Sunday, April 25, 2010

Mar 7 JAVA Sound Malware by Donato "ratsoul" Ferrante - www.InReverse.net Post #3

Update May 14. The old www.inreverse.net was indefinitely suspended by the provider last month because of the DDoS. The new blog is here: http://blog.inreverse.net/
It is not clear why the guys behind the DDoS got so upset over the old exploits.


The following article was written and published by Donato "ratsoul" Ferrante (www.inreverse.net) on March 7, 2010. His recent java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
www.inreverse.net is currently inaccessible; therefore, we are publishing the InReverse java analysis here (this is Post #3), this time together with the malware samples provided by the InReverse crew. We ask antivirus and security companies to download, analyze, and develop protection (if you have not done so yet). Thank you.

Download the 9 files listed below as a password protected archive (please contact me for the password, if you need it).
All Virustotal scan results are from April 25, 2010. Compare them to the initial scan results of some of the samples (1/42 and 0/42, see post #5).
  1. 8d499308df04932ed1b58a78417d6fb9.jar - JAVA Exploit Kit Malware #1 (Post #1) - Virustotal 26/40
  2. 7e92d280472ca426aff1c20fbeb8d2db.jar - JAVA Mobile Malware #1 (Post #2) - Virustotal 17/41
  3. 38f083169319d0141532db992d295448.jar - JAVA Sound Malware (Post #3) - Virustotal 11/41
  4. 52586e8a85188a0ada59294650c91362.jar - JAVA Sound Malware (Post #3) - Virustotal 19/41
  5. 3af7627af6348a76d1bf3b7bf31514e0.jar - JAVA Malware Family (Post #4) - Virustotal 20/38
  6. a022524cb52223a939ba50043d90ff94.jar - JAVA Malware Family (Post #4) - Virustotal 21/39
  7. d45a156c76f3c34bac0cf22cb586fdd1.jar - JAVA Malware Family (Post #4) - Virustotal 16/40
  8. 2138bfc0c92b726a13ff5095bd2f2b72.jar - JAVA Malware Evading Decompilation (Post #5) - Virustotal 11/39
  9. a0585edf638f5d1c556239d3bfaf08db.jar - JAVA Malware Evading Decompilation (Post #5) - Virustotal 10/40
        -----------------------------------------
Sunday, March 7, 2010
Donato "ratsoul" Ferrante
  
JAVA Sound Malware

Hello guys,

I'm sorry for the few posts in the last weeks, but I was quite busy. Today I am going to analyze another interesting JAVA malware.

Our target is a jar, md5: 38f083169319d0141532db992d295448. The jar contains one class: AppletX.  After using a java decompiler on our target, we will get the AppletX class code.

I will report only the relevant parts. Let's go..
Firstly, the malware tries to discover the operating system in use by using System.getProperty("os.name"), then it fills str1 according to the O.S. in use.

At this point the malware proceeds by exploiting a vulnerability located in the getSoundBank method [CVE-2009-3867] to execute malicious code on the victim system. It retrieves the parameters sc and np (meaningful names) and then uses the following spray method in order to place the shellcode:

As we can see, this function simply converts the parameters into hex and then it calls the real spray method:

Jan 17, 2010 JAVA Mobile Malware #1 by Donato "ratsoul" Ferrante www.InReverse.net Post #2

The following article was written and published by Donato "ratsoul" Ferrante (www.inreverse.net) on January 17, 2010. His recent java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
www.inreverse.net is currently inaccessible; therefore, we are publishing the InReverse java analysis here (this is Post #2), this time together with the malware samples provided by the InReverse crew. We ask antivirus and security companies to download, analyze, and develop protection (if you have not done so yet). Thank you.

-----------------------------------------
Sunday, January 17, 2010
Donato "ratsoul" Ferrante

JAVA Mobile Malware #1
Hi guys,

Today I will focus on a JAVA mobile malware (md5: 7e92d280472ca426aff1c20fbeb8d2db).

It is spread as a jar containing a class with an attractive name. The jar contains three files:

    * a java class (the malware engine);
    * an icon image (it is used in order to be attractive..);
    * an inf file (it is used to extract sms information).

The following is the class code after decompiling with jd. I report only the relevant parts:

LoadData:

This method is used to read the inf file in order to fill the smsnumber and smstext fields. It uses the first byte of the inf file to know how many SMS messages should be sent.

InputStreamString:

This method is used to read user-defined strings from the inf file.

Jan 5 JAVA Exploit Kit Malware #1 by Donato "ratsoul" Ferrante - www.InReverse.net Post #1

The following article was written and published by Donato "ratsoul" Ferrante (http://www.inreverse.net/) on January 5, 2010. His recent java analysis publications attracted the attention of the exploit kit owners, who launched a heavy DDoS attack on April 16, 2010. The DDoS is still in progress today, April 25, 2010. They sent their demands: remove the analysis articles because they hurt their 'business'.
http://www.inreverse.net/ is currently inaccessible; therefore, we are publishing all InReverse java articles here (this is Post #1), this time together with the malware samples provided by the InReverse crew.


 
        --------------------------------------------------
Tuesday, January 5, 2010
Donato "ratsoul" Ferrante

JAVA Exploit Kit Malware #1

This is my first blog post of the new year. New year new target!
I am going to analyze a JAVA exploit kit malware, the md5 is: 8d499308df04932ed1b58a78417d6fb9.

Since our target is a jar containing three class files, we try to get more information about it by using a java decompiler (e.g. jd).

After decompilation, we have a java package that contains three classes:

  • C1. AppletX.java
  • C2. LoaderX.java
  • C3. PayloadX.java

C1. AppletX.java

Here we have an Applet subclass that mainly does three things:

  1. It deserializes a serialized object;

  2. It grabs a couple of pieces of information via applet parameters: data and cc;

  3. It plays with a custom class loader named: LoaderX.

The most interesting part is the serialized object obviously.
Do you have any idea about the usage of the serialized object in the above code?

Well, I will lead you to the right answer. Please just focus on the above AppletX code. If you pay attention to it, you can see the initialization of localObject; it is located just above the if test. But we can't see any sort of explicit initialization for LoaderX.instance. In fact, the initialization lies in the deserialization routine... nice, eh?

Here is a visual recap:

Let's examine the custom class loader now.
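As an added example (not part of ratsoul's articles or of this post), the following Python script performs a static triage of a jar for the traits described in the JAVA Sound and JAVA Exploit Kit write-ups above: it walks each class file's constant pool looking for strings such as getSoundBank and os.name, and flags any resource that starts with the Java serialization stream header, the way AppletX's embedded serialized object would. The sample jar it builds is constructed here for demonstration; the indicator list and the helper names are assumptions, not the samples' own code.

```python
import io
import struct
import zipfile

# Indicators taken from the InReverse write-ups reproduced on this page.
# Assumption: the samples keep these names literally in the class constant
# pool (as the decompiled code shows); obfuscated variants may not.
SUSPICIOUS_STRINGS = {
    "getSoundBank": "MidiSystem.getSoundBank, CVE-2009-3867 (JAVA Sound post)",
    "os.name": "OS fingerprinting via System.getProperty(\"os.name\")",
    "readObject": "deserialization of an embedded object (AppletX post)",
    "defineClass": "custom class loader defining classes at runtime (LoaderX)",
}
SERIALIZED_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream header

# Byte size of every fixed-width constant pool entry, keyed by tag.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes):
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", class_bytes[8:10])
    pos, index, strings = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            strings.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED_SIZE:
            pos += _FIXED_SIZE[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        index += 2 if tag in (5, 6) else 1  # Long/Double occupy two slots
    return strings


def triage_jar(jar_bytes):
    """Scan a jar image and return (member, indicator, description) hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            data = jar.read(name)
            if name.endswith(".class"):
                for const in utf8_constants(data):
                    for needle, why in SUSPICIOUS_STRINGS.items():
                        if needle in const:
                            findings.append((name, needle, why))
            elif data.startswith(SERIALIZED_MAGIC):
                findings.append((name, "serialized-object",
                                 "Java serialization stream stored as a resource"))
    return findings


def make_class_file(strings):
    """Constructed test input: magic, version and a constant pool that holds
    only the given Utf8 strings plus one Long (to exercise the two-slot rule).
    It is not loadable by a JVM; it only feeds the parser above."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()
                    for s in strings)
    pool += b"\x05" + b"\x00" * 8
    count = len(strings) + 2 + 1
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x31" + struct.pack(">H", count) + pool


def build_sample_jar():
    """Constructed sample jar mirroring the traits described on the page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("AppletX.class", make_class_file(
            ["AppletX", "getSoundBank", "os.name", "sc", "np"]))
        jar.writestr("data.ser", SERIALIZED_MAGIC + b"\x73\x72")
        jar.writestr("icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, indicator, why in triage_jar(build_sample_jar()):
        print("%-15s %-18s %s" % (member, indicator, why))
```

Run against a real jar by passing open(path, "rb").read() to triage_jar(); a hit on getSoundBank together with an embedded serialization stream is the combination these posts describe.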


Friday, April 23, 2010

Apr 23 Link HTA w Trojan:Win32/Tapaoux.A download

Malicious HTA file at hxxp://report-inshop.com/policies/A Step in the Right Direction.hta downloads additional malware, wincfg.exe (Trojan:Win32/Tapaoux.A).

Download   



From: Richard Wilson [mailto:richard.wilson34@hotmail.com]
Sent: Friday, April 23, 2010 7:52 AM
To: XXXXXXXXXX
Subject: Obama's New Nuclear Policies: A Step in the Right Direction


Obama's New Nuclear Policies: A Step in the Right Direction

Arms Control, Nuclear Weapons, Nonproliferation, Defense
Michael E. O'Hanlon, Director of Research and Senior Fellow, Foreign Policy

The Brookings Institution

    Documents View   (Acrobat Version 9.0 or less)


Tuesday, April 20, 2010

Apr 20 CVE-2009-4324 PDF US_Taiwan_policy.pdf


Download 5f49a04d3738b602685207419bc0789c US_Taiwan_policy.pdf as a password protected archive (please contact me if you need the password)

Details 5f49a04d3738b602685207419bc0789c US_Taiwan_policy.pdf

There is no additional information about this message, except that it was sent via Gmail on 20 Apr 2010 around 6 pm PDT.

 http://www.virustotal.com/analisis/2e76eaa6bfb9d2b0fc2a68de0fc24eb901e55d8298fcda4ca1d0ad1b5f6ef3b6-1272509457
 File article_on_US_Taiwan_policy.pdf received on 2010.04.29 02:50:57 (UTC)
Result: 23/41 (56.1%)
a-squared    4.5.0.50    2010.04.29    Exploit.Win32.Pidief!IK
AntiVir    8.2.1.224    2010.04.28    HEUR/HTML.Malware
Antiy-AVL    2.0.3.7    2010.04.28    Exploit/Win32.Pidief
Authentium    5.2.0.5    2010.04.29    PDF/Obfusc.M!Camelot
Avast    4.8.1351.0    2010.04.28    JS:Pdfka-WJ
Avast5    5.0.332.0    2010.04.28    JS:Pdfka-WJ
AVG    9.0.0.787    2010.04.29    Script/Exploit
BitDefender    7.2    2010.04.29    Exploit.PDF-JS.Gen
ClamAV    0.96.0.3-git    2010.04.29    Exploit.PDF-21790
eSafe    7.0.17.0    2010.04.28    Win32.Pidief.H
F-Secure    9.0.15370.0    2010.04.28    Exploit.PDF-JS.Gen
GData    21    2010.04.29    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.80.0    2010.04.29    Exploit.Win32.Pidief
Kaspersky    7.0.0.125    2010.04.29    Exploit.Win32.Pidief.dcc
McAfee    5.400.0.1158    2010.04.29    Exploit-PDF.q.gen!stream
McAfee-GW-Edition    6.8.5    2010.04.28    Heuristic.HTML.Malware
Microsoft    1.5703    2010.04.28    Exploit:Win32/Pdfjsc.FE
nProtect    2010-04-28.02    2010.04.28    Exploit.PDF-JS.Gen
Sophos    4.53.0    2010.04.29    Troj/PDFJs-FM
Sunbelt    6235    2010.04.28    Exploit.PDF-JS.Gen (v)
Symantec    20091.2.0.41    2010.04.29    Trojan.Pidief.H
TrendMicro    9.120.0.1004    2010.04.28    TROJ_PDFJS.BI
TrendMicro-HouseCall    9.120.0.1004    2010.04.29    Expl_ShellCodeSM
Additional information
File size: 82600 bytes
MD5...: 5f49a04d3738b602685207419bc0789c

CVE-2009-4324

Sunday, April 18, 2010

Apr 18 CVE-2010-0188 PDF China Bank Notification from bank.csc@inibr.chinatrust.com.tw

Download  10e15dd9b11528762c182b04f80e0a03 ATT13624.pdf as a password protected archive (please contact me for the password if you need it)

Details  10e15dd9b11528762c182b04f80e0a03 ATT13624.pdf


From:   [mailto:bank.csc@inibr.chinatrust.com.tw]
Sent: Sunday, April 18, 2010 10:32 PM
To: xxxxxxxxxxxxx
Subject: China Trust reminder notice

If you wish to change your e-mail address, you may do so at any time through Internet banking → Change e-mail address.
This reminder is provided by China Trust Personal Internet Banking. If you have any questions about the above notice,
please contact us by e-mail or call 02-27458080. Thank you!
From: [mailto: bank.csc @ inibr.chinatrust.com.tw]
Sent: Sunday, April 18, 2010 10:32 PM
To: xxxxxxxxxxxxx
Subject: China Trust to remind the notification letter
If you want to change e-mail, please feel free to use the Internet to the bank to change → change the e-mail. This reminder personal network by China Trust Bank, if you notice any of the above problems Please feel free to contact me or call 02-27458080 ask, thank you!

Virustotal
http://www.virustotal.com/analisis/1471f2c34d40083b574c0fa0930cba9311aa532bf7207c009b0361b7b6db8bb7-1271652690
File ATT13624.pdf received on 2010.04.19 04:24:37 (UTC)
Result: 3/40 (7.5%)
Avast    4.8.1351.0    2010.04.18    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.04.18    PDF:CVE-2010-0188
GData    19    2010.04.19    PDF:CVE-2010-0188  
File size: 132797 bytes
MD5...: 10e15dd9b11528762c182b04f80e0a03



Headers
Received: from mailsnd2.chollian.net (HELO mailsnd2.chol.com) (203.252.1.123)
  by XXXXXXXX with SMTP; 19 Apr 2010 02:44:12 -0000
Received: (qmail 31748 invoked from network); Mon, 19 Apr 2010 11:44:11 +0900 (KST)
Received: from [202.65.223.202] (202.65.223.202)
  by mailsnd2.chol.com with ESMTP;
 Mon, 19 Apr 2010 11:44:11 +0900 (KST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@bank.csc212af2ce2>
From: "?????H?U???~????"
To: XXXXXXXXXXX
Subject: =?big5?B?pKSw6qtIsFW0o7/0s3Gqvqjn?=
Date: Mon, 19 Apr 2010 10:31:38 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01CADFAB.7FFA1D20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579


   Hostname:    static-ip-202-223-65-202.rev.dyxnet.com
      ISP:    Genesis Net Limited
      Organization:    Tsuen Wan
        Country:    Hong Kong
      City:    Central District

It is blacklisted in three lists.

 CVE-2010-0188






Saturday, April 17, 2010

Apr 18 Malware Links Win32.Mepaow - RAT (Apocalypse RAT?)

hxxp://traffresearch.cn/upld/avira.exe 

Download avira.exe db553c422891aa2a3c75e0430b284719



Details avira.exe db553c422891aa2a3c75e0430b284719

http://www.virustotal.com/analisis/e451f56564ed6e0b4d82b85a450e243151f02145372bc788ba171ee42ed969d2-1271805605
File avira.exe received on 2010.04.19 01:13:41 (UTC)
Result: 14/40 (35%)
a-squared    4.5.0.50    2010.04.19    Trojan.Win32.Mepaow!IK
AntiVir    7.10.6.116    2010.04.18    TR/Mepaow.lfp
AVG    9.0.0.787    2010.04.18    Generic17.BBZB
BitDefender    7.2    2010.04.19    Trojan.Generic.KD.7531
Comodo    4641    2010.04.19    TrojWare.Win32.Mepaow.~Z
F-Secure    9.0.15370.0    2010.04.19    Trojan.Generic.KD.7531
GData    19    2010.04.19    Trojan.Generic.KD.7531
Ikarus    T3.1.1.80.0    2010.04.19    Trojan.Win32.Mepaow
Kaspersky    7.0.0.125    2010.04.19    Trojan.Win32.Mepaow.lfp
McAfee-GW-Edition    6.8.5    2010.04.18    Heuristic.BehavesLike.Win32.Trojan.L
Norman    6.04.11    2010.04.16    W32/Backdoor!gens.19256608
Panda    10.0.2.7    2010.04.18    Trj/CI.A
Prevx    3.0    2010.04.19    High Risk Cloaked Malware
Sunbelt    6193    2010.04.19    Trojan.Win32.Generic!BT
File size: 6656 bytes
MD5...: db553c422891aa2a3c75e0430b284719

Anubis Report
http://anubis.iseclab.org/?action=result&task_id=12aaece9c1f5eda341536775ed28bd2d3&format=html


It appears to be (similar to) Apocalypse RAT
 http://www.virustotal.com/analisis/7a1399859ee132a11114eb7fe4af48efa41550bfbb88f5180dce94d8dc0de3eb-1270630158


Thursday, April 15, 2010

Apr 15 CVE-2010-0188 PDF Obama-Taiwan relations from chuc.ling@yahoo.com

Download   5B7541F3648CC440405179CB5C194644 ATT95097.pdf as a password protected archive (please contact me for the password if you need it)


Details 5B7541F3648CC440405179CB5C194644 ATT95097.pdf 


From: chuc.ling@yahoo.com [mailto:chuc.ling@yahoo.com]
Sent: Thursday, April 15, 2010 3:18 AM
To: XXXXXXXXXXXXXXXXX
Subject: Fw: Call for papers: the Obama administration and US-China-Taiwan relations

Institute of European and American Studies, Academia Sinica

Contact: Liu Mei-ling
Tel: (02)-37807262
Email: chucling@gate.sinica.edu.tw
      chuc.ling@yahoo.com
Website: http://www.ea.sinica.edu.tw


Terrible machine translation:
From: chuc.ling @ yahoo.com [mailto: chuc.ling @ yahoo.com]
Sent: Thursday, April 15, 2010 3:18 AM
To: XXXXXXXXXXXXXXXXX
Subject: Fw: Obama-Taiwan relations between the Government and the United States Call Notice

European and American Studies Academia Sinica

Contact: Liu Meiling
Tel: (02) -37807262
Email: chucling@gate.sinica.edu.tw
      chuc.ling @ yahoo.com
Page: http://www.ea.sinica.edu.tw


 Headers
Received: from nklvcfmk (61-221-172-73.HINET-IP.hinet.net [61.221.172.73])
    by msr14.hinet.net (8.9.3/8.9.3) with ESMTP id PAA26936
    for ; Thu, 15 Apr 2010 15:18:21 +0800 (CST)
Message-ID: <000568072135$21217268$48083130@nklvcfmk>
From: "chuc.ling@yahoo.com"
To: XXXXX
Subject: =?gb2312?B?Rnc6mlewzfFS1f64rsVjw8DW0Myo6lCCU+HnuOW5q7jm?=
Date: Thu, 15 Apr 2010 15:18:21 +0800

       Hostname:    61-221-172-73.hinet-ip.hinet.net
      ISP:    CHTD, Chunghwa Telecom Co., Ltd.
      Organization:    CHTD, Chunghwa Telecom Co., Ltd.
      Country:    Taiwan
      City:    Taipei


Apr 16 CVE-2010-0188 PDF China-Taiwan relations from m.akiyama@hotmail.co.jp

Download  75d92097d4ae109aa5d199aa97e08569 ATT70608.pdf  as a password protected archive (please contact me for the password if you need it)

Details 75d92097d4ae109aa5d199aa97e08569 ATT70608.pdf



From: Akiyama Masahiro [mailto:m.akiyama@hotmail.co.jp]
Sent: Thursday, April 15, 2010 11:23 PM
To: XXXXXXXXX
Subject: Overview of US-China-Taiwan relations


From: Akiyama Masahiro [mailto: m.akiyama @ hotmail.co.jp]
Sent: Thursday, April 15, 2010 11:23 PM
To: XXXXX
Subject:  China-Taiwan relations





Virustotal

http://www.virustotal.com/analisis/4c63aaf19effe49b2d38597150b61c42fbc9c0be883584744dae63295ec1211d-1271648028

 File ATT70608.pdf received on 2010.04.19 03:33:48 (UTC)
Result: 1/40 (2.5%)
Sophos    4.52.0    2010.04.19    Troj/PDFJs-JI  -  Looks like Sophos is doing something right (M)
Additional information
File size: 926302 bytes
MD5...: 75d92097d4ae109aa5d199aa97e08569


Saturday, April 10, 2010

Apr 10 CVE-2010-0188 PDF Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit

Download  Research Paper on Nuclear Posture Review 2010.PDF 8ae20aabfb207f5bb4e3918b043d37fa as a password protected archive (please contact me if you need the password)

Details Research Paper on Nuclear Posture Review 2010.PDF 8ae20aabfb207f5bb4e3918b043d37fa

Ok, let's see - the Nuclear Summit starts in DC on Monday



From: [Redacted]@yahoo.com;
Date: Sat, Apr 10, 2010 at 10:02 AM
Subject: [Redacted] Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit
To: [Redacted]

Dear Sir/Madam,

The 2010 Nuclear Posture Review (NPR) outlines the Administration’s approach to promoting the President’s agenda for reducing nuclear dangers and pursuing the goal of a world without nuclear weapons, while simultaneously advancing broader U.S. security interests.

According to the White House, the end goal of the upcoming Nuclear Security Summit 2010 will be “a communiqué pledging efforts to attain the highest levels of nuclear security, which is essential for international security as well as the development and expansion of peaceful nuclear energy worldwide.”

Accompanying this letter is the [Redacted]Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit. Please let us know whether you find it useful, and whether there is additional information you would like to see included in future editions. We very much value your support and assistance.


[Redacted address and signature]

Header info
Sender  174.139.92.6

Wednesday, April 7, 2010

Apr 7 CVE-2009-4324 PDF Fwd: Matrix Report --- Earthquake from spoofed UlmanW@state.gov to fake ZaringNS@nasa.gov

 Download infected 82a7c8fdacca91b1bd0fdc2407674f50 matrix_report.pdf as a password protected archive (please contact me if you need the password)

Details 82a7c8fdacca91b1bd0fdc2407674f50 matrix_report.pdf

 From: Ulman, Wayne (FSI) [mailto:UlmanW@state.gov]
Sent: Wednesday, April 07, 2010 2:08 PM
To: ZaringNS@nasa.gov
Subject: Fwd: Matrix Report --- Earthquake

It's incredible!

------Original Message------
From: "Amanda DJ"
Sent: Wednesday, Apr 7, 2010 10:22 AM
To: Ulman, Wayne (FSI); "Wilson Curran"
Subject: Matrix Report --- Earthquake


2012 is coming!
It's ture!

PlS see Attachment: Matrix_Report.pdf
Sichuan Wenchuan Earthquake  5.12    (May. 12th)
Haiti Earthquake  1.12   (Jan. 12th)
Chile  Earthquake   2.27   (Feb. 27th)

Matrix:Horizontal = Vertical

5 1 2
1 1 2
2 2 7

Monday, April 5, 2010

Apr 5 CVE-2010-0188 PDF Take Note from yumiko_iuchi@cas.go.jp

 Download  5766BA4473462485E15C4EFDB243CB68 100405.pdf as a password protected archive (please contact me if you need the password)

Details 5766BA4473462485E15C4EFDB243CB68 100405.pdf


-----Original Message-----
From: yumiko.iuchi [mailto:yumiko_iuchi@cas.go.jp]
Sent: Monday, April 05, 2010 5:24 PM
To: xxxxxxxxxx
Subject: Arctic Ocean manuscript
Importance: High


(See attached file: 100405.pdf)

...

   TEL: 03-5575-1530
   FAX: 03-5575-0090
   E-mail: yumiko_iuchi@cas.go.jp




http://www.virustotal.com/analisis/9819bcd9564907b221457cc62de5bc96d729d7a44c63d14a4c1684f269bc8e99-1270518644
 File 100405.pdf received on 2010.04.06 01:50:44 (UTC)
Result: 7/39 (17.95%)
Avast     4.8.1351.0     2010.04.05     PDF:CVE-2010-0188
Avast5     5.0.332.0     2010.04.05     PDF:CVE-2010-0188
BitDefender     7.2     2010.04.06     Exploit.PDF-Name.Gen
F-Secure     9.0.15370.0     2010.04.05     Exploit.PDF-Name.Gen
GData     19     2010.04.06     Exploit.PDF-Name.Gen
nProtect     2009.1.8.0     2010.04.05     Exploit.PDF-Name.Gen
Sophos     4.52.0     2010.04.06     Mal/PDFEx-D
Additional information
File size: 10665 bytes
MD5   : 5766ba4473462485e15c4efdb243cb68

Headers info
Received: from unknown (HELO cas.go.jp) (117.11.158.98)
  by XXXXXXXXXXX with SMTP; 5 Apr 2010 21:23:30 -0000
Received: from SSSSSS-2F0F04F3[192.168.1.211] by cas.go.jp
  with SMTP id 7EB85853; Tue, 6 Apr 2010 05:23:28 +0800
From: "yumiko.iuchi"
Subject: =?ISO-2022-JP?B?GyRCS0w2SzMkJE44NjlGGyhC?=
      Hostname:    117.11.158.98
      ISP:    China Unicom Tianjin province network
      Organization:    China Unicom Tianjin province network
      Country:    China
      State/Region:    Tianjin
      City:    Tianjin
Robtex.com It is blacklisted in two lists. 4837



Apr 5 CVE-2010-0188 PDF with Bifrose- nov varianty evro SPO SHA from lukin@mail.ru

Download nov varianty evro SPO SHA  176fa5b6dbc10b78a6f21c18f2e4d211 as a password protected archive (please contact me if you need the password)

Details nov varianty evro SPO SHA  176fa5b6dbc10b78a6f21c18f2e4d211


-----Original Message-----
From: Lukin Aleksandr [mailto:lukin@mail.ru]
Sent: Monday, April 05, 2010 4:59 AM
To: XXXXXXXXXX
 Subject: nov varianty evro SPO SHA


 





Virustotal
http://www.virustotal.com/analisis/12112cd97c7fb05f8b4719ce70f49e9ebab815cc11fab4263255c93e3455a659-1270562041
 File nov_varianty_evro_SPO_SHA.pdf received on 2010.04.06 13:54:01 (UTC)
Result: 2/39 (5.13%)
Sophos    4.52.0    2010.04.06    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.04.06    Trojan.Pidief.I
File size: 220944 bytes
MD5...: 176fa5b6dbc10b78a6f21c18f2e4d211


Friday, April 2, 2010

Challenging conventional wisdom on AV signatures by Thomas Dullien from blog.zynamics.com

Here is a great post by Thomas Dullien from Zynamics.com blog

Challenging conventional wisdom on AV signatures (Part 1 of 2)

Apr 2 CVE-2009-0927 CVE-2007-5659 PDF IPR in China FINAL from global.faruk@gmail.com


Download c497c02464ae74bbc94120d1cbe88d49 IPR in China FINAL.pdf as a password protected archive (contact me if you need the password)

Details c497c02464ae74bbc94120d1cbe88d49 IPR in China FINAL.pdf



From: Faruk DEMİR [mailto:global.faruk@gmail.com]
Sent: Friday, April 02, 2010 4:36 AM
To: XXXXXXXXXXXXXX
Subject: IPR in China FINAL










Virustotal
http://www.virustotal.com/analisis/816ff03f39d9d210ee3a49a61f208a4b0a8979c3d08fa9b8a17e01a98b5d123c-1270206094
File IPR_in_China_FINAL.pdf received on 2010.04.02 11:01:34 (UTC)
Result: 10/42 (23.81%)
a-squared     4.5.0.50     2010.04.02     Exploit.Win32.Pidief!IK
Authentium     5.2.0.5     2010.04.02     PDF/Obfusc.M!Camelot
Avast     4.8.1351.0     2010.04.02     JS:ShellCode-EQ
Avast5     5.0.332.0     2010.04.02     JS:ShellCode-EQ
AVG     9.0.0.787     2010.04.02     Exploit.PDF
GData     19     2010.04.02     JS:ShellCode-EQ
Ikarus     T3.1.1.80.0     2010.04.02     Exploit.Win32.Pidief
Microsoft     1.5605     2010.04.02     Exploit:JS/Mult.CM
Symantec     20091.2.0.41     2010.04.02     Bloodhound.PDF!gen
TrendMicro     9.120.0.1004     2010.04.02     Expl_ShellCodeSM
File size: 54720 bytes
MD5   : c497c02464ae74bbc94120d1cbe88d49

Vicheck
https://www.vicheck.ca/md5query.php?hash=c497c02464ae74bbc94120d1cbe88d49
PDF Exploit call to Collab.collectEmailInfo CVE-2007-5659
PDF Exploit call to Collab.getIcon CVE-2009-0927

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=c497c02464ae74bbc94120d1cbe88d49&type=js
suspicious
