Update: Adobe released the patch yesterday and I posted a few samples below. There were several campaigns with two variants:
1) unencrypted (some are not working - see explanation below)
2) AESV3 encrypted (try Origami to decrypt these). Each posted sample is marked by its type.
CVE-2011-2462: the new Adobe zero-day files come with the same payload we saw in CVE-2010-3654 (the Adobe Flash Player zero-day vulnerability), the Sykipot trojan, using the same technique of injecting a DLL into iexplore.exe, firefox.exe or outlook.exe and communicating with hXXps://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys over HTTPS. Brandon Dixon from 9bplus.com posted a great initial analysis of the JavaScript and payload from a file with this exploit; I am just adding a few additional details.
CVE number
CVE-2011-2462 Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.
File information
Unencrypted
File: FD778C023020A23311B68127BF7E7692_merray christmas.pdf
Size: 293808
MD5: FD778C023020A23311B68127BF7E7692
File: 2172079c9c4aa385624de6b4987dbc15 FY12 Per Diem Rates.pdf.pdf
Size: 118089
MD5: 2172079C9C4AA385624DE6B4987DBC15
File: 721fda5df552f4130218ad9bd2a4ab78.pdf ManTech Employee Satisfaction Survey.pdf
Size: 275683
MD5: 721FDA5DF552F4130218AD9BD2A4AB78
File: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9.pdf 2012 Federal Employee Pay Calendar.pdf
Size: 80577
MD5: 517FE6BA9417E6C8B4D0A0B3B9C4C9A9
---------------------------------------------------------------------------------------------
Encrypted
File: 601F8F52CEDF043EE4D3D3C83706329F_invoice.pdf
Size: 258092
MD5: 601F8F52CEDF043EE4D3D3C83706329F
File: 1E46C60E65AE9F9C9C8850372D8DA491_電子郵件資訊安全防護措施.pdf - Email security protection measures.pdf
Size: 1201039
MD5: 1E46C60E65AE9F9C9C8850372D8DA491
File: 92e9b24f7d041c4e6e952309e352e3753a21.pdf
Size: 711584
MD5: 7EAB072B76ABC4C3E8CBA8173C79890C
File: c095e10041da52f6434c1eb072cc570a03a8.pdf
Size: 405659
MD5: B9872F4B6D2290DE75A7FF2874A28850
Automatic scans
merray christmas.pdf - Virustotal
Submission date: 2011-12-10 12:02:37 (UTC)
Result: 16 /43 (37.2%)
Antivirus Version Last Update Result
AntiVir 7.11.19.57 2011.12.09 EXP/CVE-2011-2462
Avast 6.0.1289.0 2011.12.09 PDF:CVE_2011_2462 [Expl]
BitDefender 7.2 2011.12.10 Exploit.PDF-U3D.Gen
ClamAV 0.97.3.0 2011.12.10 PUA.Script.PDF.EmbeddedJavaScript
Commtouch 5.3.2.6 2011.12.10 CVE-2011-2462!Camelot
F-Secure 9.0.16440.0 2011.12.10 Exploit.PDF-U3D.Gen
GData 22 2011.12.10 Exploit.PDF-U3D.Gen
Kaspersky 9.0.0.837 2011.12.10 Exploit.Win32.Pidief.def
McAfee-GW-Edition 2010.1E 2011.12.10 Heuristic.BehavesLike.JS.Exploit.G
Panda 10.0.3.5 2011.12.10 Exploit/PDF.Gen.B
Sophos 4.72.0 2011.12.10 Exp/20112462-A
Symantec 20111.2.0.82 2011.12.10 Bloodhound.Exploit.439
TrendMicro 9.500.0.1008 2011.12.10 HEUR_PDFEXP.B
TrendMicro-HouseCall 9.500.0.1008 2011.12.10 HEUR_PDFEXP.B
VIPRE 11229 2011.12.10 Exploit.PDF-JS.Gen (v)
MD5 : fd778c023020a23311b68127bf7e7692
FY12 Per Diem Rates.pdf - Virustotal
Submission date: 2011-12-12 04:58:10 (UTC)
Result: 23 /41 (56.1%)
Antivirus Version Last Update Result
AntiVir 7.11.19.61 2011.12.12 EXP/CVE-2011-2462
Avast 6.0.1289.0 2011.12.11 PDF:CVE_2011_2462 [Expl]
AVG 10.0.0.1190 2011.12.11 BackDoor.Outbreak.L
BitDefender 7.2 2011.12.12 Exploit.PDF-U3D.Gen
ClamAV 0.97.3.0 2011.12.12 PUA.Script.PDF.EmbeddedJavaScript
Commtouch 5.3.2.6 2011.12.11 CVE-2011-2462!Camelot
Comodo 10927 2011.12.12 UnclassifiedMalware
Emsisoft 5.1.0.11 2011.12.12 Exploit.Win32.Pidief!IK
F-Secure 9.0.16440.0 2011.12.12 Exploit.PDF-U3D.Gen
GData 22 2011.12.12 Exploit.PDF-U3D.Gen
Ikarus T3.1.1.109.0 2011.12.12 Exploit.Win32.Pidief
K7AntiVirus 9.119.5640 2011.12.09 Trojan
Kaspersky 9.0.0.837 2011.12.12 Exploit.Win32.Pidief.def
McAfee 5.400.0.1158 2011.12.12 Exploit-CVE2011-2462
McAfee-GW-Edition 2010.1E 2011.12.11 Exploit-CVE2011-2462
Norman 6.07.13 2011.12.11 CVE/2011-2462.A
Sophos 4.72.0 2011.12.12 Exp/20112462-A
Symantec 20111.2.0.82 2011.12.11 Bloodhound.Exploit.439
TrendMicro 9.500.0.1008 2011.12.12 TROJ_PIDIEF.EGG
TrendMicro-HouseCall 9.500.0.1008 2011.12.12 TROJ_PIDIEF.EGG
VIPRE 11239 2011.12.12 Exploit.PDF-JS.Gen (v)
ViRobot 2011.12.12.4820 2011.12.12 PDF.S.CVE-2011-2462.118089
VirusBuster 14.1.110.0 2011.12.11 Exploit.Pdfjsc.Gen
MD5 : 2172079c9c4aa385624de6b4987dbc15
ManTech Employee Satisfaction Survey.pdf - Virustotal
Submission date: 2011-12-12 04:59:44 (UTC)
Result: 26 /43 (60.5%)
Antivirus Version Last Update Result
AhnLab-V3 2011.12.10.02 2011.12.11 PDF/Cve-2011-2462
AntiVir 7.11.19.61 2011.12.12 EXP/CVE-2011-2462
Avast 6.0.1289.0 2011.12.11 PDF:CVE_2011_2462 [Expl]
AVG 10.0.0.1190 2011.12.11 BackDoor.Outbreak.L
BitDefender 7.2 2011.12.12 Exploit.PDF-U3D.Gen
ClamAV 0.97.3.0 2011.12.12 PUA.Script.PDF.EmbeddedJavaScript
Commtouch 5.3.2.6 2011.12.11 CVE-2011-2462!Camelot
Comodo 10927 2011.12.12 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.12.12 Exploit.PDF.2642
Emsisoft 5.1.0.11 2011.12.12 Exploit.PDF-U3D!IK
F-Secure 9.0.16440.0 2011.12.12 Exploit.PDF-U3D.Gen
Fortinet 4.3.388.0 2011.12.12 PDF/Pidief.DEF!exploit
GData 22.304/22.569 2011.12.12 Exploit.PDF-U3D.Gen
Ikarus T3.1.1.109.0 2011.12.12 Exploit.PDF-U3D
K7AntiVirus 9.119.5640 2011.12.09 Trojan
Kaspersky 9.0.0.837 2011.12.12 Exploit.Win32.Pidief.def
McAfee 5.400.0.1158 2011.12.12 Exploit-CVE2011-2462
McAfee-GW-Edition 2010.1E 2011.12.11 Exploit-CVE2011-2462
Norman 6.07.13 2011.12.11 CVE/2011-2462.A
Sophos 4.72.0 2011.12.12 Exp/20112462-A
Symantec 20111.2.0.82 2011.12.11 Bloodhound.Exploit.439
TrendMicro 9.500.0.1008 2011.12.12 TROJ_PIDIEF.EGG
TrendMicro-HouseCall 9.500.0.1008 2011.12.12 TROJ_PIDIEF.EGG
VIPRE 11239 2011.12.12 Exploit.PDF-JS.Gen (v)
ViRobot 2011.12.12.4820 2011.12.12 PDF.S.CVE-2011-2462.275683
VirusBuster 14.1.110.0 2011.12.11 Exploit.Pdfjsc.Gen
MD5 : 721fda5df552f4130218ad9bd2a4ab78
2012 Federal Employee Pay Calendar.pdf - Virustotal
Submission date: 2011-12-13 04:40:34 (UTC)
Result: 30 /43 (69.8%)
Antivirus Version Last Update Result
AhnLab-V3 2011.12.12.00 2011.12.12 PDF/Cve-2011-2462
AntiVir 7.11.19.74 2011.12.13 EXP/CVE-2011-2462
Avast 6.0.1289.0 2011.12.12 PDF:CVE_2011_2462 [Expl]
AVG 10.0.0.1190 2011.12.12 BackDoor.Outbreak.L
BitDefender 7.2 2011.12.13 Exploit.PDF-U3D.Gen
ClamAV 0.97.3.0 2011.12.13 PUA.Script.PDF.EmbeddedJavaScript
Commtouch 5.3.2.6 2011.12.13 CVE-2011-2462!Camelot
Comodo 10935 2011.12.13 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.12.13 Exploit.PDF.2642
Emsisoft 5.1.0.11 2011.12.13 Exploit.PDF-U3D!IK
eTrust-Vet 37.0.9620 2011.12.13 PDF/Pidief.AJL
F-Secure 9.0.16440.0 2011.12.13 Exploit:JS/CVE-2011-2462.A
Fortinet 4.3.388.0 2011.12.13 PDF/Pidief.DEF!exploit
GData 22 2011.12.13 Exploit.PDF-U3D.Gen
Ikarus T3.1.1.109.0 2011.12.13 Exploit.PDF-U3D
K7AntiVirus 9.119.5661 2011.12.12 Trojan
Kaspersky 9.0.0.837 2011.12.13 Exploit.Win32.Pidief.def
McAfee 5.400.0.1158 2011.12.13 Exploit-CVE2011-2462
McAfee-GW-Edition 2010.1E 2011.12.12 Exploit-CVE2011-2462
NOD32 6705 2011.12.12 PDF/Exploit.CVE-2011-2462.A
Norman 6.07.13 2011.12.12 CVE/2011-2462.A
nProtect 2011-12-12.01 2011.12.12 Trojan-Exploit/W32.Pidief.80577.JUM
Rising 23.88.00.02 2011.12.12 Hack.Exploit.CVE-2011-2462.a
Sophos 4.72.0 2011.12.13 Exp/20112462-A
Symantec 20111.2.0.82 2011.12.13 Bloodhound.Exploit.439
TrendMicro 9.500.0.1008 2011.12.13 TROJ_PIDIEF.EGG
TrendMicro-HouseCall 9.500.0.1008 2011.12.13 TROJ_PIDIEF.EGG
VIPRE 11245 2011.12.13 Exploit.PDF.CVE-2011-2462 (v)
ViRobot 2011.12.13.4822 2011.12.13 PDF.S.CVE-2011-2462.80577
VirusBuster 14.1.112.0 2011.12.12 Exploit.Pdfjsc.Gen
MD5 : 517fe6ba9417e6c8b4d0a0b3b9c4c9a9
Additional info regarding files with non-working exploit (from SkyRecon R&D)
File: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9
Size: 80577
MD5: 517FE6BA9417E6C8B4D0A0B3B9C4C9A9
"It will not 'work' because the PDF has been altered by someone before sending. The real size of this PDF is 80568 bytes, but someone added at the end of this PDF a string of 9 bytes ('grew'). The problem is that the shellcode embedded in this PDF checks its size before trying to drop anything; as the size is no longer 80568 but 80577, the shellcode never drops the exe or decoy PDF. So in order to get this PDF to 'work' one needs to remove the last 9 bytes of the file before opening it."
601F8F52CEDF043EE4D3D3C83706329F_invoice.pdf - Virustotal
Submission date: 2011-12-17 06:44:52 (UTC)
Result: 0 /43 (0.0%)
MD5 : 601f8f52cedf043ee4d3d3c83706329f
1E46C60E65AE9F9C9C8850372D8DA491_電子郵件資訊安全防護措施.pdf - Virustotal
Submission date: 2011-12-17 06:45:36 (UTC)
MD5 : 1e46c60e65ae9f9c9c8850372d8da491
92e9b24f7d041c4e6e952309e352e3753a21.pdf - Virustotal
Submission date: 2011-12-17 06:59:28 (UTC)
Result: 2 /43 (4.7%)
TrendMicro 9.500.0.1008 2011.12.17 TROJ_PIDIEF.RC1
TrendMicro-HouseCall 9.500.0.1008 2011.12.17 TROJ_PIDIEF.RC1
MD5 : 7eab072b76abc4c3e8cba8173c79890c
employee_AUS.pdf - Virustotal
Submission date: 2011-12-13 21:59:58 (UTC)
Result: 0 /43 (0.0%)
MD5 : b9872f4b6d2290de75a7ff2874a28850
Payload and traffic
The clean decoy file is ManTech Employee Satisfaction Survey.pdf, as mentioned by Brandon Dixon.
The trojan has been described before; see the analyses at
Contagio. CVE-2010-3654 Adobe Flash player zero day vulnerability
Kaspersky Lab 2010 Sykipot exploits an Adobe Flash Zero-Day
Local Settings\pretty.exe
Size: 39936
MD5: E769A920B12D019679C43A9A4C0D7E2C
Headers Info
Time Date Stamp 4ECB430Eh 22/11/2011 06:37:02
pretty.exe
Submission date: 2011-12-07 16:33:35 (UTC)
Result: 18 /43 (41.9%)
Antivirus Version Last Update Result
AhnLab-V3 2011.12.07.00 2011.12.07 Trojan/Win32.Scar
AntiVir 7.11.19.14 2011.12.07 TR/Spy.Gen
AVG 10.0.0.1190 2011.12.07 unknown virus Win32/DH.FF83001C{40080009-00400000-00000000}
BitDefender 7.2 2011.12.07 Gen:Trojan.Heur.PT.cqW@a0iqwubb
Commtouch 5.3.2.6 2011.12.07 W32/Heuristic-KPP!Eldorado
DrWeb 5.0.2.03300 2011.12.07 BACKDOOR.Trojan
Emsisoft 5.1.0.11 2011.12.07 Backdoor.Win32.Wkysol!IK
F-Prot 4.6.5.141 2011.11.29 W32/Heuristic-KPP!Eldorado
F-Secure 9.0.16440.0 2011.12.07 Gen:Trojan.Heur.PT.cqW@a0iqwubb
GData 22 2011.12.07 Gen:Trojan.Heur.PT.cqW@a0iqwubb
Ikarus T3.1.1.109.0 2011.12.07 Backdoor.Win32.Wkysol
Kaspersky 9.0.0.837 2011.12.07 HEUR:Trojan.Win32.Invader
McAfee 5.400.0.1158 2011.12.07 Generic BackDoor.u
McAfee-GW-Edition 2010.1E 2011.12.07 Artemis!E769A920B12D
PCTools 8.0.0.5 2011.12.07 Backdoor.Sykipot
Sophos 4.71.0 2011.12.07 Mal/Dropr-C
Symantec 20111.2.0.82 2011.12.07 Backdoor.Sykipot
VBA32 3.12.16.4 2011.12.07 Trojan.Win32.Inject.2
MD5 : e769a920b12d019679c43a9a4c0d7e2c
Local Settings\WSE4EF1.TMP
Size: 31232
MD5: BA7793845FE2A02187263A96E8DAAEC6
http://www.virustotal.com/file-scan/report.html?id=21d58245c495b9ed4234577fa3fb43cd4c703f38a9b5ce83aa490613168a735f-1323275543
original name: wship4.dll
WSE4EF1.TMP
Submission date: 2011-12-07 16:32:23 (UTC)
Result: 14 /43 (32.6%)
AhnLab-V3 2011.12.07.00 2011.12.07 Backdoor/Win32.CSon
AntiVir 7.11.19.14 2011.12.07 TR/Spy.Gen
BitDefender 7.2 2011.12.07 Gen:Variant.Graftor.3624
Emsisoft 5.1.0.11 2011.12.07 Backdoor.Win32.Wkysol!IK
F-Secure 9.0.16440.0 2011.12.07 Gen:Variant.Graftor.3624
GData 22 2011.12.07 Gen:Variant.Graftor.3624
Ikarus T3.1.1.109.0 2011.12.07 Backdoor.Win32.Wkysol
McAfee 5.400.0.1158 2011.12.07 Artemis!BA7793845FE2
McAfee-GW-Edition 2010.1E 2011.12.07 Artemis!BA7793845FE2
nProtect 2011-12-07.01 2011.12.07 Gen:Variant.Graftor.3624
Panda 10.0.3.5 2011.12.06 Suspicious file
PCTools 8.0.0.5 2011.12.07 Backdoor.Sykipot
Symantec 20111.2.0.82 2011.12.07 Backdoor.Sykipot
TrendMicro-HouseCall 9.500.0.1008 2011.12.07 -
VIPRE 11215 2011.12.07 Trojan.Win32.Wisp.gen.a (v)
MD5 : ba7793845fe2a02187263a96e8daaec6
WSE4EF1.TMP can be found and extracted from the resource section of the main file PRETTY.EXE; the resource language is LANG_CHINESE, SUBLANG_CHINESE_SIMPLIFIED.
The temp file WSE4EF1.TMP is the component that does the injection: in our case it injected itself into the iexplore process, but it can also use firefox.exe and outlook.exe.
deleted_files
\Local Settings\ctfmon.exe - same file as pretty.exe
Strings from pretty.exe
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
The trojan communicates with the C&C domain on port 443.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
www.prettylikeher.com
https://www.prettylikeher.com/asp/kys_allow_get.asp?name=
explorer.exe
pdtpretty.tmp
gdtpretty.tmp
ptpretty.tmp
gtpretty.tmp
POST
HTTP/1.0
http://www.yahoo.com/
https
putfile:
getfile:
time:
door:
cmd:
19990817
%s,%s,%d
Proxyserver
Software\Microsoft\Windows\CurrentVersion\Internet Settings
firefox
%s,%d
-pretty20111122
&hostname=
https://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys
outlook
iexplore
firefox.exe
outlook.exe
iexplore.exe
/ASP/KYS_ALLOW_PUT.ASP?TYPE=
%s,get:%s,%d
get:%s,%d
unsuccessfully!
successfully!
%s%s%s%s%s
cmd /c "
process
kill
hXXps://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys
You can download pcap from here
The C&C server is running a car design front end, which seems to have been stolen from somewhere else.
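As an added example (not code from the original post or from any published Sykipot analysis), the following Python turns the indicators in the strings above into detection logic over proxy log lines: the C&C host, the /asp/kys_allow_get.asp and /asp/kys_allow_put.asp paths, and the hard-coded Firefox/3.0.7 User-Agent. The log format ('timestamp client method url "user-agent"') and the sample lines are constructed for the example; a TLS tunnel only exposes the host, so the path checks apply where the proxy sees the decrypted request.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the pretty.exe strings above.
C2_DOMAIN = "www.prettylikeher.com"
C2_PATHS = ("/asp/kys_allow_get.asp", "/asp/kys_allow_put.asp")
C2_USER_AGENT = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) "
                 "Gecko/2009021910 Firefox/3.0.7")
# Assumed log layout: timestamp client method url "user-agent" (constructed format).
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def _host_and_path(method, url):
    """Return (host, path); a CONNECT tunnel only logs host:port, never a path."""
    if method.upper() == "CONNECT":
        return url.rsplit(":", 1)[0].lower(), ""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.lower()


def classify_line(line):
    """Hit record for a line matching any Sykipot indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, path = _host_and_path(m.group("method"), m.group("url"))
    reasons = []
    if host == C2_DOMAIN:
        reasons.append("c2-domain")
    if path in C2_PATHS:  # strings also show the path upper-cased, hence lower()
        reasons.append("c2-path")
    if m.group("ua") == C2_USER_AGENT:
        reasons.append("hardcoded-user-agent")
    if not reasons:
        return None
    # Domain or path is decisive; the stale Firefox UA alone is only a weak lead.
    severity = "high" if "c2-domain" in reasons or "c2-path" in reasons else "low"
    return {"ts": m.group("ts"), "client": m.group("client"), "url": m.group("url"),
            "reasons": reasons, "severity": severity}


def scan(lines):
    return [hit for hit in map(classify_line, lines) if hit]


# Constructed log lines: a TLS tunnel, the beacon GET, a benign request, a UA-only match.
SAMPLE_LOG = [
    f'2011-12-07T16:40:01Z 10.1.2.30 CONNECT www.prettylikeher.com:443 "{C2_USER_AGENT}"',
    f'2011-12-07T16:40:02Z 10.1.2.30 GET https://www.prettylikeher.com/asp/kys_allow_get.asp?name=getkys.kys "{C2_USER_AGENT}"',
    '2011-12-07T16:41:10Z 10.1.2.31 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0"',
    f'2011-12-07T16:42:00Z 10.1.2.32 GET http://www.example.org/ "{C2_USER_AGENT}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["severity"], hit["client"], hit["url"], ",".join(hit["reasons"]))
```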
prettylikeher.com
Registrant Contact:
deng haimei
haimei deng
+86.07733944048 fax: +86.07733944048
yulingshi
guangxi guangxi 537000
CN
RData for 71.36.88.82
ccnslc.com.
desktop.newcarstyle.com.
info.kimfishions.com.
www.ccnslc.com.
www.prettylikeher.com.
Other domain hosted on the same IP
Domain name: imagespornfree.com
Registrant Contact:
helan naiye
naiye helan
+86.02366029085 fax: +86.02366029085
chongqingshishanpingbei111hao
chonqing chongqing 210000
CN
Hosting history
Event Date Action Pre-Action IP Post-Action IP
2011-11-06 New -none- 68.167.27.215
Name Server History
Event Date Action Pre-Action Server Post-Action Server
2011-10-10 New -none- Cdncenter.com
RData for
68.167.27.215
ftp.younts.com.
mail.agentsafe.com.
It's usually infected or malware.
it seems adobe workers watch porn at work...
Will you be posting your PCAP capture for download like you did with your CVE-2010-3654 posting?
Sure - I posted, have fun.
Oh, that's good! Could you tell me the password for the dropped files? Thank you!
My email is: tictacwei@gmail.com
Hi, could you send me the password for the cve-2011-2462droppedfilesonly.zip
Tks
wenzicishui@sohu.com
Omg, people! Don't leave your addresses here, spammers will harvest them. Click on Mila-My Profile up on the right and email me.
Hi, that's good! Could you tell me the password for the dropped files? Thank you!
My email is: antivir7@gmail.com
Bzzt! Thank you for playing. You are not smarter than a 3rd grader, and no you may not have the password as you did not pass the test. :-)
On a more serious note, Mila, the rest of us thank you for keeping up the good work.