Wednesday, June 30, 2010

Jun 30 CVE-2010-1297 PDF 2020 National Defense Industrial Strategy Forum from techdm@csistdup.org.tw


Download  497bd7eb4be6ae9b68c624e3fb594502 2020.pdf  as a password protected archive (contact me if you need the password)

 File 2020.pdf received on 2010.07.04 05:20:15 (UTC)
http://www.virustotal.com/analisis/000c6d021e9678184f059dd1dfacf75558bdd3f62e259e789836005efbf0e6b1-1278220815
Result: 14/41 (34.15%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.31    2010.07.03    Exploit.SWF.CVE-2010-1297!IK
AntiVir    8.2.4.2    2010.07.02    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.07.02    Exploit/SWF.CVE-2010-1297
Avast    4.8.1351.0    2010.07.03    JS:Pdfka-AIX
Avast5    5.0.332.0    2010.07.03    JS:Pdfka-AIX
BitDefender    7.2    2010.07.04    Exploit.PDF-Name.Gen
eTrust-Vet    36.1.7684    2010.07.03    SWF/CVE-2010-1297.A!exploit
F-Secure    9.0.15370.0    2010.07.03    Exploit.PDF-Name.Gen
GData    21    2010.07.04    Exploit.PDF-Name.Gen
Ikarus    T3.1.1.84.0    2010.07.03    Exploit.SWF.CVE-2010-1297
Kaspersky    7.0.0.125    2010.07.04    Exploit.SWF.CVE-2010-1297.a
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.PDF.Suspicious.O
nProtect    2010-07-04.01    2010.07.04    Exploit.PDF-Name.Gen
Sophos    4.54.0    2010.07.04    Mal/PDFEx-D
Additional information
File size: 237302 bytes
MD5...: 497bd7eb4be6ae9b68c624e3fb594502


Headers
Received: from mta-101.dothome.co.kr (HELO mta-101.dothome.co.kr) (211.239.118.134)
  by XXXXXXXXXXXXXXXXX
X-AuthUser: aks@a-one.co.kr
Received: from techdm ([218.234.32.224]:4032)
    by mta-101.dothome.co.kr with [XMail 1.22 PassKorea090507 ESMTP Server]
     ...
    Wed, 30 Jun 2010 23:21:06 +0900
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@techdm212af2ce2>
From: "???K??"
To: XXXXXXXXXXXXXXX
Subject: =?big5?B?MjAyMLDqqL6s7KfesqO3frWmsqS9177CrKGwyg==?=
Date: Wed, 30 Jun 2010 22:07:21 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000B_01CB18A0.9EBCFA10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579


218.234.32.224
 Hostname:    218.234.32.224
ISP:    Hanaro Telecom Co.
Organization:    ARO INFORMATION TECH
Type:    Broadband
Assignment:    Static IP
Country:    Korea, Republic of
State/Region:    Soul-t'ukpyolsi
City:    Seocho


From: 李沛怡 [mailto:techdm@csistdup.org.tw]
Sent: Wednesday, June 30, 2010 10:07 AM
To: XXXXXXXXXXXX
Subject: 2020 National Defense Science and Technology Industry Strategy Forum event

The Chung-Shan Institute of Science and Technology plans to hold the "2020 National Defense Science and Technology Industry Strategy Forum" on July 29 of ROC year 99 (2010), Thursday, at 09:30 AM in Building W48 of the Institute's Longyuan Research Park. Alliance members and people from all sectors are welcome to register.

1. Purpose of the forum:
The Institute plans to hold the "2020 National Defense Science and Technology Industry Strategy Forum" at the Longyuan Research Park on July 29 of ROC year 99. The theme is "Integrating industrial and academic science and technology capacity to promote the national defense science and technology industry", with the sub-topics (1) linking neighbouring parks and developing military-civil dual-use technology; (2) transforming defense technology to create industrial value; (3) bringing in private-sector resources to build autonomous national defense.
The event will be chaired by Executive Secretary Wan Chi-chao (萬其超) of the Executive Yuan Science and Technology Advisory Group, with the heads of the Industrial Development Bureau, the Department of Industrial Technology, the Small and Medium Enterprise Administration and the Armaments Bureau as co-chairs, to hear the valuable opinions of the members of the national defense science and technology industry alliance (industry and academia) on the future release of defense technology capacity and on opportunities to take part in defense R&D. Through this event we hope to arrive at a shared industry-academia-research strategic direction and consensus, complete the 2020 national defense science and technology industry development strategy report, and provide it to the government authority for industry (Ministry of Economic Affairs) and the defense policy-making body (Ministry of National Defense) as a reference for promoting the defense industry and military-civil dual-use technology policy.

2. Date and venue
1. Date: July 29 of ROC year 99 (Thursday)
2. Time: 09:30 AM to 3:30 PM
3. Venue: 1st floor of Building W48, Longyuan Research Park (International Conference Hall)

3. How to register
1. Fax: 03-4117119
2. E-mail: techdm@csistdup.org.tw

4. Registration deadline: July 15 of ROC year 99

5. Contact: Ms. Li Pei-yi (李沛怡), phone: 03-4712201 ext. 32982

Jun 30 CVE-2009-3129 XLS Mission to China Permanent Contact info


 Download   15a22ac5b7ed9fd640d6220dac0b4488 Permanent Contact info.xls as a password protected archive (contact me if you need the password)




From: Gary Crowley [mailto:gcgarycrowley@yahoo.com]
Sent: Wednesday, June 30, 2010 8:56 PM
To: gcgarycrowley@yahoo.com
Subject: Fw: U.S. Mission to China Permanent Contact info




Dear all

Attached is U.S. Mission to China Permanent Contact.


Result: 8/42 (19.05%)
http://www.virustotal.com/analisis/68809148ea164e7e9c605e51740e229160540c301c1148d5a9732cd62a43022c-1280205402
Antivirus     Version     Last Update     Result
AntiVir    8.2.4.26    2010.07.26    EXP/Excel.CVE-2009-3129
Authentium    5.2.0.5    2010.07.27    MSExcel/Dropper.B!Camelot
Emsisoft    5.0.0.34    2010.07.27    Exploit.Win32.CVE-2009!IK
Ikarus    T3.1.1.84.0    2010.07.27    Exploit.Win32.CVE-2009
Microsoft    1.6004    2010.07.26    Exploit:Win32/CVE-2009-3129
Norman    6.05.11    2010.07.26    ShellCode.M
TrendMicro    9.120.0.1004    2010.07.27    TROJ_DROPPER.QRX
TrendMicro-HouseCall    9.120.0.1004    2010.07.27    TROJ_DROPPER.QRX
Additional information
File size: 56714 bytes
MD5...: 15a22ac5b7ed9fd640d6220dac0b4488
Headers

Received: from [180.150.229.29] by web120112.mail.ne1.yahoo.com via HTTP; Wed, 30 Jun 2010 17:56:09 PDT
X-Mailer: YahooMailClassic/11.1.4 YahooMailWebService/0.8.104.274457
Date: Wed, 30 Jun 2010 17:56:09 -0700
From: Gary Crowley
Subject: Fw: U.S. Mission to China Permanent Contact info
To: gcgarycrowley@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-415109960-1277945769=:30240"

netnum:     180.150.224.0 - 180.150.231.255
netname:    EHOSTIDC
country:    KR
admin-c:    JK1606-AP
tech-c:    JK1606-AP
status:    Allocated Portable
remarks:    www.ehostidc.co.kr
mnt-by:    MNT-KRNIC-AP
mnt-lower:    MNT-KRNIC-AP
changed:    XXXXXXXXXX@apnic.net 20090909
source:    APNIC
person:    Jinyoung Lee
nic-hdl:    JK1606-AP
e-mail:    XXXXXXX@ehostidc.co.kr
address:    Newticastle Geumcheon-gu Gasan-dong Seoul
phone:    +82-2-6277-3316
fax-no:    +82-2-6277-3311
country:    KR
changed:    XXXXXXXXXX@nida.or.kr 20090512
mnt-by:    MNT-KRNIC-AP
source:    APNIC
inetnum:    180.150.224.0 - 180.150.231.255
netname:    EHOSTIDC-KR



Monday, June 28, 2010

Jun 28 CVE-2010-1297 Global Economic Policies and Prospects from xxx.crisisgroup.org


Download  6932d141916cd95e3acaa3952c7596e4  Global.pdf   as a password protected archive (contact me if you need the password)


-----Original Message-----
From: Daniel Pinkston [mailto:XXXXXXXXXXXXXX]
Sent: Monday, June 28, 2010 12:49 PM
To: sitrep@crisisgroup.org
Subject: Global Economic Policies and Prospects

The attachment is quite useful for you.

Sincerely

Daniel A. Pinkston, Ph.D.
North East Asia Deputy Project Director
ph: +XXXXXXXXXXX
Mobile: XXXXXXXXXXXX

  File Global.pdf received on 2010.07.04 03:03:52 (UTC)
http://www.virustotal.com/analisis/ab8a06d95935b07ad241c17d2c0bd2855e0ee77b24611805cd95fd4871052311-1278212632
Result: 16/41 (39.03%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.31    2010.07.03    Exploit.SWF.CVE-2010-1297!IK
AntiVir    8.2.4.2    2010.07.02    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.07.02    Exploit/SWF.CVE-2010-1297
Avast    4.8.1351.0    2010.07.03    JS:Pdfka-AIX
Avast5    5.0.332.0    2010.07.03    JS:Pdfka-AIX
BitDefender    7.2    2010.07.04    Exploit.PDF-Name.Gen
eTrust-Vet    36.1.7684    2010.07.03    SWF/CVE-2010-1297.A!exploit
F-Secure    9.0.15370.0    2010.07.03    Exploit.PDF-Name.Gen
GData    21    2010.07.04    Exploit.PDF-Name.Gen
Ikarus    T3.1.1.84.0    2010.07.03    Exploit.SWF.CVE-2010-1297
Kaspersky    7.0.0.125    2010.07.04    Exploit.SWF.CVE-2010-1297.a
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.PDF.Suspicious.O
nProtect    2010-07-03.02    2010.07.03    Exploit.PDF-Name.Gen
Sophos    4.54.0    2010.07.03    Mal/PDFEx-D
TrendMicro    9.120.0.1004    2010.07.03    TROJ_PDFSWF.C
TrendMicro-HouseCall    9.120.0.1004    2010.07.04    TROJ_PDFSWF.C
Additional information
File size: 492149 bytes
MD5...: 6932d141916cd95e3acaa3952c7596e4

Headers
Received: from mail.crisisweb.org (HELO mail.crisisweb.org) (217.64.242.146)
  by XXXXXXXXXXXXXXXXXXXXXXXXXXX
Received: from apaitpdc.apaitonline.org ([12.11.239.25]) by mail.crisisweb.org with Microsoft SMTPSVC(6.0.3790.4675);
     Mon, 28 Jun 2010 18:49:32 +0200
Received: from 127.0.0.1 ([127.0.0.1]) by apaitpdc.apaitonline.org with Microsoft SMTPSVC(6.0.3790.4675);
     Mon, 28 Jun 2010 09:49:13 -0700
To: ""
From: "Daniel Pinkston"
Subject: Global Economic Policies and Prospects
X-Mailer: Ghost Mail 5.1 http://ay.home.ml.org/
X-Priority: 3 (Normal)
Return-Path: XXXXXXXXXXXXXXXXXXXXXXXXX
Message-ID:
X-OriginalArrivalTime: 28 Jun 2010 16:49:13.0640 (UTC) FILETIME=[D6BDB280:01CB16E1]
Date: Mon, 28 Jun 2010 09:49:13 -0700
X-TM-AS-Product-Ver: SMEX-8.6.0.1168-6.000.1038-17472.004
X-TM-AS-Result: No--11.273500-5.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
MIME-Version: 1.0
X-ConvertedToMime: 1


12.11.239.25
Hostname:    apaitpdc.apaitonline.org
ISP:    AT&T WorldNet Services
Organization:    ACC-ASIAN PACIFIC AIDS INTERVENT
Proxy:    None detected
Type:    Corporate
Assignment:    Static IP
Services:    Web Server (1 or more domains)
Geolocation Information
State/Region:    California
City:    Los Angeles


Sunday, June 27, 2010

Malware Analysis and Forensics tools links


Beginner Malware Analysis and Reverse Engineering
Informational slides about malware 

How-To Forensics and RE links

Malware Analysis and Forensics tools


Scan websites for malware
AV Scanners
ReCon2010 Slides (many many thanks to ARTeam) 

DigitalNinjitsu.com  - A (great) resource for security professionals to perform research.

Malware Analysis -- Links and resources for malware samples




Jun 27 CVE-2009-0927 PDF Discussion on cross-strait maritime cooperation

CVE-2009-0927: Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.

Download  6e14c7a424c2eef7f37810ff65650837 ATT27173.pdf as a password protected archive (contact me if you need the password)



 File ATT27173.pdf received on 2010.07.04 05:42:18 (UTC)
http://www.virustotal.com/analisis/6ed5186f31852eb5533670ae0d08737940148fe8587bdc44c5474426d92362c7-1278222138
Result: 11/41 (26.83%)
Antivirus     Version     Last Update     Result
Avast    4.8.1351.0    2010.07.03    JS:Pdfka-AIX
Avast5    5.0.332.0    2010.07.03    JS:Pdfka-AIX
BitDefender    7.2    2010.07.04    Exploit.PDF-JS.Gen
eSafe    7.0.17.0    2010.06.30    Win32.Pidief.D
F-Secure    9.0.15370.0    2010.07.03    Exploit.PDF-JS.Gen
GData    21    2010.07.04    Exploit.PDF-JS.Gen
Kaspersky    7.0.0.125    2010.07.04    Exploit.JS.Pdfka.cnj
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.JS.BufferOverflow.D
nProtect    2010-07-04.01    2010.07.04    Exploit.PDF-JS.Gen
PCTools    7.0.3.5    2010.07.02    Trojan.Pidief
Symantec    20101.1.0.89    2010.07.04    Trojan.Pidief.D
Additional information
File size: 132181 bytes
MD5...: 6e14c7a424c2eef7f37810ff65650837


Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=6e14c7a424c2eef7f37810ff65650837&type=js

Adobe getIcon: Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object (CVE-2009-0927)

From: 傅慰孤 [mailto:guanpen@gio.gov.tw]
Sent: Sunday, June 27, 2010 9:23 PM
To: achengster@gmail.com
Subject: Preliminary discussion on cross-strait maritime cooperation

Clarifying the reasons, methods, purposes, locations and self-review of current cross-strait cooperation.
 -----------------------------------------------------------------
Chinese Sun Tzu's Art of War Research Society
President Fu Wei-ku (傅慰孤)

Terrible machine translation :)
From: 傅慰孤
[mailto: guanpen@gio.gov.tw]
Sent: Sunday, June 27, 2010 9:23 PM
To: achengster@gmail.com
Subject: Discussion on cross-strait maritime cooperation

Clarify the reasons for the current cross-strait cooperation, methods, purpose, location and self-examination.

-----------------------------------------------------------------
Research Institute of Chinese Art of War
Fu Wei-ku, president of


Saturday, June 26, 2010

Ru-Eng-Eng Glossary. Russian (human computer slang) -> English (Google machine) -> English (human computer slang)


Many of us use Google Translate and other machine translation services to read sites and forums in other languages. As you know, the main problem with any machine translation is that it needs additional human translation afterwards, because it cannot recognize many colloquial, misspelled, technical, transliterated, or slang words.

Not everyone knows about Google Translator Toolkit, which lets you upload your documents or select a URL and save the results for future reference (see the Google video below). You can also add your own glossaries to enhance and customize the translation results. I find that they do not work as you would expect (they are not applied automatically, the way personal dictionaries in MS Office are), but they are still semi-useful for creating custom vocabulary lists to assist you in translating "Google machine English" into human English.

I made a quick draft of a custom Ru-GoogleEng-Eng glossary with fewer than 100 words; you can see a few screenshots below. The English words in bold in the first column are the words offered by Google Translate; these are wrong and in no way reflect the correct Russian and English versions that you can see in the other two columns.

There are a couple of ways of using the Google Translate kit site: download the CSV to your computer and use a plain text search through the file, or use Google Translator Toolkit (if you have Gmail, just go to http://translate.google.com/toolkit) to search through the uploaded custom glossary. Other languages can be added too.


 
Download csv Glossary importable to Google translate kit (unicode UTF-8)
Download a HTML page - glossary

screenshot 1
(1st column shows the WRONG translation consistently offered by Google Translate,
2nd column - part of speech and case,
3rd column - correct English and Russian pairs.)
(Let me know if you have any corrections or comments)


Thursday, June 24, 2010

Jun 17 Win XP (SP2, SP3) 0-Day - CVE-2010-1885 Samples and analysis links

Image from Trendlabs malware blog


Download CVE-2010-1885 files listed below as a password protected archive (contact me if you need the password)


 File 62f4daf19da62595609d6a0c0089fcac received on 2010.06.24 04:16:26 (UTC)
Current status: finished
Result: 28/41 (68.29%)
Antivirus     Version     Last Update     Result
a-squared     5.0.0.30     2010.06.24     Exploit.Win32.CVE-2010-1885!IK
AhnLab-V3     2010.06.24.00     2010.06.24     Exploit/Cve-2010-1885
AntiVir     8.2.4.2     2010.06.23     EXP/CVE-2010-1885
Avast     4.8.1351.0     2010.06.23     HTML:CVE-2010-1885-A
Avast5     5.0.332.0     2010.06.23     HTML:CVE-2010-1885-A
AVG     9.0.0.836     2010.06.23     Generic2_c.AMOL
BitDefender     7.2     2010.06.24     Exploit.CVE-2010-1885.A
CAT-QuickHeal     10.00     2010.06.23     HCP/CVE-2010-1885
Comodo     5198     2010.06.23     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.06.24     Exploit.Hcp
eSafe     7.0.17.0     2010.06.23     Win32.Exploit.HelpOv
eTrust-Vet     36.1.7663     2010.06.24     HTML/HCP.A
F-Secure     9.0.15370.0     2010.06.24     Exploit.CVE-2010-1885.A
GData     21     2010.06.24     Exploit.CVE-2010-1885.A
Ikarus     T3.1.1.84.0     2010.06.24     Exploit.Win32.CVE-2010-1885
Kaspersky     7.0.0.125     2010.06.24     Exploit.HTML.CVE-2010-1885.a
McAfee     5.400.0.1158     2010.06.24     Exploit-HelpOverflow
McAfee-GW-Edition     2010.1     2010.06.23     Exploit-HelpOverflow
Microsoft     1.5902     2010.06.23     Exploit:Win32/CVE-2010-1885.A
NOD32     5223     2010.06.23     HTML/Exploit.CVE-2010-1885
nProtect     2010-06-23.02     2010.06.23     Exploit.CVE-2010-1885.A
PCTools     7.0.3.5     2010.06.24     Exploit.CVE_2010_1885
Sophos     4.54.0     2010.06.24     Mal/HcpExpl-A
Sunbelt     6498     2010.06.24     Exploit.HTML.HCP.a (v)
Symantec     20101.1.0.89     2010.06.24     Bloodhound.Exploit.337
TrendMicro     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
TrendMicro-HouseCall     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
ViRobot     2010.6.21.3896     2010.06.24     JS.S.Exploit.1938
Additional information
File size: 1938 bytes
MD5   : 62f4daf19da62595609d6a0c0089fcac



Tuesday, June 22, 2010

Jun 21 CVE-2010-1297 PDF Adobe 0-Day About the recent US-Japan Economic Relations - with Poison Ivy

Adobe will fix this vulnerability on June 29

Download   e3f5ef4fa17b4e08388ae4b0e2373728  100621.pdf  as a password protected archive (contact me if you need the password)



-----Original Message-----
From: 大川 正人 [mailto:maseto.okawa@cas.go.jp]
Sent: Monday, June 21, 2010 12:29 AM
To: xxxxxxx
Subject: About the recent US-Japan economic relations
Importance: High
......
(Main) 03-5453-2111 (ext.) 82657
(Direct) 03-3581-4445
(FAX) 03-3581-5601
masato.okawa@cas.go.jp
=====================================
----- Original Message -----
From: Ookawa Masato [mailto: maseto.okawa @ cas.go.jp]
Sent: Monday, June 21, 2010 12:29 AM
To: xxxxxxx
Subject: About the recent US-Japan Economic Relations
Importance: High


 Headers
Received: from unknown (HELO cas.go.jp) (60.26.142.253)
Received: from SSSSSS-2F0F04F3[192.168.1.211] by cas.go.jp
  with SMTP id 4C7BCC96; Mon, 21 Jun 2010 12:28:56 +0800
From: =?ISO-2022-JP?B?GyRCQmdAbiEhQDU/TRsoQg==?=
Subject: =?ISO-2022-JP?B?GyRCOkc2YSRORnxKRjdQOlE0WDc4JEskRCQkJEYbKEI=?=
To: xxxxxxxxxxxxxxxxx
Content-Type: multipart/mixed;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="iso-2022-jp"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Reply-To: maseto.okawa@cas.go.jp
Date: Mon, 21 Jun 2010 12:29:29 +0800
X-Priority: 2
X-Mailer: Foxmail 4.1 [cn]

 60.26.142.253
ISP:    China Unicom Tianjin province network
Organization:    China Unicom Tianjin province network
Type:    Broadband
Assignment:    Static IP
Country:    China
State/Region:    Tianjin       


     File 100621.pdf received on 2010.06.22 00:33:39 (UTC)
http://www.virustotal.com/analisis/5e77d181d45156a17423a7a9d8be59635c3425003a35957f3ccf973bf4a1240b-1277166819
Result: 9/41 (21.95%)
Antivirus     Version     Last Update     Result
a-squared     5.0.0.30     2010.06.21     Exploit.JS.Pdfka!IK
AntiVir     8.2.2.6     2010.06.21     HTML/Malicious.PDF.Gen
BitDefender     7.2     2010.06.22     Exploit.PDF-JS.Gen
GData     21     2010.06.22     Exploit.PDF-JS.Gen
Ikarus     T3.1.1.84.0     2010.06.21     Exploit.JS.Pdfka
Kaspersky     7.0.0.125     2010.06.21     Exploit.JS.Pdfka.clv
McAfee-GW-Edition     2010.1     2010.06.21     Heuristic.BehavesLike.PDF.Suspicious.O
Sophos     4.54.0     2010.06.21     Troj/PDFJs-KY
VirusBuster     5.0.27.0     2010.06.21     JS.Pdfka.Gen.11
Additional information
File size: 969411 bytes
MD5   : e3f5ef4fa17b4e08388ae4b0e2373728      


Many thanks to JM for sharing the following information.
Dropped files:
100621.PDF (95210e66bc040ee0f6b5601390658007 – benign decoy; notice the size difference, 105 kb)
SUCHOST.EXE (abf8e40d7c99e9b3f515ec0872fe099e – 45k) - appears to be the Poison Ivy RAT

VT Result: 19/41 (46.34%)

SUCHOST.EXE
http://www.virustotal.com/analisis/8264a96a954c9a3f661bd21b9493377a710aaac1e96fe276d8d9095ea286c84a-1277147963
AhnLab-V3   2010.06.21.02     2010.06.21  Win-Trojan/Agent.45056.AMQ
Antiy-AVL   2.0.3.7     2010.06.18  Trojan/Win32.Agent.gen
Authentium  5.2.0.5     2010.06.21  W32/Trojan2.MIBZ
Avast 4.8.1351.0  2010.06.21  Win32:Malware-gen
Avast5      5.0.332.0   2010.06.21  Win32:Malware-gen
AVG   9.0.0.787   2010.06.21  Agent2.ALLE
BitDefender 7.2   2010.06.21  Trojan.Inject.XI
CAT-QuickHeal     10.00 2010.06.18  Trojan.Agent.dgqy
DrWeb 5.0.2.03300 2010.06.21  Trojan.Siggen1.43943
F-Prot      4.6.1.107   2010.06.20  W32/Trojan2.MIBZ
F-Secure    9.0.15370.0 2010.06.21  Trojan.Inject.XI
GData 21    2010.06.21  Trojan.Inject.XI
Jiangmin    13.0.900    2010.06.15  Trojan/Agent.cule
McAfee-GW-Edition 2010.1      2010.06.21  Heuristic.LooksLike.Trojan.Backdoor.Poison.I
Microsoft   1.5902      2010.06.21  Backdoor:Win32/Poison.AP
NOD32 5216  2010.06.21  a variant of Win32/Poison.NDQ
nProtect    2010-06-21.01     2010.06.21  Trojan/W32.Agent.45056.TM
Panda 10.0.2.7    2010.06.21  Suspicious file
ViRobot     2010.6.21.3896    2010.06.21  Trojan.Win32.Agent.45056.HO



Jun 20 CVE-2010-1297 PDF Adobe 0-Day Meeting agenda from alexis.mo88@gmail.com

Adobe will fix this vulnerability on June 29
 
 From: Alexis Moore [mailto:alexis.mo88@gmail.com]
Sent: Sunday, June 20, 2010 9:21 AM
To: xxxxxx
Subject: Meeting agenda

Hi everyone!
I hope everyone has been as busy as I have reviewing our set of reference documents!  With the meeting quickly approaching, we can maximize our productivity with everyone familiar with the various projects & activities related to our work effort.
Here is an agenda outline for the upcoming meeting.  I look forward to seeing everyone there, and hope your travel is uneventful.
-Alexis


The PDF file is very similar to the one described in this Symantec blog post


VT
 File Agenda.PDF received on 2010.06.21 05:05:57 (UTC)
Result: 5/41 (12.20%)
Antivirus     Version     Last Update     Result
AntiVir     8.2.2.6     2010.06.20     HTML/Malicious.PDF.Gen
Kaspersky     7.0.0.125     2010.06.21     Exploit.JS.Pdfka.clv
McAfee-GW-Edition     2010.1     2010.06.20     Heuristic.BehavesLike.PDF.Suspicious.O
Sophos     4.54.0     2010.06.21     Troj/PDFJs-KY
VirusBuster     5.0.27.0     2010.06.20     JS.Pdfka.Gen.11
Additional information
File size: 969401 bytes
MD5   : fb2523d17b3fa3b19a914bf23a61827c

Monday, June 21, 2010

Jun 21 CVE-2010-1297 PDF About the recent US-Japan Economic Relations


Download  e3f5ef4fa17b4e08388ae4b0e2373728 100621.pdf  as a password protected archive (contact me if you need the password)
 


 File 100621.pdf received on 2010.07.04 06:06:32 (UTC)
http://www.virustotal.com/analisis/5e77d181d45156a17423a7a9d8be59635c3425003a35957f3ccf973bf4a1240b-1278223592
Result: 18/41 (43.91%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.31    2010.07.04    Exploit.JS.Pdfka!IK
AntiVir    8.2.4.2    2010.07.02    HTML/Malicious.PDF.Gen
Comodo    5309    2010.07.04    UnclassifiedMalware
eSafe    7.0.17.0    2010.06.30    Win32.Pidief.J
eTrust-Vet    36.1.7684    2010.07.03    PDF/Pidief.RU
Ikarus    T3.1.1.84.0    2010.07.04    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.07.04    Exploit.JS.Pdfka.clv
McAfee    5.400.0.1158    2010.07.04    Exploit-PDF.ca
McAfee-GW-Edition    2010.1    2010.07.02    Exploit-PDF.ca
Microsoft    1.5902    2010.07.03    Exploit:SWF/CVE-2010-1297.E
NOD32    5249    2010.07.04    JS/Exploit.Pdfka.CLV
Norman    6.05.10    2010.07.03    JS/Shellcode.IT
PCTools    7.0.3.5    2010.07.02    Trojan.Pidief
Sophos    4.54.0    2010.07.04    Troj/PDFJs-KY
Symantec    20101.1.0.89    2010.07.04    Trojan.Pidief.J
TrendMicro    9.120.0.1004    2010.07.04    TROJ_PIDIEF.WL
TrendMicro-HouseCall    9.120.0.1004    2010.07.04    TROJ_PIDIEF.WL
VirusBuster    5.0.27.0    2010.07.03    JS.Pdfka.Gen.11
File size: 969411 bytes
MD5...: e3f5ef4fa17b4e08388ae4b0e2373728


Sunday, June 20, 2010

Jun 20 CVE-2010-1297 PDF Meeting agenda from alexis.mo88@gmail.com


Download   fb2523d17b3fa3b19a914bf23a61827c Agenda.PDF as a password protected archive (contact me if you need the password)


From: Alexis Moore [mailto:alexis.mo88@gmail.com]
Sent: Sunday, June 20, 2010 9:21 AM
To: XXXXXXXXXXXXXX
Subject: Meeting agenda

Hi everyone!
I hope everyone has been as busy as I have reviewing our set of reference documents!  With the meeting quickly approaching, we can maximize our productivity with everyone familiar with the various projects & activities related to our work effort.
Here is an agenda outline for the upcoming meeting.  I look forward to seeing everyone there, and hope your travel is uneventful.
-Alexis

 File Agenda.PDF received on 2010.07.04 16:55:23 (UTC)
http://www.virustotal.com/analisis/5d312ec870b42302798324e88e49ff82ab607ca93bbf1300335d03c6bd71c7b3-1278262523
Result: 18/41 (43.91%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.31    2010.07.04    Exploit.JS.Pdfka!IK
AhnLab-V3    2010.07.03.00    2010.07.03    PDF/Exploit
AntiVir    8.2.4.2    2010.07.02    HTML/Malicious.PDF.Gen
Authentium    5.2.0.5    2010.07.04    PDF/Pidief.BY
eSafe    7.0.17.0    2010.07.04    Win32.Pidief.J
Ikarus    T3.1.1.84.0    2010.07.04    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.07.04    Exploit.JS.Pdfka.clv
McAfee    5.400.0.1158    2010.07.04    Exploit-PDF.q.gen!stream
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.07.03    Exploit:SWF/CVE-2010-1297.E
NOD32    5250    2010.07.04    JS/Exploit.Pdfka.CLV
Norman    6.05.10    2010.07.04    JS/Shellcode.IT
PCTools    7.0.3.5    2010.07.02    Trojan.Pidief
Sophos    4.54.0    2010.07.04    Troj/PDFJs-KY
Symantec    20101.1.0.89    2010.07.04    Trojan.Pidief.J
TrendMicro    9.120.0.1004    2010.07.04    TROJ_PIDIEF.VX
TrendMicro-HouseCall    9.120.0.1004    2010.07.04    TROJ_PIDIEF.VX
VirusBuster    5.0.27.0    2010.07.04    JS.Pdfka.Gen.11
Additional information
File size: 969401 bytes
MD5...: fb2523d17b3fa3b19a914bf23a61827c

Monday, June 14, 2010

Jun 14 CVE-2010-1297 PDF Adobe 0-Day WEO from sacchetti.dana@gmail.com



Adobe will fix this vulnerability on June 29


Many thanks to Scott D, JM, AK1010 and Villy for their information, relevant discussions and ideas, and to Binjo for his shellcode analysis.


Download 81f31e17d97342c8f3700fdd56019972 WEO.pdf + dropped files + shellcode (by Binjo)





Tested on Flash 10.1, Acrobat Reader 9.3.2, Windows XP SP3. It does not work on XP SP2, Vista, or Windows 7.


Message:







 VT SCAN JUNE 21
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1277107857

  File WEO.pdf received on 2010.06.22 04:18:27 (UTC)
Result: 13/41 (31.71%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.30    2010.06.22    Exploit.SWF.Agent!IK
AntiVir    8.2.2.6    2010.06.21    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.06.18    Exploit/SWF.Agent
BitDefender    7.2    2010.06.22    Exploit.SWF.J
Comodo    5178    2010.06.22    UnclassifiedMalware
F-Prot    4.6.1.107    2010.06.21    JS/Pdfka.V
F-Secure    9.0.15370.0    2010.06.22    Exploit.SWF.J
GData    21    2010.06.22    Exploit.SWF.J
Ikarus    T3.1.1.84.0    2010.06.22    Exploit.SWF.Agent
Kaspersky    7.0.0.125    2010.06.22    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.22    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.22    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972


Javascript code snapshot


On Windows XP SP3 there is a slight delay/flicker before the PDF opens the clean decoy file shown below.

The dropped files are the following:
  • 9ED35F49FA4DAF6CAC55E09719C58823 a.pdf - clean decoy file you see on the left
  • D87246D9E33C121C7F2615AE9B64FC9C ProdMgr.exe
  • TEMXX.tmp (where XX is a random number), 380 kb, which is cmd.exe








  File naProdMgr.exe received on 2010.06.22 05:01:15 (UTC)
http://www.virustotal.com/analisis/e2252eda0fdee991ecf2448d35ef33555de06f25c48827beb46bbebc2bf96bb6-1277182875
Result: 19/41 (46.35%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.30    2010.06.22    Backdoor.Win32.Ixeshe!IK
AhnLab-V3    2010.06.22.00    2010.06.22    Backdoor/Win32.Small
AntiVir    8.2.2.6    2010.06.21    BDS/Small.jjf
Avast    4.8.1351.0    2010.06.21    Win32:Malware-gen
Avast5    5.0.332.0    2010.06.21    Win32:Malware-gen
AVG    9.0.0.787    2010.06.21    Small.CCX
BitDefender    7.2    2010.06.22    Trojan.Generic.4211739
Comodo    5178    2010.06.22    Backdoor.Win32.Small.jjf
eSafe    7.0.17.0    2010.06.20    Win32.Small.Nem
F-Secure    9.0.15370.0    2010.06.22    Trojan.Generic.4211739
GData    21    2010.06.22    Trojan.Generic.4211739
Ikarus    T3.1.1.84.0    2010.06.22    Backdoor.Win32.Ixeshe
Kaspersky    7.0.0.125    2010.06.22    Backdoor.Win32.Small.jjf
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.Win32.PasswordStealer.H
NOD32    5216    2010.06.21    probably a variant of Win32/Small.NEM
nProtect    2010-06-21.01    2010.06.21    Trojan.Generic.4211739
Panda    10.0.2.7    2010.06.21    Suspicious file
Sunbelt    6483    2010.06.21    Trojan.Win32.Generic!BT
ViRobot    2010.6.21.3896    2010.06.22    Backdoor.Win32.S.Small.30720.E
VirusBuster    5.0.27.0    2010.06.21    -
Additional information
File size: 30720 bytes
MD5...: d87246d9e33c121c7f2615ae9b64fc9c

older scan


http://anubis.iseclab.org/?action=result&task_id=103e66936121161044dbaae530a892283&format=html

=============================================
Traffic information
DNS Queries
ftp.jlesher.xxuz.com       DNS_TYPE_A       21.216.185.67       YES       udp
www.jlesher.xxuz.com      DNS_TYPE_A      110.4.3.2      YES      udp
TCP Connections
216.185.67.21:443

Interesting traffic, really. It looks like they configured their Changeip.com domain name ftp.jlesher.xxuz.com to point to 21.216.185.67.
216.185.67.21, which you can also see being used by this malware, is very similar.
I think they just made a typo and directed it to DoD instead of their own machine.
Or they temporarily set that domain to 21.216.185.67 (DoD traffic is not suspicious) and will switch it back to the real address when the time is right.

An unconfirmed theory is that the malware receives the DNS replies 21.216.185.67 and 110.4.3.2 and transforms them into 216.185.67.21:443: the IP address by moving the leading octet 21 to the end, and the port by reading 110.4.3.2 as a.b.c.d and computing (a*b)+c = (110*4)+3 = 443.
(Many thanks to Scott D. for clueing me in about this possibility and to Jack M for the relevant discussions and ideas.)
I think the benefits of such an arrangement would be diversion for the admins (blocking 110.4.3.2 and 21.216.185.67 achieves nothing) and the ability to change the IP and port just by changing the IP address of their domain at Changeip.com.

Your thoughts or other theories are welcome. If we confirm anything, we will post the code or additional info.
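The hypothesis above, as an added Python example that is not the blog's or the sample's own code: it parses the Anubis traffic lines quoted on the page (embedded here as constructed input), applies the two transformations the theory proposes (octet rotation for the address, (a*b)+c for the port), and checks whether the derived endpoint equals a TCP connection the sandbox actually observed. The function names, the regexes and the line parsing are assumptions made for illustration; the only facts it uses are the hostnames, addresses and port from the page.

```python
"""
Check of the blog's unconfirmed hypothesis that the sample derives its real
endpoint from two innocuous-looking DNS A answers:

  * address answer  21.216.185.67 -> 216.185.67.21  (leading octet moved to the end)
  * "port" answer   110.4.3.2     -> (110 * 4) + 3 = 443

Added example, not code from the blog or the sample. Names and parsing are
assumptions for illustration.
"""
import re
from ipaddress import IPv4Address

# Constructed from the Anubis "Traffic information" block quoted on the page.
SANDBOX_REPORT = """\
DNS Queries
ftp.jlesher.xxuz.com       DNS_TYPE_A       21.216.185.67       YES       udp
www.jlesher.xxuz.com      DNS_TYPE_A      110.4.3.2      YES      udp
TCP Connections
216.185.67.21:443
"""

# Assumed line shapes: "<name> DNS_TYPE_A <ip> ..." and "<ip>:<port>".
DNS_LINE = re.compile(r"^(\S+)\s+DNS_TYPE_A\s+(\d+\.\d+\.\d+\.\d+)\s+")
TCP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+)\s*$")


def parse_report(text):
    """Return ({queried name: A answer}, {(ip, port), ...}) from sandbox text."""
    answers, connections = {}, set()
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if m:
            answers[m.group(1)] = m.group(2)
            continue
        m = TCP_LINE.match(line)
        if m:
            connections.add((m.group(1), int(m.group(2))))
    return answers, connections


def rotate_octets(ip):
    """21.216.185.67 -> 216.185.67.21: the leading octet becomes the trailing one."""
    a, b, c, d = ip.split(".")
    return ".".join((b, c, d, a))


def encoded_port(ip):
    """a.b.c.d -> (a*b)+c, the formula the post proposes for 110.4.3.2 -> 443.
    Returns None when the result is not a usable TCP port."""
    a, b, c, _d = (int(x) for x in ip.split("."))
    port = a * b + c
    return port if 1 <= port <= 65535 else None


def derive_endpoint(answers, addr_name, port_name):
    """Apply the hypothesis to the two DNS answers and return (ip, port)."""
    ip = rotate_octets(answers[addr_name])
    IPv4Address(ip)  # raises ValueError if the rotated string is not an address
    return ip, encoded_port(answers[port_name])


def hypothesis_matches(report):
    """True when the endpoint derived from the DNS answers is among the
    TCP connections the sandbox actually observed."""
    answers, connections = parse_report(report)
    predicted = derive_endpoint(answers, "ftp.jlesher.xxuz.com", "www.jlesher.xxuz.com")
    return predicted in connections


if __name__ == "__main__":
    found, seen = parse_report(SANDBOX_REPORT)
    print("DNS answers:", found)
    print("predicted endpoint:", derive_endpoint(found, "ftp.jlesher.xxuz.com", "www.jlesher.xxuz.com"))
    print("matches observed TCP connection:", hypothesis_matches(SANDBOX_REPORT))
```

For a defender the value is the check rather than the prediction: when the derived endpoint equals the observed one, the 216.185.67.21:443 connection is the indicator to alert on, and, as the post notes, blocking the two DNS answers on their own achieves nothing.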


 Traffic. Malware IPs are marked - see picture below

DNS query for ftp.jlesher.xxuz.com returns 21.216.185.67
 21.216.185.67 is http://www.dnsstuff.com/tools/whois/?tool_id=66&token=&toolhandler_redirect=0&ip=21.216.185.67

DoD Network Information Center is Department of Defense http://www.nic.mil/
DoD Network Information Center Mission Statement: To provide information and services that are mission critical to the operation of the worldwide IP router Defense Information Systems Network (DISN) and other DoD sponsored networks.
OrgName: DoD Network Information Center 
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 21.0.0.0 - 21.255.255.255
CIDR: 21.0.0.0/8
NetName: DNIC-SNET-021
NetHandle: NET-21-0-0-0-1
**********@nic.mil
OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642





 General IP Information
Hostname: 61.177.42.5
ISP: Data Communication Division
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Broadband
Assignment: Dynamic IP
Country: China 
State/Region: Beijing






OLDER SCANS

VT SCAN JUNE 17 (with minor improvement)
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276774425
 File WEO.pdf received on 2010.06.17 11:33:45 (UTC)
Result: 9/41 (21.96%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.26    2010.06.17    Exploit.SWF.Agent!IK
AntiVir    8.2.2.6    2010.06.17    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.06.17    Exploit/SWF.Agent
F-Prot    4.6.0.103    2010.06.16    JS/Pdfka.V
Ikarus    T3.1.1.84.0    2010.06.17    Exploit.SWF.Agent
Kaspersky    7.0.0.125    2010.06.17    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.16    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.17    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.17    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972

VT SCAN  JUNE 16
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276571931
Antivirus     Version     Last Update     Result
BitDefender     7.2     2010.06.15     Exploit.SWF.J
F-Prot     4.6.0.103     2010.06.14     JS/Pdfka.V
F-Secure     9.0.15370.0     2010.06.15     Exploit.SWF.J
GData     21     2010.06.15     Exploit.SWF.J
Kaspersky     7.0.0.125     2010.06.15     Exploit.SWF.Agent.dp
Microsoft     1.5802     2010.06.14     Exploit:SWF/CVE-2010-1297.A
Sophos     4.54.0     2010.06.15     Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5   : 81f31e17d97342c8f3700fdd56019972