Wednesday, October 26, 2011

Oct 17 CVE-2010-2883 PDF Report on the coming Presidential Election in TW


Here is one more sample. It calls home to 112.213.126.67 (googlemail.proxydns.com).
Common Vulnerabilities and Exposures (CVE) number

CVE-2010-2883

Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.

General File Information

File: RR_111015(DRAFT).pdf
Size: 200678
MD5:  E21FD1826FA8D021C845E857BF092A90

Original Message

From: Yamagu Tikeiko [mailto:yamagu.tikeiko@yahoo.com]
Sent: Monday, October 17, 2011 12:46 PM
To: xxxxxxxxxxx
Subject: my recent report on the coming Presidential Election in TW

Hi all,

Attached is my recent report on the coming Presidential Election in TW. I like to have your points of view before the end of the week.


Thanks all,

Yamagu Tikeiko

Message Headers

Received: (qmail 16432 invoked from network); 17 Oct 2011 16:45:52 -0000
Received: from nm8-vm1.bullet.mail.sp2.yahoo.com (HELO nm8-vm1.bullet.mail.sp2.yahoo.com) (98.139.91.195)
xxxx
Received: from [98.139.91.69] by nm8.bullet.mail.sp2.yahoo.com with NNFMP; 17 Oct 2011 16:45:51 -0000
Received: from [98.139.91.11] by tm9.bullet.mail.sp2.yahoo.com with NNFMP; 17 Oct 2011 16:45:51 -0000
Received: from [127.0.0.1] by omp1011.mail.sp2.yahoo.com with NNFMP; 17 Oct 2011 16:45:51 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 267923.22950.bm@omp1011.mail.sp2.yahoo.com
Received: (qmail 31877 invoked by uid 60001); 17 Oct 2011 16:45:50 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1318869950; bh=vVR5GXwhn0xgmLGuqyZCnaSaHzDc3Y0QcL7cH/UIYN8=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type; b=g/m9g8hQG/0pEKuhmn51COxhcYG+9bIZnoIDOamJaGoFeB6yikkhKKyJhl51cm5h1VHoJ7dHeS08OWrUNKoPm+r4MGhs+EzMrwxhysV095MDaX0X2aCW3063g45L7tQT/YhCxxUkQEKyKNf7J51Kh98D/gDgStMqI1ADnTPdTmY=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
  b=xR6QzxY1l6CELvBg7I9A0ULDA/y4sv7GKwEgiCUsLpKF+27ldCY9KXu7UTqY+V3jxMB6qF4oOhhQCa2WAM6BPF4zkR9LWCoaQDjVioZkvRgvqnT6iOVPE8GPNe2b76fry2LTDWMWsl+NqDAveuuihhcVZwHpAQh+OjofQkEgb50=;
X-YMail-OSG: T1aSh6wVM1mF_hc_2mHCm3hHlqHAgILyk9FlnghdvV43H2C
 5nv_qdLSzvP9aDCfppHkmkjdv_7cJi_rzLe7ULpGRlTGwp9PWirKEQ4kA4U.
 JJoV082aB809woc6CoTtTdY7ZpwP_6NllY6Lq3LYEWitLSnr2h.5Ds.qe6mn
 fb3jREZGFvJui57wVyDopGFnZ.XEdf1B.bw0Mrx0ImtfIV9Q0FrYcM_RPwrv
 RRwgt436kzke_6Agfq5RgLGet4jerVLiZF.lqbz8BhEo93bN.wMp0EV8Ipy3
 1oLavbo9Qbv3_C5jipLJj1wgeD6MP2lGbu_3FyxrCUdKdZ3VlUrk82sacNzp
 TaRDnNWCpTx97b9VGLqA8VmQF_Ro4T.zFoB1PH_b6j_RC7sP3hkvG97MH3G_
 XIduvUZXfGIu5rQyLGUvc1L7aGKTFbLUyye4-
Received: from [64.27.23.17] by web114210.mail.gq1.yahoo.com via HTTP; Mon, 17 Oct 2011 09:45:50 PDT
X-Mailer: YahooMailWebService/0.8.114.317681
References:
Message-ID: <1318869950.31749.YahooMailNeo@web114210.mail.gq1.yahoo.com>
Date: Mon, 17 Oct 2011 09:45:50 -0700
From: Yamagu Tikeiko <yamagu.tikeiko@yahoo.com>
Reply-To: Yamagu Tikeiko <yamagu.tikeiko@yahoo.com>
Subject: my recent report on the coming Presidential Election in TW
To: xxxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="-878282960-1853156358-1318869950=:31749"
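The "Sender" entry that follows is read off the last Received line above (the webmail hop "from [64.27.23.17] ... via HTTP"), not off the From address. As an added example (my code, not part of the post), the script below does that walk mechanically: it folds the header block, walks the Received chain from the earliest hop upward, returns the first globally routable address, and checks whether the DKIM signing domain and Reply-To line up with From. The input is the post's own header block trimmed to the lines that matter (signature values and the X-YMail-OSG blob omitted, recipient redacted as on the page).

```python
import ipaddress
import re

# Header lines copied from the post above; DKIM b= and the X-YMail-OSG blob are dropped.
SAMPLE_HEADERS = """\
Received: (qmail 16432 invoked from network); 17 Oct 2011 16:45:52 -0000
Received: from nm8-vm1.bullet.mail.sp2.yahoo.com (HELO nm8-vm1.bullet.mail.sp2.yahoo.com) (98.139.91.195)
Received: from [98.139.91.69] by nm8.bullet.mail.sp2.yahoo.com with NNFMP; 17 Oct 2011 16:45:51 -0000
Received: from [98.139.91.11] by tm9.bullet.mail.sp2.yahoo.com with NNFMP; 17 Oct 2011 16:45:51 -0000
Received: from [127.0.0.1] by omp1011.mail.sp2.yahoo.com with NNFMP; 17 Oct 2011 16:45:51 -0000
Received: (qmail 31877 invoked by uid 60001); 17 Oct 2011 16:45:50 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
  h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type;
Received: from [64.27.23.17] by web114210.mail.gq1.yahoo.com via HTTP; Mon, 17 Oct 2011 09:45:50 PDT
X-Mailer: YahooMailWebService/0.8.114.317681
From: Yamagu Tikeiko <yamagu.tikeiko@yahoo.com>
Reply-To: Yamagu Tikeiko <yamagu.tikeiko@yahoo.com>
Subject: my recent report on the coming Presidential Election in TW
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_headers(raw):
    """Unfold RFC 5322 headers into an ordered list of (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:           # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def header_value(raw, name):
    for n, v in parse_headers(raw):
        if n.lower() == name.lower():
            return v
    return None

def received_hops(raw):
    """Received headers top to bottom; the bottom one is the earliest hop."""
    return [v for n, v in parse_headers(raw) if n.lower() == "received"]

def originating_ip(raw):
    """Earliest hop's first globally routable IPv4 address (skips loopback/private relays)."""
    for hop in reversed(received_hops(raw)):
        for cand in IPV4.findall(hop):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue
            if ip.is_global:
                return str(ip)
    return None

def address_domain(value):
    m = re.search(r"@([\w.-]+)", value or "")
    return m.group(1).lower() if m else None

def dkim_domain(raw):
    m = re.search(r"\bd=([^;\s]+)", header_value(raw, "DKIM-Signature") or "")
    return m.group(1).lower() if m else None

def triage(raw):
    """Summary an analyst wants before chasing the IP: origin, alignment, submission path."""
    hops = received_hops(raw)
    from_dom = address_domain(header_value(raw, "From"))
    return {
        "originating_ip": originating_ip(raw),
        "from_domain": from_dom,
        "dkim_domain": dkim_domain(raw),
        "dkim_aligned": dkim_domain(raw) == from_dom,
        "reply_to_matches_from": address_domain(header_value(raw, "Reply-To")) == from_dom,
        "webmail_submission": any("via HTTP" in h for h in hops),
        "hop_count": len(hops),
    }

if __name__ == "__main__":
    for k, v in triage(SAMPLE_HEADERS).items():
        print(f"{k:>22}: {v}")
```

Note what the aligned DKIM result does and does not say: the message really was submitted through Yahoo webmail under that account, so the signature is expected to verify; it tells you nothing about who holds the account. The only infrastructure clue is the client address of the webmail session, which is why the post resolves 64.27.23.17 to its netblock owner rather than looking at the Yahoo relays.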

Sender

64.27.23.17

64.27.0.0 - 64.27.31.255

CALPOP.COM, INC.
600 W. 7th Street
Suite 360
Los Angeles
CA
90017
United States

Automated Scans

RR_111015(DRAFT).pdf
Submission date: 2011-10-17 21:29:54 (UTC)
Result: 16/43 (37.2%)
AntiVir     7.11.16.29     2011.10.17     EXP/CVE-2010-2883.AC
Avast     6.0.1289.0     2011.10.17     JS:Pdfka-gen [Expl]
AVG     10.0.0.1190     2011.10.17     Script/Exploit
BitDefender     7.2     2011.10.17     Exploit.PDF-TTF.Gen
ClamAV     0.97.0.0     2011.10.17     PUA.Script.PDF.EmbeddedJS-1
DrWeb     5.0.2.03300     2011.10.17     Exploit.PDF.2477
eTrust-Vet     36.1.8624     2011.10.17     PDF/CVE-2010-2883.A!exploit
F-Secure     9.0.16440.0     2011.10.17     Exploit.PDF-TTF.Gen
Fortinet     4.3.370.0     2011.10.17     PDF/CoolType!exploit.CVE20102883
GData     22     2011.10.17     Exploit.PDF-TTF.Gen
Kaspersky     9.0.0.837     2011.10.17     Exploit.Win32.CVE-2010-2883.a
McAfee-GW-Edition     2010.1D     2011.10.17     Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft     1.7702     2011.10.17     Exploit:Win32/CVE-2010-2883.A
NOD32     6551     2011.10.17     PDF/CVE-2010-2883
Norman     6.07.11     2011.10.17     TTF/Exploit!CVE-2010-2883
MD5   : e21fd1826fa8d021c845e857bf092a90

Created files

Temp\spoolsv.exe
File: spoolsv.exe
Size: 155648
MD5:  132015EE7AF53863E88AFB080F0B4CC8
http://anubis.iseclab.org/?action=result&task_id=1eb450625e1508be4c184a35a99d45fb0&format=html

spoolsv.exe
Submission date: 2011-10-26 11:15:38 (UTC)
Result: 7/43 (16.3%)
AntiVir    7.11.16.146    2011.10.26    TR/Crypt.XPACK.Gen2
BitDefender    7.2    2011.10.26    Gen:Trojan.Heur.PT.jmW@aO5Q4
Emsisoft    5.1.0.11    2011.10.26    Trojan.Win32.Riern!IK
F-Secure    9.0.16440.0    2011.10.26    Gen:Trojan.Heur.PT.jmW@aO5Q4
Fortinet    4.3.370.0    2011.10.26    W32/Pincav.XGB!tr
GData    22    2011.10.26    Gen:Trojan.Heur.PT.jmW@aO5Q4
Ikarus    T3.1.1.107.0    2011.10.26    Trojan.Win32.Riern
MD5   : 132015ee7af53863e88afb080f0b4cc8

Traffic

googlemail.proxydns.com

112.213.126.67

112.213.126.0 - 112.213.126.255

NOC.HK
Email: IDC@NOC.HK
Ken Chan
iprs.snl@gmail.com
7/F, TRANS ASIA CTR
18 KIN HONG ST, KWAI CHUNG
phone: +852 2125 0455

Reverse IP Lookup Results—6 domains hosted on IP address 112.213.126.67

86349.com
79349.com
64956.com
64269.com
63709.com
45529.com

Whois for 86349.com:
Registrant:
   gudong da
   pudongxinqu15555hao
   shanghai, shanghai 200120
   China

   Domain Name: 86349.COM
      Created on: 14-Apr-11
      Expires on: 14-Apr-12
      Last Updated on: 14-Apr-11

   Administrative Contact:
      da, gudong
      pudongxinqu15555hao
      shanghai, shanghai 200120
      China
      006      Fax --