Showing posts with label Vir-Trojan.Pidief.H.

Tuesday, April 20, 2010

Apr 20 CVE-2009-4324 PDF US_Taiwan_policy.pdf


 Download 5f49a04d3738b602685207419bc0789c _US_Taiwan_policy.pdf   as a password protected archive (please contact me if you need the password)

Details 5f49a04d3738b602685207419bc0789c _US_Taiwan_policy.pdf  

 There is no additional information about this message, except that it was sent via Gmail on 20 Apr 2010 around 6 pm PDT.

 http://www.virustotal.com/analisis/2e76eaa6bfb9d2b0fc2a68de0fc24eb901e55d8298fcda4ca1d0ad1b5f6ef3b6-1272509457
 File article_on_US_Taiwan_policy.pdf received on 2010.04.29 02:50:57 (UTC)
Result: 23/41 (56.1%)
a-squared    4.5.0.50    2010.04.29    Exploit.Win32.Pidief!IK
AntiVir    8.2.1.224    2010.04.28    HEUR/HTML.Malware
Antiy-AVL    2.0.3.7    2010.04.28    Exploit/Win32.Pidief
Authentium    5.2.0.5    2010.04.29    PDF/Obfusc.M!Camelot
Avast    4.8.1351.0    2010.04.28    JS:Pdfka-WJ
Avast5    5.0.332.0    2010.04.28    JS:Pdfka-WJ
AVG    9.0.0.787    2010.04.29    Script/Exploit
BitDefender    7.2    2010.04.29    Exploit.PDF-JS.Gen
ClamAV    0.96.0.3-git    2010.04.29    Exploit.PDF-21790
eSafe    7.0.17.0    2010.04.28    Win32.Pidief.H
F-Secure    9.0.15370.0    2010.04.28    Exploit.PDF-JS.Gen
GData    21    2010.04.29    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.80.0    2010.04.29    Exploit.Win32.Pidief
Kaspersky    7.0.0.125    2010.04.29    Exploit.Win32.Pidief.dcc
McAfee    5.400.0.1158    2010.04.29    Exploit-PDF.q.gen!stream
McAfee-GW-Edition    6.8.5    2010.04.28    Heuristic.HTML.Malware
Microsoft    1.5703    2010.04.28    Exploit:Win32/Pdfjsc.FE
nProtect    2010-04-28.02    2010.04.28    Exploit.PDF-JS.Gen
Sophos    4.53.0    2010.04.29    Troj/PDFJs-FM
Sunbelt    6235    2010.04.28    Exploit.PDF-JS.Gen (v)
Symantec    20091.2.0.41    2010.04.29    Trojan.Pidief.H
TrendMicro    9.120.0.1004    2010.04.28    TROJ_PDFJS.BI
TrendMicro-HouseCall    9.120.0.1004    2010.04.29    Expl_ShellCodeSM
Additional information
File size: 82600 bytes
MD5...: 5f49a04d3738b602685207419bc0789c

CVE-2009-4324

Friday, January 15, 2010

Jan 15 Zany.pdf -fc5196ff7d14bda18cd9f89d81f913db

This file, fetched from a URL, was submitted by TarunKumar Singh - thank you, TarunKumar


Download  zany.pdf as FC5196FF7D14BDA18CD9F89D81F913DB-zany.zip (Password protected. Please contact me for the password)

Details: fc5196ff7d14bda18cd9f89d81f913db - zany.pdf


Virustotal
http://www.virustotal.com/analisis/b5b6866775f437d9730e3baf4e6d23d512278a613299b17270cfd7cdc999a68b-1263640687
File zany.pdf99 received on 2010.01.16 11:18:07 (UTC)
F-Secure     9.0.15370.0     2010.01.16     Exploit:W32/Pidief.CKT
Kaspersky     7.0.0.125     2010.01.16     Exploit.Win32.Pidief.cyn
PCTools     7.0.3.5     2010.01.16     Trojan.Pidief
Sophos             4.49.0     2010.01.16     Mal/PDFEx-D
Sunbelt     3.2.1858.2     2010.01.16     Exploit.PDF-JS.Gen (v)
Symantec     20091.2.0.41     2010.01.16     Trojan.Pidief.H
File size: 3701 bytes
MD5   : fc5196ff7d14bda18cd9f89d81f913db


Thursday, January 14, 2010

Technical analysis of CVE-2009-4324 samples by different analysts.

Please see technical analysis of some of the samples kindly offered by different analysts. 

Analysis of Jan 7 US-J-India_strategic_dialogue sample
Us-J-India_strategic_dialogue.pdf --- MD5 12aab3743c6726452eb0a91d8190a473


========================================
All contagio samples

Analysis by extraexploit  (http://extraexploit.blogspot.com)
January 12, 2010  Adobe CVE-2009-4324 – Another one with AsciiHexDecode waiting for the patch day (for Jan 7 US-J-India_strategic_dialogue sample) -- New
December 29, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.6 – from Taiwan govs with low detection
December 19, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas
December 18, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.2 - shellcode and site down

December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0.1 - browsing C&Cs
December 15, 2009 Adobe CVE-2009-4324 in the wild - (0day) - part 0



Analysis by Wh's Behind (http://whsbehind.blogspot.com)

January 14  CVE-2009-4324 Doc.media.newPlayer (Us-J-India_strategic_dialogue.pdf) by Wh's Behind New
December 30, 2009 CVE-2009-4324 Doc.media.newPlayer 0-day vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (new PDF from Taiwan govs) -
December 22, 2009 CVE-2009-4324 Doc.media.newPlayer vulnerability in Adobe Reader/Acrobat v8.0 through 9.2 (DEEP INSIGHT)


Analysis of Interview Outline by kaito (http://d.hatena.ne.jp/kaito834)
December 26, 2009 悪意あるPDF(malicious PDF)に含まれる Exploit コードを pdf-parser.py で確認する (Examining the exploit code contained in a malicious PDF with pdf-parser.py)

 Analysis by demantos (http://malwarelab.tistory.com)

December 22, 2009 Adobe 0-Day
December 16, 2009 New Adobe Reader and Acrobat Vulnerability


CVE-2009-4324 Samples from other sources:
Analysis by Bojan Zdrnja - SANS (http://isc.sans.org/diary.html)

January 4, 2010 Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324



Analysis by VRT (http://vrt-sourcefire.blogspot.com)
December 15, 2009 - Adobe Reader media.newPlayer() Analysis (CVE-2009-4324) 


Let me know if I missed any you think need to be added.









Wednesday, January 13, 2010

Jan 13 CVE-2009-4324 Re: Project from spoofed [Redacted]@state.gov 13 Jan 2010 06:17:21 -0000



Download  116d92f036f68d325068f3c7bbf1d535 - Project.pdf as a password protected archive (please contact me if you need the password)

Update Jan. 22, 2010 - CW Sandbox analysis kindly provided by TarunKumar Singh (below)




-----Original Message-----
From: XXXXX (Real name here) [mailto:XXXXXX@state.gov]
Sent: 2010-01-13 1:17 AM
To: XXXXXX
Subject: Re: Project
Importance: High

Dear

I will bring your email
to his attention at
that time.

With regards,
Lesley Rich

Header:
Received: (qmail 6296 invoked from network); 13 Jan 2010 06:17:21 -0000
Received: from unknown (HELO state.gov) (115.92.107.178)
  by XXXXXXXXXXX
Received: from 简体测试 (unknown [192.168.7.110])
    by 192.168.7.110 (Coremail) with SMTP id _bJCALesoEAeAFMU.1
    for XXXXXXXXXXXXX Wed, 13 Jan 2010 14:17:15 +0800 (CST)
X-Originating-IP: [192.168.7.110]
Date: Wed, 13 Jan 2010 14:17:15 +0800
From: "=?GB2312?B?QnJlbW5lciwgU3VlIEw=?="
Subject: =?GB2312?B?UmU6IFByb2plY3Q=?=
To: XXXXXXXXXXXXXXXXXXX
X-Priority: 1
X-mailer: FastMail 1.5 [cn]
Mime-Version: 1.0
Content-Type: multipart/mixed;
    boundary="------=_Next_Part_0019055250.467"


Hostname: 115.92.107.178
ISP: LG DACOM Corporation
Organization: LG DACOM Corporation
Type: Cable/DSL
Country: Korea, Republic of  
State/Region: 11
City: Seoul
Latitude: 37.5664
Longitude: 126.9997
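The header above carries the usual tells of a forged sender: the host that handed the message to the recipient's MTA announced itself as state.gov in HELO while having no reverse DNS ("unknown"), the hop behind it is an RFC 1918 address on a Coremail relay, the mailer tag is FastMail [cn], and the Date is +0800 for mail supposedly from a state.gov account. The Python below is an added example, not part of the original post, that automates those checks over a constructed copy of the header: the recipient-side MTA is written as redacted.example, the non-ASCII HELO name of the internal hop is replaced by the placeholder testhost, and the From address is assumed to be someone@state.gov (the post only shows the mailto: link and an encoded display name). Whether 115.92.107.178 is allowed to send for state.gov still has to be checked out of band against the domain's SPF record or reverse DNS; the script only extracts what to check and flags the header-level inconsistencies.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed copy of the header quoted in the post. "redacted.example" stands
# in for the recipient's MTA, "testhost" for the internal hop's HELO name, and
# the From address is an assumption (the post shows only a mailto: link).
SAMPLE_HEADERS = """\
Received: (qmail 6296 invoked from network); 13 Jan 2010 06:17:21 -0000
Received: from unknown (HELO state.gov) (115.92.107.178)
  by redacted.example
Received: from testhost (unknown [192.168.7.110])
    by 192.168.7.110 (Coremail) with SMTP id _bJCALesoEAeAFMU.1
    for <victim@redacted.example>; Wed, 13 Jan 2010 14:17:15 +0800 (CST)
X-Originating-IP: [192.168.7.110]
Date: Wed, 13 Jan 2010 14:17:15 +0800
From: "Sender Name" <someone@state.gov>
Subject: Re: Project
To: victim@redacted.example
X-Priority: 1
X-mailer: FastMail 1.5 [cn]
Mime-Version: 1.0

"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
HELO_RE = re.compile(r"\bHELO\s+(\S+)", re.I)


def _is_global(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def parse_received(header_text):
    """Return the Received hops oldest-first. For each hop: the name the client
    announced in HELO, the connecting IP as the relay logged it, and whether
    the relay failed to reverse-resolve it ("unknown")."""
    msg = message_from_string(header_text)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())              # unfold continuation lines
        m = FROM_RE.match(line)
        if not m:                                   # e.g. "(qmail ... invoked from network)"
            continue
        first, paren = m.group(1), m.group(2) or ""
        helo_m = HELO_RE.search(paren)
        # qmail logs "from unknown (HELO name) (ip)"; Postfix/Coremail log
        # "from name (rdns [ip])", so the HELO name sits in a different place.
        helo = helo_m.group(1) if helo_m else first
        segment = line.split(" by ", 1)[0]          # only the client side of the hop
        ip_m = IPV4_RE.search(segment)
        hops.append({
            "helo": helo,
            "ip": ip_m.group(1) if ip_m else None,
            "rdns_unknown": first.lower() == "unknown" or paren.lower().startswith("unknown"),
        })
    hops.reverse()                                  # headers are newest-first
    return hops


def originating_hop(hops):
    """Oldest hop whose client IP is globally routable: where the message
    entered the public Internet, as far as the recipient can see."""
    for hop in hops:
        if hop["ip"] and _is_global(hop["ip"]):
            return hop
    return None


def triage_headers(header_text):
    msg = message_from_string(header_text)
    hops = parse_received(header_text)
    origin = originating_hop(hops)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = []
    if origin:
        helo = origin["helo"].lower().rstrip(".")
        if helo == sender_domain or helo.endswith("." + sender_domain):
            flags.append("helo_claims_sender_domain")   # spoof tell until SPF/rDNS confirms it
        if origin["rdns_unknown"]:
            flags.append("origin_has_no_reverse_dns")
    if any(h["ip"] and not _is_global(h["ip"]) for h in hops):
        flags.append("rfc1918_hop_in_chain")
    date = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    return {
        "sender_domain": sender_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_helo": origin["helo"] if origin else None,
        "date_utc_offset_hours": date.utcoffset().total_seconds() / 3600 if date else None,
        "x_mailer": msg.get("X-mailer"),
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

On the constructed header this reports origin 115.92.107.178 with HELO state.gov, a +8 hour Date offset, and all three flags. The originating hop is found by walking the chain from the oldest Received line upward and stopping at the first public address, which is the only hop the recipient's own MTA actually observed; everything below it (the Coremail relay at 192.168.7.110) was written by the sender's side and can say anything.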

This file was already analyzed
 http://www.virustotal.com/analisis/ac3849e1c3ddf124f17c2ed7e8d3463fda2a37116d711a99b82c743c0c1a32ac-1263106258











http://www.virustotal.com/analisis/ac3849e1c3ddf124f17c2ed7e8d3463fda2a37116d711a99b82c743c0c1a32ac-1263938027
 File Project.pdf received on 2010.01.19 21:53:47 (UTC)
Result: 18/41 (43.90%)
a-squared 4.5.0.50 2010.01.19 Exploit.JS.Pdfka!IK
Authentium 5.2.0.5 2010.01.19 PDF/Expl.FO
BitDefender 7.2 2010.01.19 Exploit.PDF-JS.Gen
CAT-QuickHeal 10.00 2010.01.19 Expoit.PDF.FlateDecode
ClamAV 0.94.1 2010.01.19 Exploit.PDF-9757
Comodo 3640 2010.01.19 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.01.19 Exploit.PDF.687
eSafe 7.0.17.0 2010.01.19 Win32.Pidief.H
F-Secure 9.0.15370.0 2010.01.19 Exploit.PDF-JS.Gen
GData 19 2010.01.19 Exploit.PDF-JS.Gen
Ikarus T3.1.1.80.0 2010.01.19 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.01.19 Exploit.JS.Pdfka.adn
McAfee-GW-Edition 6.8.5 2010.01.19 Heuristic.BehavesLike.PDF.Shellcode.Z
Microsoft 1.5302 2010.01.19 Exploit:JS/Heapspray
nProtect 2009.1.8.0 2010.01.19 Exploit.PDF-JS.Gen.C02
PCTools 7.0.3.5 2010.01.19 Trojan.Pidief
Symantec 20091.2.0.41 2010.01.19 Trojan.Pidief.H
TrendMicro 9.120.0.1004 2010.01.19 TROJ_PDFKA.AK
Additional information
File size: 149706 bytes
MD5   : 116d92f036f68d325068f3c7bbf1d535

 Vicheck.ca has this file under a different name already
https://www.vicheck.ca/md5query.php?hash=116d92f036f68d325068f3c7bbf1d535
kernel32, ExitProcess, Javascript obfuscation using unescape (x2), Javascript possible obfuscation using unescape, PDF Exploit call to media.newPlayer

Wepawet
http://wepawet.iseclab.org/view.php?hash=116d92f036f68d325068f3c7bbf1d535&type=js
File Project.pdf
Analysis Started 2010-01-19 14:15:12
Report Generated 2010-01-19 14:16:24
Jsand 1.03.02 benign
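The vicheck tags above (unescape() obfuscation, a call to media.newPlayer) are exactly what a local static check can look for when a sandbox returns "benign", as Wepawet did for this file. What follows is an added example, not code from the original post nor from vicheck or Wepawet: a small Python scanner that walks the objects of a PDF, undoes the FlateDecode and ASCIIHexDecode filters that the samples on this page used (the Jan 7 sample was AsciiHexDecode-wrapped), and scores the decoded JavaScript against those indicators. The document it scans is constructed inline and inert: it carries only the call pattern and a NOP-shaped unescape() string, no shellcode, and the object layout, indicator names and quarantine rule are the example's own assumptions rather than anything the page's tools define.

```python
import binascii
import re
import zlib

# Indicators taken from what vicheck and Wepawet reported on these samples:
# a JavaScript action, a call to media.newPlayer (CVE-2009-4324) and
# unescape()-built %u strings (heap spray / shellcode staging).
INDICATORS = {
    "javascript_action": re.compile(rb"/(?:JavaScript|JS)\b"),
    "open_action": re.compile(rb"/OpenAction\b"),
    "media_newPlayer": re.compile(rb"media\s*\.\s*newPlayer\s*\("),
    "unescape_call": re.compile(rb"unescape\s*\("),
    "unicode_escapes": re.compile(rb"(?:%u[0-9a-fA-F]{4}){8,}"),
}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")
NAME_RE = re.compile(rb"/(\w+)")


def decode_stream(raw, filters):
    """Apply the /Filter chain in order; stop at the first filter we cannot undo."""
    data = raw
    for f in filters:
        if f == b"FlateDecode":
            d = zlib.decompressobj()            # tolerates truncated streams
            data = d.decompress(data) + d.flush()
        elif f == b"ASCIIHexDecode":
            hexpart = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
            if len(hexpart) % 2:
                hexpart += b"0"                 # spec: an odd final digit is padded with 0
            data = binascii.unhexlify(hexpart)
        else:
            break
    return data


def triage_pdf(pdf_bytes):
    """Map each indicator name to the object numbers whose dictionary or
    decoded stream matched it."""
    hits = {}
    for m in OBJ_RE.finditer(pdf_bytes):
        objnum, body = int(m.group(1)), m.group(3)
        views = [body]
        sm = STREAM_RE.search(body)
        if sm:
            fm = FILTER_RE.search(body[:sm.start()])
            filters = NAME_RE.findall(fm.group(1)) if fm else []
            try:
                views.append(decode_stream(sm.group(1), filters))
            except (zlib.error, binascii.Error):
                pass                            # corrupt stream: scan the raw bytes only
        for name, rx in INDICATORS.items():
            if any(rx.search(v) for v in views):
                hits.setdefault(name, []).append(objnum)
    return hits


def verdict(hits):
    """Quarantine rule (an assumption of this example): a JavaScript action
    together with either the newPlayer call or an unescape()-built %u string."""
    return "javascript_action" in hits and (
        "media_newPlayer" in hits
        or ("unescape_call" in hits and "unicode_escapes" in hits))


def _obj(num, dictionary, stream=None):
    if stream is None:
        return b"%d 0 obj\n%s\nendobj\n" % (num, dictionary)
    return b"%d 0 obj\n%s\nstream\n%s\nendstream\nendobj\n" % (num, dictionary, stream)


def build_sample_pdf(malicious=True):
    """Constructed, inert test document (not one of the page's samples).
    The JavaScript is wrapped ASCIIHex-outside / Flate-inside, like the
    AsciiHexDecode sample cited above; it holds only the call pattern and a
    NOP-sled-shaped unescape() string, no shellcode."""
    if malicious:
        js = (b"var sled = unescape('" + b"%u9090" * 16 + b"');\n"
              b"this.media.newPlayer(null);\n")
    else:
        js = b"app.alert('hello');\n"
    payload = binascii.hexlify(zlib.compress(js)) + b">"
    objs = [
        _obj(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>"),
        _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        _obj(3, b"<< /Type /Page /Parent 2 0 R >>"),
        _obj(4, b"<< /S /JavaScript /JS 5 0 R >>"),
        _obj(5, b"<< /Length %d /Filter [/ASCIIHexDecode /FlateDecode] >>"
                % len(payload), payload),
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for label, doc in (("malicious", build_sample_pdf()), ("benign", build_sample_pdf(False))):
        hits = triage_pdf(doc)
        print(label, "->", "QUARANTINE" if verdict(hits) else "clean", hits)
```

Feed triage_pdf() the bytes of a real sample (inside a VM, never by opening it in Reader) and it reports which object carries the action and which carries the decoded script. It deliberately ignores object streams, cross-reference streams and filters other than Flate and ASCIIHex, so a miss here is not a clean bill of health; that is the point at which a full parser such as pdf-parser.py, cited in the analysis list above, takes over.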


Here is CW Sandbox analysis kindly provided by TarunKumar Singh


Created Files...
  • File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe
  • File Type: file
  • Source File Hash: 88fd19e48625e623a4d6abb5d5b78445
  • Creation/Distribution: CREATE_ALWAYS
  • Desired Access: FILE_ANY_ACCESS
  • Share Access: FILE_SHARE_WRITE
  • Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
  • Stored as: 88fd19e48625e623a4d6abb5d5b78445.exe
  • File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ÄêÙR×´.pdf
  • File Type: file
  • Source File Hash: dc0a02619771b5d2d0887267c67b87a6
  • Creation/Distribution: CREATE_ALWAYS
  • Desired Access: FILE_ANY_ACCESS
  • Share Access: FILE_SHARE_WRITE
  • Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
  • Stored as: dc0a02619771b5d2d0887267c67b87a6.pdf

Store Created Files Section...
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe (36974 Bytes.)
  • Destination: 88fd19e48625e623a4d6abb5d5b78445.exe
  • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ÄêÙR×´.pdf (57536 Bytes.)
  • Destination: dc0a02619771b5d2d0887267c67b87a6.pdf

Registry Section...
  • Created Keys...
    • Key: HKEY_LOCAL_MACHINE\System\WSZXSGANXFJVAYSXYQGNXKQY
  • Open Keys...
    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\8.0\ORO
    • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters






Tuesday, January 5, 2010

Jan 4 CVE-2009-4324 Adobe 0 Day "Global Views Survey Research Center- President Ma satisfaction poll" from liontai@gmail.com Jan 4, 2010 10:04



Download CVE-2009-4324 samples. (Password protected archive. Use the same password you used on the CVE-2009-4324 samples or contact me for the password)


Details: 200912_GVSRC_others.pdf - 5cdd8b5916c9bceab084c4d569633fa (to be added later..)


From: 戴立安(gmail) [mailto:liontai@gmail.com]
Sent: Monday, January 04, 2010 10:04 PM
To: Undisclosed-Recipient:@yahoo.com
Subject: 遠見民調中心最新調查_「美國與兩岸領導人暨主要政黨信任度、馬總統滿意度」民調
Importance: High

遠見民調中心最新調查結果
 

「美國與兩岸領導人暨主要政黨信任度、
馬總統滿意度」民調

 
--------------------------------------------------------
         遠見雜誌民調中心主任  戴立安
                      Director  Li-an Tai
       Global Views Survey Research Center
          www.gvm.com.tw/gvsrc/index.asp
 
           104 台北市松江路93巷1號
           行動:0916-828-482
           電話:02-2517-3688分機638
           專線:02-2517-8537
           傳真:02-2517-6275
           email:liantai@cwgv.com.tw
                        lion.tai@gmail.com
 --------------------------------------------------------
 遠見.天下文化事業群
 遠見雜誌 * 30雜誌 * 天下文化 * 小天下
 哈佛商業評論--全球中文版 * 大小媒體
 --------------------------------------------------------

Translation:
From: Li-an Tai (gmail) [mailto:liontai@gmail.com]
Sent: Monday, January 04, 2010 10:04 PM
To: Undisclosed-Recipient:@yahoo.com
Subject: Latest Global Views Survey Research Center poll: "Trust in the leaders of the United States and both sides of the Strait and in the major political parties; satisfaction with President Ma"
Importance: High

Latest findings of the Global Views Survey Research Center

Poll on "trust in the leaders of the United States and both sides of the Strait and in the major political parties, and satisfaction with President Ma"

--------------------------------------------------------
Director, Global Views Monthly Survey Research Center: Li-an Tai
Global Views Survey Research Center
www.gvm.com.tw/gvsrc/index.asp

No. 1, Lane 93, Songjiang Road, Taipei 104
Mobile: 0916-828-482
Tel: 02-2517-3688 ext. 638
Direct line: 02-2517-8537
Fax: 02-2517-6275
email: liantai@cwgv.com.tw
       lion.tai@gmail.com
--------------------------------------------------------
Global Views / Commonwealth Publishing Group
Global Views Monthly * 30 Magazine * Commonwealth Publishing * 小天下 (children's imprint)
Harvard Business Review, Global Chinese Edition * 大小媒體
--------------------------------------------------------




Saturday, December 26, 2009

Dec.26 CVE-2009-4324 Adobe 0 Day Christmas Greetings from H.H. the Dalai Lama from test01@humanright-watch.org Sat, 26 Dec 2009 20:58:47 +0800


Download CVE-2009-4324 files (Password protected archive. Use the same password you used on the samples above or contact me for the password)

Details: Greetings.pdf -2a7b8180da2906c9889f13fa912df6a0 

From: test01@humanright-watch.org on behalf of Kate Saunders [kates@ictibet.org]
Sent: Sat 12/26/2009 8:02 AM
To:
Subject Christmas Greetings from H.H. the Dalai Lama
Attachment Greetings.pdf (81 KB)

Dear Friend of Tibet. Sincerely thank you for the support of the Free Tibet Campaign. I extend you Christmas blessings on behalf of the Dalai Lama. Attachment is a letter sent to you from H.H. the Dalai Lama.
Tashi Delek!

Kate Saunders.ICT
1852 Jefferson Place NW
Washington, DC 20036
Tel 1-202-580-6716
Cell:1-202-375-4398
emai1:kates@ictibet.org
www.savetibet.org


Sender (see the header at the end of the post): Sat, 26 Dec 2009 20:58:47 +0800 (CST)
Received: from krilwftlv (203186054193.static.ctinets.com [203.186.54.193])


Hostname:203186054193.static.ctinets.com
ISP:City Telecom (H.K.) Ltd.
Organization:FIRST NETWORK COMMUNICATIONS LTD - FAVOR INDUSTRIA
Country:Hong Kong
Central District

Wednesday, December 23, 2009

Dec. 23. CVE-2009-4324 Adobe 0 Day. Attack of the Day VERY Merry Christmas from everyone



Download all files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (Password protected archive. Use the same password you used on the samples above or contact me for the password)

Merry Christmas cards come in bulk. I normally don't bother with greeting-card viruses, but these are 0-day PDFs and I am peeved at Adobe for deciding to hold the fixes so as not to disrupt the update cycle. The cards show a total lack of imagination and aesthetics but impressive antivirus evasion, especially the second card, Merry Christmas.pdf (0ac635c06b571ad340b115f3d744f951), which only three AV engines flag. Both samples are detailed below; you can download them from the link above.

File MerryChristmas.pdf   bc11e11405b7f9ba104451ecd40e3840 
File Merry Christmas.pdf  0ac635c06b571ad340b115f3d744f951 




File MerryChristmas.pdf received on 2009.12.23 06:05:18 (UTC)
 http://www.virustotal.com/analisis/c78f02f1de087a0ce91be1ca68ffb1995f392a063fc8abb7fd700896f050ed68-1261548318
Result: 11/40 (27.5%)
a-squared    4.5.0.43    2009.12.22    Exploit.Win32.ShellCode!IK
AntiVir    7.9.1.122    2009.12.22    HTML/Shellcode.Gen
Antiy-AVL    2.0.3.7    2009.12.23    Exploit/Win32.Pidief
BitDefender    7.2    2009.12.23    Exploit.PDF-JS.Gen
F-Secure    9.0.15370.0    2009.12.23    Exploit.PDF-JS.Gen
GData    19    2009.12.22    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.79.0    2009.12.22    Exploit.Win32.ShellCode
McAfee-GW-Edition    6.8.5    2009.12.23    Script.Shellcode.Gen
Sophos    4.49.0    2009.12.23    Troj/PDFJs-B
TrendMicro    9.120.0.1004    2009.12.23    Expl_ShellCodeSM
VirusBuster    5.0.21.0    2009.12.22    JS.Shellcode.Gen
Additional information
File size: 1226632 bytes
MD5...: bc11e11405b7f9ba104451ecd40e3840
SHA1..: 5867bd88d2cb5f822f493a041a39705432973828


Wepawet
 http://wepawet.cs.ucsb.edu/view.php?hash=bc11e11405b7f9ba104451ecd40e3840&type=js
File MerryChristmas.pdf
MD5 bc11e11405b7f9ba104451ecd40e3840
Analysis Started 2009-12-22 22:24:14
Report Generated 2009-12-22 22:24:20
Jsand 1.03.02 malicious
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324

===========================================

The message sender was takahino_ninomiya@yahoo.co.jp
The message originating IP was 124.83.212.88
The message recipients were XXXXXXXX
The message was titled merry x-mas
The message date was Tue, 22 Dec 2009 16:42:01 +0900 (JST)
The message identifier was <659021.75136.qm@web4308.mail.ogk.yahoo.co.jp>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '8044665_1000X_PA3_APDF__pdf_obj_42_0.js'. Heuristics score: 251

Virustotal
http://www.virustotal.com/analisis/dadcb65ec1057baa543a34bfe92144a30fde84cf85db9199b3873f819df6e79c-1261548993
 File Merry_Christmas.pdf received on 2009.12.23 06:16:33 (UTC)
Result: 3/41 (7.32%)
McAfee-GW-Edition    6.8.5    2009.12.23 Heuristic.BehavesLike.PDF.Suspicious.Z
NOD32    4710    2009.12.22    PDF/Exploit.Gen
Sophos    4.49.0    2009.12.23    Troj/PDFJs-B
Additional information
File size: 873031 bytes
MD5...: 0ac635c06b571ad340b115f3d744f951
SHA1..: d2af65c8f6f5733a574d049fe9e2683c9aab479e

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=0ac635c06b571ad340b115f3d744f951&type=js
File Merry Christmas.pdf
MD5 0ac635c06b571ad340b115f3d744f951
Analysis Started 2009-12-22 22:32:36
Report Generated 2009-12-22 22:32:56
Jsand 1.03.02 malicious
Name Description Reference
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324 



Tuesday, December 22, 2009

Dec. 22. Adobe 0 Day. Attack of the Day. 報告書(排出権取引に関する記述) (Report: notes on emissions trading) from XXXREDACTED@mofa.go.jp Tue, 22 Dec 2009 09:36:20 +0800


Update Dec 22 7:40 am: Several new variants of CVE-2009-4324 have arrived since yesterday in different targeted messages. I do not have time to post them now but hope to do so eventually. The trickle of messages carrying this exploit has turned into a shower and is likely to become a downpour. I hope the AV vendors and Adobe are working hard on detection and fixes, because the current VT results are worrisome.


--------------------------------------

Somehow I doubt that the Ministry of Foreign Affairs of Japan http://www.mofa.go.jp/ joined the zero-day games; however, the headers seem to point to their network or to someone using it. --- Never mind, they don't: "mofa.go.jp 117.11.119.251" is not really mofa.go.jp (updated Dec. 22, 7:30 am).


Update. Dec 22 15:30
The spoofed message is crafted to look like mail from an existing high-ranking official in the Ministry of Foreign Affairs of Japan. The message and the PDF are in Japanese and consist of pieces of documents discussing emissions controls. The documents contain the names of various officials and the full, correct contact details of the alleged sender at MOFA. Since I do not speak Japanese, I had to seek advice from people who can read it and make such decisions. I was told that while the documents are obviously fakes, it would take too much time and effort to make sure they contain no sensitive information, so the message contents should not be released. Given that recommendation I cannot publish them; there will be no samples for this one. (M)


The message sender was XXXREDACTED@mofa.go.jp
The message originating IP was 117.11.119.251
The message recipients were XXX@XXX.XXX
The message was titled 報告書(排出権取引に関する記述) (Report: notes on emissions trading)
The message date was Tue, 22 Dec 2009 09:36:20 +0800
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '7913605_1000X_PA2_APDF__pdf_obj_42_0.js'. Heuristics score: 251


Monday, December 21, 2009

Dec. 21 Adobe 0 Day CVE-2009-4324 PDF Attack of the Day SEF preparatory discussions list 陸委會轉寄 海基會、海協會協商代表團預備性磋商名單 (MAC forwards the list of the SEF and ARATS delegations for the preparatory consultations) from macnews@mac.gov.tw Mon, 21 Dec 2009 20:37:15 +0800


Download the infected pdf 海基會協商代表團預備性磋商名單.pdf (list of the SEF delegation for the preparatory consultations) as SEFdiscussionsm.zip. Password protected; please use the same password as on the other CVE-2009-4324 files or contact me for it.

Yawn.  Here is one more. 



From: macnews [mailto:macnews@mac.gov.tw]
Sent: Monday, December 21, 2009 7:37 AM
To: XXXXXXXXXXXX
Subject: 陸委會轉寄 海基會、海協會協商代表團預備性磋商名單

您好,附件為本次協商海基會、海協會代表團預備性磋商名單,提供給您參考,謝謝。

__________ Information from ESET NOD32 Antivirus, version of virus signature database 4707 (20091221) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com

Translation. The mailing is clearly timed to the news of the day, namely the talks between ARATS (Association for Relations Across the Taiwan Straits) and SEF (Straits Exchange Foundation) in Taichung tomorrow, December 22, 2009.

From: macnews [mailto:macnews@mac.gov.tw]
Sent: Monday, December 21, 2009 7:37 AM
To: XXXXXXXXXXXX
Subject: MAC forwards the list of the SEF and ARATS delegations for the preparatory consultations

Hello, attached is the list of the SEF and ARATS delegations for the preparatory consultations of this round of talks, provided for your reference. Thank you.



Nov 30 -- Dec 21 CVE-2009-4324 Summary of posts with samples




Download all files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (Password protected archive. Use the same password you used on the samples above or contact me for the password)

  1. See post with CVE-2009-4324 Sample#0 (Nov. 30, 2009)  note200911.pdf 61baabd6fc12e01ff73ceacc07c84f9a
  2. See post with CVE-2009-4324 sample #1 (Dec 11, 2009) note_20091210.pdf  61baabd6fc12e01ff73ceacc07c84f9a
  3. See post with CVE-2009-4324 sample #2 (Dec. 13, 2009) Outline of Interview.pdf 35e8eeee2b94cbe87e3d3f843ec857f6
  4. See post with CVE-2009-4324 Sample #3 (Dec 18, 2009) merry christmas.pdf  955bade419a9ba9e5650ccb3dda88844
  5. See post with CVE-2009-4324 Sample #4 (Dec 18, 2009) 「寶貝悶」瘋狂照.pdf --renamed to crazyphoto.zip 8950bbedf4a7f1d518e859f9800f9347  
  6. See post with CVE-2009-4324 Sample #5 (Dec 21, 2009) 海基會協商代表團預備性磋商名單.pdf renamed to SEFdiscussionsm.zip.0ab2fd3b6c385049f9eb4a559dbdc8a6 ---New





Friday, December 18, 2009

Dec 18 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#4) 女兵脫衣比中指 拍照PO上網 (Female soldier strips and gives the finger, photos posted online) from gpwbinfo@mna.gpwb.gov.tw Sat, 19 Dec 2009 10:22:01 +0800

 



This message is targeted but not perfect: not all recipients of that message can read Chinese. I posted the machine translation at the end of the post; the text is about an alleged recent strip-photo scandal involving a female soldier of the ROC (Taiwan) Armed Forces (the text names 國軍 and the Combined Logistics Command, i.e. Taiwan's military rather than the PLA), which fits the purported sender, Taiwan's Military News Agency at mna.gpwb.gov.tw.

This message shows that detection of the new threat remains tricky. Messagelabs apparently used Symantec scanners to stop and tag the threat yet Symantec did not detect it when it was scanned on Virustotal. Not to mention a distressingly low overall detection rate -  7 out of 41.

The message sender was gpwbinfo@mna.gpwb.gov.tw
The message originating IP was 203.252.1.122
The message recipients were XXX@XXX.XXX
The message was titled 女兵脫衣比中指 拍照PO上網
The message date was Sat, 19 Dec 2009 10:22:01 +0800
The message identifier was 1975e5623c$23fce32a$0ae1d8b4@gpwbinfo212af2ce2>
The virus or unauthorised code identified in the email is:
Trojan.Pidief.H -- Symantec definitions :)




From: 軍聞社 (Military News Agency) [mailto:gpwbinfo@mna.gpwb.gov.tw]
Sent: Friday, December 18, 2009 9:22 PM
To: XXXXXXXXX
Subject: 女兵脫衣比中指 拍照PO上網 (Female soldier strips and gives the finger, photos posted online)

        A set of photos circulating online under the name 「寶貝悶」 shows a female soldier of the ROC Armed Forces stripping; the unprecedented boldness caused an immediate sensation. The public at first assumed the photos were fake, but an inquiry found that the woman lifting her clothes was Sergeant Chen Hsueh-wei, currently an administrative NCO in the 1st Company of the Central Transportation Group, Combined Logistics Command. After the photos came to light, Chen admitted to the military that they were "crazy photos" taken with classmates to celebrate the end of their training at the Logistics School in February last year. ...
 (See the full text at the end of the post.)
 .....
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4700 (20091218) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com


Virustotal
http://www.virustotal.com/analisis/55227b229a113d8a93d823466ebdd7a94c77fa37126b330818b41d49bd9a73de-1261202919
File ________________________.pdf received on 2009.12.19 06:08:39 (UTC)
Result: 7/41 (17.08%)
BitDefender    7.2    2009.12.19    Exploit.PDF-JS.Gen
F-Secure    9.0.15370.0    2009.12.19    Exploit.PDF-JS.Gen
GData    19    2009.12.19    Exploit.PDF-JS.Gen
Kaspersky    7.0.0.125    2009.12.19    Exploit.Win32.Pidief.cxi
McAfee-GW-Edition    6.8.5    2009.12.18    Heuristic.BehavesLike.PDF.Suspicious.Z
PCTools    7.0.3.5    2009.12.19    Trojan.Pidief
Symantec    1.4.4.12    2009.12.18 --Ok, Symantec, what happened here?
Sunbelt    3.2.1858.2    2009.12.19    Exploit.PDF-JS.Gen (v)

Additional information
File size: 51822 bytes
MD5...: 8950bbedf4a7f1d518e859f9800f9347
SHA1..: e4d30ecbe13765c4448e0b140db2569c58aa39f8
SHA256: 55227b229a113d8a93d823466ebdd7a94c77fa37126b330818b41d49bd9a73de
ssdeep: 768:bsg8fN3eX7k3GHsF90azVWqaYXCqntyhovHhv/MVsMepOF:bTYN3z3UscazpXM25EZepG


Wepawet Analysis
http://wepawet.cs.ucsb.edu/view.php?hash=8950bbedf4a7f1d518e859f9800f9347&type=js
Analysis report for 「寶貝悶」瘋狂照.pdf
File 「寶貝悶」瘋狂照.pdf
MD5 8950bbedf4a7f1d518e859f9800f9347
Analysis Started 2009-12-18 20:10:54
Report Generated 2009-12-18 20:10:58
Jsand 1.03.02 malicious
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324


Tuesday, December 15, 2009

Dec.13 Adobe 0 day CVE-2009-4324 PDF attack of the Day (#2) Interview Request from fureer.angelica@gmail.com Sun, 13 Dec 2009 14:13:46


Download the "Outline of interview" infected pdf. (Password protected archive. Contact me for the password. If you got the first version of the Adobe zero day of Fri, Dec 11, the password is the same.)
Note: A few people reported problems with unzipping the files - use 7Zip http://www.7-zip.org if you do. Please email the name of the file or provide a link when asking for a password.

New Adobe zero day exploit message (#2)  See #1 here
From: Fureer Angelica [mailto:fureer.angelica@gmail.com]
Sent: 2009-12-13 12:14 AM
To: XXXXXX
Subject: Interview Request


This is Fureer Angelica, diplomaic broadcaster for CNN in DC.
There's growing concern about the U.S.-North Korea bilateral talks.
So, we're planning an Interview about them.
Attached is the outline of the interview.


p.s. Detailed schedules will be followed soon if you accept the offer.

Messagelabs detects it easily
The message sender was fureer.angelica@gmail.com
The message originating IP was 209.85.222.117
The message recipients were XXX@XXX.XXX
The message was titled Interview Request
The message date was Sun, 13 Dec 2009 14:13:46 +0900
The message identifier was <9c3b16360912122113s2a953d1dqfdb5a6ddb8f35c5a@mail.gmail.com>
The virus or unauthorised code identified in the email is:
Possible MalWare 'JS/PDFEncoded' found in
'5963838_1001X_PA3_APDF__pdf_obj_110_0.js'. Heuristics score: 651


Friday, December 11, 2009

Dec.11 Adobe 0 day CVE-2009-4324 Attack of the Day (#1). Fwd: Reference from chrisanderson.ma@gmail.com Fri 2009-12-11 01:08


Download infected pdf. (password protected archive. Please contact me for the password)

The message sender was chrisanderson.ma@gmail.com
The message originating IP was 209.85.223.197
The message recipients were XXX@XXX.XXX
The message was titled Fwd: reference
The message date was Fri, 11 Dec 2009 15:18:05 +0900
The message identifier was <3b0a7fee0912102218y2a5125b6l647440877727e6cc@mail.gmail.com>
The virus or unauthorised code identified in the email is:
Possible MalWare 'JS/PDFEncoded' found in
'5963958_1001X_PA3_APDF__pdf_obj_110_0.js'. Heuristics score: 651




From: Rachel Millstone
Date: Dec 11, 2009 3:12 PM
Subject: reference
To: chrisanderson.ma@gmail.com

Dear All
Please find attached the updated country briefing notes, and staff lists.

Kind regards
Rachel



Virustotal
File note_20091210.pdf received on 2009.12.11 17:35:39 (UTC)
Result: 4/41 (9.76%)

AntiVir 7.9.1.108 2009.12.11 HTML/Malicious.PDF.Gen
eSafe 7.0.17.0 2009.12.10 PDF.Exploit.4
McAfee-GW-Edition 6.8.5 2009.12.11 Script.Malicious.PDF.Gen 
NOD32 4679 2009.12.11 PDF/Exploit.Gen 

Update (December 14, 2009)
Virustotal
received on 2009.12.15 05:16:00 (UTC)
Result: 8/41 (19.52%)
http://www.virustotal.com/analisis/27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa-1260854160
AntiVir 7.9.1.108 2009.12.14 HTML/Malicious.PDF.Gen
Comodo 3248 2009.12.15 UnclassifiedMalware
eSafe 7.0.17.0 2009.12.14 PDF.Exploit.4
Kaspersky 7.0.0.125 2009.12.15 Exploit.JS.Pdfka.atq
McAfee-GW-Edition 6.8.5 2009.12.15 Script.Malicious.PDF.Gen
NOD32 4688 2009.12.15 PDF/Exploit.Gen
PCTools 7.0.3.5 2009.12.15 Trojan.Pidief
Symantec 1.4.4.12 2009.12.15 Trojan.Pidief.H

Adobe 0-day CVE-2009-4324
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html
http://www.symantec.com/connect/blogs/zero-day-xmas-present