
Sunday, October 23, 2011

Oct 23 CVE-2011-0611 PDF 2011-10-23 Gaddafi death with Taidoor

I will post a few samples without analysis. This one is CVE-2011-0611 PDF with Taidoor Trojan exploiting Gaddafi's death with outgoing connection to

Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611 Adobe Flash Player before on Windows, Mac OS X, Linux, and Solaris and and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.

General File Information

File: ATT88422.pdf
Size: 249913
MD5:  1188EA8F0D086A8860A3AAFB54A3FA76


Original Message

From: Mr.chl []
Sent: Sunday, October 23, 2011 3:36 AM
To: xxxxxxxx
Subject: Fw:卡紮菲之死讓咱們更加百感交集


From: Mr.chl [mailto: Mr.chl @]
Sent: Sunday, October 23, 2011 3:36 AM
To: xxxxxxxx
Subject: Fw: Gaddafi's death so that we more mixed feelings

Gaddafi was arrested, Gaddafi was injured, Gaddafi is dead ... On the 20th, the news from the battle of Sirte spread quickly to Misurata, reached Tripoli, and reached the whole world. Some cheered, some were sad, but some questioned the accuracy of the news ... ... After a lapse of several hours, Executive Committee Chairman Jibril of the Libyan "National Transitional Council" personally held a press conference in Tripoli, Libya ............

Message Headers

Received: (qmail 2747 invoked from network); 23 Oct 2011 07:37:08 -0000
Received: from (HELO (
  by xxxxxxxxxxxxxxx
Received: from deepin-f12c1fc0 ( [])
    by (8.14.2/8.14.2) with SMTP id p9N7Zd5x021081
    for < xxxxxxxxxxx>; Sun, 23 Oct 2011 15:37:01 +0800 (CST)
Date: Sun, 23 Oct 2011 15:35:37 +0800
From: "Mr.chl" <>
To: "xxxxxxxxxxx
Reply-To: "mi.s8597" <>
Subject: =?gb2312?B?Rnc6v6i8mbfG1q7LwNeM1NuCg7j8vNOw2bjQvbu8rw==?=
X-Priority: 3
X-GUID: DD855E25-0DA9-4004-88A5-7C652E9F02A9
X-Mailer: Foxmail[cn]
MIME-Version: 1.0
Message-ID: <>
Content-Type: multipart/mixed;

-Hinet Address
CHTD, Chunghwa Telecom Co.,Ltd.
Data-Bldg.6F, No.21, Sec.21, Hsin-Yi Rd.
Taipei Taiwan 100

Automated Scans

VT is currently down but it is CVE-2011-0611 with Taidoor

Created files

\Local Settings\VSS.exe
File: VSS.exe
Size: 22016
MD5:  6E57520AFE21C8E3E32B0BC097E765E5


GET /uxvdd.php?id=0263801911380616G0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 200 OK
Content-Length: 15
Content-Type: application/octet-stream
Connection: Close
Host reachable, 152 ms. average -
phone: +394223277
fax: +39422327852
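As an added example (not code from the original post), a small detector that parses constructed proxy log lines and flags requests shaped like the beacon above. Generalising the one observed request to "five lowercase letters + .php" and "16 digits, G, 1 digit" is an assumption made here, not a published family signature, and the hostnames are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shape of the single beacon observed in this sample:
#   GET /uxvdd.php?id=0263801911380616G0   UA: MSIE 6.0 / Windows NT 5.1 / SV1
# ASSUMPTION for this example: path = five lowercase letters + ".php",
# id = 16 digits, "G", 1 digit. This is not a family signature.
PATH_RE = re.compile(r"^/[a-z]{5}\.php$")
ID_RE = re.compile(r"^\d{16}G\d$")
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed proxy log lines: ts client method url status bytes "user-agent"
SAMPLE_LOG = """\
1319355421 10.0.0.5 GET http://c2.example.invalid/uxvdd.php?id=0263801911380616G0 200 15 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1319355430 10.0.0.7 GET http://www.example.invalid/index.php?id=42 200 5120 "Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0"
1319355441 10.0.0.5 GET http://c2.example.invalid/qwert.php?id=1122334455667788G3 200 15 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
1319355450 10.0.0.9 POST http://c2.example.invalid/qwert.php?id=1122334455667788G3 200 15 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')

def parse_line(line):
    """Return (client, method, url, user_agent) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, client, method, url, _status, _nbytes, ua = m.groups()
    return client, method, url, ua

def is_beacon(method, url, ua):
    """True when method, UA, path and id all match the observed beacon shape."""
    if method != "GET" or ua != SAMPLE_UA:
        return False
    parts = urlsplit(url)
    if not PATH_RE.match(parts.path):
        return False
    ids = parse_qs(parts.query).get("id", [])
    return len(ids) == 1 and ID_RE.match(ids[0]) is not None

def find_beacons(log_text):
    """Return [(client, url)] for every line that looks like the sample's beacon."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_beacon(*rec[1:]):
            hits.append((rec[0], rec[2]))
    return hits

if __name__ == "__main__":
    for client, url in find_beacons(SAMPLE_LOG):
        print(f"possible Taidoor-style beacon from {client}: {url}")
```

The 15-byte application/octet-stream reply seen above is a second signal worth correlating with these hits in proxy logs.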
