Showing posts with label Vir-Bloodhound.Exploit.288. Show all posts

Thursday, January 14, 2010

Technical analysis of CVE-2009-4324 samples by different analysts.

Please see the technical analyses of some of these samples, kindly offered by different analysts.

Analysis of Jan 7 US-J-India_strategic_dialogue sample
Us-J-India_strategic_dialogue.pdf --- MD5 12aab3743c6726452eb0a91d8190a473


========================================
All contagio samples

Analysis by extraexploit  (http://extraexploit.blogspot.com)
January 12, 2010  Adobe CVE-2009-4324 – Another one with AsciiHexDecode waiting for the patch day (for Jan 7 US-J-India_strategic_dialogue sample) -- New
December 29, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.6 – from Taiwan govs with low detection
December 19, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas
December 18, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.2 - shellcode and site down

December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.1 - browsing C&Cs
December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0



Analysis by Wh's Behind (http://whsbehind.blogspot.com)

January 14, 2010  CVE-2009-4324 Doc.media.newPlayer (Us-J-India_strategic_dialogue.pdf) -- New
December 30, 2009 CVE-2009-4324 Doc.media.newPlayer 0-day vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (new PDF from Taiwan govs)
December 22, 2009 CVE-2009-4324 Doc.media.newPlayer vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (DEEP INSIGHT)


Analysis of Interview Outline by kaito (http://d.hatena.ne.jp/kaito834)
December 26, 2009 悪意あるPDF(malicious PDF)に含まれる Exploit コードを pdf-parser.py で確認する (Checking the exploit code contained in a malicious PDF with pdf-parser.py)

Analysis by demantos (http://malwarelab.tistory.com)

December 22, 2009 Adobe 0-Day
December 16, 2009 New Adobe Reader and Acrobat Vulnerability


CVE-2009-4324 Samples from other sources:
Analysis by Bojan Zdrnja - SANS (http://isc.sans.org/diary.html)

January 4, 2009 Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324



Analysis by VRT (http://vrt-sourcefire.blogspot.com)
December 15, 2009 - Adobe Reader media.newPlayer() Analysis (CVE-2009-4324) 


Let me know if I missed any you think need to be added.


Wednesday, January 13, 2010

Jan. 13 CVE-2009-4324 The Chinese Navy's Budding Overseas Presence from trevor.yancey@gmail.com Wed, 13 Jan 2010 22:25:33 +0800




Download wm_2752.pdf as 214f524a7721501e561046a384ba4916 - wm_2752.zip (password protected archive; please contact me if you need the password)

 Wed, 13 Jan 2010 22:25:33 +0800


From: Dean Cheng [mailto:trevor.yancey@gmail.com]
Sent: Wednesday, January 13, 2010 9:26 AM
To: XXXXXXXXXXXXXXXXXXX
Subject: The Chinese Navy's Budding Overseas Presence

As 2009 drew to a close, a senior Chinese naval officer raised the idea that the People's Republic of China (PRC) might be interested in establishing a permanent base in the Gulf of Aden area in support of anti-piracy missions. Admiral Yin Zhuo, a senior researcher at the Chinese People's Liberation Army Navy (PLAN) Equipment Research Center, suggested that such a base would facilitate a sustained Chinese presence in the region as part of ongoing anti-piracy efforts.
A base in the Gulf of Aden area would constitute the first formal Chinese overseas military base. It reflects China's growing overseas interests, as well as its expanding military capabilities, including a growing ability to operate far from its shores.
For the United States, the extended Chinese naval deployment in the Gulf of Aden, as well as discussion of the creation of a Chinese naval base in the region, should serve as a reminder that the U.S. Navy will encounter the PLAN more and more--and not solely in the Taiwan Straits, South China Sea, and other waters off China's coast. Given the global nature of China's economic interests, it is inevitable that the Chinese military will also have a more global presence. Nor is there anything that the United States can reasonably do to prevent this.
Rather than trying to forestall the inevitable, U.S. policymakers should recognize the Chinese competitive potential and stay ahead of the game even as the U.S. tries to manage China's emergence to its own advantage. This will entail three key initiatives.
Please find the attached for more detail. Should you have any question, let me know.
Best Regards,
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
I guess someone got carried away with the paste command. (M)
  



Monday, January 11, 2010

Jan 10 CVE-2009-4324 Adobe 0 Day with Backdoor:Win32/Bifrose.gen!E payload US-Taiwan Defense Industry Conference 2010 from jswang@gmail.com Sun, 10 Jan 2010 14:05:41 +0800




Download 9cc4133139cac1c774c0bf5476b2ed56 - US-Taiwan Defense Industry Conference 2010.pdf (password protected archive, please contact me for the password)
sbcdrx.exe - 287EAC0F1F5E9223922EBFF3308F138F
sbcdrx.dat - EC8903129642D3AEF3348B68D17624B5
SysPr.prx - 4EF40422A092B40000C1FCA20A8D8E44




Details: 9cc4133139cac1c774c0bf5476b2ed56 - US-Taiwan Defense Industry Conference 2010.pdf





The message sender was jswang@gmail.com
The message originating IP was 168.95.4.102
The message recipients were XXXXXXXXX
The message was titled US-Taiwan Defense Industry Conference 2010
The message date was Sun, 10 Jan 2010 14:05:41 +0800
The message identifier was <004b01ca91ba$f1087b90$9301a8c0@testacb8580da5>
The virus or unauthorised code identified in the email is:
Bloodhound.Exploit.288


Thursday, January 7, 2010

Jan 7 CVE-2009-4324 Special Edition from okazaki1930@yahoo.co.jp Thu, 7 Jan 2010 16:21:46 +0900 (JST)

This post is to be continued.


Download 日本の二大政党制.pdf as 55c503e5f160d58f830bb16d5fc1e09c-Special Edition.zip (password protected archive; please contact me for the password)



-----Original Message-----
From: 岡崎 久彦 [mailto:okazaki1930@yahoo.co.jp]
Sent: Thursday, January 07, 2010 2:10 AM
To: XXXXXXX
Subject: 特別版再送 (Special Edition, resend)

----- Original Message -----
From: Hisahiko Okazaki [mailto:okazaki1930@yahoo.co.jp]
Sent: Thursday, January 07, 2010 2:10 AM
To: XXXXX

Subject: resend Special Edition

The message sender was okazaki1930@yahoo.co.jp
The message originating IP was 124.83.212.30
The message recipients were XXXXXXXX
The message was titled 特別版再送
The message date was Thu, 7 Jan 2010 16:21:46 +0900 (JST)
The message identifier was <20100107072147.17625.qmail@web4210.mail.ogk.yahoo.co.jp>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '7913966_1003X_PA2_APDF__pdf_obj_50_0.js'. Heuristics score: 400

Previous scan on Jan 8, 2010 by someone else: same MD5 hash, but a different file name.
http://www.virustotal.com/analisis/c09081111288172b10a4915c3ca3c917f614f0419a93407d8a4e96dc5da78563-1262913422

日本の二大政党制.pdf (Two-party system in Japan)
http://www.virustotal.com/analisis/c09081111288172b10a4915c3ca3c917f614f0419a93407d8a4e96dc5da78563-1263274446
Result: 16/41 (39.03%)

Antivirus          Version          Last Update   Result
a-squared          4.5.0.48         2010.01.12    Exploit.JS.Pdfka!IK
Antiy-AVL          2.0.3.7          2010.01.11    Exploit/JS.Pdfka
Avast              4.8.1351.0       2010.01.11    JS:Pdfka-UQ
BitDefender        7.2              2010.01.12    Exploit.PDF-JS.Gen
ClamAV             0.94.1           2010.01.12    Exploit.PDF-7067
Comodo             3552             2010.01.12    TrojWare.JS.Exploit.Pdfka.azg
F-Secure           9.0.15370.0      2010.01.12    Exploit.PDF-JS.Gen
GData              19               2010.01.12    Exploit.PDF-JS.Gen
Ikarus             T3.1.1.80.0      2010.01.12    Exploit.JS.Pdfka
Kaspersky          7.0.0.125        2010.01.12    Exploit.JS.Pdfka.azg
McAfee             5858             2010.01.11    Exploit-PDF.q.gen!stream
McAfee+Artemis     5858             2010.01.11    Exploit-PDF.q.gen!stream
McAfee-GW-Edition                                 Heuristic.BehavesLike.PDF.Shellcode.Z
PCTools            7.0.3.5          2010.01.12    HeurEngine.MaliciousExploit
Symantec           20091.2.0.41     2010.01.12    Bloodhound.Exploit.288

Additional information
File size: 1006594 bytes
MD5...: 55c503e5f160d58f830bb16d5fc1e09c


Tuesday, January 5, 2010

Jan. 5 CVE-2009-4324 Adobe 0 Day [NYTimes.com]Large Oil Spill Reported in China from nytimes2010@hotmail.com Tue, 5 Jan 2010 04:58:37 +0000



Download CVE-2009-4324 samples (password protected archives; use the same password you used on the samples above or contact me for the password)





The message sender was nytimes2010@hotmail.com
The message originating IP was 65.55.34.86
The message recipients were XXXX@XXXXX.XXX
The message was titled [NYTimes.com]Large Oil Spill Reported in China
The message date was Tue, 5 Jan 2010 04:58:37 +0000
The message identifier was
The virus or unauthorised code identified in the email is:
Bloodhound.Exploit.288

 




From: TYTimes News [mailto:nytimes2010@hotmail.com]
Sent: Monday, January 04, 2010 11:07 PM
To: XXXXX@XXXX.XXX
Subject: [NYTimes.com]Large Oil Spill Reported in China


By DAVID BARBOZA
Published: January 5, 2010

SHANGHAI — A large oil spill in northwest China has heavily polluted a tributary of the Yellow River, and threatens to reach one of the country’s longest and most important sources of water.

China’s state-run news media said late Saturday that a “large amount” of diesel oil had leaked out of a pipeline last Thursday in Shaanxi Province.

...... 
•   NYTIMES.COM
•  For general help questions, please send us an e-mail using this form.
•  Comments or feedback about our Web site? Please send us an e-mail using this form.
•  For a possible correction, or to reach the Web site's editorial staff, you can send an e-mail.
•  For questions about posting comments on the site, there is an FAQ.
•  To reach Martin Nisenholtz, the Sr. V.P. of Digital Operations, you can send an e-mail.

________________________________________
Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you.


Saturday, December 26, 2009

Dec.26 CVE-2009-4324 Adobe 0 Day Christmas Greetings from H.H. the Dalai Lama from test01@humanright-watch.org Sat, 26 Dec 2009 20:58:47 +0800


Download CVE-2009-4324 files (Password protected archive. Use the same password you used on the samples above or contact me for the password)

Details: Greetings.pdf - 2a7b8180da2906c9889f13fa912df6a0

From: test01@humanright-watch.org on behalf of Kate Saunders [kates@ictibet.org]
Sent: Sat 12/26/2009 8:02 AM
To:
Subject Christmas Greetings from H.H. the Dalai Lama
Attachment Greetings.pdf (81 KB)

Dear Friend of Tibet. Sincerely thank you for the support of the Free Tibet Campaign. I extend you Christmas blessings on behalf of the Dalai Lama. Attachment is a letter sent to you from H.H. the Dalai Lama.
Tashi Delek!

Kate Saunders.ICT
1852 Jefferson Place NW
Washington, DC 20036
Tel 1-202-580-6716
Cell:1-202-375-4398
emai1:kates@ictibet.org
www.savetibet.org


Sender (see the header at the end of the post): Sat, 26 Dec 2009 20:58:47 +0800 (CST)
Received: from krilwftlv (203186054193.static.ctinets.com [203.186.54.193]


Hostname: 203186054193.static.ctinets.com
ISP: City Telecom (H.K.) Ltd.
Organization: FIRST NETWORK COMMUNICATIONS LTD - FAVOR INDUSTRIA
Country: Hong Kong
City: Central District

Monday, December 21, 2009

Dec. 21 Adobe 0 Day CVE-2009-4324 PDF Attack of the Day SEF preparatory discussions list 陸委會轉寄 海基會、海協會協商代表團預備性磋商名單 from macnews@mac.gov.tw Mon, 21 Dec 2009 20:37:15 +0800


Download the infected PDF 海基會協商代表團預備性磋商名單.pdf as SEFdiscussionsm.zip. Password protected; please use the same password as on the other CVE-2009-4324 files or contact me for it.

Yawn.  Here is one more. 



From: macnews [mailto:macnews@mac.gov.tw]
Sent: Monday, December 21, 2009 7:37 AM
To: XXXXXXXXXXXX
Subject: 陸委會轉寄 海基會、海協會協商代表團預備性磋商名單 (MAC forwards: list of the SEF and ARATS delegations for the preliminary consultations)

您好,附件為本次協商海基會、海協會代表團預備性磋商名單,提供給您參考,謝謝。
(Translation: Hello, attached is the list of the SEF and ARATS delegations for the preliminary consultations of this round of talks, provided for your reference. Thank you.)

__________ Information from ESET NOD32 Antivirus, version of virus signature database 4707 (20091221) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
Here is a terrible machine translation, but it is easy to see that the mailing is fueled by recent news, namely the talks between ARATS (Association for Relations Across the Taiwan Straits) and SEF (Straits Exchange Foundation) in Taichung tomorrow, December 22, 2009.


From: macnews [mailto: macnews@mac.gov.tw]
Sent: Monday, December 21, 2009 7:37 AM
To: XXXXXXXXXXXX
Subject: MAC forwarding SEF and ARATS consultations, the delegation of the list of preliminary consultations
Hello, see attached third Consultative SEF and ARATS delegation of the list of preliminary consultations provided for your reference, thank you.