Tuesday, May 3, 2011

May 3 CVE-2010-3333 DOC Courier who led U.S. to Osama bin Laden's hideout identified

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333

Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability". Note that the attachment carries a .doc extension but, as the CVE implies, its content is RTF; Word sniffs the content and parses it as RTF regardless of the name.

  General File Information

File   Laden's Death.doc
MD5   dad4f2a0f79db83f8976809a88d260c5
SHA256  4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
File size : 163065 bytes
Type:  DOC
Distribution: Email attachment

Post Updates

May 6   Updated analysis by Hermes Bojaxhi from CyberESI 

May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit

May 4, 2011 Kate Milton sent the extracted binary (decoded and not) and the decoy clean file. Many thanks.

It was sent to many targets in the US Government today.

Also see the same payload in the following messages

http://contagiodump.blogspot.com/2010/09/sep14-cve-2010-2883-adobe-0-day-fwd.html

http://contagiodump.blogspot.com/2010/09/cve-2009-4324-cve-2010-1297-cve-2009.html



Download

Message


Tue, 03 May 2011 11:34:06 -0400 (EDT)
Source-IP: 220.228.120.62 
Message-ID: <000c01cc0998$15c8ec70$0201a8c0@protech.com.tw>
From: XXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXX
Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
Date: Tue, 3 May 2011 21:43:28 +0800
X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0009_01CC09DB.23A97E20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2929
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168


This is a multi-part message in MIME format.

------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: text/plain;
        format=flowed;
        charset="big5";
        reply-type=original
Content-Transfer-Encoding: 7bit

To whom it may concern.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXX  Signature spoofed  XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: application/octet-stream;
        name="Laden's Death.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Laden's Death.doc"
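Added example (not code from Contagio, F-Secure or CyberESI): a small triage script for a mailed attachment of this kind. It pulls each attachment out of a raw MIME message, classifies it by magic bytes instead of by extension (so a ".doc" that really starts with `{\rt` is reported as RTF), and looks for the CVE-2010-3333 trigger, an over-long value in a `pFragments` shape property (`{\shp{\sp{\sn pFragments}{\sv ...}}}`). The MIME message and RTF bytes are constructed stand-ins, not the real "Laden's Death.doc", and the 64-byte cut-off for a suspicious `\sv` value is an assumption, not a number from the page.

```python
import base64
import email
import re
from email import policy

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File header: a genuine binary Word .doc
RTF_MAGIC = b"{\\rt"                               # Word sniffs content, so '{\rt...' is parsed as RTF whatever the extension

# CVE-2010-3333 is triggered by an over-long value of the pFragments shape property:
# {\shp{\sp{\sn pFragments}{\sv 1;1;<hex...>}}}. The regex tolerates whitespace and
# nested groups between \sn and \sv, which exploit generators use to confuse scanners.
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments\s*\}?.*?\\sv\s*([0-9a-fA-F;]+)", re.DOTALL)

# Assumed cut-off (not from the page): benign pFragments values are a few bytes,
# exploit payloads run to hundreds.
SUSPICIOUS_SV_LEN = 64


def file_kind(data: bytes) -> str:
    """Classify by magic bytes rather than by the attachment's file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def pfragments_lengths(rtf: bytes) -> list:
    """Length of every \\sv value attached to a pFragments property."""
    return [len(m.group(1)) for m in PFRAGMENTS_RE.finditer(rtf)]


def triage(filename: str, data: bytes) -> dict:
    """Flag extension/content mismatch and the CVE-2010-3333 pattern."""
    kind = file_kind(data)
    findings = []
    if filename.lower().endswith(".doc") and kind == "rtf":
        findings.append("extension/content mismatch: .doc name, RTF content")
    if kind == "rtf":
        longest = max(pfragments_lengths(data), default=0)
        if longest > SUSPICIOUS_SV_LEN:
            findings.append("pFragments \\sv value of %d bytes (CVE-2010-3333 pattern)" % longest)
    return {"kind": kind, "findings": findings}


def triage_message(raw: bytes) -> list:
    """Walk a raw MIME message and triage every attachment: [(filename, result), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, triage(name, part.get_payload(decode=True))))
    return results


# Constructed sample: a ".doc" attachment that is really RTF carrying an oversized pFragments value.
_EXPLOIT_RTF = b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 1;1;" + b"41" * 200 + b"}}}}"
SAMPLE_MESSAGE = (
    b"From: sender@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: FW: test\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"XX\"\r\n\r\n"
    b"--XX\r\nContent-Type: text/plain\r\n\r\nTo whom it may concern.\r\n"
    b"--XX\r\nContent-Type: application/octet-stream; name=\"sample.doc\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment; filename=\"sample.doc\"\r\n\r\n"
    + base64.encodebytes(_EXPLOIT_RTF)
    + b"\r\n--XX--\r\n"
)

if __name__ == "__main__":
    for name, result in triage_message(SAMPLE_MESSAGE):
        print(name, result)
```

The magic-byte check matters more than it looks: the VirusTotal result above is 1/41 for the document itself, so a mail gateway that trusts the ".doc" name and waits for an AV verdict passes this through, whereas "claims to be .doc, is RTF, contains a long pFragments value" is cheap to compute and stable across repacked samples.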

Sender

220.228.120.62 (there are other IPs from that company used as well)

Lotus Notes mail server, apparently compromised

Hostname:    notess1.protech.com.tw
ISP:    New Century InfoComm Tech. Co., Ltd.
Organization:    PROTECHSYSTEMSCO.,LTD.
Assignment:    Static IP
Country:    Taiwan


Automated Scans

File name: Laden's Death.doc
Submission date:2011-05-03 15:34:52 (UTC)
http://www.virustotal.com/file-scan/report.html?id=4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342-1304436892#
1/ 41 (2.4%)
Commtouch    5.3.2.6    2011.05.03    CVE-2010-3333!Camelot
MD5   : dad4f2a0f79db83f8976809a88d260c5
SHA1  : d563029a2dfe3cfcddc7326b1b486213095e58e5
SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
ssdeep: 1536:njNRRUfwR/JvinctjMA+2cg1WoQ98k//qL+fV7UswHOv6fNtcrm2XDt/:nBJRvinBADAOk661UswH/fNGy2XB
File size : 163065 bytes
First seen: 2011-05-03 15:34:52
Last seen : 2011-05-03 15:34:52

Analysis

May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit


Clean decoy file and extracted binary (thanks to Kate Milton for the binary and the clean decoy file submission). The scan below is of the extracted binary, not the decoy.



File name: exe_decoded.bin
http://www.virustotal.com/file-scan/report.html?id=a40b5cf0689aebaaf2352b61e8a9f4544ec69ef8ea3dc558f53646964a85755b-1304567158
Submission date: 2011-05-05 03:45:58 (UTC)
Result: 17/40 (42.5%)

AntiVir     7.11.7.150     2011.05.04     BDS/Protux.tg
BitDefender     7.2     2011.05.05     Trojan.Generic.KDV.211541
Commtouch     5.3.2.6     2011.05.05     W32/Virut.AI!Generic
DrWeb     5.0.2.03300     2011.05.05     BackDoor.Diho.163
eTrust-Vet     36.1.8307     2011.05.04     -
F-Prot     4.6.2.117     2011.05.04     W32/Virut.AI!Generic
GData     22     2011.05.05     Trojan.Generic.KDV.211541
Ikarus     T3.1.1.103.0     2011.05.05     Backdoor.Win32.Protux
Kaspersky     9.0.0.837     2011.05.05     Backdoor.Win32.Protux.tg
McAfee     5.400.0.1158     2011.05.05     Artemis!30C8C4C99430
McAfee-GW-Edition     2010.1D     2011.05.05     Artemis!30C8C4C99430
NOD32     6095     2011.05.05     Win32/Protux.NAK
Panda     10.0.3.5     2011.05.04     Suspicious file
PCTools     7.0.3.5     2011.05.04     Trojan.Generic
SUPERAntiSpyware     4.40.0.1006     2011.05.05     -
Symantec     20101.3.2.89     2011.05.05     Trojan Horse
TrendMicro     9.200.0.1012     2011.05.04     PAK_Generic.001
TrendMicro-HouseCall     9.200.0.1012     2011.05.05     BKDR_PROTUX.GE
VBA32     3.12.16.0     2011.05.04     Backdoor.Protux.ta
MD5   : 30c8c4c9943044287cf06996863c2261
SHA1  : e7addde85f18c6ce22f7a1abc1ed78e662ce90f2

----------------------------------------------------------------------------------------------------------
See the payload analysis here  http://www.cyberesi.com/2011/05/03/ladens-death-doc-cve-2010-3333/

Hermes Bojaxhi from CyberESI  http://www.cyberesi.com provided the following details about the payload

File Name:  dhcpsrv.dll
File Size:  44504 bytes
MD5:        06ddf39bc4b5c7a8950f1e8d11c44446
SHA1:       b8c11c68f3e92b60cc4b208bd5905c0365f28978
PE Time:    0x4D9C2616 [Wed Apr 06 08:36:38 2011 UTC]
Sections (4):
 Name      Entropy  MD5
 .text     6.14     5c8b018d10792fdb74b5f289f97c5d06
 .rdata    4.73     88003ece00266ee44c21ac6242a7eafd
 .data     4.99     1d745a13a1f55e75b2f68adee97c6f59
 .reloc    5.7      e437cc92e10504181d7b712478db6af3


beacons to these domains:

checkerror.ucparlnet.com

ssi.ucparlnet.com
www.dnswatch.info
picture.ucparlnet.com
==============
C2 domain info

checkerror.ucparlnet.com - 203.67.127.165  Hostname: protech.com.tw  Digital United Inc., Taiwan
ssi.ucparlnet.com        - 58.34.152.233   ChinaNet Shanghai Province Network, China
www.dnswatch.info        - 82.96.118.210   Probe Networks / Planet-Hosting.cz, Germany
picture.ucparlnet.com    - 203.67.127.165  Hostname: protech.com.tw  Digital United Inc., Taiwan

Note that 203.67.127.165 reverse-resolves to protech.com.tw, the same Taiwanese company whose mail server (220.228.120.62) sent the message, so the sender infrastructure and part of the C2 infrastructure overlap.

ucparlnet.com IP Address hosting history

Event Date   Action   Pre-Action IP     Post-Action IP
2010-08-10   New      -none-            58.34.152.162
2010-08-13   Change   58.34.152.162     58.37.54.66
2010-08-23   Change   58.37.54.66       58.34.148.241
2010-09-03   Change   58.34.148.241     220.246.76.125
2010-09-24   Change   220.246.76.125    127.0.0.1
2010-10-25   Change   127.0.0.1         58.37.182.29
2010-11-28   Change   58.37.182.29      58.34.149.104
2010-12-09   Change   58.34.149.104     58.34.152.202
2010-12-31   Change   58.34.152.202     127.0.0.1
2011-02-24   Change   127.0.0.1         125.141.233.16
2011-04-10   New      -none-            125.141.233.16

The apex record moves between ChinaNet Shanghai ranges (58.34.x.x, 58.37.x.x) and is parked at 127.0.0.1 between campaigns, so a resolution of a ucparlnet.com name to loopback is itself worth alerting on.

dnswatch.info is not a malicious domain; the backdoor contacts it, but it is a legitimate service and should not be used as an indicator on its own.
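Added example (not CyberESI's or Contagio's code) that turns the beacon list, C2 addresses and hosting history above into detection logic and runs it over a handful of constructed DNS and proxy log lines. Any name under ucparlnet.com is treated as an indicator because the hosting history shows the whole apex is attacker controlled; www.dnswatch.info is explicitly excluded for the reason given above; and a ucparlnet.com name answering 127.0.0.1 is flagged as "parked", matching the pattern in the hosting history. The log format (`timestamp dns|proxy client key=value ...`) and the sample lines are assumptions for the example, not real traffic.

```python
import re
from collections import defaultdict

# Indicators taken from the CyberESI payload analysis on this page
C2_DOMAINS = {"checkerror.ucparlnet.com", "ssi.ucparlnet.com", "picture.ucparlnet.com"}
C2_IPS = {"203.67.127.165", "58.34.152.233"}
IOC_DOMAIN_SUFFIX = "ucparlnet.com"      # the whole apex has a malicious hosting history
BENIGN_LOOKUPS = {"www.dnswatch.info"}   # contacted by the backdoor, but a legitimate service

# Assumed log format for the example: "<timestamp> <dns|proxy> <client> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>dns|proxy) (?P<client>\S+) (?P<kv>.*)$")

# Constructed sample lines (not real traffic)
SAMPLE_LOGS = [
    "2011-05-03T15:40:12Z dns 10.1.2.33 query=checkerror.ucparlnet.com answer=203.67.127.165",
    "2011-05-03T15:40:13Z dns 10.1.2.33 query=www.dnswatch.info answer=82.96.118.210",
    "2011-05-03T15:41:02Z proxy 10.1.2.33 dst=203.67.127.165:80 host=checkerror.ucparlnet.com",
    "2011-05-03T15:45:00Z dns 10.1.2.57 query=www.google.com answer=74.125.0.1",
    "2011-05-03T15:46:00Z dns 10.1.2.57 query=update.ucparlnet.com answer=127.0.0.1",
    "2011-05-03T15:47:00Z proxy 10.1.2.57 dst=58.34.152.233:443 host=-",
]


def parse_line(line):
    """Split a log line into (timestamp, source, client, {key: value}); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return m.group("ts"), m.group("src"), m.group("client"), fields


def is_ioc_domain(name):
    """Exact C2 names plus anything under the apex, minus the benign service."""
    name = name.lower().rstrip(".")
    if name in BENIGN_LOOKUPS:
        return False
    return name in C2_DOMAINS or name == IOC_DOMAIN_SUFFIX or name.endswith("." + IOC_DOMAIN_SUFFIX)


def match_line(line):
    """Return (timestamp, client, [reasons]) when the line touches an indicator, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    ts, src, client, f = parsed
    reasons = []
    if src == "dns":
        q = f.get("query", "")
        if is_ioc_domain(q):
            reasons.append("query for C2 domain " + q)
            if f.get("answer") == "127.0.0.1":   # parked, as in the hosting history
                reasons.append("C2 domain currently parked at 127.0.0.1")
        elif f.get("answer") in C2_IPS:
            reasons.append("answer is C2 IP " + f["answer"])
    else:  # proxy
        ip = f.get("dst", "").rsplit(":", 1)[0]
        if ip in C2_IPS:
            reasons.append("connection to C2 IP " + ip)
        host = f.get("host", "")
        if host != "-" and is_ioc_domain(host):
            reasons.append("HTTP Host header for C2 domain " + host)
    return (ts, client, reasons) if reasons else None


def hunt(lines):
    """Group indicator hits per client so each infected host is reported once."""
    hits = defaultdict(list)
    for line in lines:
        r = match_line(line)
        if r:
            ts, client, reasons = r
            hits[client].append((ts, reasons))
    return dict(hits)


if __name__ == "__main__":
    for client, events in hunt(SAMPLE_LOGS).items():
        print(client)
        for ts, reasons in events:
            print("  ", ts, "; ".join(reasons))
```

Matching on both the DNS answer and the proxy destination catches the case where the host resolved the name elsewhere (or where the name has already moved, as the history shows it does every few weeks) but still connects to the last known C2 address.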


1 comment:

  1. Looks like that malware was also used about 2 years ago to target some foreign correspondents in China: http://www.infowar-monitor.net/2009/09/targeted-malware-attack-on-foreign-correspondents-based-in-china/
