Wednesday, December 7, 2011

Adobe Zero Day CVE-2011-2462 - with samples




Update: Adobe released the patch yesterday and I posted a few samples below. There were several campaigns with two variants:
1) unencrypted (some are not working - see explanation below)
2) AESV3 encrypted (try Origami to decrypt these). Each posted sample is marked with its type.

CVE-2011-2462: the new Adobe zero-day files come with the same payload we saw in CVE-2010-3654 (the Adobe Flash Player zero-day vulnerability), the Sykipot trojan, using the same technique of injecting a DLL into
iexplore.exe, firefox.exe or outlook.exe and communicating with hXXps://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys over HTTPS. Brandon Dixon from 9bplus.com posted a great initial analysis of the JavaScript and payload from a file with this exploit; I am just adding a few additional details.



CVE number


CVE-2011-2462 Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.

File information

Unencrypted
File: FD778C023020A23311B68127BF7E7692_merray christmas.pdf   
Size: 293808
MD5:  FD778C023020A23311B68127BF7E7692

File: 2172079c9c4aa385624de6b4987dbc15 FY12 Per Diem Rates.pdf.pdf 
Size: 118089
MD5:  2172079C9C4AA385624DE6B4987DBC15

File: 721fda5df552f4130218ad9bd2a4ab78.pdf   ManTech Employee Satisfaction Survey.pdf
Size: 275683
MD5:  721FDA5DF552F4130218AD9BD2A4AB78

File: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9.pdf  2012 Federal Employee Pay Calendar.pdf
Size: 80577
MD5:  517FE6BA9417E6C8B4D0A0B3B9C4C9A9
---------------------------------------------------------------------------------------------
Encrypted
File: 601F8F52CEDF043EE4D3D3C83706329F_invoice.pdf
Size: 258092
MD5:  601F8F52CEDF043EE4D3D3C83706329F

File: 1E46C60E65AE9F9C9C8850372D8DA491_電子郵件資訊安全防護措施.pdf   - Email security protection measures.pdf
Size: 1201039
MD5:  1E46C60E65AE9F9C9C8850372D8DA491

File: 92e9b24f7d041c4e6e952309e352e3753a21.pdf 
Size: 711584
MD5:  7EAB072B76ABC4C3E8CBA8173C79890C

File: c095e10041da52f6434c1eb072cc570a03a8.pdf
Size: 405659
MD5:  B9872F4B6D2290DE75A7FF2874A28850




Download



Automatic scans

merray christmas.pdf  - Virustotal
Submission date:
2011-12-10 12:02:37 (UTC)
Result: 16/43 (37.2%)
AntiVir     7.11.19.57     2011.12.09     EXP/CVE-2011-2462
Avast     6.0.1289.0     2011.12.09     PDF:CVE_2011_2462 [Expl]
BitDefender     7.2     2011.12.10     Exploit.PDF-U3D.Gen
ClamAV     0.97.3.0     2011.12.10     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     5.3.2.6     2011.12.10     CVE-2011-2462!Camelot
F-Secure     9.0.16440.0     2011.12.10     Exploit.PDF-U3D.Gen
GData     22     2011.12.10     Exploit.PDF-U3D.Gen
Kaspersky     9.0.0.837     2011.12.10     Exploit.Win32.Pidief.def
McAfee-GW-Edition     2010.1E     2011.12.10     Heuristic.BehavesLike.JS.Exploit.G
Panda     10.0.3.5     2011.12.10     Exploit/PDF.Gen.B
Sophos     4.72.0     2011.12.10     Exp/20112462-A
Symantec     20111.2.0.82     2011.12.10     Bloodhound.Exploit.439
TrendMicro     9.500.0.1008     2011.12.10     HEUR_PDFEXP.B
TrendMicro-HouseCall     9.500.0.1008     2011.12.10     HEUR_PDFEXP.B
VIPRE     11229     2011.12.10     Exploit.PDF-JS.Gen (v)
MD5   : fd778c023020a23311b68127bf7e7692

FY12 Per Diem Rates.pdf  - Virustotal
Submission date:
2011-12-12 04:58:10 (UTC)
Result: 23/41 (56.1%)
AntiVir     7.11.19.61     2011.12.12     EXP/CVE-2011-2462
Avast     6.0.1289.0     2011.12.11     PDF:CVE_2011_2462 [Expl]
AVG     10.0.0.1190     2011.12.11     BackDoor.Outbreak.L
BitDefender     7.2     2011.12.12     Exploit.PDF-U3D.Gen
ClamAV     0.97.3.0     2011.12.12     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     5.3.2.6     2011.12.11     CVE-2011-2462!Camelot
Comodo     10927     2011.12.12     UnclassifiedMalware
Emsisoft     5.1.0.11     2011.12.12     Exploit.Win32.Pidief!IK
F-Secure     9.0.16440.0     2011.12.12     Exploit.PDF-U3D.Gen
GData     22     2011.12.12     Exploit.PDF-U3D.Gen
Ikarus     T3.1.1.109.0     2011.12.12     Exploit.Win32.Pidief
K7AntiVirus     9.119.5640     2011.12.09     Trojan
Kaspersky     9.0.0.837     2011.12.12     Exploit.Win32.Pidief.def
McAfee     5.400.0.1158     2011.12.12     Exploit-CVE2011-2462
McAfee-GW-Edition     2010.1E     2011.12.11     Exploit-CVE2011-2462
Norman     6.07.13     2011.12.11     CVE/2011-2462.A
Sophos     4.72.0     2011.12.12     Exp/20112462-A
Symantec     20111.2.0.82     2011.12.11     Bloodhound.Exploit.439
TrendMicro     9.500.0.1008     2011.12.12     TROJ_PIDIEF.EGG
TrendMicro-HouseCall     9.500.0.1008     2011.12.12     TROJ_PIDIEF.EGG
VIPRE     11239     2011.12.12     Exploit.PDF-JS.Gen (v)
ViRobot     2011.12.12.4820     2011.12.12     PDF.S.CVE-2011-2462.118089
VirusBuster     14.1.110.0     2011.12.11     Exploit.Pdfjsc.Gen
MD5   : 2172079c9c4aa385624de6b4987dbc15


ManTech Employee Satisfaction Survey.pdf  - Virustotal
Submission date:
2011-12-12 04:59:44 (UTC)
Result: 26 /43 (60.5%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2011.12.10.02     2011.12.11     PDF/Cve-2011-2462
AntiVir     7.11.19.61     2011.12.12     EXP/CVE-2011-2462
Avast     6.0.1289.0     2011.12.11     PDF:CVE_2011_2462 [Expl]
AVG     10.0.0.1190     2011.12.11     BackDoor.Outbreak.L
BitDefender     7.2     2011.12.12     Exploit.PDF-U3D.Gen
ClamAV     0.97.3.0     2011.12.12     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     5.3.2.6     2011.12.11     CVE-2011-2462!Camelot
Comodo     10927     2011.12.12     UnclassifiedMalware
DrWeb     5.0.2.03300     2011.12.12     Exploit.PDF.2642
Emsisoft     5.1.0.11     2011.12.12     Exploit.PDF-U3D!IK
F-Secure     9.0.16440.0     2011.12.12     Exploit.PDF-U3D.Gen
Fortinet     4.3.388.0     2011.12.12     PDF/Pidief.DEF!exploit
GData     22.304/22.569     2011.12.12     Exploit.PDF-U3D.Gen
Ikarus     T3.1.1.109.0     2011.12.12     Exploit.PDF-U3D
K7AntiVirus     9.119.5640     2011.12.09     Trojan
Kaspersky     9.0.0.837     2011.12.12     Exploit.Win32.Pidief.def
McAfee     5.400.0.1158     2011.12.12     Exploit-CVE2011-2462
McAfee-GW-Edition     2010.1E     2011.12.11     Exploit-CVE2011-2462
Norman     6.07.13     2011.12.11     CVE/2011-2462.A
Sophos     4.72.0     2011.12.12     Exp/20112462-A
Symantec     20111.2.0.82     2011.12.11     Bloodhound.Exploit.439
TrendMicro     9.500.0.1008     2011.12.12     TROJ_PIDIEF.EGG
TrendMicro-HouseCall     9.500.0.1008     2011.12.12     TROJ_PIDIEF.EGG
VIPRE     11239     2011.12.12     Exploit.PDF-JS.Gen (v)
ViRobot     2011.12.12.4820     2011.12.12     PDF.S.CVE-2011-2462.275683
VirusBuster     14.1.110.0     2011.12.11     Exploit.Pdfjsc.Gen
MD5   : 721fda5df552f4130218ad9bd2a4ab78


2012 Federal Employee Pay Calendar.pdf  - Virustotal
Submission date:
2011-12-13 04:40:34 (UTC)
Result: 30/43 (69.8%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2011.12.12.00     2011.12.12     PDF/Cve-2011-2462
AntiVir     7.11.19.74     2011.12.13     EXP/CVE-2011-2462
Avast     6.0.1289.0     2011.12.12     PDF:CVE_2011_2462 [Expl]
AVG     10.0.0.1190     2011.12.12     BackDoor.Outbreak.L
BitDefender     7.2     2011.12.13     Exploit.PDF-U3D.Gen
ClamAV     0.97.3.0     2011.12.13     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     5.3.2.6     2011.12.13     CVE-2011-2462!Camelot
Comodo     10935     2011.12.13     UnclassifiedMalware
DrWeb     5.0.2.03300     2011.12.13     Exploit.PDF.2642
Emsisoft     5.1.0.11     2011.12.13     Exploit.PDF-U3D!IK
eTrust-Vet     37.0.9620     2011.12.13     PDF/Pidief.AJL
F-Secure     9.0.16440.0     2011.12.13     Exploit:JS/CVE-2011-2462.A
Fortinet     4.3.388.0     2011.12.13     PDF/Pidief.DEF!exploit
GData     22     2011.12.13     Exploit.PDF-U3D.Gen
Ikarus     T3.1.1.109.0     2011.12.13     Exploit.PDF-U3D
K7AntiVirus     9.119.5661     2011.12.12     Trojan
Kaspersky     9.0.0.837     2011.12.13     Exploit.Win32.Pidief.def
McAfee     5.400.0.1158     2011.12.13     Exploit-CVE2011-2462
McAfee-GW-Edition     2010.1E     2011.12.12     Exploit-CVE2011-2462
NOD32     6705     2011.12.12     PDF/Exploit.CVE-2011-2462.A
Norman     6.07.13     2011.12.12     CVE/2011-2462.A
nProtect     2011-12-12.01     2011.12.12     Trojan-Exploit/W32.Pidief.80577.JUM
Rising     23.88.00.02     2011.12.12     Hack.Exploit.CVE-2011-2462.a
Sophos     4.72.0     2011.12.13     Exp/20112462-A
Symantec     20111.2.0.82     2011.12.13     Bloodhound.Exploit.439
TrendMicro     9.500.0.1008     2011.12.13     TROJ_PIDIEF.EGG
TrendMicro-HouseCall     9.500.0.1008     2011.12.13     TROJ_PIDIEF.EGG
VIPRE     11245     2011.12.13     Exploit.PDF.CVE-2011-2462 (v)
ViRobot     2011.12.13.4822     2011.12.13     PDF.S.CVE-2011-2462.80577
VirusBuster     14.1.112.0     2011.12.12     Exploit.Pdfjsc.Gen
MD5   : 517fe6ba9417e6c8b4d0a0b3b9c4c9a9


Additional info regarding the file with the non-working exploit (from SkyRecon R&D)
File: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9.pdf  2012 Federal Employee Pay Calendar.pdf
Size: 80577
MD5:  517FE6BA9417E6C8B4D0A0B3B9C4C9A9
"It will not 'work' because the PDF has been altered by someone before sending. The real size of this PDF is 80568 bytes, but someone added at the end of this PDF a string of 9 bytes ('grew'). The problem is that the shellcode embedded in this PDF checks its size before trying to drop anything; as the size is no longer 80568 but 80577, the shellcode never drops the exe or decoy PDF. So in order to get this PDF to 'work' one needs to remove the last 9 bytes of the file before opening it."
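A quick static triage of the two variants (unencrypted vs AESV3 encrypted) and of the size-check problem in the SkyRecon note, as an added example that is not code from this post or from Origami: it reports whether a PDF declares /Encrypt with an AESV3 crypt filter (so the streams cannot be read without decrypting first), whether it carries a /U3D stream, and how many bytes trail the final %%EOF. The PDF bodies below are constructed stand-ins, not the posted samples.

```python
import re

# Constructed stand-ins for the two variants (not the posted samples).
U3D_OBJ = b"2 0 obj << /Type /3D /Subtype /U3D /Length 0 >> stream\nendstream endobj\n"
PLAIN_PDF = (b"%PDF-1.6\n1 0 obj << /Type /Catalog >> endobj\n" + U3D_OBJ +
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
AESV3_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n" + U3D_OBJ +
             b"3 0 obj << /Filter /Standard /V 5 /R 5 /CF << /StdCF << /CFM /AESV3 "
             b"/AuthEvent /DocOpen /Length 32 >> >> /StmF /StdCF /StrF /StdCF >> endobj\n"
             b"trailer << /Root 1 0 R /Encrypt 3 0 R >>\n%%EOF\n")
# The SkyRecon case: 9 bytes appended after %%EOF (only 'grew' is known; the rest is constructed).
TAMPERED_PDF = PLAIN_PDF + b"grew" + b"\x00" * 5

def encryption_info(data: bytes) -> dict:
    """Does the trailer reference an /Encrypt dictionary, and which crypt filter method is declared?"""
    encrypted = re.search(rb"/Encrypt\s+\d+\s+\d+\s+R", data) is not None
    cfm = re.search(rb"/CFM\s*/(AESV3|AESV2|V2|None)\b", data)
    return {"encrypted": encrypted, "cfm": cfm.group(1).decode() if cfm else None}

def trailing_bytes_after_eof(data: bytes) -> int:
    """Bytes after the last %%EOF marker (and its line ending); -1 if no marker exists."""
    idx = data.rfind(b"%%EOF")
    if idx < 0:
        return -1
    end = idx + len(b"%%EOF")
    while end < len(data) and data[end:end + 1] in (b"\r", b"\n"):
        end += 1
    return len(data) - end

def triage(data: bytes) -> dict:
    """Static summary a defender wants before opening a suspect PDF in an analysis VM."""
    info = encryption_info(data)
    info["u3d"] = re.search(rb"/Subtype\s*/U3D\b", data) is not None
    info["size"] = len(data)
    info["trailing_bytes"] = trailing_bytes_after_eof(data)
    # AESV3 streams cannot be inspected without decrypting first (Origami handles this).
    info["needs_decryption"] = info["encrypted"] and info["cfm"] == "AESV3"
    # Extra bytes after %%EOF mean the file was modified after the exploit was built.
    info["modified_after_eof"] = info["trailing_bytes"] > 0
    return info

if __name__ == "__main__":
    for name, pdf in (("plain", PLAIN_PDF), ("aesv3", AESV3_PDF), ("tampered", TAMPERED_PDF)):
        print(name, triage(pdf))
```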




601F8F52CEDF043EE4D3D3C83706329F_invoice.pdf
Submission date:
2011-12-17 06:44:52 (UTC)
0/43 (0.0%)
MD5   : 601f8f52cedf043ee4d3d3c83706329f

1E46C60E65AE9F9C9C8850372D8DA491_電子郵件資訊安全防護措施.pdf
Submission date:
2011-12-17 06:45:36 (UTC)
MD5   : 1e46c60e65ae9f9c9c8850372d8da491

92e9b24f7d041c4e6e952309e352e3753a21.pdf
Submission date:
2011-12-17 06:59:28 (UTC)
2/43 (4.7%)
TrendMicro    9.500.0.1008    2011.12.17    TROJ_PIDIEF.RC1
TrendMicro-HouseCall    9.500.0.1008    2011.12.17    TROJ_PIDIEF.RC1
MD5   : 7eab072b76abc4c3e8cba8173c79890c

employee_AUS.pdf
Submission date:
2011-12-13 21:59:58 (UTC)
0/43 (0.0%)
MD5   : b9872f4b6d2290de75a7ff2874a28850






Payload and traffic

The clean decoy file is ManTech Employee Satisfaction Survey.pdf, as mentioned by Brandon Dixon.



The trojan has been described before and you can see analysis at
Contagio. CVE-2010-3654 Adobe Flash player zero day vulnerability
Kaspersky Lab 2010  Sykipot exploits an Adobe Flash Zero-Day


Local Settings\pretty.exe
Size: 39936
MD5:  E769A920B12D019679C43A9A4C0D7E2C

Headers Info
Time Date Stamp  4ECB430Eh 22/11/2011 06:37:02


pretty.exe
Submission date: 2011-12-07 16:33:35 (UTC)
Result: 18 /43 (41.9%)
Antivirus Version Last Update Result
AhnLab-V3 2011.12.07.00 2011.12.07 Trojan/Win32.Scar
AntiVir 7.11.19.14 2011.12.07 TR/Spy.Gen
AVG 10.0.0.1190 2011.12.07 unknown virus Win32/DH.FF83001C{40080009-00400000-00000000}
BitDefender 7.2 2011.12.07 Gen:Trojan.Heur.PT.cqW@a0iqwubb
Commtouch 5.3.2.6 2011.12.07 W32/Heuristic-KPP!Eldorado
DrWeb 5.0.2.03300 2011.12.07 BACKDOOR.Trojan
Emsisoft 5.1.0.11 2011.12.07 Backdoor.Win32.Wkysol!IK
F-Prot 4.6.5.141 2011.11.29 W32/Heuristic-KPP!Eldorado
F-Secure 9.0.16440.0 2011.12.07 Gen:Trojan.Heur.PT.cqW@a0iqwubb
GData 22 2011.12.07 Gen:Trojan.Heur.PT.cqW@a0iqwubb
Ikarus T3.1.1.109.0 2011.12.07 Backdoor.Win32.Wkysol
Kaspersky 9.0.0.837 2011.12.07 HEUR:Trojan.Win32.Invader
McAfee 5.400.0.1158 2011.12.07 Generic BackDoor.u
McAfee-GW-Edition 2010.1E 2011.12.07 Artemis!E769A920B12D
PCTools 8.0.0.5 2011.12.07 Backdoor.Sykipot
Sophos 4.71.0 2011.12.07 Mal/Dropr-C
Symantec 20111.2.0.82 2011.12.07 Backdoor.Sykipot
VBA32 3.12.16.4 2011.12.07 Trojan.Win32.Inject.2
MD5   : e769a920b12d019679c43a9a4c0d7e2c

 Local Settings\WSE4EF1.TMP 
Size: 31232
MD5:  BA7793845FE2A02187263A96E8DAAEC6
http://www.virustotal.com/file-scan/report.html?id=21d58245c495b9ed4234577fa3fb43cd4c703f38a9b5ce83aa490613168a735f-1323275543
 original name: wship4.dll

WSE4EF1.TMP
Submission date: 2011-12-07 16:32:23 (UTC)
Result: 14 /43 (32.6%)
AhnLab-V3 2011.12.07.00 2011.12.07 Backdoor/Win32.CSon
AntiVir 7.11.19.14 2011.12.07 TR/Spy.Gen
BitDefender 7.2 2011.12.07 Gen:Variant.Graftor.3624
Emsisoft 5.1.0.11 2011.12.07 Backdoor.Win32.Wkysol!IK
F-Secure 9.0.16440.0 2011.12.07 Gen:Variant.Graftor.3624
GData 22 2011.12.07 Gen:Variant.Graftor.3624
Ikarus T3.1.1.109.0 2011.12.07 Backdoor.Win32.Wkysol
McAfee 5.400.0.1158 2011.12.07 Artemis!BA7793845FE2
McAfee-GW-Edition 2010.1E 2011.12.07 Artemis!BA7793845FE2
nProtect 2011-12-07.01 2011.12.07 Gen:Variant.Graftor.3624
Panda 10.0.3.5 2011.12.06 Suspicious file
PCTools 8.0.0.5 2011.12.07 Backdoor.Sykipot
Symantec 20111.2.0.82 2011.12.07 Backdoor.Sykipot
TrendMicro-HouseCall 9.500.0.1008 2011.12.07 -
VIPRE 11215 2011.12.07 Trojan.Win32.Wisp.gen.a (v)
MD5   : ba7793845fe2a02187263a96e8daaec6

WSE4EF1.TMP can be found and extracted from the resource section of the main file PRETTY.EXE; the resource language is LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED.

The temp file WSE4EF1.TMP injected itself into the iexplore.exe process in our case, but it can also use firefox.exe and outlook.exe.
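Carving an embedded image out of a dropper like pretty.exe, as an added example that is not the post's code or any tool's: it finds every PE header in a byte blob, reads the COFF Characteristics to tell a DLL from an executable, and decodes the TimeDateStamp (the post's 4ECB430Eh decodes to 2011-11-22 06:37:02 UTC, the same date that appears in the -pretty20111122 string). It scans by signature rather than walking the resource directory, and the two images it runs on are constructed fakes, not the real files.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000   # COFF Characteristics flag
COFF_FMT = "<HHIIIHH"     # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOptHdr, Characteristics

def carve_pe_images(blob: bytes) -> list:
    """Return one dict per PE image whose MZ -> e_lfanew -> PE signature chain is consistent."""
    found, pos = [], 0
    while (pos := blob.find(b"MZ", pos)) >= 0:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Sanity-check the chain before trusting it; random data contains 'MZ' often enough.
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                machine, nsec, ts, _, _, _, chars = struct.unpack_from(COFF_FMT, blob, pe + 4)
                found.append({
                    "offset": pos,
                    "machine": machine,
                    "sections": nsec,
                    "is_dll": bool(chars & IMAGE_FILE_DLL),
                    "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
                })
        pos += 1
    return found

def make_fake_pe(characteristics: int, timestamp: int) -> bytes:
    """Constructed DOS stub + PE signature + COFF header; no sections, not loadable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\0\0" + struct.pack(COFF_FMT, 0x14C, 1, timestamp, 0, 0, 0, characteristics)

# Constructed dropper: an EXE (timestamp from the post's header info) carrying a DLL inside
# zero padding that stands in for the .rsrc section. The DLL reuses the same timestamp.
PRETTY_TS = 0x4ECB430E
OUTER_EXE = make_fake_pe(0x0102, PRETTY_TS)
EMBEDDED_DLL = make_fake_pe(0x2102, PRETTY_TS)
DROPPER = OUTER_EXE + b"\x00" * 0x200 + EMBEDDED_DLL

if __name__ == "__main__":
    for img in carve_pe_images(DROPPER):
        print(img)
```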



 

deleted_files
\Local Settings\ctfmon.exe  - same file as  pretty.exe


Strings from pretty.exe
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
www.prettylikeher.com
https://www.prettylikeher.com/asp/kys_allow_get.asp?name=
explorer.exe
pdtpretty.tmp
gdtpretty.tmp
ptpretty.tmp
gtpretty.tmp
POST
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
19990817
%s,%s,%d
Proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings
firefox
%s,%d
-pretty20111122
&hostname=
https://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys
outlook
iexplore
firefox.exe
outlook.exe
iexplore.exe
/ASP/KYS_ALLOW_PUT.ASP?TYPE=
%s,get:%s,%d
get:%s,%d
unsuccessfully!
successfully!
%s%s%s%s%s
cmd /c "
process
kill
The trojan communicates with the C&C domain on port 443:
hXXps://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys
You can download the pcap from here
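Turning the strings above into detection logic, as an added example that is not the post's code and not a published rule: it scans constructed proxy log lines for the C&C host, the kys_allow_get/put URIs and the hard-coded Firefox 3.0.7 User-Agent from the binary. The log layout (timestamp, source, method, URL, status, quoted UA) is assumed; without TLS interception a proxy only sees the CONNECT to port 443, so the host match is the signal that survives and the UA alone is treated as weak.

```python
import re

# Indicators taken from the strings section of pretty.exe on this page.
C2_HOST = "www.prettylikeher.com"
C2_URI_RE = re.compile(r"/asp/kys_allow_(get|put)\.asp\?(name|type)=", re.IGNORECASE)
SYKIPOT_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) "
              "Gecko/2009021910 Firefox/3.0.7")

# Assumed log layout: <timestamp> <src ip> <method> <url-or-host:port> <status> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
                    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def host_of(url: str) -> str:
    """Host from a full URL or from the 'host:port' form a CONNECT line carries."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].rsplit(":", 1)[0].lower()

def classify(line: str):
    """Return (severity, reasons) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    strong, weak = [], []
    if host_of(m["url"]) == C2_HOST:
        strong.append("known Sykipot C2 host")
    if C2_URI_RE.search(m["url"]):
        strong.append("kys_allow_get/put URI")
    if m["ua"] == SYKIPOT_UA:
        weak.append("hard-coded Firefox 3.0.7 UA")   # too common in 2011 to alert on alone
    severity = "high" if strong else ("low" if weak else "none")
    return severity, strong + weak

def scan(lines):
    """Lines worth an analyst's attention, keyed by their index in the input."""
    hits = {}
    for i, line in enumerate(lines):
        c = classify(line)
        if c and c[0] != "none":
            hits[i] = c
    return hits

# Constructed proxy log lines; the first two mimic what the pcap traffic would look like.
SAMPLE_LOG = [
    '2011-12-07T16:40:01Z 10.0.0.5 CONNECT www.prettylikeher.com:443 200 "' + SYKIPOT_UA + '"',
    '2011-12-07T16:40:02Z 10.0.0.5 GET https://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys 200 "' + SYKIPOT_UA + '"',
    '2011-12-07T16:39:58Z 10.0.0.5 GET http://www.yahoo.com/ 200 "' + SYKIPOT_UA + '"',
    '2011-12-07T16:41:10Z 10.0.0.9 GET https://example.org/ 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0"',
]
```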


The C&C server is running a car design front end, which seems to have been stolen from somewhere else.
prettylikeher.com
Registrant Contact:
   deng haimei
   haimei deng
   +86.07733944048 fax: +86.07733944048
   yulingshi
   guangxi guangxi 537000
   CN
RData for 71.36.88.82
ccnslc.com.     
desktop.newcarstyle.com.     
info.kimfishions.com.     
www.ccnslc.com.     
www.prettylikeher.com.    
Other domains hosted on the same IP
Domain name: imagespornfree.com
Registrant Contact:
   helan naiye
   naiye helan 
   +86.02366029085 fax: +86.02366029085
   chongqingshishanpingbei111hao
   chonqing chongqing 210000
   CN
Hosting history
Event Date     Action     Pre-Action IP     Post-Action IP
2011-11-06     New     -none-     68.167.27.215   
 Name Server History
Event Date     Action     Pre-Action Server     Post-Action Server
2011-10-10     New     -none-     Cdncenter.com
RData for
68.167.27.215
ftp.younts.com.
mail.agentsafe.com.

9 comments:

  1. It's usually infected or malware.

  2. It seems Adobe workers watch porn at work...

  3. Will you be posting your PCAP capture for download like you did with your CVE-2010-3654 posting?

  4. Oh, that's good! Could you tell me the password for the dropped files? Thank you!
     My email is: tictacwei@gmail.com

  5. Hi, could you send me the password for the cve-2011-2462droppedfilesonly.zip?
     Thanks
     wenzicishui@sohu.com

  6. Omg, people! Don't leave your addresses here, spammers will harvest them. Click on Mila - My Profile up on the right and email me.

  7. Hi, that's good! Could you tell me the password for the dropped files? Thank you!
     My email is: antivir7@gmail.com

  8. Bzzt! Thank you for playing. You are not smarter than a 3rd grader, and no, you may not have the password as you did not pass the test. :-)

     On a more serious note, Mila, the rest of us thank you for keeping up the good work.