Contagio Exchange - Contagio community malware dump

Friday, April 29, 2011

Hwp.exe in Apr. 8 CVE-2011-0611 Flash Player Zero day - SWF in DOC/ XLS - Disentangling Industrial Policy..


According to Cédric Gilbert (SkyRecon R&D), the shellcode's last command includes a "taskkill /im hwp.exe". This hwp.exe file could be related to a South Korean word processor:
"Hangul Word Processor or HWP". According to Wikipedia:
It is used extensively in South Korea, especially by the government.
According to Hangul's website, this word processor handles Microsoft .DOC and .DOCX documents.
So the questions are:
  1. Is the infected doc with the zero-day also 'compatible' with it?
  2. Was it used on targets in Korea or targets who use this word processor?
  3. Was it made in Korea?

Your comments and thoughts are welcome.
thanks,

Tuesday, April 26, 2011

Please welcome "Targeted Email Attacks http://targetedemailattacks.tumblr.com"


Targeted Email Attacks
http://targetedemailattacks.tumblr.com/  

These are targeted attacks received by the US-Taiwan Business Council. We are not related but somehow share the same set of overseas "friends": I recognize many messages posted there and have even received targeted messages designed to look like they came from that organization.
The author does not post samples but provides links to VirusTotal, so it gives a good idea of what it is.
 

Monday, April 25, 2011

Contagio data - targeted email senders by country / source

It is what it is. Analysis of email headers from emails sent to one targeted domain (Nov 2009 - April 2011). Headers were analyzed to find the IP addresses of the sending mail servers. Some of them are compromised, some belong to or are leased by the attackers. Only Gmail does not allow tracing the sender's IP. It is a shame; I wish they listed the sender IP addresses.

I can post more detailed statistics; if you are interested, drop me a line.
My dataset is small and not great for industry averages, but I still think it is a good representative of the situation.

Please note this is based on Contagio data only, which includes targeted messages with malicious attachments meant to compromise networks and steal data (so-called APT stuff) and does not include regular spam, banking trojans, and mass-mailed malware.

Friday, April 22, 2011

Apr 22 CVE-2011-0611 PDF-SWF Marshall Plan for the North Africa.pdf with Win32/Ixeshe.E

Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611 -- Adobe Flash Player 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; 10.2.154.25 and earlier for Chrome; and 10.2.156.12 and earlier for Android; Adobe AIR 2.6.19120 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.3 and 10.x through 10.0.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, related to a size inconsistency in a "group of included constants," object type confusion, and Date objects, as demonstrated by a .swf file embedded in a Microsoft Word document, and as exploited in the wild in April 2011.

  General File Information

File  Marshall Plan for the North Africa.pdf
MD5: 6d5fb801b890bfa7cc737c018e87e456
SHA1: 441cfe9d31d271262ff693e83daa1b4fefa0e2c4
SHA256: afe8d2abf6807bb1b83affc20b8fcb424d75cb7ce340c900b59daeb9b3edc628
File size: 464485 bytes
Type:  PDF
Distribution: Email attachment


Download

Original Message

From: Christy Serrato [mailto:serrato.christy@gmail.com]
Sent: Friday, April 22, 2011 10:32 AM
To: XXXXXXXX
Subject: Marshall Plan for the North Africa

I reach out to you for advice about an initiative we are considering launching for North Africa. The Nicole Berggruen Institute is an action-oriented think tank that seeks to implement effective systems of governance through projects at various levels across the globe. One such project is the development of a Marshall Plan for the North Africa.

How I am hoping you can help is to provide insight and advice on what is currently happening within the region.

Thank you in advance for any time you can give me. I look forward to your reply soon.

Serrato Christy
Senior Program Manager
Middle East and North Africa
NICOLAS BERGGRUEN INSTITUTE

Message Headers


Gmail :(
Received: by wwb39 with SMTP id 39so636530wwb.6        for ;
 Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=4CUY8j8jGJeAnrD/Qo6HSZGR94sdW5P0d67wOrEK55A=;
        b=YADFFJft8LGJmZQoFG+R7nLFlREhueyUJDUULLTy5rbU5ahHOmH/B3VDiHLKxJRDWa
         MFT0VjRiQenP/RjOBKG6uxZPRAkwztUUKD1mPmN7RMOO1lmOuQS2CTtFwGvtxuSPZsG1
         LE0nZf4nZi3CkI7LUx9Ficawc/KRajrJ1StdQ=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        b=Om90qyH/txeauhB/b9dr5k/r+FrEABSYzih46JA2QyeA9RDErNdPZnbJpeA4jWMgg0
         /JongciwiC7zE+TVEZDQorGv9qNswKt2dVO7lBgYBkC5ohabgwHqBlK/uBGuSBikkMF0
         8ikYcIMZ33QM7846FCG1HH4k07OWOKz8MGqRo=
MIME-Version: 1.0
Received: by 10.227.165.194 with SMTP id j2mr1203487wby.178.1303482722563;
 Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
Received: by 10.227.157.66 with HTTP; Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
Date: Fri, 22 Apr 2011 22:32:02 +0800
Message-ID: <BANLkTikPU6AS48Gyr9BhwKQvN1jmkZ70Sw@mail.gmail.com>
Subject: Marshall Plan for the North Africa
From: Christy Serrato <serrato.christy@gmail.com>
To: XXXXXXXXXXX
Content-Type: multipart/mixed; boundary="90e6ba4768d9a63a6a04a182b841"
Return-Path: serrato.christy@gmail.com
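The statistics post above (senders by country) and the Gmail headers just shown illustrate the same point: the originating mail server is recovered from the bottom-most Received: header, and Gmail's web interface records only Google-internal 10.x hops, so nothing public is left to trace. The following Python is an added example, not code from the post or from Contagio; it parses the header block above and, for contrast, a constructed header block for a message relayed from a sender-controlled host (the IP 65.49.2.181 is the one the Apr 21 "Data requirements.pdf" post attributes to its sender; the hostnames and timestamps in that second block are made up for the example).

```python
import email
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Header block of the 22 Apr 2011 "Marshall Plan" message as reproduced in the
# post (DKIM/DomainKey signatures trimmed; the recipient was redacted by the
# post's author). Gmail's web interface leaves only Google-internal hops.
GMAIL_MSG = """\
Received: by wwb39 with SMTP id 39so636530wwb.6 for ;
 Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.227.165.194 with SMTP id j2mr1203487wby.178.1303482722563;
 Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
Received: by 10.227.157.66 with HTTP; Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
Date: Fri, 22 Apr 2011 22:32:02 +0800
Message-ID: <BANLkTikPU6AS48Gyr9BhwKQvN1jmkZ70Sw@mail.gmail.com>
Subject: Marshall Plan for the North Africa
From: Christy Serrato <serrato.christy@gmail.com>
To: XXXXXXXXXXX
Return-Path: serrato.christy@gmail.com
"""

# CONSTRUCTED contrast case: a message relayed straight from a sender-controlled
# host. The public IP is the one the Apr 21 post attributes to its sender; the
# hostnames (.invalid TLD) and timestamps are invented for this example.
RELAYED_MSG = """\
Received: from mx.target.invalid ([192.0.2.10])
 by internal-mail.target.invalid with ESMTP; Thu, 21 Apr 2011 10:05:12 -0400
Received: from [65.49.2.181] (helo=mail.example.invalid)
 by mx.target.invalid with esmtp; Thu, 21 Apr 2011 10:05:10 -0400
Date: Thu, 21 Apr 2011 22:05:00 +0800
From: Jennifer Williams <williams.jennifer16@yahoo.com>
Subject: Initialization
"""

# Dotted quad not glued to other digits/dots (rejects "178.1303482722563" style ids).
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_chain(raw):
    """Return the Received: header values, unfolded, most recent hop first."""
    msg = email.message_from_string(raw)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def public_ips(text):
    """Every syntactically valid, globally routable IPv4 address found in text."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if ip.is_global:          # drops 10/8, 192.0.2/24 and other reserved space
            found.append(str(ip))
    return found


def originating_ip(raw):
    """Public IP of the earliest hop (the sending server), or None.

    Each relay prepends its own Received: header, so the bottom-most one is the
    hop closest to the sender. Gmail web mail never records a public client
    address, so this returns None for GMAIL_MSG.
    """
    for hop in reversed(received_chain(raw)):
        ips = public_ips(hop)
        if ips:
            return ips[0]
    return None


def sender_utc_offset(raw):
    """UTC offset from the Date: header, e.g. '+0800': the only origin hint Gmail leaves."""
    msg = email.message_from_string(raw)
    return parsedate_to_datetime(msg["Date"]).strftime("%z")


if __name__ == "__main__":
    for name, raw in (("gmail", GMAIL_MSG), ("relayed", RELAYED_MSG)):
        print(name, originating_ip(raw), sender_utc_offset(raw))
```

Note that Received: headers below a hop you control can be forged by the sender; only the headers added by your own MX are trustworthy, which is why the function walks from your side down and stops at the first public address rather than trusting the very last line blindly.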


Automated Scans

 Marshall Plan for the North Africa.pdf 
Antivirus Version Last update Result
Avast5 5.0.677.0 2011.04.25 SWF:Agent-K
Commtouch 5.3.2.6 2011.04.25 JS/Pdfka.V
DrWeb 5.0.2.03300 2011.04.25 Exploit.PDF.2177
eTrust-Vet 36.1.8289 2011.04.25 PDF/CVE-2010-1297.B!exploit
Microsoft 1.6802 2011.04.25 Exploit:SWF/CVE-2011-0611.I
TrendMicro 9.200.0.1012 2011.04.25 TROJ_PIDIEF.SMDX
TrendMicro-HouseCall 9.200.0.1012 2011.04.25 TROJ_PIDIEF.SMDX
MD5: 6d5fb801b890bfa7cc737c018e87e456
SHA1: 441cfe9d31d271262ff693e83daa1b4fefa0e2c4
SHA256: afe8d2abf6807bb1b83affc20b8fcb424d75cb7ce340c900b59daeb9b3edc628
File size: 464485 bytes
Scan date: 2011-04-25 15:29:18 (UTC)



Analysis Details

-Flash embedded in the file

Extracted flash

Antivirus   Version        Last update   Result
Avast       4.8.1351.0     2011.04.25    SWF:Agent-K
Avast5      5.0.677.0      2011.04.25    SWF:Agent-K
GData       22             2011.04.25    SWF:Agent-K
Symantec    20101.3.2.89   2011.04.25    Trojan.Dropper
MD5: c56dd87772312ba032fc6ac8928d480f
SHA1: 1fe3478d65ba9508b1fdc31d6b3e67b336b06b95
SHA256: fff09d52d2fedc1a85fa04f75fe9a8295a57ddc39d4888ce65662e7a7b9671c0
File size: 7461 bytes
Scan date: 2011-04-25 17:32:54 (UTC)
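Every CVE-2011-0611 sample on this page, whether the carrier is a PDF, a DOC or an XLS, hides the exploit as an embedded SWF, and the first triage step is to carve that SWF out (the "Extracted flash" hashes above come from exactly that). The following Python is an added example, not code from the post; it scans a carrier for SWF headers (signature, version byte, little-endian uncompressed length), filters obvious false positives, and inflates zlib-compressed CWS movies into plain FWS so that an ActionScript decompiler can read them. The carrier it runs on is constructed inline: two tiny, non-functional SWF stubs plus a decoy string, not the real sample.

```python
import struct
import zlib

# SWF file header: 3-byte signature, 1-byte version, 4-byte little-endian
# uncompressed length (header included). FWS = uncompressed, CWS = zlib after the
# first 8 bytes, ZWS = LZMA (Flash 11+, later than the 2011 samples on this page).
SIGNATURES = (b"FWS", b"CWS", b"ZWS")
HEADER_LEN = 8
MAX_VERSION = 40  # generous upper bound; these samples target Flash Player 10.x


def find_swf(data):
    """Scan a carrier (DOC, XLS, PDF, ...) for plausible embedded SWF headers.

    Returns a list of dicts {offset, sig, version, length}, lowest offset first.
    The version and declared-length checks cut false positives on the 3-byte
    signature, which can occur by chance in compressed or text data.
    """
    hits = []
    for sig in SIGNATURES:
        pos = data.find(sig)
        while pos != -1:
            if pos + HEADER_LEN <= len(data):
                version = data[pos + 3]
                length = struct.unpack_from("<I", data, pos + 4)[0]
                plausible = 1 <= version <= MAX_VERSION and length >= HEADER_LEN
                # An uncompressed SWF cannot be longer than the bytes that follow it.
                if sig == b"FWS" and length > len(data) - pos:
                    plausible = False
                if plausible:
                    hits.append({"offset": pos, "sig": sig,
                                 "version": version, "length": length})
            pos = data.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def extract_swf(data, offset):
    """Return the SWF at offset as an uncompressed FWS file (CWS is inflated)."""
    sig = data[offset:offset + 3]
    header = data[offset:offset + HEADER_LEN]
    length = struct.unpack_from("<I", header, 4)[0]
    if sig == b"FWS":
        return data[offset:offset + length]
    if sig == b"CWS":
        # decompressobj stops at the end of the zlib stream and tolerates the
        # trailing carrier bytes; a bare zlib.decompress would raise on them.
        body = zlib.decompressobj().decompress(data[offset + HEADER_LEN:])
        return b"FWS" + header[3:] + body[:length - HEADER_LEN]
    raise NotImplementedError("ZWS (LZMA) carving is not implemented here")


def build_carrier():
    """CONSTRUCTED test input: two tiny SWF stubs buried in junk bytes.

    The stub bodies are only enough to exercise the header and zlib logic and are
    not real movies; the samples on this page embed a full exploit SWF.
    """
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x00\x00"
    length = HEADER_LEN + len(body)
    fws = b"FWS" + bytes([10]) + struct.pack("<I", length) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", length) + zlib.compress(body)
    junk = b"%PDF-1.6\n" + b"\x00" * 64
    decoy = b"FWS\xff\xff\xff\xff\xff"  # signature with an absurd version byte
    return junk + decoy + fws + junk + cws + b"\n%%EOF\n"


if __name__ == "__main__":
    carrier = build_carrier()
    for hit in find_swf(carrier):
        swf = extract_swf(carrier, hit["offset"])
        print(hit, "->", len(swf), "bytes, header", swf[:8].hex())
```

Run it over the real carrier by replacing build_carrier() with the file's bytes; hash the returned FWS blob to compare against the "Extracted flash" MD5 above. Office documents store the SWF inside an OLE stream, so on a DOC or XLS a scan of the raw file still finds the header unless the stream is compressed, in which case extract the stream first.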

Action script 


Files Created

%TEMP%

Marshall Plan for the North Africa.pdf - clean dropped file (a decoy copy of the lure document)

MD5: 93b600d4d641321dae860d179d8a35cf

AcroRd32.exe
The payload, named after the real Adobe Reader executable so that it blends in when it runs as its own process and can be seen in the Windows Task Manager. It installs a link to itself in the Windows Startup folder, %Programs%\Startup\Adobe Reader Speed Launcher.lnk, echoing the "Adobe Reader Speed Launch" shortcut a genuine Reader installation places there; when hunting for it, resolve the .lnk target rather than trusting the name.

MD5: 39822adc9bc7747dadd212e0338948cb


http://www.virustotal.com/file-scan/report.html?id=b32482d120f24d88f06edb974e92b301e4bd9be99e5ee7f10e9e6dce1a557192-1303748025#
Antivirus Version Last update Result
NOD32 6069 2011.04.25 a variant of Win32/Ixeshe.E
Panda 10.0.3.5 2011.04.25 Suspicious file
MD5: 39822adc9bc7747dadd212e0338948cb
SHA1: 00d9650584489914016941fbe28cd1c02306a34b
SHA256: b32482d120f24d88f06edb974e92b301e4bd9be99e5ee7f10e9e6dce1a557192
File size: 430080 bytes
Scan date: 2011-04-25 16:13:45 (UTC)

From ThreatExpert

#   Filename(s)                                          File size       File hash
1   %Programs%\Startup\Adobe Reader Speed Launcher.lnk   1,464 bytes     MD5: 0x6A4CD2DA75F64AF7C402BE5BFBC516BD
                                                                         SHA-1: 0x6F02199A721848449AB4992307220D1F732DA24C
2   [file and pathname of the sample #1]                 430,080 bytes   MD5: 0x39822ADC9BC7747DADD212E0338948CB
                                                                         SHA-1: 0x00D9650584489914016941FBE28CD1C02306A34B

Network activity

  • There was a registered attempt to establish a connection with the remote host. The connection details are:

    Remote host      Port number
    68.16.99.165     443
  • The following GET request was made:
    • /AWS7446.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
  • The data identified by the following URLs was then requested from the remote web server:
    • http://68.16.99.165/AWS7394.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
    • http://68.16.99.165/AWS7414.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
    • http://68.16.99.165/AWS7437.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
    • http://68.16.99.165/AWS7463.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
    • http://68.16.99.165/AWS7473.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
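The sandbox record above gives three traits a detection can key on: a bare-IP destination, a connection to TCP 443 followed by http:// URLs to the same host, and a fixed path shape (/AWS followed by four digits and .jsp) carrying one long base64-alphabet query with no &-separated parameters. The following Python is an added example, not from the post or ThreatExpert; it scores proxy-log lines against those traits. The log layout ("ts client dst_ip dst_port method url") and the lines themselves are constructed for the example; the first two reuse the URLs from the report above, the others are benign or near-miss traffic with documentation-range addresses.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Traits taken from the sandbox report above.
PATH_RE = re.compile(r"^/AWS\d{4}\.jsp$")
# One long run of base64-alphabet characters ('=' included) and no '&' parameters.
OPAQUE_QUERY_RE = re.compile(r"^[A-Za-z0-9+/=]{40,}$")

# CONSTRUCTED proxy log in a made-up "ts client dst_ip dst_port method url" layout.
SAMPLE_LOG = """\
2011-04-25T16:14:01Z 192.168.1.20 68.16.99.165 443 GET http://68.16.99.165/AWS7446.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
2011-04-25T16:14:31Z 192.168.1.20 68.16.99.165 443 GET http://68.16.99.165/AWS7394.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
2011-04-25T16:15:02Z 192.168.1.21 93.184.216.34 80 GET http://www.example.com/news/AWS1234.jsp?id=7&lang=en
2011-04-25T16:15:40Z 192.168.1.22 198.51.100.7 443 GET http://198.51.100.7/index.jsp?page=1
"""


def score_request(dst_ip, dst_port, url):
    """Return (score, reasons) for one request; 3 means every trait is present."""
    parts = urlsplit(url)
    reasons = []
    try:
        ipaddress.ip_address(parts.hostname)   # raises ValueError for a DNS name
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    if PATH_RE.match(parts.path) and OPAQUE_QUERY_RE.match(parts.query):
        reasons.append("AWS<nnnn>.jsp path with opaque query")
    if host_is_ip:
        reasons.append("bare IP host")
    if parts.scheme == "http" and dst_port == 443:
        reasons.append("plain HTTP on 443")
    return len(reasons), reasons


def scan_log(text, threshold=2):
    """Return (ts, client, dst_ip, reasons) for every line scoring >= threshold.

    The default threshold also surfaces plain HTTP to a bare IP on 443 without the
    AWS path, which is worth a look on its own; threshold=3 keeps only full matches.
    """
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_ip, dst_port, _method, url = line.split(maxsplit=5)
        score, reasons = score_request(dst_ip, int(dst_port), url)
        if score >= threshold:
            alerts.append((ts, client, dst_ip, reasons))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

The path and query shape is the fragile part of this signature (an attacker can rename the endpoint), so in production weight the protocol mismatch and bare-IP traits more heavily and keep the path match as a confirmation rather than a requirement.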

Host names sharing IP with A records (4)  - from Robtex

Hostname:    adsl-068-016-099-165.sip.asm.bellsouth.net
ISP:    BellSouth.net
Organization:    BellSouth.net
State/Region:    Georgia
  USA
City:    Norcross

adsl-068-016-099-165.sip.asm.bellsouth.net
mail.the-joy-of-travel.com
the-joy-of-travel.com
www.the-joy-of-travel.com




Sender country: China (Gmail exposes no originating IP; the Date header's +0800 offset is the only location hint in these headers)



Thursday, April 21, 2011

Apr 20 CVE-2011-0611 PDF - SWF China's Charm diplomacy + more from 69.169.145.80 / 124.160.110.242

Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611 -- the full CVE description is quoted in the Apr 22 post above.

  General File Information

File China's Charm diplomacy in BRICS Summit.pdf
MD5: ae39b747e4fe72dce6e5cdc6d0314c02
SHA1: 18306c34c5769f66573b725dce70a353ff549857
SHA256: f4e861eec510a0d38ae8fa54b630fdda40011891d12925e0e74da39d9280ddd8
File size: 411558 bytes

Type:  PDF
Distribution: Email attachment

 

File The Obama Administration and the Middle East.pdf
MD5: 2368a8f55ee78d844896f05f94866b07
SHA1: f636e24d394e2d6084af877271ef488153b63181
SHA256: 6d05bb31f4ae3f1a2e03879396c301e8bd7f5f53c368e16b006baa459d61c040
File size: 411562 bytes

Type:  PDF
Distribution: Email attachment

 

File  Russia's profit from general NATO disunity.pdf
MD5: 4065b98fdcb17a081759061306239c8b
SHA1: bc50074e7b672a59b961f281708b652323a7acc3
SHA256: 3701a5da3f1836d48e10e09b4245d9a53b0ba685732cac69cea0b672cf7b3afb
File size: 411562 bytes

Type:  PDF
Distribution: Email attachment

Post updates

 More attacks with the same payload from the same sender. See analysis here http://contagiodump.blogspot.com/2011/04/apr-22-cve-2011-0611-pdf-swf-marshall.html

Download

Adobe Reader 9.4.4, released today, April 21, 2011, resolves this issue. Adobe Reader 9.4.3 and below remain vulnerable even with the latest standalone Flash Player installed, because Reader ships its own copy of the Flash runtime (authplay.dll), which only the Reader update replaces.


Apr 21 CVE-2011-0611 PDF - SWF Data requirements.pdf from williams.jennifer16@yahoo.com 65.49.2.181

Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611 -- the full CVE description is quoted in the Apr 22 post above.

  General File Information

File Name Data requirements.pdf
MD5: 0d3584985627fa1c7b39c8cc8a870e58
SHA1: 3a29e57930bbfe4467b037c12e1f11a032e43420
SHA256: 773afdbd5a52aa2685857ccece94c2920e3bd9b74b2a2cfed86befc61b3b9dec
File size: 44073 bytes
File Type: PDF
Distribution: Email attachment

Download


Original Message



 From: Jennifer Williams [mailto:williams.jennifer16@yahoo.com]
Sent: Thursday, April 21, 2011 10:05 AM
To: XXXXXX
Subject: Initialization

The attachment is only an initialization, some amendment should be made. Please give us some advice.

Apr 21 CVE-2011-0611 PDF - SWF CNO Guidance from yasmeen_omran@hotmail.com 65.49.2.153


Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611 -- the full CVE description is quoted in the Apr 22 post above.

  General File Information

File Name: CNO_Guidance.pdf

MD5: 63482fff87b0cc16378eac28786017ad
SHA1: 60805758d2289b5c57865f819f9c7ea4a40d4990
SHA256: 0c3628d9bbd132695d49be965aa3c4d3e40af25c748788c06d055344a42bf552
File size: 214003 bytes
File Type: PDF
Distribution: Email attachment

Download


Original Message


 From: yasmeen omran [mailto:yasmeen_omran@hotmail.com]
Sent: Thursday, April 21, 2011 9:27 AM
To: xxxx
Subject: CNO Guidance.

CNO Guidance.

Call me as soon as you review the file.

Col Terry

Wednesday, April 20, 2011

Apr 20 CVE-2010-3333 DOC Join Forces with Us.doc - from 60.248.110.190 - firstladyoffice@usa.gov

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 -- Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability".


Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog: "Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)", 29 Dec 2010.

  General File Information

File  Join Forces with Us.doc
MD5: 7e89317f3e6cbfab053cf6a38661d9f4
SHA1: f702d075170f1865a47e3149cd4be2683689d3f0
SHA256: d3edfab016232c0b6d2f03492f4971d8807d5f67a43609b489bf92f4a924d24d
File size: 48650 bytes

Type:  DOC
Distribution: Email attachment


Download

Original Message

Apr 16 CVE-2011-0611 DOC urgent files from 97.66.14.11

Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611 -- the full CVE description is quoted in the Apr 22 post above.

  General File Information

File  network as Army's future in wars.doc
MD5: 0a494df9c8fb686255636b31f262e235
SHA1: 3de2a13e52f8098cdc7c912fc22e5bfcb196d7c2
File size: 212496 bytes
Type:  DOC
Distribution: Email attachment

Download


Original Message

 From: Bakshi Singh [mailto:afsc1974@yahoo.com]
Sent: Saturday, April 16, 2011 11:37 AM
To: XXXXXXXX
Subject: urgent files

Dear Sir

    Please see the attachment.

Monday, April 11, 2011

Apr. 8 CVE-2011-0611 Flash Player Zero day - SWF in DOC/ XLS - Disentangling Industrial Policy..

Common Vulnerabilities and Exposures (CVE) number

CVE-2011-0611


This vulnerability (CVE-2011-0611) could cause a crash and potentially allow an attacker to take control of the affected system.

  General File Information

File 1

  File   Disentangling Industrial Policy and Competition Policy.doc

MD5   96cf54e6d7e228a2c6418aba93d6bd49 

SHA1   820699d9999ea3ba07e7f0d0c7f08fe10eae1d2d 

File size : 176144 bytes 

Type:   DOC with SWF

Distribution:  Email attachment

File 2

  File   Japan Nuclear Weapons Program.doc

MD5   78C628FC44FE40BFF47176613D3E1776

File size : 167440 bytes

Type:   DOC with SWF

Distribution:  Email attachment

File 3

  File   Message from Anne.doc

MD5   A51EDD010F3C0D33249BE771891265CB

SHA1   820699d9999ea3ba07e7f0d0c7f08fe10eae1d2d (note: this is the same SHA1 listed for File 1 while the MD5 and file size differ, so one of the two hashes for this file is mis-recorded; verify against the sample before using either as an indicator)

File size : 167440 bytes

Type:   DOC with SWF

Distribution:  Email attachment

File 4

This file was first detected on or before April 12 (thanks to anonymous for the donation).

  File    JOB_DESCRIPTION.doc

MD5    9bdefcc465c73fc5eedf41ebf47b5f6c

SHA1   6f969aad92fe9340d00b31eab95355088767b9ed

File size : 167440 bytes

Type:   DOC with SWF

Distribution:  Email attachment

File 5

This file was first detected on or before April 11 (thanks to anonymous for the donation).

  File   plan.doc

MD5    d1bfe000e745207c32343bfe5abd94c9

SHA1   45573ee5d89c1d7e7adb98149cca2dfee48b5d1f

File size : 186896 bytes

Type:   DOC with SWF

Distribution:  Email attachment

 

File 6

This file was first detected on April 14.

  File   namelist.xls

MD5   aaff5eabe5d803742dbb8b405e7a7c4cb659f12c (note: this is a 40-hex-digit value, SHA-1 length, not an MD5)

SHA1   45573ee5d89c1d7e7adb98149cca2dfee48b5d1f (note: identical to the SHA1 listed for File 5, plan.doc, although the file sizes differ; verify against the sample before using either hash as an indicator)

File size : 162316 bytes

Type:   XLS with SWF

Distribution:  Email attachment

 

File 7

This file was first detected on April 15.

  File   Response 2011.doc

MD5   a421d074611188cfcfcedba55cc7e194

SHA1   ca044e91761e633a0580c947adc39a6ca248e5e9

File size : 167440 bytes

Type:  DOC with SWF

Distribution:  Email attachment

 

Download

The recipients of this message included people whose names you can find in Wikipedia and assistants of former high-ranking politicians who now work at global consulting companies.

Update April 29, 2011
According to Cédric Gilbert (SkyRecon R&D), the shellcode's last command includes a "taskkill /im hwp.exe". This hwp.exe file could be related to a South Korean word processor:
"Hangul Word Processor or HWP". According to Wikipedia:
It is used extensively in South Korea, especially by the government.
Which could match a targeted attack towards this region.
According to Hangul's website, this word processor handles Microsoft .DOC and .DOCX documents.
So the questions are:
  1. Is the infected doc with the zero-day also 'compatible' with it?
  2. Was it used in Korea?
  3. Was it made in Korea?

Your comments and thoughts are welcome.
thanks,
Mila


Other analyses

Using "volatility" to study the CVE-2011-0611 Adobe Flash 0-day, by Andre' DiMino

Analysis of the exploit code at http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html, by Villy

Disentangling Industrial Policy and Competition Policy.swf - Trojan-Dropper.MSWord.SwfDrop.a, by Kimberly

Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation, by Microsoft