Pages

Wednesday, June 29, 2011

Jun 22 CVE-2011-0611 PDF-SWF "Fruits of economic growth" with revoked COMODO cert and Trojan Taidoor



Message is signed by a certificate "Issued by COMODO Client Authentication and Secure Email CA" and the certificate is revoked.
The sender address is a spoofed Gmail address of SEF News sef1941@gmail.com but it was sent from a HINET server in Taiwan, not from Gmail. The exploit used is CVE-2011-0611, with the same malicious SWF as described in the previous post Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Taidoor.
The payload is the same too Trojan Taidoor / Rubinurd (see more with Taidoor here) with CC server 213.42.74.85- Dubai, UAE

Update June 29  As screenshots of the certificate show, it was not expired. The Comodo Certificate Revocation List showed that the certificate was revoked less than 12 hours before it was sent, which means it was stolen and ready to be used while it was still valid. Perhaps it was used while still valid for a while before I got it.
Digitally signed messages are used to gain trust of the recipient. Contagio has examples of stolen valid and invalid certificates used to signed malicious binaries in order to bypass white-listing applications and other filters. Speaking of CRL, here are two articles related to web certificates.

Revocation doesn't work (18 Mar 2011) Imperial Violet
Detecting Certificate Authority compromises and web browser collusion (22 Mar 2011) Tor Blog by ioerror


Common Vulnerabilities and Exposures (CVE)number

CVE-2011-0611
Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.

 General File Information

File Name: ____________.pdf
MD5: 8E3D7FCFA89307C0D3B7951BD36B3513
File Size: 249913 bytes
Distribution: Email attachment

 File Download

 Download the original document as a password protected archive (contact me if you need the password)


  Original Message

From: SEF News [mailto:sef1941@gmail.com]
Sent: Wednesday, June 22, 2011 4:15 AM
To: leticia@trade.gov.tw
Subject: 與全民分享經濟成長的果實

與全民分享經濟成長的果實 (Google translate: All the people sharing the fruits of economic growth)

 Invalid Comodo certificate:  Certificate Issued by COMODO Client Authentication and Secure Email CA

Error:
The message contents may have been altered.
The certificate used to create this signature is on a valid Certificate Revocation List.
Signed by sef1941@gmail.com using RSA/SHA1 at 4:15:25 AM 6/22/2011.

CN = COMODO Client Authentication and Secure Email CA
O = COMODO CA Limited
L = Salford
S = Greater Manchester
C = GB

KeyID=7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b
RFC822 Name=sef1941@gmail.com

Update June 29

Revocation List showed that the certificate was revoked less that 12 hours before it was sent, which means it was stolen and ready to be used while it was still valid. Perhaps it was used while still valid for a while before I got it. 

Wed, 22 Jun 2011 16:15:25 +0800 - Message sent
Tue, 21, Jun 2011 20:55:16  - Certificate revoked (I assume it is UTC +0000 )


Here is all the info about the certificate (For Windows, download Server 2003 Admin pack and run certutil.exe to dump all the info including Certificate Revocation List URL) 

current list is here http://crl.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crl

or you can download it from here, as it will change later.

402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
X509 Certificate:
Version: 3
Serial Number: 23df4e20dc85b984c58a6bde280db1ac
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=COMODO Client Authentication and Secure Email CA
    O=COMODO CA Limited
    L=Salford
    S=Greater Manchester
    C=GB
NotBefore: 6/21/2011 8:00 PM
NotAfter: 6/21/2012 7:59 PM
Subject:
    E=sef1941@gmail.com
Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
    0000  30 82 01 0a 02 82 01 01  00 c9 06 5f 5a ee 49 39
    0010  0a c9 87 12 31 1c 7e 97  ae 01 38 36 48 9f fa 7d
    0020  e1 6d 3e 2f 88 aa af d7  5b 61 51 b2 69 21 a0 b4
    0030  31 55 07 cb a9 c7 cc 82  ca 32 7b af 44 98 be a4
    0040  20 3b 3f bc de 41 b7 c1  3b dd fd 03 2f 26 9d f3
    0050  e3 a7 3c d8 f9 68 0c 08  4e c2 ea 36 fe b4 96 c5
    0060  22 ce 2a d9 8f f5 d0 6f  f8 f6 68 f0 b7 74 d2 87
    0070  41 54 9a cf 58 2c 16 91  8f 14 84 e5 c0 0a 74 1a
    0080  d2 28 c2 95 69 db 0d 63  ea 3c d1 35 01 01 29 8e
    0090  d0 59 40 fc fb c5 b0 4d  4d 81 28 b9 f6 07 4c cd
    00a0  74 13 7d 3d dd 58 b6 df  71 af 14 19 57 7a 94 ae
    00b0  07 69 48 81 87 ea 8c 45  ea 8b 63 81 ed b9 46 e9
    00c0  10 e6 12 0b fc 42 13 ea  b5 1f c1 5e 17 fd 42 eb
    00d0  4d 6a 8b 8a b9 3f 9e 5e  7c 43 93 d5 70 d4 5a d9
    00e0  8a ed af 3c 78 53 eb 23  93 78 ac 94 e1 bb 1a 00
    00f0  53 64 9c eb 1b 9c 0d 00  0a f0 ee 74 59 f4 d1 c6
    0100  e2 35 be 84 2d ed ca 98  41 02 03 01 00 01
Certificate Extensions: 10
    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        33 88 c6 12 dc 39 35 0b 37 b7 56 c2 0e 16 26 42 80 dd 81 c5
    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)
    2.5.29.19: Flags = 1(Critical), Length = 2
    Basic Constraints
        Subject Type=End Entity
        Path Length Constraint=None
    2.5.29.37: Flags = 0, Length = 19
    Enhanced Key Usage
        Secure Email (1.3.6.1.5.5.7.3.4)
        Unknown Key Usage (1.3.6.1.4.1.6449.1.3.5.2)
    2.16.840.1.113730.1.1: Flags = 0, Length = 4
    Netscape Cert Type
        SMIME (20)
    2.5.29.32: Flags = 0, Length = 3f
    Certificate Policies
        [1]Certificate Policy:
             Policy Identifier=1.3.6.1.4.1.6449.1.2.1.1.1
             [1,1]Policy Qualifier Info:
                  Policy Qualifier Id=CPS
                  Qualifier:
                       https://secure.comodo.net/CPS
    2.5.29.31: Flags = 0, Length = 50
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=http://crl.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crl
    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 7c
    Authority Information Access
        [1]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=http://crt.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crt
        [2]Authority Info Access
             Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
             Alternative Name:
                  URL=http://ocsp.comodoca.com
    2.5.29.17: Flags = 0, Length = 15
    Subject Alternative Name
        RFC822 Name=sef1941@gmail.com
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  b5 fe 79 a5 df 8b 3f 51  0d 0a 19 af 6b 76 c5 87
    0010  6a b9 ce 2d e0 df c9 05  09 ec 8b e7 f6 f1 12 0f
    0020  6e 98 b8 31 69 b8 d0 e2  ac 56 24 d2 a3 b0 90 b8
    0030  06 18 4d d1 66 2f 4c 7e  60 27 ae c4 22 a9 a1 f0
    0040  94 bb ce ee 2a bd 5b 76  85 96 0b de 79 e9 4e f1
    0050  32 f6 34 32 05 1e e8 47  1e cf 0c a0 5d d3 e4 93
    0060  1f 69 56 44 a5 44 9d 0e  0d 7b 87 b5 72 20 01 be
    0070  a5 ec 22 de 6b 66 d8 f4  66 00 72 3d d7 a7 07 98
    0080  19 c3 5a 6e aa df c3 44  bb bb 30 a3 ca d0 09 45
    0090  47 97 a5 e7 90 b2 41 19  be 1f 3f 74 c4 b4 80 b9
    00a0  aa 81 6c b9 4f a0 7c 59  df f8 b3 35 02 51 2b df
    00b0  fc 35 bf 0b 79 d8 9a 77  fb 9f 56 2b 7c b6 b8 96
    00c0  14 20 89 0d f7 b2 b6 9c  01 d8 cd d8 7d 49 d8 02
    00d0  18 d9 ee d4 e1 c9 6c 0a  cb e1 3e 81 69 3d 2f d4
    00e0  eb e8 5c e9 7b e2 19 d8  0b cc fd a4 af c4 55 fc
    00f0  80 68 d7 79 c1 6a 7d 63  42 95 bf 9f a2 23 04 36
Non-root Certificate
Key Id Hash(sha1): 03 f7 f2 3b 11 92 32 e2 8b 05 55 6d 33 ed f1 0d 8a 91 8d e2
Subject Key Id (precomputed): 33 88 c6 12 dc 39 35 0b 37 b7 56 c2 0e 16 26 42 80 dd 81 c5
Cert Hash(md5): c8 a7 aa 7f 6e 5f fd be 40 36 45 4c fe f3 3a f0
Cert Hash(sha1): 42 2d e1 6d 46 b0 d6 e8 9c 62 7d e8 a2 28 4f de 2a 89 15 e1
CertUtil: -dump command completed successfully.
=============

Headers

Received: (qmail 1844 invoked from network); 22 Jun 2011 08:15:30 -0000
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
  by XXXXXXXXXXXXX  with SMTP; 22 Jun 2011 08:15:30 -0000
Received: from FuckYouMan (61-221-34-242.HINET-IP.hinet.net [61.221.34.242])
    by msr6.hinet.net (8.14.2/8.14.2) with SMTP id p5M8F0St022693;
    Wed, 22 Jun 2011 16:15:01 +0800 (CST)
Message-ID: <010601cc30b4$90aaa210$5c00a8c0@FuckYouMan>
From: "SEF News"
To: xxxxxxxxxxxxxxxxxxxxx
Subject: =?big5?B?u1Cl/qXBpMCoybhnwNmmqKr4qrqqR7nq?=
Date: Wed, 22 Jun 2011 16:15:25 +0800
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
    micalg=SHA1; boundary="----=_NextPart_000_00FF_01CC30F7.9854C750"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138

 Sender

61.221.34.242
61-221-34-242.hinet-ip.hinet.net
Host reachable, 283 ms. average
61.221.34.240 - 61.221.34.247
O Lien Co., Ltd.
Taipei Taiwan
TW

 

 PDF Information

Exploit used is CVE-2011-0611. The malicious SWF action script is identical to the one found in the previous message I posted. See analysis here: Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Taidoor

  Just like in  the file discussed in the post above, the file checks for Reader versions and offers to upgrade if it is below version 9

 Payload and Traffic

As expected, the payload is also identical to the message described above - see more details here

 %userprofile%\Local Settings\%Name from the list below%

List of possible names:
    Alerter.exe
    AppMgmt.exe
    CiSvc.exe
    ClipSrv.exe
    COMSysApp.exe
    dmadmin.exe
    Dot3svc.exe
    EapHost.exe
    HidServ.exe
    hkmsvc.exe
    ImapiService.exe
    Messenger.exe
    mnmsrvc.exe
    MSDTC.exe
    MSIServer.exe
    napagent.exe
    NetDDE.exe
    NetDDEdsdm.exe
    Netlogon.exe
    NtLmSsp.exe
    NtmsSvc.exe
    ose.exe
    RasAuto.exe
    RDSessMgr.exe
    RemoteAccess.exe
    rpcapd.exe
    RpcLocator.exe
    RSVP.exe
    SwPrv.exe
    SysmonLog.exe
    TlntSvr.exe
    upnphost.exe
    UPS.exe
    VSS.exe
    WmdmPmSN.exe
    Wmi.exe
    WmiApSrv.exe
    wuauserv.exe
    xmlprov.exe
 

23/42 - Virustotal on June 29, 2011 http://www.virustotal.com/file-scan/report.html?id=54003bd1025a8cadce96dea30fda16dac75e898beac10c13794204200dc3f153-1309203930 12/ 42 Virustotal on June 24, 2011  http://www.virustotal.com/file-scan/report.html?id=54003bd1025a8cadce96dea30fda16dac75e898beac10c13794204200dc3f153-1308889375

          o http://213.42.74.85/ywjfr.php?id=007164111D3048C607
          o http://213.42.74.85/cipaa.php?id=006655111D3048C607
          o http://213.42.74.85/zeits.php?id=012376111D3048C607
          o http://213.42.74.85/qqjnl.php?id=030576111D3048C607

213.42.74.85
Host reachable, 318 ms. average

213.42.74.80 - 213.42.74.95
Complease Trading LLC
P.O. Box 23351, Dubai, UAE

Wolfgang Vondracek
Complease Trading LLC
wvondrac@emirates.net.ae
phone: +971 4 3511616
fax: +971 4 3525720

COMPLEASE-EMIRNET
Updated: 12-Jun-2002
Source: whois.ripe.net

Clean PDF contents
%temp%\11.pdf

與全民分享經濟成長的果實
根據行政院主計處統計資料顯示,去(2010)年台灣經濟成長達
兩位數 10.88%,創下 24 年來的新高。另根據瑞士洛桑國際管理學院
see the rest here Yahoo News http://tw.news.yahoo.com/article/url/d/a/110629/53/2u5bp.html  or with Google Translation.

No comments:

Post a Comment