Contagio Exchange - Contagio community malware dump

Thursday, July 14, 2011

Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org

Update Jul 13. Considering that this PDF has very low detection, I decided to post some of the target domains here in case it helps them prevent or identify infections.
The non-Gmail domains included:
usjapancouncil.org, spfusa.org, vanderbilt.edu, comdt.uscg.mil, miis.edu
If you work at one of those places and must know the actual recipient, you can contact me. ~ Mila

The message, targeting experts on Japan, China and Taiwan / USA relations, was sent on July 5. The attached PDF exploits CVE-2010-2883 (2/43 on VirusTotal, encrypted) and carries a Poison Ivy (keylogging) payload that connects to pu.flower-show.org. This domain has been a Poison Ivy CnC for a while; see these posts:
Contagio | More flowers with some poison ivy - Feb. 10, 2010
F-secure | Watch Out for flower-show.org - Feb. 10, 2010
ISC | Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324 - Jan 4, 2010

Other Poison Ivy domains noted are:
pu.flower-show.org - 2011
cecon.flower-show.org - 2010
posere.flower-show.org - 2009

File Information

File name: invtation.pdf
File size : 190514 bytes
MD5   : 7c0eaf8906d631c77066e3ce17a82b73
SHA1  : 94b3114dcc8a6dae15db0bef71f5e81d494171d9
Distribution: email attachment 

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-2883
Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.

Download

Download the PDF, the dropped files and the pcap as a password-protected archive (email me if you need the password)

Automated scans

invitation.pdf
http://www.virustotal.com/file-scan/report.html?id=fe4052a92fe7902888d28fad11b9abbc5106418d95ef5d05ca8a402895e8c85d-1310101885
2011-07-08 05:11:25 (UTC)
2 /43 (4.7%)
ClamAV     0.97.0.0     2011.07.08     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     5.3.2.6     2011.07.08     PDF/Obfusc.J!Camelot
MD5   : 7c0eaf8906d631c77066e3ce17a82b73

Original message



From: Muhamad Fakhruddin bin Fauzi [mailto:pvdinh65@yahoo.com]
Sent: Tuesday, July 05, 2011 3:16 AM
xxxxxxxxxxxx
Subject: Invitation Letter

Dear Sir/Madam,
I'm greatly honored to invite you to the seminar about technology,which will be held on 28th,July.We would appreciate it if you would take your spare time to share the occasion with us.  The detail information is in the attachment. Please confirm your participation at your earlist convenience. Looking forward to your reply.Thanks very much.

Best Regards,
pvdinh

Message headers

Received: (qmail 28436 invoked from network); 5 Jul 2011 07:16:31 -0000
Received: from nm1-vm3.bullet.mail.ne1.yahoo.com (HELO nm1-vm3.bullet.mail.ne1.yahoo.com) (98.138.91.131)
  by xxxxxxxxxxxxxxx
Received: from [98.138.90.55] by nm1.bullet.mail.ne1.yahoo.com with NNFMP; 05 Jul 2011 07:16:30 -0000
Received: from [98.138.88.234] by tm8.bullet.mail.ne1.yahoo.com with NNFMP; 05 Jul 2011 07:16:30 -0000
Received: from [127.0.0.1] by omp1034.mail.ne1.yahoo.com with NNFMP; 05 Jul 2011 07:16:30 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 40737.75733.bm@omp1034.mail.ne1.yahoo.com
Received: (qmail 22207 invoked by uid 60001); 5 Jul 2011 07:16:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1309850189; bh=qpkMppxIcWPis1zYmHKjLK3vzcRE0UFTnnasOFfbkoY=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=fEUZOMnSPlt6w7mAzcRadAZn9133FwvOQa1TQVnaiRmRK9mWScOpG8P3T26P4FkFRwyahRAylVuBKj2T7gyv/i8EKKKRQEYSBztYMBu0dGgXNAoVyjEd3+8gXUFca4v4Qu6Cpy6qGKjdh/xzVqcM1dBBBVf1lm6BEi2APHDJ/9k=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type;
  b=LfzSHYHVdYSexZ03YCJKZxtRLQfDk4ERcUbPpBHcRDinA3Wppt32hdUVsP9673zWk1UAolsnbKSEtX0qFtSCP2Q8Mg5RgVe41Hju1Nz9cF8tinQt8J/39oeZqVSpMUtoDoUqU8VZVBo4rDiAsQPldwRcH8cLdCFNqBnUekgNwps=;
Received: from [112.121.171.94] by web121805.mail.ne1.yahoo.com via HTTP; Tue, 05 Jul 2011 00:16:29 PDT
X-Mailer: YahooMailClassic/14.0.3 YahooMailWebService/0.8.112.307740
Message-ID: <1309850189.20843.YahooMailClassic@web121805.mail.ne1.yahoo.com>
Date: Tue, 5 Jul 2011 00:16:29 -0700
From: Muhamad Fakhruddin bin Fauzi
Subject: Invitation Letter
To: xxxxxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1586270552-1309850189=:20843"
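As an added example (not part of the post), this parser unfolds a header block like the one above, walks the Received chain oldest-first and returns the address of the webmail submission hop, so it can be matched against the CnC indicator the post reports. SAMPLE_HEADERS is a constructed excerpt of those headers with the recipient-side hop kept redacted.

```python
import re

# Added example, not from the Contagio post. Constructed excerpt of the
# message headers shown above (the recipient-side hop stays redacted);
# IOC_IPS holds the Poison Ivy CnC address the post reports.
IOC_IPS = {"112.121.171.94"}

SAMPLE_HEADERS = """\
Received: (qmail 28436 invoked from network); 5 Jul 2011 07:16:31 -0000
Received: from nm1-vm3.bullet.mail.ne1.yahoo.com (HELO nm1-vm3.bullet.mail.ne1.yahoo.com) (98.138.91.131)
  by xxxxxxxxxxxxxxx
Received: from [98.138.90.55] by nm1.bullet.mail.ne1.yahoo.com with NNFMP; 05 Jul 2011 07:16:30 -0000
Received: from [112.121.171.94] by web121805.mail.ne1.yahoo.com via HTTP; Tue, 05 Jul 2011 00:16:29 PDT
Subject: Invitation Letter
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
FROM_IP = re.compile(r"from \[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold_headers(raw):
    """Return (name, value) pairs with RFC 5322 folded continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def received_chain(fields):
    """Received hops oldest-first, the order the message actually travelled."""
    return [v for n, v in fields if n.lower() == "received"][::-1]

def originating_ip(fields):
    """Earliest hop with 'from [ip]'; for webmail that is the 'via HTTP' hop, the browser's IP."""
    for hop in received_chain(fields):
        m = FROM_IP.search(hop)
        if m:
            return m.group(1)
    return None

def ioc_hits(fields, iocs=IOC_IPS):
    """Every address in the Received chain that matches the indicator set."""
    found = set()
    for hop in received_chain(fields):
        found.update(ip for ip in IPV4.findall(hop) if ip in iocs)
    return found
```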

112.121.171.94
Host reachable, 558 ms. average
112.121.160.0 - 112.121.191.255
Simcentric Solutions, Internet Service Provider
Hong Kong
Simcentric Solutions IP Administrator
15th Floor, CRE Building, Wan Chai
phone: +852 29976646
ipadmin@simcentric.com

 

Payload

The malicious binary is injected into EXPLORER.EXE.

Clean decoy PDF is a W4 form.

%Temp%\Adobe.pdf - W4 form (clean decoy)

Deleted files:
%Temp%\Winword.exe (same MD5 as messanger.exe)

    * C:\WINDOWS\system32\messanger - key log text
    * C:\WINDOWS\system32\messanger.exe

File: messanger.exe
Size: 8192
MD5:  F0EE1F777D1C6A009C37CBCBF81F3A5A


http://www.virustotal.com/file-scan/report.html?id=6629f89df9da7aa7413c11f95b38dc0de4c6a9605c1802937ecda565540d8d11-1310521037
messanger.exe
Submission date:
23 /43 (53.5%)
AhnLab-V3     2011.07.13.00     2011.07.12     Backdoor/Win32.Hupigon
AntiVir     7.11.11.93     2011.07.12     SPR/RAdmin.Poison.B
Avast     4.8.1351.0     2011.07.12     Win32:Malware-gen
Avast5     5.0.677.0     2011.07.12     Win32:Malware-gen
BitDefender     7.2     2011.07.13     Gen:Win32.ExplorerHijack.aiW@aq6YC6
CAT-QuickHeal     11.00     2011.07.11     Backdoor.Poison.a
ClamAV     0.97.0.0     2011.07.13     Trojan.PoisonIvy-1
Comodo     9364     2011.07.13     ApplicUnsaf.Win32.RemoteAdmin.Poisonivy.ui01
DrWeb     5.0.2.03300     2011.07.13     Trojan.DownLoader.10622
Emsisoft     5.1.0.8     2011.07.13     Backdoor.Win32.Poison!IK
F-Secure     9.0.16440.0     2011.07.13     Gen:Win32.ExplorerHijack.aiW@aq6YC6
GData     22     2011.07.13     Gen:Win32.ExplorerHijack.aiW@aq6YC6
Ikarus     T3.1.1.104.0     2011.07.13     Backdoor.Win32.Poison
Jiangmin     13.0.900     2011.07.12     Backdoor/Hupigon.xjq
Kaspersky     9.0.0.837     2011.07.13     HEUR:Trojan.Win32.Invader
McAfee-GW-Edition     2010.1D     2011.07.12     Heuristic.LooksLike.Win32.Poison.I
Microsoft     1.7000     2011.07.12     Backdoor:Win32/Poison.gen!A
NOD32     6289     2011.07.13     a variant of Win32/Poison.NEL
Norman     6.07.10     2011.07.12     W32/PoisonIvy.gen1
nProtect     2011-07-12.03     2011.07.12     Backdoor/W32.Hupigon.8192.I
Rising     23.66.00.03     2011.07.11     Backdoor.Poison.ixq

Some strings from messanger.exe

=\4@
messanger.exe
synnia
{019DF9EB-D773-AD5D-0603-080608050105}
pu.flower-show.org
ws2_32
rdgSxQc12
nZi1cM,Aw
stubPath
SOFTWARE\Classes\http\shell\open\command
SoftwARe\Microsoft\Active Setup\Installed ComPonents\
Progman
ntdll
advpaCK
advapi32
user32
ExitProcess
kernel32.dll


Traffic

Download pcap file here

Domain: pu.flower-show.org

CnC IP is the same as the sender IP: 112.121.171.94 (Simcentric Solutions, Hong Kong; whois details are listed above under the message headers)
