    China Unicom Beijing Province Network
          Proxy:    Suspected network sharing device.
          Country:    China
          State/Region:    Beijing
          City:    Beijing
    http://www.robtex.com/ip/123.125.156.138.html#whois

    inetnum: 123.112.0.0 - 123.127.255.255
    netname: UNICOM-BJ
    descr: China Unicom Beijing province network
    descr: China Unicom
    country: CN
    admin-c: CH1302-AP
    tech-c: SY21-AP
    mnt-by: APNIC-HM
    mnt-lower: MAINT-CNCGROUP-BJ
    mnt-routes: MAINT-CNCGROUP-RR
    status: ALLOCATED PORTABLE
    person: ChinaUnicom Hostmaster
    nic-hdl: CH1302-AP
    e-mail: abuse@chinaunicom.cn
    address: No.21,Jin-Rong Street
    address: Beijing,100140
    address: P.R.China
    phone: +86-10-66259940
    fax-no: +86-10-66259764
    country: CN
    changed: abuse@chinaunicom.cn 20090408
    mnt-by: MAINT-CNCGROUP
    source: APNIC

    person: sun ying
    address: fu xing men nei da jie 97, Xicheng District
    address: Beijing 100800
    country: CN
    phone: +86-10-66030657
    fax-no: +86-10-66078815
    e-mail: hostmast@publicf.bta.net.cn
    nic-hdl: SY21-AP
    mnt-by: MAINT-CNCGROUP-BJ
    changed: suny@publicf.bta.net.cn 19980824
    changed: hm-changed@apnic.net 20060717
    changed: hostmast@publicf.bta.net.cn 20090630
    source: APNIC

    Apr 26 CVE-2009-4324 with low detection and CVE-2010-0188 Symposium from smiles@mail.knu.edu.tw



    UPDATE APRIL 30 
    a bit of progress

    File ATT42909.pdf received on 2010.04.30 11:09:44 (UTC)
    Result: 9/41 (21.96%)
    Avast    4.8.1351.0    2010.04.30    JS:Pdfka-AEE
    Avast5    5.0.332.0    2010.04.30    JS:Pdfka-AEE
    F-Secure    9.0.15370.0    2010.04.30    Exploit:W32/Pidief.COJ
    GData    21    2010.04.30    JS:Pdfka-AEE
    Kaspersky    7.0.0.125    2010.04.30    Exploit.JS.Pdfka.ceg
    McAfee    5.400.0.1158    2010.04.30    Exploit-PDF.q.gen!stream
    Sophos    4.53.0    2010.04.30    Troj/PDFJs-GQ
    Symantec    20091.2.0.41    2010.04.30    Trojan.Pidief.H
    TrendMicro-HouseCall    9.120.0.1004    2010.04.30    JS_UTOTI.LS
    Additional information
    File size: 129722 bytes
    MD5...: 536c0afe4d655a66dccad4af9679caa9

    File ATT85645.pdf received on 2010.04.30 11:16:13 (UTC)
    Result: 6/40 (15.00%)
    Avast 4.8.1351.0 2010.04.30 PDF:CVE-2010-0188
    Avast5 5.0.332.0 2010.04.30 PDF:CVE-2010-0188
    ClamAV 0.96.0.3-git 2010.04.30 Exploit.PDF-22737
    eTrust-Vet 35.2.7460 2010.04.30 PDF/CVE-2010-0188!exploit
    GData 21 2010.04.30 PDF:CVE-2010-0188 
    Sophos 4.53.0 2010.04.30 Troj/PDFJs-II
    Additional information
    File size: 115796 bytes
    MD5   : 58de08c1155a775b760049dff3f5abe4



    From: smile [mailto:smiles@mail.knu.edu.tw]
    Sent: Monday, April 26, 2010 9:55 PM
    To: XXXXXXXXXXX
    Subject: [Seminar] The 5th "Globalization and Administrative Governance" International Academic Symposium, Department of Public Affairs Management, Kainan University
    Importance: High

    Dear academic colleagues:
    The Department of Public Affairs Management of Kainan University will hold the 5th "Globalization and Administrative Governance" International Academic Symposium on Friday, May 7, 2010, at the Yen Wen-lung (顏文隆) International Conference Center, Kainan University. Registration is open from today until May 2 (ROC year 99, i.e. 2010). The agenda and registration form are attached; please find them enclosed.
    Your participation will add lustre to this symposium. We look forward to your attending this academic event and joining in, for which we would be most grateful.
    Respectfully wishing you well,
    Yours respectfully,
    Hsu Ching-fu (許慶復), respectfully inviting
    Professor and Chair, Department of Public Affairs Management, Kainan University
    Contact: Hsu Shu-han (許舒涵), Department Assistant, Department of Public Affairs Management, Kainan University
    E-Mail: smile@mail.knu.edu.tw;pm@mail.knu.edu.tw
    TEL: 03-3412500 (ext. 3802)


    ==================================================
    http://www.virustotal.com/analisis/2532c39a9227d272050ab3545c18bab989ed3dbf0e7826fa1ac4c06dcb696383-1272466905
    File ATT42909.pdf received on 2010.04.28 15:01:45 (UTC)
    Result: 2/39 (5.13%)
    McAfee     5.400.0.1158     2010.04.28     Exploit-PDF.q.gen!stream
    Sophos     4.53.0     2010.04.28     Troj/PDFJs-GQ
    Additional information
    File size: 129722 bytes
    MD5   : 536c0afe4d655a66dccad4af9679caa9


    ATT42909.pdf  - CVE-2009-4324



     http://www.virustotal.com/analisis/3f01888d51bd67a2501d4d3d1b5ed63cf3d0cea1413d563484f041cd0b3ff295-1272516410
     File ATT85645.pdf received on 2010.04.29 04:46:50 (UTC)
    Result: 6/41 (14.64%)
    Avast    4.8.1351.0    2010.04.28    PDF:CVE-2010-0188
    Avast5    5.0.332.0    2010.04.28    PDF:CVE-2010-0188
    ClamAV    0.96.0.3-git    2010.04.29    Exploit.PDF-22737
    eTrust-Vet    35.2.7456    2010.04.28    PDF/CVE-2010-0188!exploit
    GData    21    2010.04.29    PDF:CVE-2010-0188
    Sophos    4.53.0    2010.04.29    Troj/PDFJs-II
    File size: 115796 bytes
    MD5...: 58de08c1155a775b760049dff3f5abe4

    =================================================
    ATT85645.pdf = CVE-2010-0188

    Headers
    Received: from mail.vac.gov.tw (HELO mail.vac.gov.tw) (210.241.78.245)
      by server-7.tower-37.messagelabs.com with SMTP; 27 Apr 2010 02:23:10 -0000
    Received: from vac (unknown [140.93.105.3])
        by mail.vac.gov.tw (Postfix) with ESMTP id 64ED7D6C431
        for XXXXXXXX ; Tue, 27 Apr 2010 10:22:32 +0800 (CST)
    Message-ID: <1975e5623c$23fce32a$0ae1d8b4@vac212af2ce2>
    From: "smile"


    Hostname: 140.93.105.3
    ISP: Laboratoire d'Automatique et d'Analyse des Systeme 
    Organization: Laboratoire d'Automatique et d'Analyse des Systeme
    Country: France  
    State/Region: Midi-Pyrenees
    City: Toulouse


    It appears that 140.93.105.3 used mail.vac.gov.tw (210.241.78.245) as a relay server.
    210.241.78.245
    inetnum: 210.241.0.0 - 210.241.127.255
    netname: GSN
    descr: GSN, Taiwan Government Service Network.
    descr: Data-Bldg.14F, No.21, Sec.21, Hsin-Yi Rd.
    descr: Taipei Taiwan 100
    country: TW
    Incoming mail for mail.vac.gov.tw is handled by two mailservers at gov.tw. They are on different IP networks. mail.vac.gov.tw has one IP number , which also has a corresponding reverse pointer.
    vac.gov.tw and mail.vac.gov.tw use this as a mailserver. vac.gov.tw and x346-3.vac.gov.tw share mailservers with this domain.
    vac.gov.tw is delegated to one nameserver, however one extra nameserver is listed in the zone. The NS sunlx.vac.gvo.tw.vac.gov.tw stated in SOA record is not in the list of nameservers. Incoming mail for vac.gov.tw is handled by twelve mailservers also at gov.tw. Some of them are on the same IP network.
    You might also be interested in mail3.vac.gov.tw, mail4.vac.gov.tw, mail2.vac.gov.tw and mail5.vac.gov.tw.
    mail.vac.gov.tw is hosted on a server in Taiwan.
    It is not listed in any blacklists.
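The relay reasoning above (an external host handing the message to a government MTA that has nothing to do with the From domain) can be mechanised. The following is an added example, not part of the blog post: it parses the Received chain quoted above and the Yahoo headers from the April 30 post, both copied from this page, and flags the two indicators the author reads off by hand.

```python
import re
from typing import Dict, List, Optional

# Headers as quoted above for the ATT85645.pdf mail (recipient already redacted
# by the blog author); the From address is the one shown at the top of that mail.
VAC_HEADERS = """\
Received: from mail.vac.gov.tw (HELO mail.vac.gov.tw) (210.241.78.245)
  by server-7.tower-37.messagelabs.com with SMTP; 27 Apr 2010 02:23:10 -0000
Received: from vac (unknown [140.93.105.3])
    by mail.vac.gov.tw (Postfix) with ESMTP id 64ED7D6C431
    for XXXXXXXX ; Tue, 27 Apr 2010 10:22:32 +0800 (CST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@vac212af2ce2>
From: "smile" <smiles@mail.knu.edu.tw>
"""

# Headers of the North_Korea_update.pdf mail (April 30 post): a plain webmail submission.
YAHOO_HEADERS = """\
Received: from [123.125.156.138] by web114410.mail.gq1.yahoo.com via HTTP; Thu, 29 Apr 2010 22:59:34 PDT
X-Mailer: YahooMailRC/348.5 YahooMailWebService/0.8.103.269680
Date: Thu, 29 Apr 2010 22:59:34 -0700
From: David Austin <davidaustin3@yahoo.com>
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def unfold(raw: str) -> List[str]:
    """Join folded header lines: a line starting with whitespace continues the previous one."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def header_value(raw: str, name: str) -> Optional[str]:
    prefix = name.lower() + ":"
    for line in unfold(raw):
        if line.lower().startswith(prefix):
            return line[len(prefix):].strip()
    return None


def parse_received(raw: str) -> List[dict]:
    """Return the Received hops oldest-first. Each MTA prepends its own Received
    line, so the last one in the header block is the hop closest to the sender."""
    hops: List[dict] = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line.split(":", 1)[1].strip()
        m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", body, re.IGNORECASE)
        if not m:
            continue  # e.g. a bare "Received: <date>" line carries no routing data
        from_part, by_host = m.group(1), m.group(2)
        ip = IPV4.search(from_part)
        hops.append({
            "claimed": from_part.split()[0].strip("[]"),  # HELO name or literal IP
            "ip": ip.group(1) if ip else None,
            "by": by_host,
            # Postfix writes "(unknown [ip])" when the client IP has no reverse DNS
            "rdns_unknown": "unknown" in from_part.lower(),
        })
    hops.reverse()
    return hops


def same_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a host under it (or the other way round)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain) or domain.endswith("." + host)


def assess(raw: str) -> Dict[str, object]:
    """What the post does by hand: who injected the message, and whether the
    first server to accept it belongs to the domain the From address claims."""
    hops = parse_received(raw)
    sender = header_value(raw, "From") or ""
    m = re.search(r"@([\w.-]+)", sender)
    sender_domain = m.group(1).lower() if m else None
    if not hops:
        return {"origin_ip": None, "first_mta": None,
                "sender_domain": sender_domain, "findings": ["no usable Received headers"]}
    origin = hops[0]
    findings: List[str] = []
    if origin["rdns_unknown"]:
        findings.append(f"origin {origin['ip']} has no reverse DNS (claimed HELO {origin['claimed']!r})")
    first_mta = origin["by"].lower()
    if sender_domain and not same_domain(first_mta, sender_domain):
        findings.append(f"first MTA {first_mta} is not in sender domain {sender_domain}: "
                        "possible open relay or abused server")
    return {"origin_ip": origin["ip"], "first_mta": first_mta,
            "sender_domain": sender_domain, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("vac.gov.tw relay", VAC_HEADERS), ("yahoo webmail", YAHOO_HEADERS)):
        print(label, assess(raw))
```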

    Thursday, April 29, 2010

    Apr 26 CVE-2010-0188 PDF North Korea Policy Piece from (fake) walterkeats@yahoo.com

    Download  4fcc7b56fdc488a333f3d97ad502eb22 20100426_WLK_Position_Paper.pdf as a password protected archive (please contact me for the password if you need it)


    Details 4fcc7b56fdc488a333f3d97ad502eb22 20100426_WLK_Position_Paper.pdf 


    From: Keats, Walter [mailto:walterkeats@yahoo.com]
    Sent: Monday, April 26, 2010 9:53 AM
    To: XXXXXXXXXXXXXX
    Subject: North Korea Policy Piece

    XXXXX

    I was able to visit the DPRK in February, my 20th trip, demonstrating that Americans can now visit the DPRK year round.  The most significant new thing I did this trip was to visit Sinchon where there was a massacre in the fall of 1950.  Pretty gruesome, but not clear who did what to whom.  I also got to see the Pyongyang Golf Club, although it was snow covered, among other sites in the Pyongyang area.

    At any rate, I have written the attached opinion piece, not for publication or attribution, to see what you and others think about it.  Let me know at your convenience.

    Best regards,

    Walter

    Walter L. Keats, CTC, CMP
    President
    Asia Pacific Travel, Ltd.
    P.O. Box 350
    Kenilworth, IL 60043-0350 USA

    Celebrating 30 years of designing memorable custom individual and small group tours to East Asia for discerning clients.

    The only American company directly authorized by North Korea to arrange for tourists from America and other countries to visit the DPRK.

    Header info
    Received: from [204.12.252.250] by web114508.mail.gq1.yahoo.com via HTTP; Mon, 26 Apr 2010 06:53:11 PDT
    X-Mailer: YahooMailClassic/10.1.9 YahooMailWebService/0.8.102.267879
    Date: Mon, 26 Apr 2010 06:53:11 -0700
    From: "Keats, Walter"

         204.12.192.0/18     AS32097
    RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity
    WholeSale Internet, Inc. WHOLESALEINTERNET-3 (NET-204-12-192-0-1)
    204.12.192.0 - 204.12.255.255
    Daigou Inc. WII-2197-10075602 (NET-204-12-252-248-1)
    204.12.252.248 - 204.12.252.255

    File 20100426_WLK_Position_Paper.pdf received on 2010.04.29 04:24:04 (UTC)
    Result: 6/41 (14.64%)
    Avast    4.8.1351.0    2010.04.28    PDF:CVE-2010-0188
    Avast5    5.0.332.0    2010.04.28    PDF:CVE-2010-0188
    ClamAV    0.96.0.3-git    2010.04.29    Exploit.PDF-22668
    eTrust-Vet    35.2.7456    2010.04.28    PDF/CVE-2010-0188!exploit
    GData    21    2010.04.29    PDF:CVE-2010-0188
    Sophos    4.53.0    2010.04.29    Troj/PDFJs-II
    Additional information
    File size: 44661 bytes
    MD5...: 4fcc7b56fdc488a333f3d97ad502eb22




    Wednesday, April 28, 2010

    Apr 23 CVE-2008-4841 DOC Important Message from indianembassy.org.cn


    Download  03546e59967af0c2dbf609013934cd07 message-cv.doc as a password protected archive (please contact me for the password, if you need it)


    Details 03546e59967af0c2dbf609013934cd07 message-cv.doc


    From: polsec@indianembassy.org.cn [mailto:polsec@indianembassy.org.cn]
    Sent: Friday, April 23, 2010 4:30 AM
    To: XXXXXXXXXX
    Subject: Important Message

    Dear sir,

       Pls find attached file.

    Regards,

    Satish Kumar
    Second Secretary,
    Embassy of India,
    Beijing


    http://www.virustotal.com/analisis/7a6b78a4662ceca77e76cd7f2bc08f69a588fc7547db60eb77eb4c328a04c0a8-1272378511
    File message-cv.doc received on 2010.04.27 14:28:31 (UTC)
    Result: 13/40 (32.50%)
    a-squared     4.5.0.50     2010.04.27     Exploit.Win32.CVE-2008!IK
    Authentium     5.2.0.5     2010.04.27     MSWord/Dropper.B!Camelot
    BitDefender     7.2     2010.04.27     Exploit.MSOffice.Gen
    F-Prot     4.5.1.85     2010.04.26     CVE-2006-2389
    F-Secure     9.0.15370.0     2010.04.27     Exploit.MSOffice.Gen
    Fortinet     4.0.14.0     2010.04.27     MSWord/Agent.Y!exploit
    GData     21     2010.04.27     Exploit.MSOffice.Gen
    Ikarus     T3.1.1.80.0     2010.04.27     Exploit.Win32.CVE-2008
    Jiangmin     13.0.900     2010.04.27     Exploit.MSWord.b
    McAfee-GW-Edition     6.8.5     2010.04.27     Heuristic.BehavesLike.Exploit.OLE2.CodeExec.EBKP
    Microsoft     1.5703     2010.04.27     Exploit:Win32/CVE-2008-4841
    nProtect     2010-04-27.01     2010.04.27     Exploit.MSOffice.Gen
    Panda     10.0.2.7     2010.04.26     Trj/1Table.C
    Additional information
    File size: 292864 bytes
    MD5   : 03546e59967af0c2dbf609013934cd07

    Headers
    Received: from unknown (HELO mail.niit.com.cn) (202.109.110.87)
      by XXXXXXXXXXXXX  with SMTP; 23 Apr 2010 08:30:17 -0000
    Received: Fri, 23 Apr 2010 16:30:13 +0800
    From: polsec@indianembassy.org.cn       
          Hostname:    202.109.110.8
          ISP:    ChinaNet Shanghai Province Network
          Organization:    Business China Trading Company
          Country:    China
          State/Region:    Shanghai
          City:    Shanghai

    dl-niit.com, niit.com.cn, okshanghai.com, www.niit.com.cn, mail.niit.com.cn and at least three other hosts point to 202.109.110.87. It is blacklisted in four lists.


    Domains using this as mail server
    indianembassy.org.cn(primary)
    niit.com.cn(primary)



    Sunday, April 25, 2010

    Apr 13 JAVA Malware evading decompilation by Donato "ratsoul" Ferrante - www.InReverse.net Post #5

    The following article was written and published by Donato "ratsoul" Ferrante (www.inreverse.net) on April 13, 2010. His recent Java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010 (this is their new blog, replacing www.inreverse.net). The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
    www.inreverse.net is currently inaccessible; therefore, we are publishing the InReverse Java analysis here (this is Post #5), this time together with the malware samples provided by the InReverse crew. We ask antivirus and security companies to download, analyze, and develop protection (if you have not done so yet). Thank you.
    Donato "ratsoul" Ferrante can be reached at ratsoul -at- inreverse-net


    Download 9 files listed below as a password protected archive (please contact me for the password, if you need it)



    All VirusTotal scan results are from April 25, 2010. Compare with the initial scan results of some of the samples (1/42 and 0/42; see Post #5).
    1. 8d499308df04932ed1b58a78417d6fb9.jar from JAVA Exploit Kit Malware #1 (Post #1) - VirusTotal 26/40
    2. 7e92d280472ca426aff1c20fbeb8d2db.jar from JAVA Mobile Malware #1 (Post #2) - VirusTotal 17/41
    3. 38f083169319d0141532db992d295448.jar from JAVA Sound Malware (Post #3) - VirusTotal 11/41
    4. 52586e8a85188a0ada59294650c91362.jar from JAVA Sound Malware (Post #3) - VirusTotal 19/41
    5. 3af7627af6348a76d1bf3b7bf31514e0.jar from JAVA Malware Family (Post #4) - VirusTotal 20/38
    6. a022524cb52223a939ba50043d90ff94.jar from JAVA Malware Family (Post #4) - VirusTotal 21/39
    7. d45a156c76f3c34bac0cf22cb586fdd1.jar from JAVA Malware Family (Post #4) - VirusTotal 16/40
    8. 2138bfc0c92b726a13ff5095bd2f2b72.jar from JAVA Malware evading decompilation (Post #5) - VirusTotal 11/39
    9. a0585edf638f5d1c556239d3bfaf08db.jar from JAVA Malware evading decompilation (Post #5) - VirusTotal 10/40
           
    ----------------------------------------
    Tuesday, April 13, 2010
    Donato "ratsoul" Ferrante
     JAVA Malware evading decompilation
    Hello,

    Some days ago Param (thanks!), one of our blog readers, sent me a couple of undetected JAVA malware samples, which I'm going to analyze. The MD5s are:

    (Sample 1) 2138bfc0c92b726a13ff5095bd2f2b72
    (Sample 2) a0585edf638f5d1c556239d3bfaf08db

    At this time, both of these samples have low detection: the first one 1/42 and the second one 0/42 on VirusTotal.

    One of the interesting things is that if you try to decompile these samples by using jD you will get the following notice:
    So after a little investigation I figured out the reason. The reason is that jD is unable to handle methods with a large body.

    Is it a problem? No. To proceed with the analysis we can summon JAD. In fact, by using JAD we can obtain the full code. Here are some snippets taken from the two samples.

    (I will go fast on the analysis, at the end of the post you can find a couple of links with more details about these malwares.)

    Sample 1:
    ([CVE-2009-3867])

    Imports reveal a lot of information about what the malware is trying to "use"...

    Mar 17 JAVA Malware Family by Donato "ratsoul" Ferrante - www.InReverse.net Post #4

    The following article was written and published by Donato "ratsoul" Ferrante (www.inreverse.net) on March 17, 2010. His recent Java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
    www.inreverse.net is currently inaccessible; therefore, we are publishing the InReverse Java analysis here (this is Post #4), this time together with the malware samples provided by the InReverse crew. We ask antivirus and security companies to download, analyze, and develop protection (if you have not done so yet). Thank you.

            -----------------------------------------

    Wednesday, March 17, 2010
    Donato "ratsoul" Ferrante

    JAVA Malware Family

    Hello guys,

    Do you remember one of my last posts about a JAVA malware exploiting a vulnerability related to deserialization? If not, you can read it here.

    In the last days I have found a lot of variants of this malware. I picked for this post the following:

    sample 1: 3af7627af6348a76d1bf3b7bf31514e0
    sample 2: a022524cb52223a939ba50043d90ff94
    sample 3: d45a156c76f3c34bac0cf22cb586fdd1

    In this post we will try to discover a quick way to detect this "family" of malware.

    Each jar comes with 3 classes as for the original sample that I analyzed. The class names are changed into AdgredY, DyesyasZ, LoaderX, for one of these samples.

    First thing to note is about the class names. We can note the following relations:

    C1. AppletX is AdgredY;
    C2. PayloadX is DyesyasZ;
    C3. LoaderX is LoaderX.

    The class name length is the same as the original one, also the position of the capital letters is preserved.
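The naming relation above (same length, same capital positions, LoaderX left unchanged) is a usable triage heuristic for this family. The following is an added example, not code from the InReverse post: it reduces class names to their letter-case "shape", compares a jar's class list against the AppletX/PayloadX/LoaderX signature, and pairs each renamed class with the original it stands in for. Shapes alone will also match unrelated three-class jars of the same lengths, so treat a hit as a reason to look, not as a verdict.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Class names from the original sample (Post #1) and from the variant named above (Post #4).
ORIGINAL_CLASSES = ["AppletX", "PayloadX", "LoaderX"]
VARIANT_CLASSES = ["AdgredY", "DyesyasZ", "LoaderX"]


def shape(name: str) -> str:
    """Reduce a class name to its shape: 'A' per upper-case letter, 'a' per lower-case
    letter, other characters kept. Length and capital positions are exactly what the
    variants preserve, so AppletX and AdgredY both become 'AaaaaaA'."""
    return "".join("A" if c.isupper() else ("a" if c.isalpha() else c) for c in name)


# Multiset of shapes for the original sample; order-independent comparison.
FAMILY_SIGNATURE = sorted(shape(n) for n in ORIGINAL_CLASSES)


def class_names(jar) -> List[str]:
    """Top-level class names inside a jar (path or file object), without package path."""
    with zipfile.ZipFile(jar) as zf:
        return [info.filename.rsplit("/", 1)[-1][:-len(".class")]
                for info in zf.infolist()
                if info.filename.endswith(".class")]


def matches_family(names: List[str]) -> bool:
    """True when the jar holds exactly three classes shaped like AppletX/PayloadX/LoaderX."""
    return sorted(shape(n) for n in names) == FAMILY_SIGNATURE


def pair_with_original(names: List[str]) -> Dict[str, Optional[str]]:
    """Map each class to the original it replaces: unchanged names first (LoaderX stayed
    LoaderX), then the rest by shape. None means no original with that shape was left."""
    pairing: Dict[str, Optional[str]] = {}
    unused = list(ORIGINAL_CLASSES)
    for n in names:
        if n in unused:
            pairing[n] = n
            unused.remove(n)
    for n in names:
        if n in pairing:
            continue
        pick = next((o for o in unused if shape(o) == shape(n)), None)
        pairing[n] = pick
        if pick is not None:
            unused.remove(pick)
    return pairing


def scan_jar(jar) -> Dict[str, object]:
    names = class_names(jar)
    hit = matches_family(names)
    return {"classes": names, "family_match": hit,
            "pairing": pair_with_original(names) if hit else {}}


def build_test_jar(names: List[str]) -> io.BytesIO:
    """Constructed stand-in for a sample: an in-memory jar whose .class entries are empty,
    since only the entry names matter to this heuristic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n + ".class", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(scan_jar(build_test_jar(VARIANT_CLASSES)))
```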

    Let's proceed.

    Here are some snippets of code taken from the Applet subclass of each sample above.
    Sample 1.

    Mar 7 JAVA Sound Malware by Donato "ratsoul" Ferrante - www.InReverse.net Post #3

    Update May 14. The old www.inreverse.net was indefinitely suspended by the provider last month because of the DDoS. The new blog is here: http://blog.inreverse.net/
    It is not clear why the guys behind the DDoS got so upset over the old exploits.


    The following article was written and published by Donato "ratsoul" Ferrante (www.inreverse.net) on March 7, 2010. His recent Java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
    www.inreverse.net is currently inaccessible; therefore, we are publishing the InReverse Java analysis here (this is Post #3), this time together with the malware samples provided by the InReverse crew. We ask antivirus and security companies to download, analyze, and develop protection (if you have not done so yet). Thank you.

            -----------------------------------------
    Sunday, March 7, 2010
    Donato "ratsoul" Ferrante
      
    JAVA Sound Malware

    Hello guys,

    I'm sorry for the few posts in the last weeks, but I was quite busy. Today I am going to analyze another interesting JAVA malware.

    Our target is a jar, md5: 38f083169319d0141532db992d295448. The jar contains one class: AppletX.  After using a java decompiler on our target, we will get the AppletX class code.

    I will report only the relevant parts. Let's go..
    Firstly, the malware tries to discover the operating system in use by using System.getProperty("os.name"), then it fills str1 according to the O.S. in use.

    At this point the malware proceeds by exploiting a vulnerability located in the getSoundBank method [CVE-2009-3867] to execute malicious code on the victim system. It retrieves the parameters sc and np (meaningful names) and then uses the following spray method in order to place the shellcode:

    As we can see, this function simply converts the parameters into hex and then it calls the real spray method:

    Jan 17, 2010 JAVA Mobile Malware #1 by Donato "ratsoul" Ferrante www.InReverse.net Post #2

    The following article was written and published by Donato "ratsoul" Ferrante (www.inreverse.net) on January 17, 2010. His recent Java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
    www.inreverse.net is currently inaccessible; therefore, we are publishing the InReverse Java analysis here (this is Post #2), this time together with the malware samples provided by the InReverse crew. We ask antivirus and security companies to download, analyze, and develop protection (if you have not done so yet). Thank you.

           
    -----------------------------------------
    Sunday, January 17, 2010
    Donato "ratsoul" Ferrante

    JAVA Mobile Malware #1
    Hi guys,

    today I will focus on a JAVA mobile malware (md5 is: 7e92d280472ca426aff1c20fbeb8d2db).

    It is spread as a jar, containing a class with an attractive name. The jar contains three files:


        * a java class (the malware engine);

        * an icon image (it is used in order to be attractive..);

        * an inf file (it is used to extract sms information).


    The following is the class code after the usage of jd. I report only relevant parts:

    LoadData:


     This method is used to read the inf file in order to fill smsnumber and smstext fields. It uses the first byte of the inf file to know how many sms should be sent.

    InputStreamString:


    This method is used to read user-defined strings from the inf file.

    Jan 5 JAVA Exploit Kit Malware #1 by Donato "ratsoul" Ferrante - www.InReverse.net Post #1

    The following article was written and published by Donato "ratsoul" Ferrante (http://www.inreverse.net/) on January 5, 2010. His recent Java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
    http://www.inreverse.net/ is currently inaccessible; therefore, we are publishing all InReverse Java articles here (this is Post #1), this time together with the malware samples provided by the InReverse crew.


     
            --------------------------------------------------
    Tuesday, January 5, 2010
    Donato "ratsoul" Ferrante

    JAVA Exploit Kit Malware #1

    This is my first blog post of the new year. New year new target!
    I am going to analyze a JAVA exploit kit malware, the md5 is: 8d499308df04932ed1b58a78417d6fb9.

    Since our target is a jar, containing three class files, we try to get more information about it by using a java decompiler (i.e. jd).

    After decompilation, we have a java package that contains three classes:

    • C1. AppletX.java

    • C2. LoaderX.java

    • C3. PayloadX.java
    C1. AppletX.java

     Here we have an Applet subclass that mainly does three things:

    1. It deserializes a serialized object;

    2. It grabs a couple of pieces of information via applet parameters: data and cc;

    3. It plays with a custom class loader named: LoaderX.

    The most interesting part is the serialized object obviously.
    Do you have any idea about the usage of the serialized object in the above code?

    Well, I will lead you to the right answer. Please just focus on the above AppletX code. If you pay attention to the above code, you can see the initialization of localObject; it is located just above the if test. But we can't see any sort of explicit initialization for LoaderX.instance. In fact the initialization lies in the deserialization routine... nice, eh?

    Here is a visual recap:

    Let's examine the custom class loader now.