Showing posts with label Vir-Expl_ShellCodeSM. Show all posts

Wednesday, April 7, 2010

Apr 7 CVE-2009-4324 PDF Fwd: Matrix Report --- Earthquake from spoofed UlmanW@state.gov to fake ZaringNS@nasa.gov

Download infected 82a7c8fdacca91b1bd0fdc2407674f50 matrix_report.pdf as a password-protected archive (please contact me if you need the password)

Details 82a7c8fdacca91b1bd0fdc2407674f50 matrix_report.pdf

 From: Ulman, Wayne (FSI) [mailto:UlmanW@state.gov]
Sent: Wednesday, April 07, 2010 2:08 PM
To: ZaringNS@nasa.gov
Subject: Fwd: Matrix Report --- Earthquake

It's incredible!

------Original Message------
From: "Amanda DJ"
Sent: Wednesday, Apr 7, 2010 10:22 AM
To: Ulman, Wayne (FSI); "Wilson Curran"
Subject: Matrix Report --- Earthquake


2012 is coming!
It's true!

Pls see attachment: Matrix_Report.pdf
Sichuan Wenchuan Earthquake  5.12  (May 12th)
Haiti Earthquake             1.12  (Jan 12th)
Chile Earthquake             2.27  (Feb 27th)

Matrix:Horizontal = Vertical

5 1 2
1 1 2
2 2 7

Friday, April 2, 2010

Apr 2 CVE-2009-0927 CVE-2007-5659 PDF IPR in China FINAL from global.faruk@gmail.com


Download c497c02464ae74bbc94120d1cbe88d49 IPR in China FINAL.pdf as a password-protected archive (contact me if you need the password)

Details c497c02464ae74bbc94120d1cbe88d49 IPR in China FINAL.pdf

From: Faruk DEMİR [mailto:global.faruk@gmail.com]
Sent: Friday, April 02, 2010 4:36 AM
To: XXXXXXXXXXXXXX
Subject: IPR in China FINAL

Virustotal
http://www.virustotal.com/analisis/816ff03f39d9d210ee3a49a61f208a4b0a8979c3d08fa9b8a17e01a98b5d123c-1270206094
File IPR_in_China_FINAL.pdf received on 2010.04.02 11:01:34 (UTC)
Result: 10/42 (23.81%)
a-squared     4.5.0.50     2010.04.02     Exploit.Win32.Pidief!IK
Authentium     5.2.0.5     2010.04.02     PDF/Obfusc.M!Camelot
Avast     4.8.1351.0     2010.04.02     JS:ShellCode-EQ
Avast5     5.0.332.0     2010.04.02     JS:ShellCode-EQ
AVG     9.0.0.787     2010.04.02     Exploit.PDF
GData     19     2010.04.02     JS:ShellCode-EQ
Ikarus     T3.1.1.80.0     2010.04.02     Exploit.Win32.Pidief
Microsoft     1.5605     2010.04.02     Exploit:JS/Mult.CM
Symantec     20091.2.0.41     2010.04.02     Bloodhound.PDF!gen
TrendMicro     9.120.0.1004     2010.04.02     Expl_ShellCodeSM
File size: 54720 bytes
MD5   : c497c02464ae74bbc94120d1cbe88d49

Vicheck
https://www.vicheck.ca/md5query.php?hash=c497c02464ae74bbc94120d1cbe88d49
PDF Exploit call to Collab.collectEmailInfo CVE-2007-5659
PDF Exploit call to Collab.getIcon CVE-2009-0927

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=c497c02464ae74bbc94120d1cbe88d49&type=js
suspicious

Wednesday, December 23, 2009

Dec. 23. CVE-2009-4324 Adobe 0 Day. Attack of the Day VERY Merry Christmas from everyone

Download all files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (password-protected archive; use the same password you used on the samples above or contact me for the password)

Merry Christmas cards come in bulk. I normally don't bother with greeting-card viruses, but these are 0-day PDFs and I am peeved at Adobe for making a decision to wait with the fixes in order not to disrupt the update cycle. The cards show a total lack of imagination and aesthetics but impressive antivirus evasion abilities, especially the second card, Merry Christmas.pdf (0ac635c06b571ad340b115f3d744f951): only three AV providers have a clue. Please see both samples below; you can download them from the link above.

File MerryChristmas.pdf   bc11e11405b7f9ba104451ecd40e3840 
File Merry Christmas.pdf  0ac635c06b571ad340b115f3d744f951 

File MerryChristmas.pdf received on 2009.12.23 06:05:18 (UTC)
 http://www.virustotal.com/analisis/c78f02f1de087a0ce91be1ca68ffb1995f392a063fc8abb7fd700896f050ed68-1261548318
Result: 11/40 (27.5%)
a-squared    4.5.0.43    2009.12.22    Exploit.Win32.ShellCode!IK
AntiVir    7.9.1.122    2009.12.22    HTML/Shellcode.Gen
Antiy-AVL    2.0.3.7    2009.12.23    Exploit/Win32.Pidief
BitDefender    7.2    2009.12.23    Exploit.PDF-JS.Gen
F-Secure    9.0.15370.0    2009.12.23    Exploit.PDF-JS.Gen
GData    19    2009.12.22    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.79.0    2009.12.22    Exploit.Win32.ShellCode
McAfee-GW-Edition    6.8.5    2009.12.23    Script.Shellcode.Gen
Sophos    4.49.0    2009.12.23    Troj/PDFJs-B
TrendMicro    9.120.0.1004    2009.12.23    Expl_ShellCodeSM
VirusBuster    5.0.21.0    2009.12.22    JS.Shellcode.Gen
Additional information
File size: 1226632 bytes
MD5...: bc11e11405b7f9ba104451ecd40e3840
SHA1..: 5867bd88d2cb5f822f493a041a39705432973828


Wepawet
 http://wepawet.cs.ucsb.edu/view.php?hash=bc11e11405b7f9ba104451ecd40e3840&type=js
File MerryChristmas.pdf
MD5 bc11e11405b7f9ba104451ecd40e3840
Analysis Started 2009-12-22 22:24:14
Report Generated 2009-12-22 22:24:20
Jsand 1.03.02 malicious
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324

===========================================

The message sender was
    takahino_ninomiya@yahoo.co.jp

The message originating IP was 124.83.212.88
The message recipients were
    XXXXXXXX

The message was titled merry x-mas
The message date was Tue, 22 Dec 2009 16:42:01 +0900 (JST)
The message identifier was <659021.75136.qm@web4308.mail.ogk.yahoo.co.jp>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '8044665_1000X_PA3_APDF__pdf_obj_42_0.js'. Heuristics score: 251

Virustotal
http://www.virustotal.com/analisis/dadcb65ec1057baa543a34bfe92144a30fde84cf85db9199b3873f819df6e79c-1261548993
 File Merry_Christmas.pdf received on 2009.12.23 06:16:33 (UTC)
Result: 3/41 (7.32%)
McAfee-GW-Edition    6.8.5    2009.12.23 Heuristic.BehavesLike.PDF.Suspicious.Z
NOD32    4710    2009.12.22    PDF/Exploit.Gen
Sophos    4.49.0    2009.12.23    Troj/PDFJs-B
Additional information
File size: 873031 bytes
MD5...: 0ac635c06b571ad340b115f3d744f951
SHA1..: d2af65c8f6f5733a574d049fe9e2683c9aab479e

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=0ac635c06b571ad340b115f3d744f951&type=js
File Merry Christmas.pdf
MD5 0ac635c06b571ad340b115f3d744f951
Analysis Started 2009-12-22 22:32:36
Report Generated 2009-12-22 22:32:56
Jsand 1.03.02 malicious
Name Description Reference
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324
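The Vicheck and Wepawet verdicts quoted in the Apr 2 and Dec 23 posts come down to one check: find the JavaScript inside the PDF and look for calls to the Acrobat APIs behind CVE-2007-5659 (Collab.collectEmailInfo), CVE-2009-0927 (Collab.getIcon) and CVE-2009-4324 (Doc.media.newPlayer). The script below is an added example, not code from this blog or from VirusTotal, Vicheck or Wepawet, that performs that triage offline: it walks the PDF objects, inflates FlateDecode streams, undoes #xx-escaped names (so /J#53 still counts as /JS), gathers JavaScript from literal strings, hex strings and indirect stream references, and maps the calls it finds to CVEs. It goes beyond the page's samples in one respect: util.printf (CVE-2008-2992) is added to the API list. The test PDFs are constructed inside build_sample() and are not the samples from the posts; the function names (triage, parse_objects, build_sample) are this example's own.

```python
"""Static PDF triage for the Acrobat JavaScript exploit calls named in the posts above.
Added example, not code from the original post or from VirusTotal/Vicheck/Wepawet."""
import re
import zlib

# API -> CVE; the first three are the calls the reports above flag, util.printf (CVE-2008-2992) is an addition
EXPLOIT_APIS = {
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
    "util.printf": "CVE-2008-2992",
}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def unescape_names(data):  # undo #xx name escapes: /J#53 -> /JS, /Fi#6cter -> /Filter
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate(data):
    """Inflate a FlateDecode stream; fall back to raw deflate if the zlib header is missing."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompressobj(wbits).decompress(data)
        except zlib.error:
            pass
    return b""


def parse_objects(pdf):
    """Return {objnum: (dictionary bytes with names unescaped, decoded stream bytes)}."""
    objects = {}
    for num, _gen, body in OBJ_RE.findall(pdf):
        m = STREAM_RE.search(body)
        dictionary = unescape_names(body[:m.start()] if m else body)
        stream = m.group(1) if m else b""
        if stream and b"/FlateDecode" in dictionary:
            stream = inflate(stream)
        objects[int(num)] = (dictionary, stream)
    return objects


def literal_strings(dictionary, key):
    """Yield literal strings following `key`, honouring nested parens and backslash escapes."""
    for m in re.finditer(re.escape(key) + rb"\s*\(", dictionary):
        i, depth, out = m.end(), 1, bytearray()
        while i < len(dictionary) and depth:
            c = dictionary[i:i + 1]
            if c == b"\\":  # keep the escaped byte, drop the backslash
                c, i = dictionary[i + 1:i + 2], i + 1
            else:
                depth += (c == b"(") - (c == b")")
            if depth:
                out += c
            i += 1
        yield bytes(out)


def extract_javascript(objects):
    """Collect JS from /JS literal strings, hex strings and indirect stream references."""
    scripts = {}
    for num, (dictionary, _stream) in objects.items():
        for s in literal_strings(dictionary, b"/JS"):
            scripts.setdefault(num, []).append(s)
        for m in re.finditer(rb"/JS\s*<([0-9A-Fa-f\s]+)>", dictionary):
            digits = re.sub(rb"\s", b"", m.group(1))
            digits += b"0" * (len(digits) % 2)  # PDF reads a trailing odd digit as x0
            scripts.setdefault(num, []).append(bytes.fromhex(digits.decode()))
        for m in re.finditer(rb"/JS\s+(\d+)\s+\d+\s+R", dictionary):
            ref = int(m.group(1))
            if objects.get(ref, (b"", b""))[1]:
                scripts.setdefault(ref, []).append(objects[ref][1])
    return scripts


def triage(pdf):
    """Map each known exploit API's CVE to the object numbers whose JavaScript calls it."""
    objects = parse_objects(pdf)
    scripts = extract_javascript(objects)
    hits = {}
    for num, chunks in sorted(scripts.items()):
        text = b"".join(chunks).decode("latin-1")
        for api, cve in EXPLOIT_APIS.items():
            if api in text:
                hits.setdefault(cve, []).append(num)
    auto_exec = any(b"/OpenAction" in d or b"/AA" in d for d, _ in objects.values())
    return {"javascript_objects": sorted(scripts), "hits": hits, "auto_exec": auto_exec}


def build_sample(js, inline=False, obfuscate=False):
    """Constructed test input (not a real sample): minimal PDF whose /OpenAction runs `js` as a
    literal string (inline=True) or from a FlateDecode stream, optionally with #xx-escaped names."""
    js_key = b"/J#53" if obfuscate else b"/JS"
    filt = b"/Fi#6cter /Flate#44ecode" if obfuscate else b"/Filter /FlateDecode"
    payload = zlib.compress(js)
    action = js_key + (b" (" + js + b")" if inline else b" 5 0 R")
    stream_obj = b"" if inline else (b"5 0 obj << /Length %d " % len(payload) + filt
                                     + b" >>\nstream\n" + payload + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /S /JavaScript " + action + b" >> endobj\n" + stream_obj
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Run triage(open(path, "rb").read()) on a real sample inside an isolated VM; the hits dictionary names the CVE and the object that carries the call, which is what Vicheck prints as "PDF Exploit call to ...". Heavily obfuscated droppers assemble the API name at runtime from string fragments, so an empty hits dictionary with a non-empty javascript_objects list still warrants dynamic analysis (Wepawet's route); the static check is a first filter, not a verdict.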