Monday, June 13, 2011

May 31 CVE-2010-3333 DOC President Obama's Speech.doc from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability 

  General File Information

File President Obama's Speech.doc
File Size 73891 bytes
MD5 35C33BBD97D7F5629D64153A1B3E71F1
Distribution Email Attachment

 The trojan within a word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.(I have other examples of phish mail sent via that server - pretty much everything is the same - note additional C2 ip in this post)

See others




Download

Original Message



-----Original Message-----
From: Daily News [mailto:Everyday@mail.dailynews.com]
Sent: Tuesday, May 31, 2011 9:56 AM
To: XXXXXXXXXXX
Subject: President Obama's Speech


THE PRESIDENT: Thank you. Thank you. Thank you very much. Thank you.
Please, have a seat. Thank you very much. I want to begin by thanking Hillary Clinton, who has traveled so much these last six months that she is approaching a new landmark - one million frequent flyer miles.  I count on Hillary every single day, and I believe that she will go down as one of the finest Secretaries of State in our nation's history.

The State Department is a fitting venue to mark a new chapter in American diplomacy. For six months, we have witnessed an extraordinary change taking place in the Middle East and North Africa. Square by square, town by town, country by country, the people have risen up to demand their basic human rights. Two leaders have stepped aside. More may follow. And though these countries may be a great distance from our shores, we know that our own future is bound to this region by the forces of economics and security, by history and by faith.

Today, I want to talk about this change - the forces that are driving it and how we can respond in a way that advances our values and strengthens our security.

etc... text of the speech follows..

Message Headers

Received: from mail.louisvilleheartsurgery.com (HELO ucsamd.com) (66.147.51.202)
 by xxxxxxxxxxxxxx

Received: from UCSADC1 ([192.168.20.2]) by ucsamd.com with Microsoft SMTPSVC(6.0.3790.4675);
                Tue, 31 May 2011 09:56:41 -0400
Subject: Fw:President Obama's Speech
Date: Tue, 31 May 2011 09:56:41 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000C_01CC1F78.350AAB50"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
From: "Daily News"
xxxxxxxxxxx
X-Mailer: Microsoft Outlook, Build 10.0.2627
Return-Path: Everyday@mail.dailynews.com 

Sender

IP numbers of host (1) 66.147.51.202
PTRs of IP numbers (1) mail.louisvilleheartsurgery.com
Host names sharing IP with A records (1) mail.louisvilleheartsurgery.com
A of PTR of A (1) 66.147.51.202
The sender email address was used cbricks@gmail.com , which is a spoof of gmail 
  


Automated Scans

File name: President Obama's Speech.doc
Submission date: 2011-06-14 01:29:39 (UTC)
Result: 18/ 42 (42.9%)
http://www.virustotal.com/file-scan/report.html?id=7e9be305cdf932eadf9a7fa53c9f50ae951a27ee1c0b0c583c93c814bea4be8c-1308014979
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.06.14.00 2011.06.13 Dropper/Cve-2010-3333
AntiVir 7.11.9.168 2011.06.14 EXP/CVE-2010-3333
Antiy-AVL 2.0.3.7 2011.06.13 Exploit/MSWord.CVE-2010-3333
BitDefender 7.2 2011.06.14 Exploit.RTF.Gen
ClamAV 0.97.0.0 2011.06.14 PUA.RFT.EmbeddedOLE
Commtouch 5.3.2.6 2011.06.14 CVE-2010-3333!Camelot
DrWeb 5.0.2.03300 2011.06.14 Exploit.Rtf.based
F-Secure 9.0.16440.0 2011.06.14 Exploit.RTF.Gen
Fortinet 4.2.257.0 2011.06.13 Data/CVE20103333.A!exploit
GData 22 2011.06.14 Exploit.RTF.Gen
Ikarus T3.1.1.104.0 2011.06.14 Exploit.Win32.CVE-2010
Kaspersky 9.0.0.837 2011.06.13 Exploit.MSWord.CVE-2010-3333.p
Microsoft 1.6903 2011.06.13 Exploit:Win32/CVE-2010-3333
PCTools 7.0.3.5 2011.06.10 HeurEngine.MaliciousExploit
Symantec 20111.1.0.186 2011.06.14 Bloodhound.Exploit.366
TrendMicro 9.200.0.1012 2011.06.13 Possible_ARTIEF
TrendMicro-HouseCall 9.200.0.1012 2011.06.14 Possible_ARTIEF
VIPRE 9576 2011.06.14 Exploit.MSWord.CVE-2010-3333.c (v)
MD5   : 35c33bbd97d7f5629d64153a1b3e71f1


Created files

This trojan is characterized by the traffic it generates  -


http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy - 12 char more or less constant string

 Local Settings\Temp\2.doc
 Local Settings\UPS.exe  5EA58C5F12405A4E959234134123380D 
(same file as %Temp%\~Svchost.exe  5EA58C5F12405A4E959234134123380D from May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor )
created and deleted
 Local Settings\Temp\\~dfds3.reg



2.doc - decoy clean file




Text of the document is the Obama's speech in Chinese.

The document properties
FCAA-VA Meeting
Cstro3
Lura Harrison FCAA-VA Meeting, indicating that it was created by Fairfax County Government, however, the custom tab shows KSOProductBuildVer, which means it was created using Kingsoft Office

Kingsoft Office, commonly known simply as KSO, developed by Zhuhai based Chinese software developer Kingsoft, is an alternative to Microsoft Office. The product has had a long history of development in China, where it is still sold as WPS Office. "Kingsoft Office" is the company's attempt to crack, primarily, the Western and Japanese markets. Since Kingsoft Office 2005, the user interface bears resemblance to the Microsoft Office products, and the suite reads and writes the files generated by Office in addition to its native documents. The personal edition is free for download.

~dfds3.reg
this is to achieve persistence in the system upon reboot
contents of the file:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UPS"="C:\\Documents and Settings\\mila\\Local Settings\\UPS.exe"
 

UPS.exe 5EA58C5F12405A4E959234134123380D
UPS.exe

Submission date: 2011-06-13 21:48:47 (UTC)
Result: 22/ 42 (52.4%)
http://www.virustotal.com/file-scan/report.html?id=bb40b1e17e37e0fba0f40d42d2064e97d32cb20f1fc3ea49f33781c570182196-1308001727
AhnLab-V3 2011.06.14.00 2011.06.13 Win-Trojan/Injector.17925.E
AntiVir 7.11.9.167 2011.06.13 TR/Crypt.ZPACK.Gen
Avast 4.8.1351.0 2011.06.13 Win32:Malware-gen
Avast5 5.0.677.0 2011.06.13 Win32:Malware-gen
AVG 10.0.0.1190 2011.06.13 Generic22.BYWE
BitDefender 7.2 2011.06.13 Trojan.CryptRedol.Gen.3
DrWeb 5.0.2.03300 2011.06.13 Trojan.Taidoor
F-Secure 9.0.16440.0 2011.06.13 Trojan.CryptRedol.Gen.3
Fortinet 4.2.257.0 2011.06.13 W32/Sasfis.BKXQ!tr
GData 22 2011.06.13 Trojan.CryptRedol.Gen.3
Ikarus T3.1.1.104.0 2011.06.13 Trojan.SuspectCRC
Kaspersky 9.0.0.837 2011.06.13 Trojan.Win32.Sasfis.bkxq
Microsoft 1.6903 2011.06.13 VirTool:Win32/Injector.gen!BJ
NOD32 6204 2011.06.13 Win32/TrojanDownloader.Agent.PTT
Norman 6.07.10 2011.06.13 W32/Malware.TJAQ
nProtect 2011-06-13.02 2011.06.13 Trojan.CryptRedol.Gen.3
Panda 10.0.3.5 2011.06.13 Trj/CI.A
PCTools 7.0.3.5 2011.06.10 Trojan.Gen
Rising 23.62.00.03 2011.06.13 Suspicious
Sophos 4.66.0 2011.06.13 Troj/Mdrop-DMI
Symantec 20111.1.0.186 2011.06.13 Suspicious.Cloud.5
VBA32 3.12.16.1 2011.06.13 TrojanDownloader.Rubinurd.f
MD5   : 5ea58c5f12405a4e959234134123380d

Strings excerpt

V/_z
>d/R(
ntdll.dll
NtUnmapViewOfSection
%s "%s"
exe.secivres
abcde

Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Adobe Systems, Inc.
FileDescription
Adobe? Flash? Player Installer/Uninstaller 10.1 r53
FileVersion
10,1,53,64
InternalName
Adobe? Flash? Player Installer/Uninstaller 10.1
LegalCopyright
Copyright ? 1996-2010 Adobe, Inc.
LegalTrademarks
Adobe? Flash? Player
OriginalFilename
FlashUtil.exe
ProductName
Flash? Player Installer/Uninstaller
ProductVersion
10,1,53,64
VarFileInfo
Language code of the file is displayed as English - United States en-us 1033 but the language ID is actually Chinese Simplified     (The language ID is a word integer value made up of a primary language and its sublanguage which is defined by Windows. If the resource item is “language neutral” then this value is zero.)





Traffic

CnC server  -  same  as in

SSL to / from 99.1.23.71:443  and 65.87.199.102:443
examples 

GET /fvlbk.php?id=012943191138FEBC54 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache

From threatexpert

http://99.1.23.71:443/epzkq.php?id=018399121212121212
http://99.1.23.71:443/vkreb.php?id=017322121212121212
http://65.87.199.102:443/vkreb.php?id=020437121212121212


Other examples from the previous post are
GET /wmssk.php?id=016180191138FEBC54 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache 
GET /ldtxh.php?id=011340111D30541B71 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
   
99.1.23.71 appears to be a compromised IIS server used as CnC , which belongs to  Sun Country Medical Equipment

99.1.23.64 - 99.1.23.71
SUN COUNTRY MEDICAL EQUIPMENT-080827115120
Private Address
Plano, TX 75075 United States 
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com

SBC-99-1-23-64-29-0808275145
Created: 2008-08-27
Updated: 2011-03-19
Source: whois.arin.net


65.87.199.102  - appears to be a compromised server used as CnC  - hosting webserver from Gatortech.com, hosting and small business outsource company
vortex.gatortech.com
ISP:    Synergy Networks
Organization:    Synergy Networks
Proxy:    None detected
Type:    Corporate
Assignment:    Static IP
Blacklist:   
Geolocation Information
Country:    United States us flag
State/Region:    Florida
City:    Naples
 http://www.robtex.com/ip/65.87.199.102.html

65.87.199.102 Dudleycarson.com, sarasota-gulfcoast.com, yourhometownsweethearts.com, allstarrealtytony.com, rightwaysales.com and at least 63 other hosts point to 65.87.199.102.

  From Threat expert report http://www.threatexpert.com/report.aspx?md5=5ea58c5f12405a4e959234134123380d
File System Modifications
The following file was created in the system:
#Filename(s)File SizeFile Hash
1 [file and pathname of the sample #1] 17,925 bytes MD5: 0x5EA58C5F12405A4E959234134123380D
SHA-1: 0xB5C466CB36FEA327DA8B3DAF13E3CAE5EBB05DF6
China
  • The data identified by the following URLs was then requested from the remote web server:
    • http://99.1.23.71:443/iiohf.php?id=029590121212121212
    • http://65.87.199.102:443/iiohf.php?id=024326121212121212
    • http://99.1.23.71:443/figuq.php?id=025431121212121212
    • http://65.87.199.102:443/figuq.php?id=017975121212121212
    • http://99.1.23.71:443/heisp.php?id=014218121212121212
    • http://65.87.199.102:443/heisp.php?id=013836121212121212
    • http://99.1.23.71:443/qtcbv.php?id=022665121212121212
    • http://65.87.199.102:443/qtcbv.php?id=003529121212121212
    • http://99.1.23.71:443/hlobe.php?id=004518121212121212
    • http://65.87.199.102:443/hlobe.php?id=009835121212121212
    • http://99.1.23.71:443/epzkq.php?id=018399121212121212
    • http://65.87.199.102:443/epzkq.php?id=012316121212121212
    • http://99.1.23.71:443/tlhdt.php?id=015598121212121212
    • http://65.87.199.102:443/tlhdt.php?id=026804121212121212
    • http://99.1.23.71:443/vyqld.php?id=024007121212121212
    • http://65.87.199.102:443/vyqld.php?id=008414121212121212
    • http://99.1.23.71:443/ttlvm.php?id=013126121212121212
    • http://65.87.199.102:443/ttlvm.php?id=022955121212121212
    • http://99.1.23.71:443/vocpb.php?id=011307121212121212
    • http://65.87.199.102:443/vocpb.php?id=006291121212121212
    • http://99.1.23.71:443/ixoga.php?id=008375121212121212
    • http://65.87.199.102:443/ixoga.php?id=019758121212121212
    • http://99.1.23.71:443/mrhfu.php?id=029330121212121212
    • http://65.87.199.102:443/mrhfu.php?id=010690121212121212
    • http://99.1.23.71:443/uklxd.php?id=002815121212121212
    • http://65.87.199.102:443/uklxd.php?id=008982121212121212
    • http://99.1.23.71:443/mwmco.php?id=031260121212121212
    • http://65.87.199.102:443/mwmco.php?id=028267121212121212
    • http://99.1.23.71:443/mnopi.php?id=028612121212121212
    • http://65.87.199.102:443/mnopi.php?id=023566121212121212
    • http://99.1.23.71:443/janim.php?id=006088121212121212
    • http://65.87.199.102:443/janim.php?id=030408121212121212
    • http://99.1.23.71:443/vkreb.php?id=017322121212121212
    • http://65.87.199.102:443/vkreb.php?id=020437121212121212
    • http://99.1.23.71:443/ashlg.php?id=002182121212121212
    • http://65.87.199.102:443/ashlg.php?id=016018121212121212
    • http://99.1.23.71:443/ygzad.php?id=011976121212121212
    • http://65.87.199.102:443/ygzad.php?id=020329121212121212
    • http://99.1.23.71:443/bpomm.php?id=020982121212121212
    • http://65.87.199.102:443/bpomm.php?id=002109121212121212
    • http://99.1.23.71:443/rjjoe.php?id=008994121212121212
    • http://65.87.199.102:443/rjjoe.php?id=015622121212121212
    • http://99.1.23.71:443/cslvv.php?id=028657121212121212
    • http://65.87.199.102:443/cslvv.php?id=009700121212121212
    • http://99.1.23.71:443/vghtg.php?id=002106121212121212
    • http://65.87.199.102:443/vghtg.php?id=018698121212121212
    • http://99.1.23.71:443/kbyny.php?id=010796121212121212
    • http://65.87.199.102:443/kbyny.php?id=032222121212121212
    • http://99.1.23.71:443/ypanf.php?id=017108121212121212
    • http://65.87.199.102:443/ypanf.php?id=024083121212121212
    • http://99.1.23.71:443/gmvrl.php?id=018065121212121212
    • http://65.87.199.102:443/gmvrl.php?id=003381121212121212
    • http://99.1.23.71:443/xtjan.php?id=027263121212121212
    • http://65.87.199.102:443/xtjan.php?id=010227121212121212
    • http://99.1.23.71:443/ofypv.php?id=015393121212121212
    • http://65.87.199.102:443/ofypv.php?id=023673121212121212
    • http://99.1.23.71:443/luiae.php?id=005768121212121212
    • http://65.87.199.102:443/luiae.php?id=022611121212121212
    • http://99.1.23.71:443/ksycs.php?id=024451121212121212
    • http://65.87.199.102:443/ksycs.php?id=023453121212121212
    • http://99.1.23.71:443/ydtff.php?id=025174121212121212
    • http://65.87.199.102:443/ydtff.php?id=010519121212121212
    • http://99.1.23.71:443/vskti.php?id=003464121212121212
    • http://65.87.199.102:443/vskti.php?id=030690121212121212
    • http://99.1.23.71:443/tzdhx.php?id=011630121212121212
    • http://65.87.199.102:443/tzdhx.php?id=028644121212121212
    • http://99.1.23.71:443/qgzrs.php?id=026953121212121212
    • http://65.87.199.102:443/qgzrs.php?id=002819121212121212
    • http://99.1.23.71:443/gjyxf.php?id=015749121212121212
    • http://65.87.199.102:443/gjyxf.php?id=012118121212121212
    • http://99.1.23.71:443/nhfwt.php?id=010929121212121212
    • http://65.87.199.102:443/nhfwt.php?id=003353121212121212
    • http://99.1.23.71:443/uokpr.php?id=022892121212121212
    • http://65.87.199.102:443/uokpr.php?id=016839121212121212
    • http://99.1.23.71:443/tfbop.php?id=001928121212121212
    • http://65.87.199.102:443/tfbop.php?id=019181121212121212
    • http://99.1.23.71:443/mctvb.php?id=016834121212121212
    • http://65.87.199.102:443/mctvb.php?id=020153121212121212
    • http://99.1.23.71:443/qkyqc.php?id=017507121212121212
    • http://65.87.199.102:443/qkyqc.php?id=022713121212121212
    • http://99.1.23.71:443/balzi.php?id=010407121212121212
    • http://65.87.199.102:443/balzi.php?id=001853121212121212
    • http://99.1.23.71:443/nacey.php?id=017409121212121212
    • http://65.87.199.102:443/nacey.php?id=007558121212121212
    • http://99.1.23.71:443/udgnd.php?id=000997121212121212
    • http://65.87.199.102:443/udgnd.php?id=030448121212121212
    • http://99.1.23.71:443/lwcnf.php?id=019193121212121212
    • http://65.87.199.102:443/lwcnf.php?id=013732121212121212
    • http://99.1.23.71:443/zlkqq.php?id=023888121212121212
    • http://65.87.199.102:443/zlkqq.php?id=024162121212121212
    • http://99.1.23.71:443/goydj.php?id=029390121212121212
    • http://65.87.199.102:443/goydj.php?id=006897121212121212
    • http://99.1.23.71:443/adljt.php?id=011083121212121212
    • http://65.87.199.102:443/adljt.php?id=022793121212121212
    • http://99.1.23.71:443/bzymc.php?id=017084121212121212
    • http://65.87.199.102:443/bzymc.php?id=004077121212121212
    • http://99.1.23.71:443/otcvx.php?id=020400121212121212
    • http://65.87.199.102:443/otcvx.php?id=021512121212121212
    • http://99.1.23.71:443/yjzbo.php?id=026078121212121212
    • http://65.87.199.102:443/yjzbo.php?id=018125121212121212


No comments:

Post a Comment