Tuesday, May 31, 2011

May 17 CVE-2010-2883 PDF Bin Laden's successor from spoofed Nationalpost.com

SIZE 103981 bytes
EXPLOIT TYPE         CVE-2010-2883
FILE NAME             Bin Ladens successor.pdf

Post Updates

The file uses Fonts/SING CVE_2010-2883 exploit, which does not seem to be metasploit generated.

The sender is often uses compromised servers of different organizations
    *     Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce

    *     Jan 12 CVE-2010-3654 + CVE-2009-4324 + CVE-2009-0927 + CVE-2008-0655 PDF JANUARY 2011 from a compromised Thai Police account


     It is unclear whether this time it is a compromised server or the attacker uses the services of this internet provider as a customer    

    Beyond the Network America, Inc. (BTNaccess) is a wholly owned subsidiary of PCCW, and is headquartered in Reston, Virginia and Hong Kong with offices in Los Angeles, New York City, Philadelphia, Houston, London, Moscow, Prague, Kuala Lumpur, Singapore, Shenzhen, Tokyo, Mumbai and New Delhi.

    PCCW, a global leader in next generation broadband solutions, is the largest telecommunications provider in Hong Kong. PCCW is the operator of one of the world’s most advanced broadband networks and has over 700,000 broadband customers and 12,500 employees worldwide. As a global player, PCCW has portrayed innovation within the industry and demonstrated financial stability with 2003 revenues reaching US$2.89 billion.


    Download

    Original Message


    -----Original Message-----
    From: Peter Goodspeed [mailto:gpeter@nationalpost.com]
    Sent: Monday, May 16, 2011 10:02 PM
    To: xxxxxxxxxxx
    Subject: Bin Laden’s successor may launch new strike

    Dear,

    Wellcome to Subscribe our Journals.Please find attached the analysis

    of "Bin Laden¡¯s successor may launch new strike".

    Best regards,

    National Post
    Peter Goodspeed
    1450 Don Mills Road, Suite 300
    Don Mills, Ontario
    Canada
    M3B 3R5
     ___________________________


    Message Headers

    Received: (qmail 10512 invoked from network); 17 May 2011 02:00:58 -0000
    Received: from unknown (HELO nationalpost.com) (63.221.138.44)
      by xxxxxxxxxx with SMTP; 17 May 2011 02:00:58 -0000
    From: "Peter Goodspeed"
    Subject: Bin =?GB2312?B?TGFkZW6hr3M=?= successor may launch new strike
    To: xxxxxxxxxxxxxxxx
    Content-Type: multipart/mixed;
        boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="GB2312"
    MIME-Version: 1.0
    Reply-To: gpeter@nationalpost.com
    Date: Tue, 17 May 2011 10:01:40 +0800
    X-Priority: 3
    X-Mailer: FoxMail 3.11 Release [cn]
     _____________________________________

    Sender IP

    Beyond the Network America in Hong Kong
    63.221.138.4
    Host reachable, 252 ms. average

    63.216.0.0 - 63.223.255.255

    Beyond The Network America, Inc.
    450 Springpark PL
    Suite 100
    Herdon
    VA
    20170
    United States

    Downes, Chris
    +1-703-621-1619
    cdownes@pccwglobal.com
    PCCW US NOC
    +1-703-621-1637
    usnoc@pccwglobal.com

    PCCW AUP Department
    +1-703-621-1637
    abuse.ops@pccwglobal.com
    Hostname:    63.221.138.4
    ISP:    Beyond The Network America
    Organization:    Beyond The Network America
    Proxy:    None detected
    Type:    Corporate
    Assignment:    Static IP
    Blacklist:   
    Geolocation Information
    Country:    Hong Kong 
    City:    Hong Kong   

    Nationalpost.com was spoofed, the real hosting location of this domain is in Canada
    nationalpost.com

    199.71.40.135
    goto.canada.com
    Info:
    Postmedia Network Inc.
    Peter deGroot
    1450 Don Mills Rd.
    Toronto, ON M3B 2X7
    CAN
    Phone: 1 905 3042195 ()
    Fax..: 1 905 3042195
    Email: Webnames@postmedia.com



    Automated Scans



    File name: Bin Laden
    http://www.virustotal.com/file-scan/report.html?id=d9493b6243a0378859610748590de21dc4df36c287197fde13c507d3895f8be6-1306841333


    Submission date: 2011-05-31 11:28:53 (UTC)
    Result: 16/ 42 (38.1%)
    AntiVir 7.11.8.205 2011.05.31 EXP/CVE-2010-2883.F
    Antiy-AVL 2.0.3.7 2011.05.31 Exploit/Win32.Pidief
    Avast 4.8.1351.0 2011.05.31 JS:Pdfka-gen
    Avast5 5.0.677.0 2011.05.31 JS:Pdfka-gen
    ClamAV 0.97.0.0 2011.05.31 PUA.Script.PDF.EmbeddedJS
    Commtouch 5.3.2.6 2011.05.31 PDF/Obfusc.J!Camelot
    Comodo 8902 2011.05.31 UnclassifiedMalware
    DrWeb 5.0.2.03300 2011.05.31 Exploit.PDF.2197
    eTrust-Vet 36.1.8358 2011.05.31 PDF/Pidief!generic
    F-Prot 4.6.2.117 2011.05.30 JS/ShellCode.DF.gen
    Fortinet 4.2.257.0 2011.05.31 PDF/CoolType!exploit.CVE20102883
    GData 22 2011.05.31 JS:Pdfka-gen 
    Ikarus T3.1.1.104.0 2011.05.31 Exploit.PDF
    Microsoft 1.6903 2011.05.31 Exploit:Win32/CVE-2010-2883.A
    Sophos 4.65.0 2011.05.31 Mal/PDFJs-Z

    MD5   : 8e633588b3ee59de09fe126d99869d2d


    Created files and traffic

     the payload is the same type of trojan described 

    Created files
    C:\Documents and Settings\mila\Local Settings\Application Data\Windows\userinit.dll     MD5:   5D4877E3603149372CA210A8D2B60492
    C:\Documents and Settings\mila\Local Settings\Application Data\Windows\userinit.exe     MD5:  4353E469D8B4A7BAE876C81D3CAAA0D1
    C:\Documents and Settings\mila\Start Menu\Programs\Startup\userinit.exe             MD5:  4353E469D8B4A7BAE876C81D3CAAA0D1
    C:\Documents and Settings\All Users\Application Data\desktop.BIN ``            MD5:  4353E469D8B4A7BAE876C81D3CAAA0D1
     The traffic is also analyzed in the mentioned post
    # The persistence is achieved via relaunching the binary from  the infected user startup folder (Start Menu\Programs\Startup\userinit.exe), also the there is a copy of the file gets created as All Users\Application Data\desktop.BIN
    # Userinit.exe creates  folder logs in %userprofile%\Local Settings\Application Data\Windows\Logs. A shortcut like in the image below shows up in that directory for a split second but I did not capture it. This is the file that gets transmitted with HTTP POST, M​DAwMGhIR​UwuMDk in meta part of the URL string can be decoded as meta=0000hHEL.09

        **POST /wi​ndowsupd​atev7/se​arch%3Fh​l%3DSABB​AE4AUwA%​3D%26q%3​DMQA5ADI​ ALgAxADY​AOAAuADI​ALgAyAA%​3D%3D%26​meta%3DM​DAwMGhIR​UwuMDk%3​D%26id%3​ Dlfdxfir​cvscxggb​ HTTP/1.​1.

    The last part -lfdxfir​cvscxggb​ - is changing with each GET request and is possibly an encoded directories names on the victim pc

    C2 information 
    DNS queries and traffic to


    www.offlinewebpage.com
    58.68.224.22

    58.68.224.22    HTTP    POST /qduxwfnfozvsrtkjprepggxrpnrvyst.htm HTTP/1.1 
    Reverse IP Lookup Results—3 domains hosted on IP address 58.68.224.22
    Web Site
    live-facebook.com
    live-msn.net
    offlinewebpage.com

    Domain name: OFFLINEWEBPAGE.COM
       Updated Date: 2010-10-05
       Creation Date: 2010-10-05
       Expiration Date: 2012-10-05
    Registrant:
        david Boulevard
        No.17 Ren Rd. zonn District, fifa, akai 116001
            bb aa 116001
            Phone: +86.075184562547 Fax: +86.075184562547
    Administrative Contact:
        david Boulevard new delphi qingwa20112011@163.com
        No.17 Ren Rd. zonn District, fifa, akai 116001

    Registrar of Record: NAME2HOST, INC.
    Domain servers in listed order:
        DNS1.51.NET   118.144.82.171
        DNS2.51.NET   118.145.1.7

    IP Address History
    Event Date     Action     Pre-Action IP     Post-Action IP
    2010-10-06     New     -none-     127.0.0.1
    2011-03-18     Change     127.0.0.1     58.68.224.22
    2011-04-10     New     -none-     58.68.224.22


    Traffic to 
    msn.offlinewebpage.com
    114.248.80.32
    114.248.80.32
    inetnum:    114.240.0.0 - 114.255.255.255
    Hostname:    114.248.80.32
    ISP:    China Unicom Beijing Province Network
    Organization:    China Unicom Beijing Province Network
    Proxy:    None detected
    Type:    Broadband
    Assignment:    Static IP
    Country:    China
    State/Region:    Beijing
    City:    Beijing



    No comments:

    Post a Comment