
Tuesday, June 28, 2011

Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Trojan Taidoor


-- This message came from a compromised account on mail.ppboces.org, the mail server for Pikes Peak Board of Cooperative Educational Services in Colorado Springs, CO. It has two attachments exploiting CVE-2011-0611.
-- The payload is Trojan Taidoor / Rubinurd, a trojan frequently used in targeted attacks (see more on Taidoor here). For attribution reasons, I would like to know whether this is a private custom trojan or something commercial and thus used by more than one group of attackers. If you happen to know, let me know. The PDF and the payload have Chinese language in the file metadata and code.
-- The C&C IP addresses are 62.38.148.117 (ports 443, 80) - Hellas On Line S.A., Greece, Attiki, and 64.167.26.66 (port 80) - SBC Internet Services, Costa Mesa, CA.


Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611
Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.

General File information

File Name: 90-2011 Robert Beckman.pdf
MD5: 6fdc8f02e7f649a6c0d2a72e421a5bf9
File size: 249913 bytes
Distribution: Email attachment

File Name: 91-2011 Sam Bateman.pdf
MD5: 6fdc8f02e7f649a6c0d2a72e421a5bf9
File size: 249913 bytes

Download

Original Message



From: Hxxxxxxxx, Mxxxxxxxx (xxxxxxxxx) [mailto:mhxxxxxxxxxxxx@ppboces.org]
Sent: Monday, June 27, 2011 8:46 AM
To: dothanhhai80@gmail.com
Subject: Two Views On The South China Sea

Dear all,

1. We are pleased to attach for your reading pleasure two views on the South China Sea.

2. Synopsis I: Robert Beckman on the South China Sea: Worsening Dispute or Growing Clarity in Claims?

In May 2009 Malaysia and Vietnam made submissions to extend their continental shelves beyond 200 nautical miles into the South China Sea, and China objected to their submissions. While adding a layer of complexity to the South China Sea disputes, the submissions and objections also clarified the claims of the competing states.

3. Synopsis 2: Sam Bateman on the South China Sea: When the Elephants Dance.

The situation in the South China Sea has deteriorated recently. The three key players -- China, the United States and Vietnam -- can all accept some responsibility for the deterioration and should now mediate their differences.

xxxxxxxxxxxxx
Executive Assistant to Archie Neil
Pikes Peak BOCES
4825 Lorna  Place
Colorado Springs, CO 80915
719-622-2089
719-380-9685 fax

Message Headers

Received: (qmail 12816 invoked from network); 27 Jun 2011 12:46:08 -0000
Received: from 63-253-126-17.ip.mcleodusa.net (HELO MAIL.PPBOCES.ORG) (63.253.126.17)
  by xxxxxxxxx with SMTP; 27 Jun 2011 12:46:08 -0000
Return-Path: mhxxxxxxs@ppboces.org
X-Envelope-From: mhxxxxxxxxx@ppboxxxxxxxxx

Received: From bocesex01.ppboces.local (172.18.0.20) by MAIL.PPBOCES.ORG (MAILFOUNDRY) id +zJm6qC8EeCuLQAw; Mon, 27 Jun 2011 12:57:15 -0000 (GMT)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_001_01CC34C8.AD469615"
Subject: Two Views On The South China Sea
Date: Mon, 27 Jun 2011 06:45:59 -0600
Message-ID: <92E09D8019C5384A97503350032F27AC01C6F84B@bocesex01.ppboces.local>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Two Views On The South China Sea
Thread-Index: AcwZipt/3F+WVOQ6Rh2SHXBf8g3DNgbPY69E
References: <92E09D8019C5384A97503350032F27AC0170C2C7@bocesex01.ppboces.local>
From: xxxxxxxxxx@ppboces.org
To:


63.253.126.17

Mail.ppboces.org points to 63.253.126.17. Miamiyoder.org, calhanschool.org and ppboces.org use this as a mail server.

Hostname:    63-253-126-17.ip.mcleodusa.net
ISP:    PaeTec Communications
Organization:    PIKES PEAK BOCES
Type:    Corporate
Assignment:    Static IP
Country:    United States
State/Region:    Colorado
City:    Colorado Springs

This appears to be a compromised account on Mail.ppboces.org.


Automated Scans

90-2011 Robert Beckman.pdf
http://www.virustotal.com/file-scan/report.html?id=1a685fae2093096e96b9a41a6aa57320008208b7d8a7e39dcf834146cbc5b5e6-1309229502
Submission date: 2011-06-28 02:51:42 (UTC)
Result: 8 /41 (19.5%)
Avast5 5.0.677.0 2011.06.27 SWF:Dropper
BitDefender 7.2 2011.06.28 Script.SWF.C06
Commtouch 5.3.2.6 2011.06.28 JS/Pdfka.V
eTrust-Vet 36.1.8411 2011.06.28 PDF/CVE-2010-1297.B!exploit
GData 22 2011.06.28 Script.SWF.C06
Microsoft 1.7000 2011.06.27 Exploit:SWF/Shellcode.B
nProtect 2011-06-27.01 2011.06.27 Script.SWF.C06
VirusBuster 14.0.98.0 2011.06.27 Exploit.SWF.Agent2.CGJE
MD5   : a755f5b7bd80091561298d971a8f111d

91-2011 Sam Bateman.pdf
http://www.virustotal.com/file-scan/report.html?id=9bf9677524b519fc1dbc5455f78afce3dfecc1477f52874f3a6272e6eae7bb4b-1309274223
MD5   : 6fdc8f02e7f649a6c0d2a72e421a5bf9
File size : 249913 bytes

PDF information


This appears to be CVE-2011-0611; please correct me if I am wrong and it is CVE-2011-0609.

I used:
Didier Stevens' PDF-Parser.py for dumping uncompressed raw data
pySwfCarve.py by Giuseppe Bonfa for carving out the SWF
Trillix flash decompiler for decompiling the Flash (make sure your VM is patched)
PE Explorer for the binary

File metadata
The string in Chinese means: "Untitled"



The file checks for Reader versions and offers to upgrade if it is below version 9


Malicious pdf executed on a vulnerable version of Adobe Reader
 

The extracted and decompiled Flash file is below; you can see the full ActionScript here:
http://pastebin.com/GMQG9gi4


Payload


Trojan Taidoor - also featured in

This trojan is characterized by the traffic it generates:


http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy, where
aaaaa is a host or domain
bbbbb is a 5-character string
xxxxxx is a 6-character changing string
yyyyyyyyyyyy is a 12-character, more or less constant string
Dropped file location: Local Settings\<one of the names listed below>
File: COMSysApp.exe
Size: 22016
MD5:  17A6E614E2C95390C60C714F340214F7
List of possible names:
    Alerter.exe
    AppMgmt.exe
    CiSvc.exe
    ClipSrv.exe
    COMSysApp.exe
    dmadmin.exe
    Dot3svc.exe
    EapHost.exe
    HidServ.exe
    hkmsvc.exe
    ImapiService.exe
    Messenger.exe
    mnmsrvc.exe
    MSDTC.exe
    MSIServer.exe
    napagent.exe
    NetDDE.exe
    NetDDEdsdm.exe
    Netlogon.exe
    NtLmSsp.exe
    NtmsSvc.exe
    ose.exe
    RasAuto.exe
    RDSessMgr.exe
    RemoteAccess.exe
    rpcapd.exe
    RpcLocator.exe
    RSVP.exe
    SwPrv.exe
    SysmonLog.exe
    TlntSvr.exe
    upnphost.exe
    UPS.exe
    VSS.exe
    WmdmPmSN.exe
    Wmi.exe
    WmiApSrv.exe
    wuauserv.exe
    xmlprov.exe
ClipSrv.exe - or any of the names above
http://www.virustotal.com/file-scan/report.html?id=e9c041225b56260851f75528bdf4b635c8974d6e5fe87b119e448a542354b2fc-1309274036

Submission date: 2011-06-28 15:13:56 (UTC)

Result: 14/ 42 (33.3%)
Antivirus Version Last Update Result
AhnLab-V3 2011.06.28.02 2011.06.28 Backdoor/Win32.CSon
AntiVir 7.11.10.137 2011.06.28 TR/Hijacker.Gen
AVG 10.0.0.1190 2011.06.28 Generic23.UVP
BitDefender 7.2 2011.06.28 Gen:Trojan.Heur.TP.bq1@b0OVqSkb
DrWeb 5.0.2.03300 2011.06.28 Trojan.Taidoor
F-Secure 9.0.16440.0 2011.06.28 Gen:Trojan.Heur.TP.bq1@b0OVqSkb
GData 22 2011.06.28 Gen:Trojan.Heur.TP.bq1@b0OVqSkb
Ikarus T3.1.1.104.0 2011.06.28 Trojan.SuspectCRC
Kaspersky 9.0.0.837 2011.06.28 HEUR:Trojan.Win32.Generic
McAfee 5.400.0.1158 2011.06.28 -
Microsoft 1.7000 2011.06.28 VirTool:Win32/Injector.gen!BJ
NOD32 6246 2011.06.28 a variant of Win32/Injector.HET
Norman 6.07.10 2011.06.28 W32/Obfuscated.JA
Rising 23.64.01.03 2011.06.28 Suspicious
VBA32 3.12.16.3 2011.06.28 TrojanDownloader.Rubinurd.f
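A host-side check for the drop pattern described above, as an added example that is not the post's own code. It uses the file names from the list, the Local Settings drop location and the COMSysApp.exe MD5 from this post; the process listing fed into it is constructed. The point it demonstrates is that several names on the list (MSDTC.exe, ClipSrv.exe, NetDDE.exe, UPS.exe and others) also belong to genuine Windows binaries in system32, so the name by itself proves nothing; name plus a user-profile location, or a hash match, is what should be flagged.

```python
"""Triage a process listing for Taidoor-style dropped binaries.

Added example for this post, not code from the post. The name list, the
"Local Settings" drop location and the known-bad MD5 come from the post; the
process listing and its hash values are constructed for this example.
"""
import hashlib

# File names the post lists as possible names of the dropped binary (case-insensitive)
TAIDOOR_NAMES = {n.lower() for n in """
Alerter.exe AppMgmt.exe CiSvc.exe ClipSrv.exe COMSysApp.exe dmadmin.exe Dot3svc.exe
EapHost.exe HidServ.exe hkmsvc.exe ImapiService.exe Messenger.exe mnmsrvc.exe MSDTC.exe
MSIServer.exe napagent.exe NetDDE.exe NetDDEdsdm.exe Netlogon.exe NtLmSsp.exe NtmsSvc.exe
ose.exe RasAuto.exe RDSessMgr.exe RemoteAccess.exe rpcapd.exe RpcLocator.exe RSVP.exe
SwPrv.exe SysmonLog.exe TlntSvr.exe upnphost.exe UPS.exe VSS.exe WmdmPmSN.exe Wmi.exe
WmiApSrv.exe wuauserv.exe xmlprov.exe
""".split()}

# MD5 of the COMSysApp.exe sample given in the post
KNOWN_BAD_MD5 = {"17a6e614e2c95390c60c714f340214f7"}

# Constructed listing: (image name, full path, MD5 of the image on disk)
# The first two and the last one are stand-ins for benign processes.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\WINDOWS\system32\svchost.exe", "constructed-md5-1"),
    ("msdtc.exe", r"C:\WINDOWS\system32\msdtc.exe", "constructed-md5-2"),
    ("COMSysApp.exe", r"C:\Documents and Settings\user\Local Settings\COMSysApp.exe",
     "17A6E614E2C95390C60C714F340214F7"),
    ("ClipSrv.exe", r"C:\Documents and Settings\user\Local Settings\ClipSrv.exe",
     "constructed-md5-3"),
    ("notepad.exe", r"C:\Documents and Settings\user\Local Settings\Temp\notepad.exe",
     "constructed-md5-4"),
]


def file_md5(path):
    """MD5 of a file on disk, for feeding a real listing into classify()."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name, path, md5=None):
    """Return (level, reason) for one process; level is None when nothing matches."""
    lname, lpath = name.lower(), path.lower()
    if md5 and md5.lower() in KNOWN_BAD_MD5:
        return "high", "hash matches the Taidoor sample from the post"
    if lname not in TAIDOOR_NAMES:
        return None, ""
    # The post places the dropped file directly under Local Settings
    if "\\local settings\\" in lpath:
        return "high", "listed file name running from Local Settings"
    if "\\windows\\system32\\" not in lpath:
        return "medium", "listed file name outside system32"
    return "low", "name on the list but in system32 (likely the genuine Windows binary)"


def triage(processes):
    """Apply classify() to a listing and return only the hits, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = []
    for name, path, md5 in processes:
        level, reason = classify(name, path, md5)
        if level:
            hits.append((level, name, path, reason))
    return sorted(hits, key=lambda h: order[h[0]])


if __name__ == "__main__":
    for level, name, path, reason in triage(SAMPLE_PROCESSES):
        print(f"[{level}] {name} {path} : {reason}")
```

On a live system the listing would come from a process or file enumeration and file_md5() would supply the hash; the "low" tier exists so that genuine system32 binaries with a listed name are visible for a second look rather than silently dropped.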

Strings from the binary - also similar to other samples from the posts above
d{bw
ntdll.dll
NtUnmapViewOfSection
host.exe "
vices.exe "
%ProgramFiles%\Mcafee
GetModuleFileNameA
kernel32.dll
abcde
The language code of the file is displayed as English - United States (en-us, 1033), but the language ID is actually Chinese Simplified. (The language ID is a word integer value made up of a primary language and its sublanguage, as defined by Windows. If the resource item is "language neutral" then this value is zero.)

Other files
File: 11.pdf 
Size: 192815
MD5:  7BBE0534746D66FD012CF81219AE27A1
C:\WINDOWS\system32\d3d8caps.dat
File: d3d8caps.dat
Size: 768
MD5:  8C83D908E75F6B6971C7602CF2D26C1A

C:\WINDOWS\system32\d3d9caps.dat
File: d3d9caps.dat
Size: 664
MD5:  B168F0FF0AF0292CB32DF1770A7DE164

<location of the PDF>\iso88591
File: iso88591
Size: 65536
MD5:  2EBA9C4FDEA2741821A836D2A325D5A5

Traffic

TCP View

Hostname:    adsl-64-167-26-66.dsl.lsan03.pacbell.net
ISP:    SBC Internet Services
Organization:    SBC Internet Services
Country:    United States
State/Region:    California
City:    Costa Mesa


Hostname:    static062038148117.dsl.hol.gr
ISP:    Hellas On Line S.A.
Organization:    Hellas On Line S.A.
Country:    Greece
State/Region:    Attiki


GET /glsma.php?id=0141281911380G7603 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 62.38.148.117:443
Connection: Keep-Alive
Cache-Control: no-cache
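The URL pattern described under Payload and the captured GET above (plain HTTP sent to port 443, which a real HTTPS client never does) together make a usable proxy-log detection. The script below is an added example, not code from the post: the log format and every line in SAMPLE_PROXY_LOG are constructed, the two C&C URLs in it are the ones from this post, and the scoring thresholds are my own choice. It goes slightly beyond the post by scoring each hit on the shape, the port misuse and the use of a bare IP address as host, because a 5-letter .php script with an 18-character id is not rare on benign sites.

```python
"""Hunt for Taidoor-style beacons in web proxy logs.

Added example for this post, not code from the post. Encodes the URL shape
http://<host>/<5 chars>.php?id=<6 changing chars><12 roughly constant chars>
and the plaintext-HTTP-on-443 request seen in the capture. Log format and all
sample lines are constructed; the C&C URLs are the ones from the post.
"""
import re
from collections import defaultdict

# Constructed record format: "<time> <client> <server>:<port> <method> <url>"
SAMPLE_PROXY_LOG = """\
2011-06-28T15:10:01 10.0.0.15 99.1.23.71:80 GET http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
2011-06-28T15:10:31 10.0.0.15 62.38.148.117:443 GET http://62.38.148.117:443/glsma.php?id=0141281911380G7603
2011-06-28T15:11:02 10.0.0.15 62.38.148.117:443 GET http://62.38.148.117:443/glsma.php?id=0141291911380G7603
2011-06-28T15:11:05 10.0.0.22 93.184.216.34:80 GET http://www.example.com/index.php?id=0123456789abcdefgh
2011-06-28T15:11:09 10.0.0.22 93.184.216.34:80 GET http://www.example.com/about.html
"""

# 5-char lowercase script name, 18-char id split into 6 variable + 12 constant chars
BEACON_RE = re.compile(
    r"^https?://(?P<host>[^/:]+)(?::\d+)?/(?P<script>[a-z]{5})\.php"
    r"\?id=(?P<var>[0-9A-Za-z]{6})(?P<const>[0-9A-Za-z]{12})$"
)
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Split one constructed proxy record into its fields."""
    ts, client, server, method, url = line.split()
    host, _, port = server.rpartition(":")
    return {"ts": ts, "client": client, "server": host, "port": int(port),
            "method": method, "url": url}


def score_record(rec):
    """Return (score, reasons, match); score 0 means the URL does not have the shape."""
    m = BEACON_RE.match(rec["url"])
    if not m:
        return 0, [], None
    score, reasons = 1, ["5-char .php script with 18-char id (Taidoor shape)"]
    # The captured beacon speaks plain HTTP to tcp/443 instead of TLS
    if rec["port"] == 443 and rec["url"].startswith("http://"):
        score += 1
        reasons.append("plaintext HTTP to tcp/443")
    # Both C&C hosts in the post are bare IP addresses rather than names
    if RAW_IP_RE.match(m["host"]):
        score += 1
        reasons.append("raw IP address as host")
    return score, reasons, m


def find_beacons(log_text, min_score=2):
    """Return records scoring at least min_score; shape alone (score 1) is left out by
    default because benign sites produce that shape too."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        score, reasons, m = score_record(rec)
        if score >= min_score:
            hits.append({**rec, "c2_host": m["host"], "script": m["script"],
                         "id_var": m["var"], "id_const": m["const"],
                         "score": score, "reasons": reasons})
    return hits


def constant_tail_by_host(hits):
    """Group the 12-char id tail per C&C host. A tail that stays the same across
    requests is the 'more or less constant' part the post describes and is a
    better indicator than the whole id."""
    tails = defaultdict(set)
    for h in hits:
        tails[h["c2_host"]].add(h["id_const"])
    return {host: sorted(t) for host, t in tails.items()}


if __name__ == "__main__":
    found = find_beacons(SAMPLE_PROXY_LOG)
    for h in found:
        print(h["ts"], h["client"], "->", h["c2_host"], h["url"],
              "score", h["score"], ";", "; ".join(h["reasons"]))
    print(constant_tail_by_host(found))
```

With the default threshold the decoy index.php line is dropped even though it has the right shape, while the 99.1.23.71 request scores 2 (shape plus raw IP) and both 62.38.148.117 requests score 3. Lowering min_score to 1 turns the script into a broad sweep for review rather than an alert.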

