Showing posts with label Vir-Exploit:Win32/Pdfjsc.CO. Show all posts

Thursday, January 14, 2010

Technical analysis of CVE-2009-4324 samples by different analysts.

Please see technical analysis of some of the samples kindly offered by different analysts. 

Analysis of Jan 7 US-J-India_strategic_dialogue sample
Us-J-India_strategic_dialogue.pdf --- MD5 12aab3743c6726452eb0a91d8190a473


========================================
All contagio samples

Analysis by extraexploit  (http://extraexploit.blogspot.com)
January 12, 2010  Adobe CVE-2009-4324 – Another one with AsciiHexDecode waiting for the patch day (for Jan 7 US-J-India_strategic_dialogue sample) -- New
December 29, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.6 – from Taiwan govs with low detection
December 19, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas
December 18, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.2 - shellcode and site down

December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.1 - browsing C&Cs
December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0



Analysis by Wh's Behind (http://whsbehind.blogspot.com)

January 14  CVE-2009-4324 Doc.media.newPlayer (Us-J-India_strategic_dialogue.pdf) by Wh's Behind New
December 30, 2009 CVE-2009-4324 Doc.media.newPlayer 0-day vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (new PDF from Taiwan govs) -
December 22, 2009 CVE-2009-4324 Doc.media.newPlayer vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (DEEP INSIGHT)


Analysis of Interview Outline by kaito (http://d.hatena.ne.jp/kaito834)
December 26, 2009 Checking the exploit code contained in a malicious PDF with pdf-parser.py

 Analysis by demantos (http://malwarelab.tistory.com)

December 22, 2009 Adobe 0-Day
December 16, 2009 New Adobe Reader and Acrobat Vulnerability


CVE-2009-4324 Samples from other sources:
Analysis by Bojan Zdrnja - SANS (http://isc.sans.org/diary.html)

January 4, 2009 Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324



Analysis by VRT (http://vrt-sourcefire.blogspot.com)
December 15, 2009 - Adobe Reader media.newPlayer() Analysis (CVE-2009-4324) 


Let me know if I missed any you think need to be added.


Tuesday, December 15, 2009

Nov.30 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#0) This is the very first we received. FW: reference from chrisanderson58@hotmail.com Mon, 30 Nov 2009 06:56:23


This message shows that the Adobe zero-day exploit had been in the wild and actively used by attackers since at least November 30, 2009, not December 11 or 14, 2009. Note that the file name note200911.pdf differs slightly from that of the Dec. 11, 2009 sample, note_20091210.pdf, but the MD5 is the same: 61baabd6fc12e01ff73ceacc07c84f9a


From: Chris Anderson [mailto:chrisanderson58@hotmail.com]
Sent: 2009-11-30 1:56 AM
To: XXX@XXX.XXX
Subject: FW: reference
________________________________________
From: jackr@gilbrooks.edu
To: chrisanderson58@hotmail.com
Subject: reference
Date: Mon, 30 Nov 2009 06:53:52 +0000


Dear All
Please find attached the updated country briefing notes, and staff lists.


Kind regards
Jack



VirusTotal results of Dec. 15, 2009
File note200911.pdf received on 2009.12.15 16:20:58 (UTC)
http://www.virustotal.com/analisis/27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa-1260894058
Result: 13/41 (31.71%)

a-squared 4.5.0.43 2009.12.15 Exploit.JS.Pdfka!IK
AhnLab-V3 5.0.0.2 2009.12.15 PDF/CVE-2009-4324
AntiVir 7.9.1.108 2009.12.15 HTML/Malicious.PDF.Gen
Comodo 3254 2009.12.15 UnclassifiedMalware
eSafe 7.0.17.0 2009.12.15 PDF.Exploit.4
F-Secure 9.0.15370.0 2009.12.15 Exploit:W32/AdobeReader.UZ
Ikarus T3.1.1.74.0 2009.12.15 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2009.12.15 Exploit.JS.Pdfka.atq
McAfee-GW-Edition 6.8.5 2009.12.15 Script.Malicious.PDF.Gen
Microsoft 1.5302 2009.12.15 Exploit:Win32/Pdfjsc.CO
NOD32 4690 2009.12.15 PDF/Exploit.Gen
PCTools 7.0.3.5 2009.12.15 Trojan.Pidief
Symantec 1.4.4.12 2009.12.15 Trojan.Pidief.H

File size: 400918 bytes
MD5...: 61baabd6fc12e01ff73ceacc07c84f9a
SHA1..: 0805d0ae62f5358b9a3f4c1868d552f5c3561b17
SHA256: 27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa
ssdeep: 1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8V


Messagelabs was catching it on November 30, 2009.

The message sender was chrisanderson58@hotmail.com
The message was titled FW: reference
The message date was Mon, 30 Nov 2009 06:56:23 +0000
The message identifier was
The virus or unauthorised code identified in the email is:
Possible MalWare 'JS/PDFEncoded' found in
'5963825_1001X_PA4_APDF__pdf_obj_110_0.js'. Heuristics score: 650



See post with CVE-2009-4324 sample #2
See post with CVE-2009-4324 sample #1

Dec.13 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#2) Interview Request from fureer.angelica@gmail.com Sun, 13 Dec 2009 14:13:46


Download the "Outline of interview" infected PDF (password-protected archive; contact me for the password. If you got the first version of the Adobe zero day of Fri, Dec 11, the password is the same).
Note: A few people reported problems with unzipping the files - use 7Zip http://www.7-zip.org if you do. Please email the name of the file or provide a link when asking for a password.

New Adobe zero day exploit message (#2). See #1 here
From: Fureer Angelica [mailto:fureer.angelica@gmail.com]
Sent: 2009-12-13 12:14 AM
To: XXXXXX
Subject: Interview Request


This is Fureer Angelica, diplomatic broadcaster for CNN in DC.
There's growing concern about the U.S.-North Korea bilateral talks.
So, we're planning an Interview about them.
Attached is the outline of the interview.


p.s. Detailed schedules will be followed soon if you accept the offer.

Messagelabs detects it easily
The message sender was fureer.angelica@gmail.com
The message originating IP was 209.85.222.117
The message recipients were XXX@XXX.XXX
The message was titled Interview Request
The message date was Sun, 13 Dec 2009 14:13:46 +0900
The message identifier was <9c3b16360912122113s2a953d1dqfdb5a6ddb8f35c5a@mail.gmail.com>
The virus or unauthorised code identified in the email is:
Possible MalWare 'JS/PDFEncoded' found in
'5963838_1001X_PA3_APDF__pdf_obj_110_0.js'. Heuristics score: 651