Showing posts with label Vir-Troj/PDFJs-B.

Saturday, December 26, 2009

Dec.26 CVE-2009-4324 Adobe 0 Day Christmas Greetings from H.H. the Dalai Lama from test01@humanright-watch.org Sat, 26 Dec 2009 20:58:47 +0800


Download CVE-2009-4324 files (Password protected archive. Use the same password you used on the samples above or contact me for the password)

Details: Greetings.pdf - 2a7b8180da2906c9889f13fa912df6a0

From: test01@humanright-watch.org on behalf of Kate Saunders [kates@ictibet.org]
Sent: Sat 12/26/2009 8:02 AM
To:
Subject: Christmas Greetings from H.H. the Dalai Lama
Attachment: Greetings.pdf (81 KB)

Dear Friend of Tibet. Sincerely thank you for the support of the Free Tibet Campaign. I extend you Christmas blessings on behalf of the Dalai Lama. Attachment is a letter sent to you from H.H. the Dalai Lama.
Tashi Delek!

Kate Saunders.ICT
1852 Jefferson Place NW
Washington, DC 20036
Tel 1-202-580-6716
Cell:1-202-375-4398
emai1:kates@ictibet.org
www.savetibet.org


Sender (see the header at the end of the post): Sat, 26 Dec 2009 20:58:47 +0800 (CST)
Received: from krilwftlv (203186054193.static.ctinets.com [203.186.54.193]


Hostname: 203186054193.static.ctinets.com
ISP: City Telecom (H.K.) Ltd.
Organization: FIRST NETWORK COMMUNICATIONS LTD - FAVOR INDUSTRIA
Country: Hong Kong
Central District

Wednesday, December 23, 2009

Dec. 23. CVE-2009-4324 Adobe 0 Day. Attack of the Day VERY Merry Christmas from everyone



Download all files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (Password protected archive. Use the same password you used on the samples above or contact me for the password)

Merry Christmas cards come in bulk. I normally don't bother with greeting-card viruses, but these are 0-day PDFs and I am peeved at Adobe for deciding to wait with the fixes in order not to disrupt the update cycle. The cards show a total lack of imagination and aesthetics but impressive antivirus-evasion abilities, especially the second card, Merry Christmas.pdf (0ac635c06b571ad340b115f3d744f951), where only three AV providers have a clue. Please see both samples below; you can download them from the link above.

File MerryChristmas.pdf - bc11e11405b7f9ba104451ecd40e3840
File Merry Christmas.pdf - 0ac635c06b571ad340b115f3d744f951




File MerryChristmas.pdf received on 2009.12.23 06:05:18 (UTC)
http://www.virustotal.com/analisis/c78f02f1de087a0ce91be1ca68ffb1995f392a063fc8abb7fd700896f050ed68-1261548318
Result: 11/40 (27.5%)
a-squared    4.5.0.43    2009.12.22    Exploit.Win32.ShellCode!IK
AntiVir    7.9.1.122    2009.12.22    HTML/Shellcode.Gen
Antiy-AVL    2.0.3.7    2009.12.23    Exploit/Win32.Pidief
BitDefender    7.2    2009.12.23    Exploit.PDF-JS.Gen
F-Secure    9.0.15370.0    2009.12.23    Exploit.PDF-JS.Gen
GData    19    2009.12.22    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.79.0    2009.12.22    Exploit.Win32.ShellCode
McAfee-GW-Edition    6.8.5    2009.12.23    Script.Shellcode.Gen
Sophos    4.49.0    2009.12.23    Troj/PDFJs-B
TrendMicro    9.120.0.1004    2009.12.23    Expl_ShellCodeSM
VirusBuster    5.0.21.0    2009.12.22    JS.Shellcode.Gen
Additional information
File size: 1226632 bytes
MD5...: bc11e11405b7f9ba104451ecd40e3840
SHA1..: 5867bd88d2cb5f822f493a041a39705432973828


Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=bc11e11405b7f9ba104451ecd40e3840&type=js
File MerryChristmas.pdf
MD5 bc11e11405b7f9ba104451ecd40e3840
Analysis Started 2009-12-22 22:24:14
Report Generated 2009-12-22 22:24:20
Jsand 1.03.02 malicious
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324

===========================================

The message sender was
    takahino_ninomiya@yahoo.co.jp

The message originating IP was 124.83.212.88
The message recipients were
    XXXXXXXX

The message was titled merry x-mas
The message date was Tue, 22 Dec 2009 16:42:01 +0900 (JST)
The message identifier was <659021.75136.qm@web4308.mail.ogk.yahoo.co.jp>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '8044665_1000X_PA3_APDF__pdf_obj_42_0.js'. Heuristics score: 251

Virustotal
http://www.virustotal.com/analisis/dadcb65ec1057baa543a34bfe92144a30fde84cf85db9199b3873f819df6e79c-1261548993
File Merry_Christmas.pdf received on 2009.12.23 06:16:33 (UTC)
Result: 3/41 (7.32%)
McAfee-GW-Edition    6.8.5    2009.12.23    Heuristic.BehavesLike.PDF.Suspicious.Z
NOD32    4710    2009.12.22    PDF/Exploit.Gen
Sophos    4.49.0    2009.12.23    Troj/PDFJs-B
Additional information
File size: 873031 bytes
MD5...: 0ac635c06b571ad340b115f3d744f951
SHA1..: d2af65c8f6f5733a574d049fe9e2683c9aab479e

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=0ac635c06b571ad340b115f3d744f951&type=js
File Merry Christmas.pdf
MD5 0ac635c06b571ad340b115f3d744f951
Analysis Started 2009-12-22 22:32:36
Report Generated 2009-12-22 22:32:56
Jsand 1.03.02 malicious
Name Description Reference
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324 
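Both Wepawet reports and the mail gateway above flag the script object (pdf_obj_42_0.js) that reaches Doc.media.newPlayer. As an added defender-side example, not code from the blog or from the tools quoted, the Python script below does the same kind of triage offline: it walks a PDF's objects, decodes hex and escaped literal JavaScript strings, inflates FlateDecode streams referenced via /JS n 0 R, and reports the objects whose script references media.newPlayer. The sample PDF is constructed inline; its object numbers and marker text are assumptions, not taken from the posted files.

```python
import re
import zlib

TRIGGER = re.compile(rb"media\s*\.\s*newPlayer", re.IGNORECASE)   # method named in the Wepawet reports
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
JS_RE = re.compile(rb"/(?:JS|JavaScript)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>|(\d+)\s+(\d+)\s+R)", re.DOTALL)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def decode_pdf_string(tok: bytes) -> bytes:
    """Decode a PDF literal (...) or hex <...> string into the bytes the JavaScript engine sees."""
    if tok.startswith(b"<"):                     # hex strings hide keywords from a naive grep of the file
        digits = re.sub(rb"\s", b"", tok[1:-1]).decode()
        return bytes.fromhex(digits + "0" * (len(digits) % 2))
    unescape = lambda m: (bytes([int(m.group(1), 8) & 0xFF]) if m.group(1)[:1] in b"01234567"
                          else ESCAPES.get(m.group(1), m.group(1)))   # \ddd octal, \n-style, \( \) \\
    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, tok[1:-1], flags=re.DOTALL)

def stream_bytes(body: bytes) -> bytes:
    """Stream payload of an object, inflated when it is FlateDecode-filtered."""
    m = re.search(rb"stream\r?\n(.*?)\r?\nendstream", body, re.DOTALL)
    if not m:
        return b""
    try:
        return zlib.decompress(m.group(1)) if b"/FlateDecode" in body[:m.start()] else m.group(1)
    except zlib.error:
        return m.group(1)                        # damaged or obfuscated stream: scan the raw bytes anyway

def scan_pdf(data: bytes) -> list:
    """Ids (object_generation, like the gateway's pdf_obj_42_0.js) of objects whose script calls media.newPlayer."""
    objects = {(int(n), int(g)): body for n, g, body in OBJ_RE.findall(data)}
    hits = []
    for (num, gen), body in objects.items():
        for m in JS_RE.finditer(body):
            ref = m.group(2) and (int(m.group(2)), int(m.group(3)))   # /JS 44 0 R -> script is in object 44's stream
            js = stream_bytes(objects.get(ref, b"")) if ref else decode_pdf_string(m.group(1))
            if TRIGGER.search(js):
                hits.append("%d_%d" % (ref or (num, gen)))
    return sorted(set(hits))

def build_sample() -> bytes:
    """Constructed lure (not one of the posted samples): the trigger sits in a hex string and in a deflated stream."""
    js = b"var p = this.media.newPlayer(/* constructed marker, no payload */);"
    deflated = zlib.compress(js)
    return b"".join([
        b"%PDF-1.4\n10 0 obj << /S /JavaScript /JS (app.alert\\(\\)) >> endobj\n",   # benign, must not be flagged
        b"42 0 obj << /S /JavaScript /JS <" + js.hex().encode() + b"> >> endobj\n",
        b"43 0 obj << /S /JavaScript /JS 44 0 R >> endobj\n",
        b"44 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated) + deflated + b"\nendstream\nendobj\n",
    ])
```

Running scan_pdf(build_sample()) reports objects 42_0 and 44_0 and ignores the benign object 10, while a plain string search for newPlayer over the raw file finds nothing.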



Tuesday, December 22, 2009

Dec. 22. Adobe 0 Day. Attack of the Day. 報告書(排出権取引に関する記述) from XXXREDACTED@mofa.go.jp Tue, 22 Dec 2009 09:36:20 +0800


Update Dec 22 7:40 am: Several new variants of CVE-2009-4324 have arrived since yesterday in different targeted messages. I do not have time to post them now but hope to do so eventually. I think the trickle of messages containing this type of exploit has now turned into a shower and is likely to become a downpour. I hope the AV vendors and Adobe are working hard on their detection and fixes, because the current VT results are a bit worrisome.


--------------------------------------

Somehow I doubt that the Ministry of Foreign Affairs of Japan http://www.mofa.go.jp/ joined the zero-day games; however, the headers seem to point to their network or someone using it. --- Never mind, they don't: "mofa.go.jp 117.11.119.251" is not really mofa.go.jp (updated Dec. 22 7:30 am).


Update Dec 22 15:30
The spoofed message is crafted to look like a message from an existing high-ranking official in the Ministry of Foreign Affairs of Japan. The contents of the message and the PDF are in Japanese and are pieces of documents discussing emissions controls. The documents contain the names of various officials and the full, correct contact information of the alleged sender from MOFA. Since I do not speak Japanese, I had to seek advice from people who can read Japanese and make such decisions. I have been told that, while they are obviously fakes, it would take too much time and effort to make sure the documents contain no sensitive information, and therefore the message contents should not be released. Having received the recommendations above, I cannot publish them, so there will be no samples on this one (M)


The message sender was

XXXREDACTED@mofa.go.jp
The message originating IP was 117.11.119.251
The message recipients were
XXX@XXX.XXX
The message was titled 報告書(排出権取引に関する記述)
The message date was Tue, 22 Dec 2009 09:36:20 +0800
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '7913605_1000X_PA2_APDF__pdf_obj_42_0.js'. Heuristics score: 251