Thursday, April 21, 2011

Apr 20 CVE-2011-0611 PDF - SWF China's Charm diplomacy + more from 69.169.145.80 / 124.160.110.242

Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611 -- Adobe Flash Player 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; 10.2.154.25 and earlier for Chrome; and 10.2.156.12 and earlier for Android; Adobe AIR 2.6.19120 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.3 and 10.x through 10.0.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, related to a size inconsistency in a "group of included constants," object type confusion, and Date objects, as demonstrated by a .swf file embedded in a Microsoft Word document, and as exploited in the wild in April 2011.

  General File Information

File China's Charm diplomacy in BRICS Summit.pdf
MD5: ae39b747e4fe72dce6e5cdc6d0314c02
SHA1: 18306c34c5769f66573b725dce70a353ff549857
SHA256: f4e861eec510a0d38ae8fa54b630fdda40011891d12925e0e74da39d9280ddd8
File size: 411558 bytes

Type:  PDF
Distribution: Email attachment

 

File The Obama Administration and the Middle East.pdf
MD5: 2368a8f55ee78d844896f05f94866b07
SHA1: f636e24d394e2d6084af877271ef488153b63181
SHA256: 6d05bb31f4ae3f1a2e03879396c301e8bd7f5f53c368e16b006baa459d61c040
File size: 411562 bytes

Type:  PDF
Distribution: Email attachment

 

File Russia's profit from general NATO disunity.pdf
MD5: 4065b98fdcb17a081759061306239c8b
SHA1: bc50074e7b672a59b961f281708b652323a7acc3
SHA256: 3701a5da3f1836d48e10e09b4245d9a53b0ba685732cac69cea0b672cf7b3afb
File size: 411562 bytes

Type:  PDF
Distribution: Email attachment
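Before detonating samples like the three above, a first static pass is to check the file hashes against the published set and to look for an embedded Flash object, which is the delivery mechanism the CVE description refers to (crafted Flash content carried inside a document). The Python below is an added example written for this post, not code from Contagio, from the samples, or from Adobe; the PDF it builds is a constructed test file with just enough structure for the scanner to work on, not one of the real attachments, and the list of suspicious name objects is the author's own choice.

```python
import hashlib
import re
import zlib

# SHA256 values published above for the three attachments (known-bad set).
KNOWN_BAD_SHA256 = {
    "f4e861eec510a0d38ae8fa54b630fdda40011891d12925e0e74da39d9280ddd8",
    "6d05bb31f4ae3f1a2e03879396c301e8bd7f5f53c368e16b006baa459d61c040",
    "3701a5da3f1836d48e10e09b4245d9a53b0ba685732cac69cea0b672cf7b3afb",
}

# SWF file headers: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# Name objects worth flagging in a PDF that arrived by e-mail (assumed list).
SUSPICIOUS_NAMES = [b"/RichMedia", b"/Flash", b"/EmbeddedFile",
                    b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch"]

# stream ... endstream bodies; the lookbehind stops "endstream" from matching as a start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a file, in the form used for the IOC list above."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def is_known_bad(sha256_hex: str) -> bool:
    return sha256_hex.lower() in KNOWN_BAD_SHA256


def inflate(blob: bytes) -> bytes:
    """Best-effort zlib inflate; exploit PDFs often carry truncated or corrupt streams."""
    try:
        return zlib.decompressobj().decompress(blob)
    except zlib.error:
        return b""


def triage_pdf(data: bytes) -> dict:
    """Hash the file, flag suspicious name objects and count streams that hold a SWF,
    either stored raw or behind FlateDecode."""
    report = {"hashes": hashes(data), "names": [], "stream_count": 0, "swf_streams": 0}
    report["known_bad"] = is_known_bad(report["hashes"]["sha256"])
    report["names"] = [n.decode() for n in SUSPICIOUS_NAMES if n in data]
    for m in STREAM_RE.finditer(data):
        report["stream_count"] += 1
        raw = m.group(1)
        for candidate in (raw, inflate(raw)):
            if candidate[:3] in SWF_MAGIC:
                report["swf_streams"] += 1
                break
    report["verdict"] = ("SUSPICIOUS" if report["known_bad"] or report["swf_streams"]
                         else "no Flash found")
    return report


def build_sample_pdf() -> bytes:
    """Constructed test input (not a real sample, not a viewable document): a minimal PDF
    skeleton with a zlib-compressed SWF header in a stream tagged /RichMedia /Flash."""
    swf = b"CWS" + b"\x0a" + (100).to_bytes(4, "little") + b"\x00" * 92
    stream = zlib.compress(swf)
    return (b"%PDF-1.6\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"3 0 obj << /Type /RichMedia /Subtype /Flash /Length "
            + str(len(stream)).encode() + b" /Filter /FlateDecode >>\nstream\n"
            + stream + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for key, value in triage_pdf(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Run against a real file with `triage_pdf(open(path, "rb").read())`. A hash match is the cheap check; the SWF scan is what catches the next re-packed variant whose hashes differ, which is the usual situation a week after a post like this one.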

Post updates

 More attacks with the same payload from the same sender. See analysis here http://contagiodump.blogspot.com/2011/04/apr-22-cve-2011-0611-pdf-swf-marshall.html

Download

Adobe Reader 9.4.4, released today, April 21, 2011, resolves this issue. Adobe Reader 9.4.3 and earlier remain vulnerable even with the latest standalone Flash Player installed, because Reader renders embedded Flash with its own bundled copy of the player (authplay.dll, named in the CVE description above), which only the Reader update replaces.


Original Message

MESSAGE 1
From: Thomas Tidwell [mailto:tidwellt2@aol.com]
Sent: Wednesday, April 20, 2011 1:49 PM
Subject: China's Charm diplomacy in BRICS Summit

Dear all,
   
    FYI. Maybe you are interested in the attached file.

    Thanks.

     Thomas Tidwell
    Managing Editor
    New York Times

MESSAGE 2
From: Thomas Tidwell [mailto:tidwellt2@aol.com]
Sent: Wednesday, April 20, 2011 1:37 PM
Subject: The Obama Administration and the Middle East


Dear all,
  
    FYI. Maybe you are interested in the attached file.

    Thanks.
 
    Thomas Tidwell
    Managing Editor
    New York Times

MESSAGE 3
From: Aristizabal Jeydmer [mailto:aristizabal.jeydmer@hotmail.com]
Sent: Wednesday, April 20, 2011 12:19 PM
Subject: Russia's profit from general NATO disunity

Dear all,
     FYI. Maybe you are interested in attached file.


  Thanks
 
Jeydmer Aristizabal
managing editor
New York Times
Aristizabal.Jeydmer@nytimes.com
Aristizabal.Jeydmer@hotmail.com

Message Headers

MESSAGE1
Received: (qmail 10541 invoked from network); 20 Apr 2011 17:49:58 -0000
Received: from imr-ma02.mx.aol.com (HELO imr-ma02.mx.aol.com) (64.12.206.40)
  by sXXXXXXXXXXXXXXXXXXXXX 20 Apr 2011 17:49:58 -0000
Received: from mtaomg-ma04.r1000.mx.aol.com (mtaomg-ma04.r1000.mx.aol.com [172.29.41.11])
    by imr-ma02.mx.aol.com (8.14.1/8.14.1) with ESMTP id p3KHnHcL024225;
    Wed, 20 Apr 2011 13:49:20 -0400
Received: from core-mpb004c.r1000.mail.aol.com (core-mpb004.r1000.mail.aol.com [172.29.191.77])
    by mtaomg-ma04.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id CC43EE00008B;
    Wed, 20 Apr 2011 13:49:19 -0400 (EDT)
X-MB-Message-Source: WebUI
Subject: China's Charm diplomacy in BRICS Summit
X-AOL-IP: 69.169.145.80
X-MB-Message-Type: User
MIME-Version: 1.0
From: Thomas Tidwell
Content-Type: multipart/mixed; boundary=
    "--------MB_8CDCD9A68A9BE13_1DC4_C972C_webmail-d081.sysops.aol.com"
X-Mailer: AOL Webmail 33540-STANDARD
Received: from 69.169.145.80 by webmail-d081.sysops.aol.com (205.188.181.107) with HTTP (WebMailUI); Wed, 20 Apr 2011 13:49:19 -0400
Message-ID:  8CDCD9A68A75CB2-1DC4-63171@webmail-d081.sysops.aol.com
X-Originating-IP: [69.169.145.80]
Date: Wed, 20 Apr 2011 13:49:19 -0400
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/69601
X-AOL-VSS-CODE: clean
X-AOL-SCOLL-SCORE: 0:2:386915808:93952408  
X-AOL-SCOLL-URL_COUNT: 0  
x-aol-sid: 3039ac1d290b4daf1c9f388e
69.169.145.80
69.169.128.0 - 69.169.191.255
Broadweave Networks of Utah, LLC
379 North University Ave
Provo
UT
84601
United States
MESSAGE2
Received: (qmail 8444 invoked from network); 20 Apr 2011 17:37:49 -0000
Received: from imr-da06.mx.aol.com (HELO imr-da06.mx.aol.com) (205.188.169.203)
  by xxxxxxxxxxxxxxxxxxx20 Apr 2011 17:37:49 -0000
Received: from mtaomg-ma04.r1000.mx.aol.com (mtaomg-ma04.r1000.mx.aol.com [172.29.41.11])
    by imr-da06.mx.aol.com (8.14.1/8.14.1) with ESMTP id p3KHbP23002582;
    Wed, 20 Apr 2011 13:37:25 -0400
Received: from core-mpb004c.r1000.mail.aol.com (core-mpb004.r1000.mail.aol.com [172.29.191.77])
    by mtaomg-ma04.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id 92F36E000082;
    Wed, 20 Apr 2011 13:37:24 -0400 (EDT)
X-MB-Message-Source: WebUI
Subject: The Obama Administration and the Middle East
X-AOL-IP: 69.169.145.80
X-MB-Message-Type: User
MIME-Version: 1.0
From: Thomas Tidwell
Content-Type: multipart/mixed; boundary=
    "--------MB_8CDCD98BE59C9FB_1DC4_C917C_webmail-d081.sysops.aol.com"
X-Mailer: AOL Webmail 33540-STANDARD
Received: from 69.169.145.80 by webmail-d081.sysops.aol.com (205.188.181.107) with HTTP (WebMailUI); Wed, 20 Apr 2011 13:37:24 -0400
Message-ID: 8CDCD98BE59C9FB-1DC4-62E44@webmail-d081.sysops.aol.com
X-Originating-IP: [69.169.145.80]
Date: Wed, 20 Apr 2011 13:37:24 -0400
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/69601
X-AOL-VSS-CODE: clean
X-AOL-SCOLL-SCORE: 0:2:384623808:93952408 
X-AOL-SCOLL-URL_COUNT: 0 
x-aol-sid: 3039ac1d290b4daf19d46569
69.169.145.80
69.169.128.0 - 69.169.191.255
Broadweave Networks of Utah, LLC
379 North University Ave
Provo
UT
84601
United States
MESSAGE3
Received: (qmail 4290 invoked from network); 20 Apr 2011 16:19:11 -0000
Received: from snt0-omc1-s20.snt0.hotmail.com (HELO snt0-omc1-s20.snt0.hotmail.com) (65.55.90.31)
  by xxxxxxxxxx; 20 Apr 2011 16:19:11 -0000
Received: from SNT144-W46 ([65.55.90.7]) by snt0-omc1-s20.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
     Wed, 20 Apr 2011 09:19:11 -0700
Message-ID:
Return-Path: aristizabal.jeydmer@hotmail.com
Content-Type: multipart/mixed;
    boundary="_fee42226-5636-4de4-b5f9-4aa5e4951289_"
X-Originating-IP: [124.160.110.242]
From: Aristizabal Jeydmer
Subject: Russia's profit from general NATO disunity
Date: Wed, 20 Apr 2011 09:19:11 -0700
Importance: Normal
MIME-Version: 1.0
BCC:
X-OriginalArrivalTime: 20 Apr 2011 16:19:11.0577 (UTC) FILETIME=[AEE6B490:01CBFF76]
124.160.110.242

124.160.110.240 - 124.160.110.247
China
SHANGHAIZHOUXINXINXIJISHUYOUXIANGONGSI,HANGZHOU,ZHEJIANG
Jianhuaq Qian
ipmaster@zjnetcom.com
No 1336,BinAn Road,Hangzhou, Zhejiang,China
phone: +86-571-28868063
fax: +86-571-28868069
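The headers above carry the two facts that matter for attribution: the first-hop Received line and the webmail provider's X-Originating-IP / X-AOL-IP header both give the client address, and the From address is a free webmail account even though the signature claims the New York Times. The Python below, an added example written for this post and not code from Contagio, extracts those two findings automatically from an abridged copy of message 1's headers. The From address is taken from the message body where the post reproduces it, the redacted recipient host is replaced with the placeholder mx.example.invalid, and the list of free webmail domains is an assumption.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumed list of consumer webmail domains; extend for your environment.
FREE_WEBMAIL = {"aol.com", "hotmail.com", "gmail.com", "yahoo.com", "live.com", "outlook.com"}

# Abridged copy of the message 1 headers shown above (recipient host replaced by a placeholder).
MESSAGE1 = """\
Received: from imr-ma02.mx.aol.com (HELO imr-ma02.mx.aol.com) (64.12.206.40)
  by mx.example.invalid; 20 Apr 2011 17:49:58 -0000
Received: from mtaomg-ma04.r1000.mx.aol.com (mtaomg-ma04.r1000.mx.aol.com [172.29.41.11])
    by imr-ma02.mx.aol.com (8.14.1/8.14.1) with ESMTP id p3KHnHcL024225;
    Wed, 20 Apr 2011 13:49:20 -0400
Received: from core-mpb004c.r1000.mail.aol.com (core-mpb004.r1000.mail.aol.com [172.29.191.77])
    by mtaomg-ma04.r1000.mx.aol.com (OMAG/Core Interface) with ESMTP id CC43EE00008B;
    Wed, 20 Apr 2011 13:49:19 -0400 (EDT)
Subject: China's Charm diplomacy in BRICS Summit
X-AOL-IP: 69.169.145.80
From: Thomas Tidwell <tidwellt2@aol.com>
Received: from 69.169.145.80 by webmail-d081.sysops.aol.com (205.188.181.107) with HTTP (WebMailUI); Wed, 20 Apr 2011 13:49:19 -0400
X-Originating-IP: [69.169.145.80]
Date: Wed, 20 Apr 2011 13:49:19 -0400

"""


def public_ips(text: str) -> list:
    """Routable IPv4 addresses in a header, in order of appearance, without duplicates.
    Private relay addresses such as 172.29.x.x are dropped."""
    out = []
    for ip in IP_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_global and ip not in out:
            out.append(ip)
    return out


def triage_headers(raw: str) -> dict:
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    # Each relay prepends its Received line, so the last one is the first hop,
    # the one closest to the sender's client.
    first_hop = received[-1] if received else ""
    hop_ips = public_ips(first_hop)
    origin = (msg.get("X-Originating-IP") or msg.get("X-AOL-IP") or "").strip("[] ")
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return {
        "display_name": name,
        "from_domain": domain,
        "free_webmail": domain in FREE_WEBMAIL,
        "hops": len(received),
        "first_hop_ips": hop_ips,
        "origin_ip": origin,
        # The provider's originating-IP header should agree with its own first-hop line.
        "origin_consistent": bool(origin) and origin in hop_ips,
    }


def signature_mismatch(report: dict, claimed_domain: str) -> bool:
    """Sender signs as an organisation (here the New York Times, nytimes.com) but the
    address is a consumer webmail account: a spear-phishing tell on its own."""
    return report["from_domain"] != claimed_domain.lower() and report["free_webmail"]


if __name__ == "__main__":
    r = triage_headers(MESSAGE1)
    print(r)
    print("signature/domain mismatch:", signature_mismatch(r, "nytimes.com"))
```

For message 3 the same function keys off Hotmail's X-Originating-IP, which is the only place the page's 124.160.110.242 appears, since Hotmail's first-hop Received line names its own front end rather than the client; that is why the `origin_ip` field is reported separately from `first_hop_ips` instead of being merged into it.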



Automated Scans

China's Charm diplomacy in BRICS Summit.pdf
http://www.virustotal.com/file-scan/report.html?id=f4e861eec510a0d38ae8fa54b630fdda40011891d12925e0e74da39d9280ddd8-1303336959#
Antivirus Version Last update Result
Commtouch 5.3.2.6 2011.04.20 JS/Pdfka.V
eTrust-Vet 36.1.8282 2011.04.20 PDF/CVE-2010-1297.B!exploit
F-Prot 4.6.2.117 2011.04.20 JS/Pdfka.V
Symantec 20101.3.2.89 2011.04.20 Trojan.Pidief
MD5: ae39b747e4fe72dce6e5cdc6d0314c02
SHA1: 18306c34c5769f66573b725dce70a353ff549857
SHA256: f4e861eec510a0d38ae8fa54b630fdda40011891d12925e0e74da39d9280ddd8
File size: 411558 bytes
Scan date: 2011-04-20 22:02:39 (UTC)


The Obama Administration and the Middle East.pdf
http://www.virustotal.com/file-scan/report.html?id=6d05bb31f4ae3f1a2e03879396c301e8bd7f5f53c368e16b006baa459d61c040-1303386449

Antivirus Version Last update Result
Commtouch 5.3.2.6 2011.04.21 JS/Pdfka.V
eTrust-Vet 36.1.8283 2011.04.21 PDF/CVE-2010-1297.B!exploit
F-Prot 4.6.2.117 2011.04.21 JS/Pdfka.V
Kaspersky 7.0.0.125 2011.04.21 Exploit.SWF.Agent.ec
Symantec 20101.3.2.89 2011.04.21 Trojan.Pidief
MD5: 2368a8f55ee78d844896f05f94866b07
SHA1: f636e24d394e2d6084af877271ef488153b63181
SHA256: 6d05bb31f4ae3f1a2e03879396c301e8bd7f5f53c368e16b006baa459d61c040
File size: 411562 bytes
Scan date: 2011-04-21 11:47:29 (UTC)

Russia's profit from general NATO disunity.pdf
http://www.virustotal.com/file-scan/report.html?id=3701a5da3f1836d48e10e09b4245d9a53b0ba685732cac69cea0b672cf7b3afb-1303347607#

Antivirus Version Last update Result
Commtouch 5.3.2.6 2011.04.21 JS/Pdfka.V
eTrust-Vet 36.1.8282 2011.04.20 PDF/CVE-2010-1297.B!exploit
F-Prot 4.6.2.117 2011.04.21 JS/Pdfka.V
Symantec 20101.3.2.89 2011.04.21 Trojan.Pidief
MD5: 4065b98fdcb17a081759061306239c8b
SHA1: bc50074e7b672a59b961f281708b652323a7acc3
SHA256: 3701a5da3f1836d48e10e09b4245d9a53b0ba685732cac69cea0b672cf7b3afb
File size: 411562 bytes
Scan date: 2011-04-21 01:00:07 (UTC)

Payload analysis


 Analysis of the payload by Hermes Bojaxhi from CyberESI  http://www.cyberesi.com/2011/04/25/chinas-charm-diplomacy-in-brics-summit-pdf-cve-2011-0611/

Network activity



TCP traffic to

68.16.99.165
BellSouth.net Inc.
575 Morosgo Drive
Atlanta
GA
30324
United States

and

68.16.73.246
SYNTHETIC MATERIALS - BNA
244 Old Highway 149
Cumberland City
TN
37050
United States
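The two callback addresses are the IOC a network defender can act on immediately. The Python below is an added example, not part of the original post, that sweeps Zeek-style conn.log records for connections to those addresses and summarises per internal host: connection count, bytes sent outbound, which of the two addresses were contacted, and first/last seen. The log lines are constructed for the example; the column layout follows Zeek's default conn.log, and any column beyond resp_bytes is ignored.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Callback addresses reported above for this payload.
C2_IPS = {"68.16.99.165", "68.16.73.246"}

# Leading columns of Zeek's default conn.log (tab-separated, "-" for unset).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes"]

# Constructed records: two hosts, three C2 connections and one benign TLS session.
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1303336959.123456\tCqZv1\t10.1.2.15\t49231\t68.16.99.165\t80\ttcp\t-\t2.1\t612\t1024
1303336961.000000\tCqZv2\t10.1.2.15\t49232\t93.184.216.34\t443\ttcp\tssl\t0.9\t2100\t9900
1303337020.500000\tCqZv3\t10.1.2.15\t49240\t68.16.73.246\t443\ttcp\t-\t30.2\t4402\t388
1303337100.000000\tCqZv4\t10.1.2.77\t51000\t68.16.99.165\t80\ttcp\t-\t-\t-\t-
"""


def parse_conn(line: str):
    """One conn.log line to a dict, or None for comments, blanks and short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def sweep(log_text: str, iocs=C2_IPS) -> dict:
    """Per source host summary of connections whose responder is in the IOC set."""
    def fresh():
        return {"conns": 0, "bytes_out": 0, "c2": set(), "first_seen": None, "last_seen": None}

    hits = defaultdict(fresh)
    for line in log_text.splitlines():
        rec = parse_conn(line)
        if rec is None or rec["id.resp_h"] not in iocs:
            continue
        ts = datetime.fromtimestamp(float(rec["ts"]), timezone.utc)
        h = hits[rec["id.orig_h"]]
        h["conns"] += 1
        h["bytes_out"] += int(rec["orig_bytes"]) if rec["orig_bytes"] != "-" else 0
        h["c2"].add(rec["id.resp_h"])
        if h["first_seen"] is None or ts < h["first_seen"]:
            h["first_seen"] = ts
        if h["last_seen"] is None or ts > h["last_seen"]:
            h["last_seen"] = ts
    return dict(hits)


if __name__ == "__main__":
    for host, h in sweep(SAMPLE_LOG).items():
        print(host, h["conns"], h["bytes_out"], sorted(h["c2"]),
              h["first_seen"].isoformat(), h["last_seen"].isoformat())
```

Bytes sent outbound is the field to watch here: a host that has pushed kilobytes to either address has done more than a beacon, and the first-seen timestamp bounds the window for pulling that host's mail and the attachment it opened.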
