Monday, June 20, 2011

Apr 13 CVE-2011-2100 PDF - Adobe DLL Loading Vulnerability - Agenda.7z



Common Vulnerabilities and Exposures (CVE) number

CVE-2011-2100 Adobe Acrobat and Reader DLL Loading Arbitrary Code Execution Vulnerability.

Untrusted search path vulnerability in Adobe Reader and Acrobat 8.x before 8.3, 9.x before 9.4.5, and 10.x before 10.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory. 

It was patched by Adobe on June 14, 2011.
References and related articles

  General File Information

Update Jun 20: The previous download had a messed up Thumbs.db, smaller than 34 KB. If you downloaded it before June 20, 2011 and still care about the correct file, download it again; the correct MD5 is 2898107be3c4ac71cd16898b6a08fe87
Update 2: The password is now fixed too.
My apologies for the inconvenience.

http://www.virustotal.com/file-scan/report.html?id=692dee980ff5082c8c01319238de6980673711c1a49c597c42b76426d2e9ac5f-1305606177
File name: Thumbs.db
Submission date: 2011-05-17 04:22:57 (UTC)
Current status: finished
Result: 16 /42 (38.1%)
Antivirus Version Last Update Result
Antiy-AVL 2.0.3.7 2011.05.17 Trojan/Win32.Pincav.gen
BitDefender 7.2 2011.05.17 Trojan.Generic.5867729
Comodo 8729 2011.05.17 Heur.Suspicious
DrWeb 5.0.2.03300 2011.05.17 Trojan.DownLoader2.35509
F-Secure 9.0.16440.0 2011.05.17 Trojan.Generic.5867729
Fortinet 4.2.257.0 2011.05.17 W32/Pincav.BEMR!tr
GData 22 2011.05.17 Trojan.Generic.5867729
Kaspersky 9.0.0.837 2011.05.17 Trojan.Win32.Pincav.bemr
Microsoft 1.6802 2011.05.16 Backdoor:Win32/Poisonivy.E
nProtect 2011-05-16.01 2011.05.16 Trojan.Generic.5867729
Panda 10.0.3.5 2011.05.16 Generic Backdoor
PCTools 7.0.3.5 2011.05.17 Backdoor.Darkmoon!rem
Symantec 20101.3.2.89 2011.05.17 Backdoor.Darkmoon
TrendMicro 9.200.0.1012 2011.05.17 TROJ_GEN.R47C2DP
TrendMicro-HouseCall 9.200.0.1012 2011.05.17 TROJ_GEN.R47C2DP
VBA32 3.12.16.0 2011.05.12 Trojan.Pincav.bemr
MD5   : 2898107be3c4ac71cd16898b6a08fe87

Files:
Agenda.7z containing
  1. oleacc.dll  Size: 32768  MD5:  BADD488212891EBC1D76BE901E70D4A1
  2. Speaker information1.pdf Size: 12253 MD5:  7EA84B62DA84DCD8B6F577D670C86F68
  3. Thumbs.db  Size: 34816   MD5:  2898107be3c4ac71cd16898b6a08fe87

Distribution: Email attachment
 
The PDF was detected on April 13 in a 7z archive, which included
1) 2 clean PDFs (they contain some information about the victim and are not included, to protect the victim)
2) oleacc.dll  Size: 32768  MD5:  BADD488212891EBC1D76BE901E70D4A1
3) Speaker information1.pdf Size: 12253 MD5:  7EA84B62DA84DCD8B6F577D670C86F68
4) Thumbs.db  Size: 34816  MD5:  2898107be3c4ac71cd16898b6a08fe87

Thumbs.db and oleacc.dll carry the hidden attribute. Most computers have the "Hide protected operating system files (Recommended)" option checked, so a regular user would see nothing but the PDFs.
 

Download

Original Message

Text of the message


Message Headers

Sorry, I do not have headers in this case.

Analysis Notes and Automatic scans

Here are some notes from April 2011

Speaker Information1.pdf was 0/42 on VirusTotal in April. It has embedded Flash. The VirusTotal scan of the extracted shellcode (shellcode.exe_) is posted below.
 
1. Speaker Information1.pdf  7ea84b62da84dcd8b6f577d670c86f68
http://www.virustotal.com/file-scan/report.html?id=04290fc7c744102b3566a6cec1f2b6811b5db88bbd0584b46bc638b65e61276a-1307761984
Submission date: 2011-06-11 03:13:04 (UTC)
5 /42 (11.9%)
ClamAV     0.97.0.0     2011.06.10     PUA.Script.PDF.EmbeddedJS-1
Ikarus     T3.1.1.104.0     2011.06.10     Exploit.SWF.Agent
Kaspersky     9.0.0.837     2011.06.10     Exploit.SWF.Agent.eb
TrendMicro     9.200.0.1012     2011.06.10     TROJ_PIDIEF.ECJ
TrendMicro-HouseCall     9.200.0.1012     2011.06.11     TROJ_PIDIEF.ECJ
MD5   : 7ea84b62da84dcd8b6f577d670c86f68


File name: shellcode.exe_
xhttp://www.virustotal.com/file-scan/report.html?id=aa82f446eb47abbf68bb50ee2cd53d5a75cba484e36fc04496f9695913fd2845-1303047440
8 /41 (19.5%)
AntiVir     7.11.6.143     2011.04.15     TR/Kazy.17938
AVG     10.0.0.1190     2011.04.17     Agent_r.OV
CAT-QuickHeal     11.00     2011.04.17     Trojan.Agent.ATV
Comodo     8375     2011.04.17     TrojWare.Win32.TrojanDownloader.Small.aolo0
Kaspersky     7.0.0.125     2011.04.17     Trojan-Downloader.Win32.Small.buiw
    Heuristic.BehavesLike.Win32.Downloader.J
TrendMicro     9.200.0.1012     2011.04.17     PAK_Generic.001
TrendMicro-HouseCall     9.200.0.1012     2011.04.17     PAK_Generic.001
MD5   : 9819316da58c5c9bdd4a2cb58bcc469e

2) oleacc.dll  Size: 32768  MD5:  BADD488212891EBC1D76BE901E70D4A1

  •  Speaker information1.pdf has a JavaScript pop-up "Please Update your PDF viewer" (see JSpopup.JPG)




  •  If oleacc.dll is in the same directory as the PDF, Reader will load it on close. In other words, when you close the document, the reader crashes and loads this DLL (as you guessed, this is a different DLL from the 160 KB authentic oleacc.dll in system32). Please see the screenshot of the fully patched (as of April 2011) Adobe Reader 9.4. Other versions are vulnerable as well; see the security advisories for more details. Note that I could not trigger a crash on Reader X.

 

Open handles of the legitimate AcroRd32.exe on the system at the time of launch:
Handle v3.45
Copyright (C) 1997-2011 Mark Russinovich


------------------------------------------------
AcroRd32.exe pid: 2668 XPSP3\Mila

   10: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
   40: File  (RW-)   C:\Program Files\Adobe\Reader 9.0\Reader
   44: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
   48: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
   4C: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
   50: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
   54: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
   58: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
   60: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
   64: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
   A8: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
   D4: Section       \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-57989841-1957994488-251377027-1003
   F0: Section       \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-57989841-1957994488-251377027-1003SFM.DefaultS-1-5-21-57989841-1957994488-251377027-1003
  100: Section       \BaseNamedObjects\ShimSharedMemory
  114: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  118: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  17C: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  19C: Section       \BaseNamedObjects\MSCTF.Shared.SFM.AII
  1CC: File  (R--)   C:\Documents and Settings\Mila\Desktop\7zip\Agenda\Agenda\Speaker Information1.pdf
  1D0: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  1E4: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  1E8: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  254: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  270: Section       \BaseNamedObjects\UrlZonesSM_Mila
  284: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  28C: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  2D4: Section       \BaseNamedObjects\A3D_6695858
  328: Section       \BaseNamedObjects\RotHintTable
  330: Section       \BaseNamedObjects\MSCTF.GCompartListSFM.DefaultS-1-5-21-57989841-1957994488-251377027-1003
  340: Section       \BaseNamedObjects\mmGlobalPnpInfo
  398: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  3D8: File  (RW-)   C:\Documents and Settings\Mila\Desktop\7zip\Agenda\Agenda
  3DC: File  (RWD)   C:\Program Files\Adobe\Reader 9.0\Resource\CMap
  3E8: Section       \BaseNamedObjects\MSCTF.Shared.SFM.EJG
  3EC: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  408: File  (RWD)   C:\Documents and Settings\Mila\Application Data\Adobe\Acrobat\9.0
  418: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700
  420: File  (RWD)   C:\Program Files\Adobe\Reader 9.0\Resource\Font
  428: File  (RWD)   C:\Program Files\Adobe\Reader 9.0\Resource\CMap
  448: File  (RW-)   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
  458: File  (RW-)   C:\Documents and Settings\Mila\Desktop\7zip\Agenda\Agenda\oleacc.dll
  • If this DLL is not present in the same directory, there is no Reader crash or freezing; it just closes.
  • Oleacc.dll is not in use until the crash. It is usually in use only by Office documents. In this case Adobe Reader has both the legitimate one in system32 and the fake one in use.
  • A3DUtility.exe launches for this PDF only (perhaps due to the Flash content).
3. Thumbs.db  Size: 34816  MD5: 2898107be3c4ac71cd16898b6a08fe87

 thumbs.db is actually a Win32 executable. When run, it attempts a connection to 115.89.225.109 (many thanks to Andre' DiMino for this info; rename thumbs.db to thumbs.exe and run it to see).
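The archive layout described at the top of the post (two hidden files next to the PDFs) and the observation just above that Thumbs.db is really a Win32 executable can both be checked offline. The following is an added example, not code from the post: it walks an extracted attachment directory and reports files with the hidden attribute, PE images hiding under a non-executable name, a Windows system DLL name sitting beside a document (the DLL preloading pattern of CVE-2011-2100), and MD5 matches against the three hashes listed in the post. The PE check reads only the DOS header, the PE signature and the Characteristics field, so it needs no third-party library. The system DLL list is an assumption for illustration, and the sample entries are constructed stand-ins, not the real files.

```python
"""Added example (not from the post): triage of an extracted mail attachment directory."""
import hashlib
import os
import struct
from dataclasses import dataclass, field

# Assumption: a short illustrative list of DLLs applications load by bare name.
SYSTEM_DLL_NAMES = {"oleacc.dll", "dwmapi.dll", "version.dll", "msimg32.dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".ppt", ".rtf"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx"}
KNOWN_MD5 = {  # the three file hashes listed in the post
    "badd488212891ebc1d76be901e70d4a1": "oleacc.dll",
    "7ea84b62da84dcd8b6f577d670c86f68": "Speaker information1.pdf",
    "2898107be3c4ac71cd16898b6a08fe87": "Thumbs.db",
}
IMAGE_FILE_DLL = 0x2000          # Characteristics flag in IMAGE_FILE_HEADER
FILE_ATTRIBUTE_HIDDEN = 0x2      # Windows st_file_attributes bits
FILE_ATTRIBUTE_SYSTEM = 0x4


def pe_info(data):
    """Return (is_pe, is_dll) by following e_lfanew from the DOS header to the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is its last WORD (offset 18).
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return True, bool(characteristics & IMAGE_FILE_DLL)


@dataclass
class Entry:
    name: str
    data: bytes
    hidden: bool = False


@dataclass
class Finding:
    name: str
    md5: str
    reasons: list = field(default_factory=list)


def triage_entries(entries):
    """Return a Finding for every entry that shows at least one suspicious property."""
    has_document = any(os.path.splitext(e.name.lower())[1] in DOCUMENT_EXTS for e in entries)
    findings = []
    for e in entries:
        lower = e.name.lower()
        ext = os.path.splitext(lower)[1]
        is_pe, is_dll = pe_info(e.data)
        reasons = []
        if e.hidden:
            reasons.append("hidden attribute set")
        if is_pe and ext not in EXECUTABLE_EXTS:
            reasons.append("PE %s disguised as '%s'" % ("DLL" if is_dll else "executable", ext or "no extension"))
        if lower in SYSTEM_DLL_NAMES and has_document:
            reasons.append("system DLL name beside a document (DLL preloading)")
        md5 = hashlib.md5(e.data).hexdigest()
        if md5 in KNOWN_MD5:
            reasons.append("MD5 matches %s from this sample" % KNOWN_MD5[md5])
        if reasons:
            findings.append(Finding(e.name, md5, reasons))
    return findings


def triage_directory(path):
    """Load every regular file in `path`; hidden flags are only reported on Windows."""
    entries = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        attrs = getattr(os.stat(full), "st_file_attributes", 0)
        hidden = bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
        with open(full, "rb") as fh:
            entries.append(Entry(name, fh.read(), hidden))
    return triage_entries(entries)


def _fake_pe(characteristics):
    """Constructed minimal DOS header + PE signature + IMAGE_FILE_HEADER (not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + file_header


# Constructed stand-in for the archive layout in the post (contents are not the real files).
SAMPLE_ARCHIVE = [
    Entry("Speaker information1.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"),
    Entry("oleacc.dll", _fake_pe(0x2102), hidden=True),  # DLL | EXECUTABLE_IMAGE | 32BIT_MACHINE
    Entry("Thumbs.db", _fake_pe(0x0102), hidden=True),   # EXE hiding under a thumbnail-cache name
]

if __name__ == "__main__":
    import sys
    results = triage_directory(sys.argv[1]) if len(sys.argv) > 1 else triage_entries(SAMPLE_ARCHIVE)
    for f in results:
        print("%s  md5=%s  %s" % (f.name, f.md5, "; ".join(f.reasons)))
```

Run it with the extracted Agenda directory as the argument; with no argument it triages the constructed sample, where the PDF is clean and both hidden files are reported. On a non-Windows analysis box the hidden attribute is not visible through os.stat, so only the content checks fire there.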

115.89.225.109     115.88.0.0/13   2011-01-11 11:18:32     r.koreacount.com
115.89.225.109     115.88.0.0/13   2010-11-19 20:25:41     r.gkoreag.com


oleacc.dll!DllMain() -> calls WinExec to launch Thumbs.db

Hostname:    115.89.225.109
ISP:    LG DACOM Corporation
Organization:    LG DACOM Corporation
Assignment:    Static IP
Country:    Korea
City:    Seoul
LG Dacom provides high-speed Internet and telephone services. The company is a leading Korean ISP and one of the largest providers of consumer Internet service in Asia.



koreacount.com  - Not currently registered
 Domain:     koreacount.com - Whois History
Cache Date:    2011-05-20
Registrar:    BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Server:    whois.dns.com.cn
Created:    2010-03-22
Updated:    2011-05-01
Expires:     2011-03-22
defastdns@netdove.net isoidc@126.com

Domain Name.......... koreacount.com
  Creation Date........ 2010-03-22 18:54:29
  Registration Date.... 2010-03-22 18:54:29
  Expiry Date.......... 2011-03-22 18:54:29
  Organisation Name.... shuan bmyu
  Organisation Address. bring small road 10
  Organisation Address.
  Organisation Address. bring
  Organisation Address. 123456
  Organisation Address. XZ
  Organisation Address. CN

  Name Server.......... ns2.dns.com.cn
  Name Server.......... ns1.dns.com.cn




gkoreag.com
Cache Date:    2011-05-11
Registrar:    XIN NET TECHNOLOGY CORPORATION
Server:    whois.paycenter.com.cn
Created:    2010-01-21
Updated:    2011-01-19
Expires:     2012-01-21
Email found in this whois record: gameking888@gmail.com

Domain Name      : gkoreag.com
PunnyCode        : gkoreag.com
Creation Date    : 2010-01-21 16:39:29
Updated Date     : 2011-01-19 14:18:50
Expiration Date  : 2012-01-21 16:39:25

Registrant:
  Organization   : StarOut Soft
  Name           : Wang ShanShi
  Address        : xizhangStar Streetno10
  City           : xizhang
  Province/State : Xizang
  Country        : CN
  Postal Code    : 100000

Administrative Contact:
  Name           : StarOut Soft
  Organization   : Wang ShanShi
  Address        : xizhangStar Streetno10
  City           : xizhang
  Province/State : Xizang
  Country        : CN
  Postal Code    : 100000
  Phone Number   : 86-86-67341289
  Fax            : 86-86-67341289
  Email          : gameking888@gmail.com

Update June 20: The following information was kindly shared by ScriptKiddieSec.

gameking888@gmail.com owns one more domain ckb2b.org

Wang ShanShi
StarOut Soft
xizhangStar Streetno10
xizhang
Xizang
100000
China
Phone: +86.8667341289
Fax: +86.8667341289
E-mail: gameking888@gmail.com

NS.XINNETDNS.COM
NS.XINNET.CN

D161547596-LROR
Created: 19-Feb-2011 07:22:42 UTC
Updated: 21-Apr-2011 03:51:08 UTC
Expires: 19-Feb-2012 07:22:42 UTC
Source: whois.publicinterestregistry.net


canonical name    ckb2b.com.cn.

addresses     211.144.144.45
Domain Whois record
Queried whois.cnnic.net.cn with "ckb2b.com.cn"...
Domain Name: ckb2b.com.cn
ROID: 20071207s10011s98260436-cn
Domain Status: ok
Registrant Organization: 丹东瀚通国际货运代理有限公司
Registrant Name: 解文强
Administrative Email: intyuming@mainone.cn
Sponsoring Registrar: 铭万信息技术有限公司
Name Server:ns3.dns-china.cn
Name Server:ns4.dns-china.cn
Registration Date: 2007-12-07 10:27
Expiration Date: 2014-12-07 10:27


Gameking888 created a copy of ckb2b.com.cn for ckb2b.org

Domain Name:CKB2B.ORG
Created On:19-Feb-2011 07:22:42 UTC
Last Updated On:21-Apr-2011 03:51:08 UTC
Expiration Date:19-Feb-2012 07:22:42 UTC





5 comments:

  1. Hi Mila, did you attach the correct thumbs.db? This sample matching the hash above does not appear to be a valid PE.

  2. yep you are right, i fixed it now, not sure when the thumbs went bad but they did. yikes, thanks for noting.
    mila

  3. no problem, perhaps explorer replaced it. Cheers :)
