Common Vulnerabilities and Exposures (CVE) number
CVE-2011-2100 Adobe Acrobat and Reader DLL Loading Arbitrary Code Execution Vulnerability.
Untrusted search path vulnerability in Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x before 10.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory.
It was patched by Adobe on June 14, 2011.
References and related articles
- APSB11-16 Security updates available for Adobe Reader and Acrobat (Adobe) June 14, 2011
- Microsoft Security Advisory 2269637 Released (Microsoft, DLL preloading attacks post of 21 Aug 2010)
- Security Focus
Note: this exploit is hard to trigger. I can see the potential but there was no luck in getting the malware to run on my side. All the screenshots and notes were made in April 2011.
Adobe Acrobat and Reader are prone to an arbitrary code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.
Adobe Reader and Acrobat versions prior to 10.1 are affected.
General File Information
Update Jun 20: The previous download had a messed-up thumbs.db, smaller than 34 KB. If you downloaded it before June 20, 2011 and still care about the correct file, redownload it; the correct MD5 is 2898107be3c4ac71cd16898b6a08fe87
Update 2: the password is now fixed too.
My apologies for the inconvenience.
http://www.virustotal.com/file-scan/report.html?id=692dee980ff5082c8c01319238de6980673711c1a49c597c42b76426d2e9ac5f-1305606177
File name: Thumbs.db
Submission date: 2011-05-17 04:22:57 (UTC)
Current status: finished
Result: 16 /42 (38.1%)
Antivirus  Version  Last update  Result
Antiy-AVL 2.0.3.7 2011.05.17 Trojan/Win32.Pincav.gen
BitDefender 7.2 2011.05.17 Trojan.Generic.5867729
Comodo 8729 2011.05.17 Heur.Suspicious
DrWeb 5.0.2.03300 2011.05.17 Trojan.DownLoader2.35509
F-Secure 9.0.16440.0 2011.05.17 Trojan.Generic.5867729
Fortinet 4.2.257.0 2011.05.17 W32/Pincav.BEMR!tr
GData 22 2011.05.17 Trojan.Generic.5867729
Kaspersky 9.0.0.837 2011.05.17 Trojan.Win32.Pincav.bemr
Microsoft 1.6802 2011.05.16 Backdoor:Win32/Poisonivy.E
nProtect 2011-05-16.01 2011.05.16 Trojan.Generic.5867729
Panda 10.0.3.5 2011.05.16 Generic Backdoor
PCTools 7.0.3.5 2011.05.17 Backdoor.Darkmoon!rem
Symantec 20101.3.2.89 2011.05.17 Backdoor.Darkmoon
TrendMicro 9.200.0.1012 2011.05.17 TROJ_GEN.R47C2DP
TrendMicro-HouseCall 9.200.0.1012 2011.05.17 TROJ_GEN.R47C2DP
VBA32 3.12.16.0 2011.05.12 Trojan.Pincav.bemr
MD5 : 2898107be3c4ac71cd16898b6a08fe87
Files:
Agenda.7z containing
- oleacc.dll Size: 32768 MD5: BADD488212891EBC1D76BE901E70D4A1
- Speaker information1.pdf Size: 12253 MD5: 7EA84B62DA84DCD8B6F577D670C86F68
- Thumbs.db Size: 34816 MD5: 2898107be3c4ac71cd16898b6a08fe87
Distribution: Email attachment
Versions affected: See Security Focus. (did not work for Reader X for me)
The PDF was detected on April 13 in a 7z archive, which included:
1) 2 clean PDFs (they contain some information about the victim and are not included, for the victim's protection)
2) oleacc.dll Size: 32768 MD5: BADD488212891EBC1D76BE901E70D4A1
3) Speaker information1.pdf Size: 12253 MD5: 7EA84B62DA84DCD8B6F577D670C86F68
4) Thumbs.db Size: 34816 MD5: 2898107be3c4ac71cd16898b6a08fe87
Thumbs.db and oleacc.dll carry the hidden attribute. Most computers have the "Hide protected operating system files (Recommended)" option checked, so a regular user would see nothing but the PDFs after extracting the archive.
Message Headers
Sorry, I do not have headers in this case.
Analysis Notes and Automatic scans
Here are some notes from April 2011.
Speaker Information1.pdf was 0/42 on VirusTotal in April. It has embedded Flash. The VirusTotal scan of the extracted shellcode is posted below as shellcode.exe_.
1. Speaker Information1.pdf 7ea84b62da84dcd8b6f577d670c86f68
http://www.virustotal.com/file-scan/report.html?id=04290fc7c744102b3566a6cec1f2b6811b5db88bbd0584b46bc638b65e61276a-1307761984
Submission date: 2011-06-11 03:13:04 (UTC)
5 /42 (11.9%)
ClamAV 0.97.0.0 2011.06.10 PUA.Script.PDF.EmbeddedJS-1
Ikarus T3.1.1.104.0 2011.06.10 Exploit.SWF.Agent
Kaspersky 9.0.0.837 2011.06.10 Exploit.SWF.Agent.eb
TrendMicro 9.200.0.1012 2011.06.10 TROJ_PIDIEF.ECJ
TrendMicro-HouseCall 9.200.0.1012 2011.06.11 TROJ_PIDIEF.ECJ
MD5 : 7ea84b62da84dcd8b6f577d670c86f68
File name: shellcode.exe_
xhttp://www.virustotal.com/file-scan/report.html?id=aa82f446eb47abbf68bb50ee2cd53d5a75cba484e36fc04496f9695913fd2845-1303047440
8 /41 (19.5%)
AntiVir 7.11.6.143 2011.04.15 TR/Kazy.17938
AVG 10.0.0.1190 2011.04.17 Agent_r.OV
CAT-QuickHeal 11.00 2011.04.17 Trojan.Agent.ATV
Comodo 8375 2011.04.17 TrojWare.Win32.TrojanDownloader.Small.aolo0
Kaspersky 7.0.0.125 2011.04.17 Trojan-Downloader.Win32.Small.buiw
Heuristic.BehavesLike.Win32.Downloader.J
TrendMicro 9.200.0.1012 2011.04.17 PAK_Generic.001
TrendMicro-HouseCall 9.200.0.1012 2011.04.17 PAK_Generic.001
MD5 : 9819316da58c5c9bdd4a2cb58bcc469e
2) oleacc.dll Size: 32768 MD5: BADD488212891EBC1D76BE901E70D4A1
- Speaker information1.pdf has a JavaScript pop-up, "Please Update your PDF viewer" (see JSpopup.JPG).
- If oleacc.dll is in the same directory as the PDF, Reader loads it on close. In other words, when you close the document, Reader crashes and picks up this DLL from the document's directory (as you guessed, this is a different DLL from the ~160 KB authentic oleacc.dll in system32). Please see the screenshot of the fully patched (as of April 2011) Adobe Reader 9.4. Other versions are vulnerable as well; see the security advisories for details. Note, I could not trigger a crash on Reader X.
Open handles of the legitimate AcroRd32.exe on the system at the time of launch (Sysinternals Handle output, paths truncated as posted):
Handle v3.45
Copyright (C) 1997-2011 Mark Russinovich
AcroRd32.exe pid: 2668 XPSP3\Mila
10: File (RW-) C:\WINDOWS\WinSxS\x86_
40: File (RW-) C:\Program Files\Adobe\Reader 9.0\Reader
44: File (RW-) C:\WINDOWS\WinSxS\x86_
48: File (RW-) C:\WINDOWS\WinSxS\x86_
4C: File (RW-) C:\WINDOWS\WinSxS\x86_
50: File (RW-) C:\WINDOWS\WinSxS\x86_
54: File (RW-) C:\WINDOWS\WinSxS\x86_
58: File (RW-) C:\WINDOWS\WinSxS\x86_
60: File (RW-) C:\WINDOWS\WinSxS\x86_
64: File (RW-) C:\WINDOWS\WinSxS\x86_
A8: File (RW-) C:\WINDOWS\WinSxS\x86_
D4: Section \BaseNamedObjects\
F0: Section \BaseNamedObjects\CTF.
100: Section \BaseNamedObjects\
114: File (RW-) C:\WINDOWS\WinSxS\x86_
118: File (RW-) C:\WINDOWS\WinSxS\x86_
17C: File (RW-) C:\WINDOWS\WinSxS\x86_
19C: Section \BaseNamedObjects\MSCTF.
1CC: File (R--) C:\Documents and Settings\Mila\Desktop\7zip\
1D0: File (RW-) C:\WINDOWS\WinSxS\x86_
1E4: File (RW-) C:\WINDOWS\WinSxS\x86_
1E8: File (RW-) C:\WINDOWS\WinSxS\x86_
254: File (RW-) C:\WINDOWS\WinSxS\x86_
270: Section \BaseNamedObjects\UrlZonesSM_
284: File (RW-) C:\WINDOWS\WinSxS\x86_
28C: File (RW-) C:\WINDOWS\WinSxS\x86_
2D4: Section \BaseNamedObjects\A3D_6695858
328: Section \BaseNamedObjects\RotHintTable
330: Section \BaseNamedObjects\MSCTF.
340: Section \BaseNamedObjects\
398: File (RW-) C:\WINDOWS\WinSxS\x86_
3D8: File (RW-) C:\Documents and Settings\Mila\Desktop\7zip\
3DC: File (RWD) C:\Program Files\Adobe\Reader 9.0\Resource\CMap
3E8: Section \BaseNamedObjects\MSCTF.
3EC: File (RW-) C:\WINDOWS\WinSxS\x86_
408: File (RWD) C:\Documents and Settings\Mila\Application Data\Adobe\Acrobat\9.0
418: File (RW-) C:\WINDOWS\WinSxS\x86_
420: File (RWD) C:\Program Files\Adobe\Reader 9.0\Resource\Font
428: File (RWD) C:\Program Files\Adobe\Reader 9.0\Resource\CMap
448: File (RW-) C:\WINDOWS\WinSxS\x86_
458: File (RW-) C:\Documents and Settings\Mila\Desktop\7zip\
- If this DLL is not present in the same directory, there is no Reader crash or freeze; it just closes.
- oleacc.dll is not in use until the crash. It is usually in use only for Office documents. In this case Adobe Reader has both the legitimate copy in system32 and the fake one in use.
- A3DUtility.exe launches for this PDF only (perhaps due to the Flash content).
Thumbs.db is actually a Win32 executable. When run, it attempts a connection to 115.89.225.109 (many thanks to Andre' DiMino for this info; rename thumbs.db to thumbs.exe and run it to see).
oleacc.dll!DllMain() calls WinExec() on Thumbs.db, so the planted DLL only launches the backdoor carried in the "thumbnail cache" file.
Domains seen resolving to 115.89.225.109:
115.89.225.109 115.88.0.0/13 2011-01-11 11:18:32 r.koreacount.com
115.89.225.109 115.88.0.0/13 2010-11-19 20:25:41 r.gkoreag.com
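The two tricks in this archive (a system-DLL name dropped beside the document for a search-order hijack, and a "Thumbs.db" whose content is really a PE image, as the hidden-files paragraph and the notes above describe) are easy to spot mechanically once the archive is extracted. The script below is an added triage example written for this post; it is not the author's code and not the malware. It walks an extracted directory, parses the MZ/PE header of every file to decide whether it is a PE and whether it is a DLL, flags PE images hiding behind non-executable extensions, flags known hijack DLL names (only oleacc.dll is documented here; the set is an assumption to extend) lying next to a document, and reports the hidden/system attribute where the platform exposes it. The sample directory it builds is constructed from stub headers so it runs offline; the stubs are not the real samples and contain no code. It also handles the case raised in the comments, a file that should be a PE but is not well-formed.

```python
"""Added triage script (not from the original post): walk an extracted attachment
directory and flag the two tricks this sample relies on, a system-DLL name
(oleacc.dll) planted beside a document for a search-order hijack, and a
'non-executable' file (Thumbs.db) whose content is really a PE image.
The sample directory is constructed from stub files; they are not the real
samples and carry no exploit content."""
import hashlib
import os
import struct
import tempfile

# oleacc.dll is the name documented on the page; the set is an assumption to
# extend with other DLLs an application loads from the document directory.
HIJACK_DLL_NAMES = {"oleacc.dll"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr"}
IMAGE_FILE_DLL = 0x2000
FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4


def parse_pe(data):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER.
    Returns (is_pe, is_dll, machine); (False, False, None) for anything that is
    not a well-formed PE image (the 'not a valid PE' case from the comments)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False, None
    machine, _nsect, _stamp, _symptr, _nsym, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return True, bool(chars & IMAGE_FILE_DLL), machine


def is_hidden(path):
    """Hidden/system attribute check. st_file_attributes exists only on Windows,
    where Explorer hides such files by default; elsewhere this returns False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))


def triage_dir(path):
    """Return a list of (filename, md5, reason) findings for one extracted archive."""
    names = sorted(os.listdir(path))
    beside_document = any(os.path.splitext(n)[1].lower() in DOC_EXTENSIONS for n in names)
    findings = []
    for name in names:
        full = os.path.join(path, name)
        with open(full, "rb") as fh:
            data = fh.read()
        md5 = hashlib.md5(data).hexdigest()  # compare against the IOC hashes above
        ext = os.path.splitext(name)[1].lower()
        is_pe, is_dll, _machine = parse_pe(data)
        hidden = " (hidden)" if is_hidden(full) else ""
        if beside_document and name.lower() in HIJACK_DLL_NAMES:
            kind = "valid PE DLL" if is_dll else ("PE but not a DLL" if is_pe else "not a valid PE")
            findings.append((name, md5,
                             f"system DLL name beside a document, {kind}{hidden}: "
                             "DLL search-order hijack candidate"))
        if is_pe and ext not in PE_EXTENSIONS:
            findings.append((name, md5,
                             f"PE {'DLL' if is_dll else 'executable'} disguised as "
                             f"'{ext or '(no extension)'}'{hidden}"))
    return findings


def make_stub_pe(is_dll):
    """Minimal i386 MZ/PE header (constructed) that parse_pe accepts; no code inside."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    return bytes(hdr) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, chars)


def build_sample_dir():
    """Constructed stand-in for the Agenda.7z contents described on the page."""
    d = tempfile.mkdtemp(prefix="agenda_")
    stubs = {
        "Speaker information1.pdf": b"%PDF-1.4\n% constructed placeholder, no embedded content\n",
        "oleacc.dll": make_stub_pe(is_dll=True),
        "Thumbs.db": make_stub_pe(is_dll=False),
    }
    for name, data in stubs.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for name, md5, reason in triage_dir(build_sample_dir()):
        print(f"{md5}  {name}: {reason}")
```

On the constructed directory this reports oleacc.dll as a hijack candidate and Thumbs.db as a PE executable disguised as a .db file, and says nothing about the PDF. Point it at a real extracted archive to get MD5s to compare with the hashes listed above; a bad copy of Thumbs.db like the one discussed in the comments simply produces no PE finding, which is itself the tell that the upload was wrong.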
Hostname: 115.89.225.109
ISP: LG DACOM Corporation
Organization: LG DACOM Corporation
Assignment: Static IP
Country: Korea
City: Seoul
LG Dacom provides high-speed Internet and telephone services. The company is a leading Korean ISP and one of the largest providers of consumer Internet service in Asia.
koreacount.com - Not currently registered
Domain: koreacount.com - Whois History
Cache Date: 2011-05-20
Registrar: BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Server: whois.dns.com.cn
Created: 2010-03-22
Updated: 2011-05-01
Expires: 2011-03-22
defastdns@netdove.net isoidc@126.com
Domain Name.......... koreacount.com
Creation Date........ 2010-03-22 18:54:29
Registration Date.... 2010-03-22 18:54:29
Expiry Date.......... 2011-03-22 18:54:29
Organisation Name.... shuan bmyu
Organisation Address. bring small road 10
Organisation Address.
Organisation Address. bring
Organisation Address. 123456
Organisation Address. XZ
Organisation Address. CN
Name Server.......... ns2.dns.com.cn
Name Server.......... ns1.dns.com.cn
gkoreag.com
Cache Date: 2011-05-11
Registrar: XIN NET TECHNOLOGY CORPORATION
Server: whois.paycenter.com.cn
Created: 2010-01-21
Updated: 2011-01-19
Expires: 2012-01-21
gameking888@gmail.com
Domain Name : gkoreag.com
PunnyCode : gkoreag.com
Creation Date : 2010-01-21 16:39:29
Updated Date : 2011-01-19 14:18:50
Expiration Date : 2012-01-21 16:39:25
Registrant:
Organization : StarOut Soft
Name : Wang ShanShi
Address : xizhangStar Streetno10
City : xizhang
Province/State : Xizang
Country : CN
Postal Code : 100000
Administrative Contact:
Name : StarOut Soft
Organization : Wang ShanShi
Address : xizhangStar Streetno10
City : xizhang
Province/State : Xizang
Country : CN
Postal Code : 100000
Phone Number : 86-86-67341289
Fax : 86-86-67341289
Email : gameking888@gmail.com
Update June 20: The following information was kindly shared by ScriptKiddieSec.
gameking888@gmail.com owns one more domain, ckb2b.org:
Wang ShanShi
StarOut Soft
xizhangStar Streetno10
xizhang
Xizang
100000
China
Phone: +86.8667341289
Fax: +86.8667341289
E-mail: gameking888@gmail.com
NS.XINNETDNS.COM
NS.XINNET.CN
D161547596-LROR
Created: 19-Feb-2011 07:22:42 UTC
Updated: 21-Apr-2011 03:51:08 UTC
Expires: 19-Feb-2012 07:22:42 UTC
Source: whois.publicinterestregistry.net
Canonical name: ckb2b.com.cn.
Address: 211.144.144.45
Domain Whois record
Queried whois.cnnic.net.cn with "ckb2b.com.cn"...
Domain Name: ckb2b.com.cn
ROID: 20071207s10011s98260436-cn
Domain Status: ok
Registrant Organization: 丹东瀚通国际货运代理有限公司 (Dandong Hantong International Freight Forwarding Co., Ltd.)
Registrant Name: 解文强 (Xie Wenqiang)
Administrative Email: intyuming@mainone.cn
Sponsoring Registrar: 铭万信息技术有限公司 (Mainone Information Technology Co., Ltd.)
Name Server:ns3.dns-china.cn
Name Server:ns4.dns-china.cn
Registration Date: 2007-12-07 10:27
Expiration Date: 2014-12-07 10:27
Gameking888 created ckb2b.org as a copy of the legitimate ckb2b.com.cn:
Domain Name:CKB2B.ORG
Created On:19-Feb-2011 07:22:42 UTC
Last Updated On:21-Apr-2011 03:51:08 UTC
Expiration Date:19-Feb-2012 07:22:42 UTC
Comments
Excellent work as usual Mila
Good sharing Mila. :)
Hi Mila, did you attach the correct thumbs.db? This sample matching the hash above does not appear to be a valid PE.
yep you are right, i fixed it now, not sure when the thumbs went bad but they did. yikes, thanks for noting.
mila
no problem, perhaps explorer replaced it. Cheers :)