Friday, May 14, 2010

Phoenix 2.0 Exploit kit

I normally do not post exploit packs, even partial ones, but I am posting this one because it appears to be the source of the Java files analyzed by InReverse. Read this for more details and the Java analysis.
The other possibility is the Crimepack. Let me know if there are others, I may post them too.


 Download  Phoenix2.zip as a password protected archive (contact me if you need the password)

   

List of included files


AdgredY.java    11895    416ff21ed3ddb4ce5665a4917964c5ce
all.js    5167    9432b83d52fc325f5bda83d58598e825  -- All listed except newplayer cve-2009-4324
deie.html    15097    a88f45102b57595d6c7b1cf2c2b4b241
flash.as    2746    718803346bbbed11e934c63af99c4a9f
ie.html    14939    1c8bd04644942a0f1832844ee4b44e63
newplayer.js    2595    a2344d3a54f26ae863011323a0973ac8  -- newplayer cve-2009-4324


Filename            MD5                               File Size  CVE             Extension
flash.swf           C643C2B8E901E52C14A8D6CE8096E327  1,645                      swf
all.pdf             66BDB0DC68294890E359E91F1EF18D9E  2,677                      pdf
allv7.pdf           B948321DE93582951598F3BDDDCC5735  2,465                      pdf
collab.pdf          EF68F7B0018EDA2C149EF92EAAA666E2  2,012      CVE-2007-5659   pdf
geticon.pdf         1ED11F0EEE47135067F36E73FD5E889E  2,003      CVE-2009-0927   pdf
libtiff.pdf         E1E581CC0D817A808DC33CEB230F91B4  3,514      CVE-2010-0188   pdf
newplayer.pdf       37F28E5BE542AD2E32DA19EE5C44967C  1,975      CVE-2009-4324   pdf
printf.pdf          AF680ECCA07B3294553F672F78554588  1,907      CVE-2008-2992   pdf
index.js            B07E39D831F8EA3F8BCD84DCC9A60FFF  14,272                     js
des.jar             98F5ACDB21E8B8116FE5C7B4BA17D0E9  8,539                      jar
ie.html             30C1A7B87C419A1427932773642FEEE7  14,929     CVE-2009-3867   html
index.html          9939596B9BA5ECD4EE5FD648171EF01C  14,462                     html
vistaie7.html       E8888E4EDA75F6CE016A5FBA9BE02FA3  14,415                     html
vistan7ie8.html     6D11908E6CCC01B14ED0097561853F86  8,747                      html
vistan7other.html   3E4B94ED2A6ED5F7FF42165BB165A46B  13,734                     html
xpie7.html          EDE58120D8C76212E458898B348D2B80  14,420                     html
xpie8.html          A18CCEEE89E13B137C77F88688668CED  8,714                      html
xpother.html        355A809F8B5BDE1E511C628DD75CD871  14,129                     html

Flash exploits are

CVE-2009-1869
CVE-2007-0071

PDF exploits
 CVE-2007-5659
 CVE-2009-0927
 CVE-2010-0188
 CVE-2009-4324
 CVE-2008-2992

Internet Explorer Exploits
CVE-2009-0806

Java Exploits
CVE-2009-3867
CVE-2008-5353

Let me know if I missed any.

Java exploit GetSoundBank: read InReverse Ratsoul's posts for more information here or on their new blog here.
Also, see some malware links with this exploit here.

deie.html - MDAC exploit

Flashloader - using object and embed for different browsers. Read this article for more details: http://borodin.livejournal.com/10471.html

Actionscript

IE 2010-0806

Thursday, May 13, 2010

JAVA from Crimepack

 Download   95f3ec9b3bb5e1792fd604eb6a0b5af0 gsb50  as a password protected archive (contact me if you need the password)


I think (correct me if I am wrong) this exploit was available in Crimepack since at least 2.2.1; not sure if this is from 2.2.1 or 2.8.


File gsb50 received on 2010.05.14 02:44:37 (UTC)
http://www.virustotal.com/analisis/44916e0b40e2b8709a89f1209cceffab9a9bf8e26296ff85236cadd7d7a76258-1273805077
Result: 18/40 (45%)
AhnLab-V3    2010.05.14.00    2010.05.13    JAVA/Exploit
AntiVir    8.2.1.242    2010.05.13    EXP/Java.WebStart
Antiy-AVL    2.0.3.7    2010.05.13    Exploit/Java.CVE-2009-3867
AVG    9.0.0.787    2010.05.13    Generic2_c.XRX
DrWeb    5.0.2.03300    2010.05.14    Exploit.Java.27
eSafe    7.0.17.0    2010.05.13    Win32.Exploit.ByteVe
Ikarus    T3.1.1.84.0    2010.05.14    Exploit.Java.WebStart
Kaspersky    7.0.0.125    2010.05.14    Exploit.Java.CVE-2009-3867.b
McAfee    5.400.0.1158    2010.05.14    Exploit-ByteVerify
McAfee-GW-Edition    2010.1    2010.05.13    Exploit-ByteVerify
NOD32    5113    2010.05.13    OSX/Exploit.Smid.B
Norman    6.04.12    2010.05.13    JAVA/CrimePack.gen
PCTools    7.0.3.5    2010.05.14    Trojan.Generic
Sophos    4.53.0    2010.05.14    Exp/WebStart-A
Sunbelt    6301    2010.05.14    Trojan.Java.Webstart.a (v)
Symantec    20101.1.0.89    2010.05.14    Trojan Horse  - laconic, as usual, but nothing wrong with it; this covers most of them anyway (M)
TrendMicro    9.120.0.1004    2010.05.13    JAVA_WEBSTART.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.14    JAVA_WEBSTART.A
Additional information
File size: 2909 bytes
MD5...: 95f3ec9b3bb5e1792fd604eb6a0b5af0


Malware files rasauto16.dll and rasauto32.dll Remote Access Auto Connection Manager service - Backdoor

Update May 13 - added Rasauto32.dll

rasauto16.dll

Download
rasauto16.dll 15138604260b1d27f92bf1ec6468b326
rasauto16.dll 80ca8b948409138be40ffbc5d6d95ef1
rasauto32.dll 995b44ef8460836d9091a8b361fde489
as password protected archives (please contact me for the password if you need it)

Variant 1


File rasauto16.dll received on 2010.05.10 17:00:18 (UTC)
http://www.virustotal.com/analisis/bb1116f23874a36b0de47af8441c55687ccdcb0bad11384ab3718053f8eb7574-1273510818
Current status: finished
Result: 3/41 (7.32%)
DrWeb    5.0.2.03300    2010.05.10    BACKDOOR.Trojan - yes, it is a backdoor and was used as such
McAfee-GW-Edition    2010.1    2010.05.10    Heuristic.BehavesLike.Win32.Backdoor.H
PCTools    7.0.3.5    2010.05.10    Trojan.Conficker.c.gen  --I don't think so.
Additional information
File size: 107008 bytes
MD5   : 15138604260b1d27f92bf1ec6468b326
SHA1  : 7cd0faddaf926573be91f725b07865c14dd44254
SHA256: bb1116f23874a36b0de47af8441c55687ccdcb0bad11384ab3718053f8eb7574
PEInfo: PE Structure information
entrypointaddress.: 0x12B83
timedatestamp.....: 0x4B566B52 (Wed Jan 20 03:32:50 2010)


File dated just like other files on the system.

rasauto16.dll replaces legitimate rasauto.dll

Rasauto
Service description:
Remote Access Auto Connection Manager
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters
ServiceDll %SystemRoot%\System32\rasauto16.dll

TCP traffic

 202.175.83.10:443
z83l10.static.ctm.net
ISP:CTM Internet Services
Organization:CTM Internet Services
Country:Macau
City:Macau
address: Rua da Lagos, Telecentro
address: P.O. Box 868, Taipa
address: Macau
country: MO


Variant 2


http://www.virustotal.com/analisis/0de9fe6378a4c024f6f2c81b300897b8978d036caafbae9902850870d8f4dc04-1273511085
File rasauto16.dll received on 2010.05.10 17:04:45 (UTC)
Result: 4/41 (9.76%)
AntiVir    8.2.1.236    2010.05.10    TR/Spy.Gen
Comodo    4816    2010.05.10    ApplicUnwnt.Win32.AdWare.EZula.~GGC
McAfee-GW-Edition    2010.1    2010.05.10    Heuristic.BehavesLike.Win32.Backdoor.H
Sophos    4.53.0    2010.05.10    Mal/Emogen-Y
Additional information
File size: 669696 bytes
MD5...: 80ca8b948409138be40ffbc5d6d95ef1
SHA1..: f54b24660ec8664280e999e44148457e15f5489a
SHA256: 0de9fe6378a4c024f6f2c81b300897b8978d036caafbae9902850870d8f4dc04
ssdeep: 12288:CqjmOwFjklKkoTDLa77d46+HkQIwAy0WTuzjOFE:XjNwVxkofLFTjIyXTu3O
entrypointaddress.: 0x22b03
timedatestamp.....: 0x4b679e56 (Tue Feb 02 03:39:02 2010)
machinetype.......: 0x14c (I386)

Creation and modified dates - 8/4/2004 8:00 am


rasauto16.dll replaces legitimate rasauto.dll

Rasauto
Service description:
Remote Access Auto Connection Manager
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto\Parameters
ServiceDll %SystemRoot%\System32\rasauto16.dll



Variant 3

Rasauto32.dll 
File rasauto32.dll received on 2010.05.13 16:19:29 (UTC)
http://www.virustotal.com/analisis/4da40b63c4027db5fb02e37db78da7333144809d1ddf0c86442e12d28cd7c47c-1273767569
Result: 12/41 (29.27%)
AntiVir    8.2.1.242    2010.05.13    TR/Spy.Gen
Antiy-AVL    2.0.3.7    2010.05.13    Trojan/Win32.Agent.gen
Avast    4.8.1351.0    2010.05.13    Win32:Malware-gen
Avast5    5.0.332.0    2010.05.13    Win32:Malware-gen
AVG    9.0.0.787    2010.05.13    Agent2.AMWN
GData    21    2010.05.13    Win32:Malware-gen
Jiangmin    13.0.900    2010.05.13    Trojan/Agent.drkq
Kaspersky    7.0.0.125    2010.05.13    Trojan.Win32.Agent.dnwh
Panda    10.0.2.7    2010.05.12    Suspicious file
Sophos    4.53.0    2010.05.13    Troj/RasSpy-Gen
TheHacker    6.5.2.0.280    2010.05.13    Trojan/Agent.dnwh
VBA32    3.12.12.4    2010.05.13    Trojan.Win32.Agent.dnwh
Additional information
File size: 647168 bytes
MD5...: 995b44ef8460836d9091a8b361fde489

TCP traffic

202.153.103.83:443
Hostname:beta.nethost.hk
ISP:TaiKoo Place, Quarry Bay
Organization: TaiKoo Place, Quarry Bay
Country:Hong Kong
City:Central District
#1

Variant 1

 

Service

Possible displaynames and file locations
ServiceDll C:\Documents and Settings\NetworkService\1e0219eb.dll
ServiceDll C:\Documents and Settings\%user%\42ecacd.dll  - Virustotal


 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\1e0219eb

Imagepath %SystemRoot%\System32\svchost.exe -k "1e0219eb"


File 1e0219eb.dll received on 2010.05.13 16:52:44 (UTC)
http://www.virustotal.com/analisis/75361b610426287685d57fb7e2947f52b1fe740cb6d3f5ac8e9c98fea0b7c7e7-1273769564
Result: 23/41 (56.10%)
a-squared    4.5.0.50    2010.05.10    Trojan.Win32.Agent!IK
AhnLab-V3    2010.05.13.01    2010.05.13    Win-Trojan/Mdmbot.30720
AntiVir    8.2.1.242    2010.05.13    TR/CryptRedol.30720.3
Antiy-AVL    2.0.3.7    2010.05.13    Trojan/Win32.Agent.gen
Avast    4.8.1351.0    2010.05.13    Win32:Malware-gen
Avast5    5.0.332.0    2010.05.13    Win32:Malware-gen
AVG    9.0.0.787    2010.05.13    Agent2.ASUL
BitDefender    7.2    2010.05.13    Trojan.CryptRedol.Gen.3
Comodo    4832    2010.05.13    UnclassifiedMalware
F-Secure    9.0.15370.0    2010.05.13    Trojan.CryptRedol.Gen.3
Fortinet    4.1.133.0    2010.05.13    W32/Agent.DXTO!tr
GData    21    2010.05.13    Trojan.CryptRedol.Gen.3
Ikarus    T3.1.1.84.0    2010.05.13    Trojan.Win32.Agent
Kaspersky    7.0.0.125    2010.05.13    Trojan.Win32.Agent.dxto
McAfee-GW-Edition    2010.1    2010.05.13    Artemis!E40670E6A0AD
Microsoft    1.5703    2010.05.13    Backdoor:Win32/Mdmbot.D
nProtect    2010-05-13.01    2010.05.13    Trojan.CryptRedol.Gen.3
Panda    10.0.2.7    2010.05.13    Suspicious file
Sunbelt    6298    2010.05.13    Trojan.Win32.Generic!BT
TheHacker    6.5.2.0.280    2010.05.13    Trojan/Agent.dxto
TrendMicro    9.120.0.1004    2010.05.13    BKDR_MDMBOT.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.13    BKDR_MDMBOT.A
VBA32    3.12.12.4    2010.05.13    Trojan.Win32.Agent.dxto
Additional information
File size: 30720 bytes
MD5   : e40670e6a0ad1c41211f38b92bfe436a


Variant 2 - e40670e6a0ad1c41211f38b92bfe436a
Also known as AppMgmt.dll
 
Service
Displayname Application Management
Service name Application Management
Description Processes installation, removal, and enumeration requests for Active Directory IntelliMirror group policy programs. If the service is disabled, users will be unable to install, remove, or enumerate any IntelliMirror programs. If this service is disabled, any services that explicitly depend on it will fail to start.
Default - Manual
Legitimate key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll = %SystemRoot%\System32\appmgmts.dll
Service starts - Manual
Compromised key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppMgmt\Parameters\ServiceDll = C:\Documents and Settings\Default User\AppMgmt.dll
Service starts - Automatic
 
 
C:\Documents and Settings\Default User
File AppMgmt.dll received on 2010.05.06 03:57:39 (UTC)
Result: 5/40 (12.5%)
BitDefender    7.2    2010.05.06    Trojan.CryptRedol.Gen.3
F-Secure    9.0.15370.0    2010.05.06    Trojan.CryptRedol.Gen.3
GData    21    2010.05.06    Trojan.CryptRedol.Gen.3
Microsoft    1.5703    2010.05.05    Backdoor:Win32/Mdmbot.D
nProtect    2010-05-05.01    2010.05.05    Trojan.CryptRedol.Gen.3
Additional information
File size: 30720 bytes
MD5...: e40670e6a0ad1c41211f38b92bfe436a
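The ServiceDll hijack shown above for RasAuto and AppMgmt (and the bogus 1e0219eb service loaded by svchost) can be triaged offline from a `reg export` of the Services key. The following is an added example, not code from the post: it parses .reg text, including the hex(2) UTF-16LE form reg.exe uses for REG_EXPAND_SZ values such as ServiceDll, and flags DLLs outside System32 or not matching a small allow-list. The allow-list, the Dhcp control entry and the sample export are constructed; the hijacked paths are the ones quoted in the post.

```python
import re
from typing import Dict, List

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Hypothetical allow-list (service name -> DLL it should load), seeded from the
# legitimate values quoted in the post; extend it from a known-clean system.
KNOWN_SERVICE_DLLS = {"rasauto": "rasauto.dll", "appmgmt": "appmgmts.dll"}
TRUSTED_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_reg_value(data: str) -> str:
    """Decode one .reg payload: "REG_SZ", dword:, or hex(2):, the UTF-16LE form
    reg.exe uses for REG_EXPAND_SZ values such as ServiceDll and ImagePath."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return str(int(data[6:], 16))
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "2":
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw.hex()  # other binary types are kept as hex text
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: decoded_value}} for a .reg export;
    hex payloads that reg.exe wrapped with a trailing backslash are rejoined."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending_name, pending_data = None, None, ""
    for line in text.splitlines():
        line = line.strip()
        if pending_name is not None:  # continuation line of a wrapped value
            pending_data += line
            if pending_data.endswith("\\"):
                pending_data = pending_data[:-1]
                continue
            keys[current][pending_name] = decode_reg_value(pending_data)
            pending_name = None
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = vm.group("name"), vm.group("data")
            if data.endswith("\\"):
                pending_name, pending_data = name, data[:-1]
            else:
                keys[current][name] = decode_reg_value(data)
    return keys


def find_suspicious_service_dlls(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag each Services\\<name>\\Parameters\\ServiceDll that lives outside
    System32 or differs from the allow-listed DLL for that service name."""
    findings = []
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) < 3 or parts[-1].lower() != "parameters" or "ServiceDll" not in values:
            continue
        service, dll = parts[-2], values["ServiceDll"]
        low, reasons = dll.lower(), []
        if not low.startswith(TRUSTED_DIRS):
            reasons.append("ServiceDll outside System32")
        expected = KNOWN_SERVICE_DLLS.get(service.lower())
        if expected and low.rsplit("\\", 1)[-1] != expected:
            reasons.append(f"expected {expected}")
        if reasons:
            findings.append(f"{service}: {dll} ({'; '.join(reasons)})")
    return findings


def _hex2(s: str, per_line: int = 25) -> str:
    """Encode text as reg.exe writes REG_EXPAND_SZ (hex(2): + UTF-16LE bytes,
    wrapped with trailing backslashes); used only to build the sample below."""
    octets = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    lines = [",".join(octets[i:i + per_line]) for i in range(0, len(octets), per_line)]
    return "hex(2):" + ",\\\n  ".join(lines)


# Constructed export shaped after the keys quoted in the post: a clean control
# service, the hijacked RasAuto and AppMgmt entries, and the bogus 1e0219eb service.
SAMPLE_SERVICES = [
    ("Dhcp", r"%SystemRoot%\System32\dhcpcsvc.dll"),
    ("RasAuto", r"%SystemRoot%\System32\rasauto16.dll"),
    ("AppMgmt", r"C:\Documents and Settings\Default User\AppMgmt.dll"),
    ("1e0219eb", r"C:\Documents and Settings\NetworkService\1e0219eb.dll"),
]
SAMPLE_EXPORT = "Windows Registry Editor Version 5.00\n\n" + "".join(
    f"[{SERVICES_KEY}\\{name}]\n\"Start\"=dword:00000002\n\n"
    f"[{SERVICES_KEY}\\{name}\\Parameters]\n\"ServiceDll\"={_hex2(dll)}\n\n"
    for name, dll in SAMPLE_SERVICES
)
```

On a real export, read the file with `open(path, encoding="utf-16")` (reg.exe writes UTF-16 with a BOM) and pass the text to `parse_reg_export`, then print `find_suspicious_service_dlls(...)`; for the sample above it reports RasAuto, AppMgmt and 1e0219eb and stays silent on Dhcp.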


========================================================================
========================================================================



May 13 CVE-2009-3129 XLS General Hospital service from taup@msa.hinet.net

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability." 

From: 陳志良 (Zhi-Liang Chen) [mailto:taup@msa.hinet.net]
Sent: Thursday, May 13, 2010 10:13 PM
To: XXXX
Subject: FW: 三軍總醫院健康檢查中心提供健康食譜.xls (Tri-Service General Hospital Health Examination Center provides healthy recipes.xls)

Very good healthy recipes; please spread them widely so that more people in Taiwan can eat healthily.

 File ATT42396.xls received on 2010.05.19 11:43:29 (UTC)
http://www.virustotal.com/analisis/26cf5790e8b3808bb6e509fa239de93baf719ab379311c6d0d16795f25a218b6-1274269409
Result: 6/41 (14.64%)
Authentium    5.2.0.5    2010.05.19    MSExcel/Dropper.B!Camelot
Jiangmin    13.0.900    2010.05.19    Heur:Exploit.CVE-2009-3129
PCTools    7.0.3.5    2010.05.19    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.05.19    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.05.19    TROJ_EXELDROP.A
TrendMicro-HouseCall    9.120.0.1004    2010.05.19    TROJ_EXELDROP.A
Additional information
File size: 64512 bytes
MD5...: 61a29b7d8a6c3a03a884f2f64be5ca21

Header info
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
  by XXXXXXXXXXXX with SMTP; 14 May 2010 02:13:35 -0000
Received: from IBM-62979760B13 (203-69-74-246.HINET-IP.hinet.net [203.69.74.246])
    by msr6.hinet.net (8.9.3/8.9.3) with ESMTP id KAA15594
    for XXXXX; Fri, 14 May 2010 10:13:29 +0800 (CST)
Reply-To: taup@msa.hinet.net
 
Hostname:    203-69-74-246.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    Yamma Digital Technology Co., Ltd.
 State/Region:    T'ai-pei


Wednesday, May 12, 2010

CVE-2009-1129 PPT 2010-05-06BMW Vision (My Dream Car) from saraswasingh@gmail.com

Interesting PPT file

Update May 12. 
An anonymous reader found it to be MS09-017, a stack-based overflow in PP7X32.dll (thank you).

Ted W. found the same (MS09-017) and added that this ppt's exploit overwrites one SEH handler at offset 0xF70, then jumps to shellcode at offset 0x189c; the total size of the PoC is 0x5400 (thank you).


 This appears to be CVE-2009-1129
CVE-2009-1129 Multiple stack-based buffer overflows in the PowerPoint 95 importer (PP7X32.DLL) in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3 allow remote attackers to execute arbitrary code via an inconsistent record length in sound data in a file that uses a PowerPoint 95 (PPT95) native file format, aka "PP7 Memory Corruption Vulnerability," a different vulnerability than CVE-2009-1128.


I have another ppt of the same kind and from the same sender, let me know if you want it, I am not going to post it.

Download
BMW.ppt and bmw__PEFILE__OFFSET=0x5400__XOR-KEY=0xcc.bin as a password protected archive (please contact me for the password if you need it)


Details 722efe25f0d973fbb684cc32da1f693e BMW.ppt

From: saraswati singh [mailto:saraswasingh@gmail.com]
Sent: Thursday, May 06, 2010 8:30 PM
To:
Subject: BMW Vision (My Dream Car) !!!!

an be your Future Goal......!
The All New ...  BMW Vision
 http://www.virustotal.com/analisis/771293ab20afd4da5ac9908915f5fd04467f6b444bade8ac68bb8ed60648c792-1273205194
File BMW.ppt received on 2010.05.07 04:06:34 (UTC)
Current status: finished
Result: 5/39 (12.82%)
Antiy-AVL     2.0.3.7     2010.05.06     Trojan/MSPPoint.Agent
Authentium     5.2.0.5     2010.05.07     MSPowerPoint/Dropper.B!Camelot
Kaspersky     7.0.0.125     2010.05.07     Trojan-Dropper.MSPPoint.Agent.cp
TrendMicro     9.120.0.1004     2010.05.07     TROJ_POWPOINT.A
TrendMicro-HouseCall     9.120.0.1004     2010.05.07     TROJ_POWPOINT.A
Additional information
File size: 877670 bytes
MD5   : 722efe25f0d973fbb684cc32da1f693e

OfficeMalscanner results

bmw__PEFILE__OFFSET=0x5400__XOR-KEY=0xcc.bin
XOR encrypted MZ/PE signature found at offset: 0xcf462 - encryption KEY: 0xcc
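The "XOR encrypted MZ/PE signature" hit above comes from trying every single-byte key and confirming both the MZ and PE signatures under that key. As an added example (not OfficeMalscanner's code and not from the post), the following Python reimplements that scan and the carve over a constructed carrier holding a stub PE XOR-ed with 0xCC, the key reported for BMW.ppt; the stub, the carrier and the embed offset 0x300 are constructed.

```python
import struct
from typing import List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def find_xor_pe(data: bytes, max_lfanew: int = 0x1000) -> List[Tuple[int, int]]:
    """Return (offset, key) pairs where an MZ/PE header encrypted with a
    single-byte XOR key begins. A hit needs the 'MZ' signature and, under the
    same key, a 'PE\\0\\0' signature at e_lfanew (DOS header offset 0x3C); the
    second check discards almost every accidental two-byte match."""
    hits = []
    for key in range(256):
        mz, pe = xor_bytes(b"MZ", key), xor_bytes(b"PE\x00\x00", key)
        off = data.find(mz)
        while off >= 0:
            if off + 0x40 <= len(data):
                lfanew = struct.unpack_from("<I", xor_bytes(data[off + 0x3C:off + 0x40], key))[0]
                if 0x40 <= lfanew < max_lfanew and data[off + lfanew:off + lfanew + 4] == pe:
                    hits.append((off, key))
            off = data.find(mz, off + 1)
    return hits


def carve(data: bytes, offset: int, key: int) -> bytes:
    """Decrypt from the header to end of file, like the PEFILE__OFFSET=...__XOR-KEY=...
    dump OfficeMalscanner writes; trim with the section table if the exact size matters."""
    return xor_bytes(data[offset:], key)


def _fake_pe() -> bytes:
    """Constructed minimal MZ/PE stub (not a runnable binary): DOS header with
    e_lfanew = 0x80, then the PE signature and an i386 machine field."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<H", 0x14C) + b"\x00" * 30


# Constructed carrier: an OLE2 magic plus padding, the stub XOR-ed with 0xCC (the key
# OfficeMalscanner reported for BMW.ppt), then trailing bytes. Offset 0x300 is made up.
EMBED_OFFSET, EMBED_KEY = 0x300, 0xCC
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"\x00" * (EMBED_OFFSET - 4)
              + xor_bytes(_fake_pe(), EMBED_KEY) + b"\x00" * 64)

if __name__ == "__main__":
    for off, key in find_xor_pe(SAMPLE_DOC):
        print(f"XOR encrypted MZ/PE signature found at offset: {off:#x} - encryption KEY: {key:#x}")
```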




http://www.virustotal.com/analisis/db10c19f6d5da8e3f5990a371c453667a56fd2f30d8d340059528c558bea8cee-1273205940
bmw__PEFILE__OFFSET_0x5400__XOR-K  received on 2010.05.07 04:19:00 (UTC)
Result: 3/41 (7.32%)
AntiVir    8.2.1.236    2010.05.06    TR/Samsa.V
DrWeb    5.0.2.03300    2010.05.07    Trojan.Proxy.298
McAfee-GW-Edition    2010.1    2010.05.06    Heuristic.LooksLike.Win32.Samsa.I
Additional information
File size: 53248 bytes

MD5...: 9dfe33215a410362451747ecfe283802

Tuesday, May 11, 2010

May 11 CVE-2010-0188 PDF Call the Ministry of Defense from hiw11111@gmail.com

Download ATT73189.pdf aaeed3399e542e4ba881f27adabaf31f as a password protected archive (please contact me for the password if you need it)

Details ATT73189.pdf aaeed3399e542e4ba881f27adabaf31f 

From: yiwei huang [mailto:hiw11111@gmail.com]
Sent: Tuesday, May 11, 2010 9:06 PM
To: XXXXXX
Subject: Call the Ministry of Defense

Such as the subject

- Coast Guard Department of Planning, by Wei Huang
TEL: 02-22399201 # 266137
FAX: 02-22392936
Wenshan District, Taipei City 296, Sec Xinglong



File ATT73189.pdf received on 2010.05.12 12:35:03 (UTC)
Result: 7/41 (17.08%)
Authentium    5.2.0.5    2010.05.12    JS/Pdfka.AD
Avast    4.8.1351.0    2010.05.12    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.05.12    PDF:CVE-2010-0188
ClamAV    0.96.0.3-git    2010.05.12    Suspect.PDF.ObfuscatedJS
GData    21    2010.05.12    PDF:CVE-2010-0188
Microsoft    1.5703    2010.05.12    Exploit:Win32/Pdfjsc.FI
Sophos    4.53.0    2010.05.12    Troj/PDFJs-II
Additional information
File size: 446746 bytes
MD5...: aaeed3399e542e4ba881f27adabaf31f

CVE-2010-0188


May 11 CVE-2009-4324 PDF national policy think-tank seminars from taup@seed.net.tw

Details 2aaa2f62cadf2b0f72587b3dffaee669 0516.pdf 


http://www.virustotal.com/analisis/2a67251b0954d430f01a2150b4528e7ae8c0c98fca80a362a9ddad85d2f1f124-1273581456
 File 0516____.pdf received on 2010.05.11 04:59:52 (UTC)
Result: 6/41 (14.63%)
Avast     4.8.1351.0     2010.05.10     JS:Pdfka-AEE
Avast5     5.0.332.0     2010.05.10     JS:Pdfka-AEE
GData     21     2010.05.11     JS:Pdfka-AEE
Kaspersky     7.0.0.125     2010.05.11     Exploit.JS.Pdfka.ceg
Microsoft     1.5703     2010.05.11     Exploit:Win32/Pdfjsc.gen!A
Sophos     4.53.0     2010.05.11     Troj/PDFJs-GQ
Additional information
File size: 87347 bytes
MD5   : 2aaa2f62cadf2b0f72587b3dffaee669 


From: Taiwan Association of University Professors [mailto:taup@seed.net.tw]
Sent: Tuesday, May 11, 2010 3:33 AM
To: XXXXXXXXXXXXX
Subject: Forwarding messages: 5 / 16 (Sun) morning 10:00 ~ new national policy think-tank seminars in Taiwan - the sum of Fear: Ma anniversary of the total test administration

 Hello
 
Thank you for your enthusiastic help, I believe with your help, this event will give more power in Taiwan
Accessories for our conference information and registration form
Grateful if You help lots of publicity so that more Taiwan people can participate in the activities
The following information:
 
Sum of All Fears: Ma anniversary of the total test administration
Time: May 16, 2010 (Sun) 10:00-12:00 AM
Venue: National Taiwan University Conference Center brainstorming - Socrates Hall (Taipei, Taiwan No. 85, B1)
Sponsor: New policy think tank in Taiwan
Rundown:
09:30-10:00  Registration
10:00-10:20  Sponsored Message - Koo Kuan-min (the new chairman of Taiwan's national policy think tank)
10:20-11:10  Roundtable
             Moderator: Wu Rong-i (the new national policy think tank in Taiwan Vice Chairman)
             Panelists:
             Lo Chih-cheng (new Taiwan policy think tank CEO) - governance capacity
             Joseph Wu (Fellow, International Relations, National Chengchi University) - Foreign and cross-strait policy
             To Kai Lin (Taiwan University Professor of Economics) - general economic and cross-
             Liu Jinxing (Taiwan Technology University) - the problem of unemployment and the gap between rich and poor
             Lin (is (the Judicial Reform Foundation executive director) - democracy and the rule of law and human rights
11:10-11:40  Q & A
11:40-12:00  Summary
   
You are welcome to participate for free!!!
 
===========================
Taiwan Brain Trust
The new policy think tank in Taiwan Co., Ltd. (24482082)
Hengyang Road, Jhongjheng District, Taipei City 10045 51 3 F
Chief Commissioner of the Department of Planning Wuyi Juan
TEL :02-2313-1456 ext 23
Fax :02-2313-1599
E-mail: yvonne@braintrust.tw 

 Header info
Received: from IBM-62979760B13 (203-69-74-246.HINET-IP.hinet.net [203.69.74.246])
    by msr15.hinet.net (8.9.3/8.9.3) with ESMTP id PAA20620
    for XXXXXX; 
Tue, 11 May 2010 15:33:20 +0800 (CST)
Reply-To: taup@seed.net.tw
From: "=?BIG5?B?u0/GV7HQscKo87d8?="

 
Hostname:    203-69-74-246.hinet-ip.hinet.net
ISP:    CHTD, Chunghwa Telecom Co., Ltd.
Organization:    Yamma Digital Technology Co., Ltd.
State/Region:    T'ai-pei
City:    Taipei

Monday, May 10, 2010

May 10 CVE-2009-3129 XLS schedule of the defense industry evaluation from 0922750173@mail.ahccddi.org.tw


 Download  d4b98bda9c3ae0810a61f95863f4f81e  ATT39755.xls and all the files described below as a password protected archive (contact me if you need the password) 


From: ¤u¦X•|³ø [mailto:0922750173@mail.ahccddi.org.tw]
Sent: Monday, May 10, 2010 9:38 AM
To: XXXXXXXXXXX
Subject: 99下半年國防工業評鑑日期表 (Schedule of defense industry evaluations for the second half of year 99)

Enclosed is one copy of the schedule of defense industry evaluations for the second half of year 99; please review.
                 Sincerely, Huai Hsiao (蕭名槐)

Headers
Received: (qmail 314 invoked from network); 10 May 2010 13:54:05 -0000
Received: from mailsnd3.chollian.net (HELO mailsnd3.chol.com) (203.252.1.124)
  by XXXXXXXXXXXXXXXXXXXwith SMTP; 10 May 2010 13:54:05 -0000
Received: (qmail 2745 invoked from network); Mon, 10 May 2010 22:53:58 +0900 (KST)
Received: from [202.65.223.202] (202.65.223.202)
  by mailsnd3.chol.com with ESMTP;
 Mon, 10 May 2010 22:53:58 +0900 (KST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@0922750173212af2ce2>
From: "?u?X?|??" <0922750173@mail.ahccddi.org.tw>
To: XXXXXXXXXXXXXXXXXX
Subject: =?big5?B?OTmkVaVipn6w6qi+pHW3frX7xbKk6bTBqu0=?=
Date: Mon, 10 May 2010 21:37:50 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01CAF089.0C84DC60"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579

202.65.223.202
Hostname:    static-ip-202-223-65-202.rev.dyxnet.com
ISP:    Genesis Net Limited
Organization:    Tsuen Wan
Type:    Broadband
Assignment:    Static IP
Country:    Hong Kong
 City:    Central District


  File ATT39755.xls received on 2010.06.03 11:27:14 (UTC)
http://www.virustotal.com/analisis/616b561b49258346ead431e34fb1925e2dbc11fb4620083efae92d7ed8e5333c-1275564434
Result: 7/41 (17.08%)
Jiangmin    13.0.900    2010.06.03    Heur:Exploit.CVE-2009-3129
Kaspersky    7.0.0.125    2010.06.03    Trojan-Dropper.MSExcel.Agent.bc
Heuristic.BehavesLike.Exploit.X97.CodeExec.FFLG
PCTools    7.0.3.5    2010.06.03    HeurEngine.MaliciousExploit
Symantec    20101.1.0.89    2010.06.03    Bloodhound.Exploit.306
TrendMicro    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
TrendMicro-HouseCall    9.120.0.1004    2010.06.03    TROJ_EXELDROP.A
Additional information
File size: 72192 bytes
MD5...: d4b98bda9c3ae0810a61f95863f4f81e


 Files created
%Userprofile%\LOCALS~1\Temp\wuauclt.exe
File: wuauclt.exe  Size: 31232   MD5: D037500368207625E3FFEE16C50D60A7
%Userprofile%\LOCALS~1\Temp\ATT39755.xls
File: ATT39755.xls  Size: 13824   MD5: 75B495C8324C4DCF5A0B2CFCACC47971  -- clean xls file

http://www.virustotal.com/reanalisis.html?1a15e1c3220e8d1800bb7b186e9d47f63aefd669cd0f1569a79982498d5d9ba6-1275579814
File wuauclt.exe-- received on 2010.06.02 00:43:59 (UTC)
Result: 4/41 (9.76%)
Microsoft 1.5802 2010.06.02 Backdoor:Win32/Ixeshe.A
Norman 6.04.12 2010.06.01 W32/Malware
TrendMicro 9.120.0.1004 2010.06.01 BKDR_IXESHE.SM
TrendMicro-HouseCall 9.120.0.1004 2010.06.02 BKDR_IXESHE.SM
Additional information
File size: 31232 bytes
MD5   : d037500368207625e3ffee16c50d60a7



 TCP traffic to 211.78.147.220

 
  Hostname:    ll-211-78-147-220.ll.sparqnet.net
ISP:    New Centry InfoComm Tech. Co., Ltd.
Organization:    Lill Guan Industry co., LTD
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan
City:    Taichung


May 9 CVE-2010-0188 PDF Concept Paper.pdf from global.faruk@gmail.com

Download Concept_Paper.pdf c06ef052db6710fd632952cc14917d84 as a password protected archive (please contact me for the password if you need it)
Nothing new or special in this one, except that the text of the message appears to be stolen from a real message or is a very good fake. This sender sent a message before: http://contagiodump.blogspot.com/2010/04/apr-2-cve-2009-0927-cve-2007-5659-pdf.html
Detection is as low as it was a month ago, not much improvement on this CVE (M)


Details Concept_Paper.pdf c06ef052db6710fd632952cc14917d84 
File Concept_Paper.pdf received on 2010.05.10 11:14:19 (UTC)
http://www.virustotal.com/analisis/e3366fd2b4ff485840c147ea2eb811e793616a5a8bb2e1abfb4d37a03e53d774-1273490059
Result: 6/41 (14.64%)
Authentium    5.2.0.5    2010.05.10    JS/CVE20100
Avast    4.8.1351.0    2010.05.09    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.05.09    PDF:CVE-2010-0188
GData    21    2010.05.10    PDF:CVE-2010-0188
eTrust-Vet    35.2.7477    2010.05.10    PDF/CVE-2010-0188!exploit
Sophos    4.53.0    2010.05.10    Troj/PDFJs-II
Additional information
File size: 172952 bytes
MD5...: c06ef052db6710fd632952cc14917d84

From: 呂參謀 [mailto:global.faruk@gmail.com]
Sent: Sunday, May 09, 2010 9:30 PM
To: XXXXXXXXXXXXXXXXXXXXXX
Subject: Fwd: ASEM Cooperation on Capacity Building of Disaster Relief


---------- Forwarded message ----------
From: Alan D. Romberg
Date: 2010/5/7 20:11
Subject: RE: Yang's bio. doc
To: Andrew Nien-Dzu Yang
Cc: 毛 毛


Dear Andrew –

Although I am going to be away (in Korea) next week, I want to get out an invitation to your talk so people will mark it on their calendars.

I am attaching a draft for your approval. I am assuming that, since you are giving a similar talk “on the record” at Harvard, your talk at Stimson will also be “on the record.” But if you want to tell all of your most closely-held secrets to our audience (while only giving fluff to Steve’s group at Harvard), I’m happy to make it off the record or at least “not for attribution.” Let me know.

Please let me have your feedback on the invitation text.

While the invitations are generally issued electronically, they are also printed up. So I may need to cut back a bit on the bio stuff to make it fit on one page, but I hope not. But I wanted to make you aware of that. However, I didn’t want to take more time to fiddle with formatting now before sending it to you (and LtCol Mao) for your OK.

Thanks. Looking forward to seeing you.

Best.

Alan


Thursday, May 6, 2010

May 6 CVE-2010-0188 PDF birthday briefing series from spoofed jjsung@ntu.edu.tw

Download d80eb21cfe8ad1a710c8652b13f8b7ac ATT59802.pdf as a password protected archive (please contact me for the password if you need it)



Virustotal
 File ATT59802.pdf received on 2010.05.06 18:49:42 (UTC)
Result: 6/41 (14.64%)
Avast    4.8.1351.0    2010.05.06    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.05.06    PDF:CVE-2010-0188
eTrust-Vet    35.2.7471    2010.05.06    PDF/CVE-2010-0188!exploit
Kaspersky    7.0.0.125    2010.05.06    Exploit.Win32.Pidief.dch
Sophos    4.53.0    2010.05.06    Troj/PDFJs-II
Additional information
File size: 106855 bytes
MD5...: d80eb21cfe8ad1a710c8652b13f8b7ac


 

-----Original Message-----
From: jjsung@ntu.edu.tw [mailto:jjsung@ntu.edu.tw]
Sent: 2010-05-06 10:34 AM
To: XXXXXXXXXXXX
Subject: 蔡政文教授七十華誕系列活動簡報 (Briefing on the series of events for Professor Tsai Cheng-wen's 70th birthday)

XXXXXXXXXXXXX

This year marks the 70th birthday of Professor Tsai Cheng-wen (蔡政文), a senior figure in our country's political science community, Professor Emeritus of the Department of Political Science at National Taiwan University, National Policy Advisor, and Executive Director of the National Policy Foundation. To celebrate Professor Tsai's 70th birthday and to express the esteem of his fellow political scientists in Taiwan, the organizing committee has planned a series of events.
1. Academic conference for Professor Tsai Cheng-wen's 70th birthday
The conference "Global, Cross-Strait, Taiwan: Academic Conference for Professor Tsai Cheng-wen's 70th Birthday" will be held on May 29 and 30 this year in the International Conference Hall of the NTU College of Social Sciences. Its theme, "Global, Cross-Strait, Taiwan", echoes President Ma's overall grand strategy of "strengthening Taiwan, connecting the two sides of the Strait, and reaching out to the world". Professor Tsai's students, old acquaintances and friends are warmly invited to submit papers, and senior scholars and colleagues in political science are also asked to contribute.
2. Visit of a birthday delegation from mainland China
To broaden participation and promote cross-strait academic exchange, to discuss the current national development guideline of "strengthening Taiwan, connecting the two sides of the Strait, and reaching out to the world", and thereby to help speed up democratization on the mainland, important Taiwan-related think tanks with close ties to Professor Tsai, such as the Jiangsu Province Cross-Strait Relations Research Association and the Institute of Taiwan Studies of the Chinese Academy of Social Sciences, have been invited to send a delegation to Taiwan to offer congratulations. Besides attending the conference, the mainland scholars will travel south afterwards to visit political and economic developments.
Delegation members:
Jiangsu Province Cross-Strait Relations Research Association: Vice President Lu Jinming and his wife
Institute of Taiwan Studies: Deputy Director Zhu Weidong, Director Tian Hemin, Deputy Director Gao Jian, and Assistant Researchers Liu Ying, Wang Shushen and Chen Yongjiang (six people)
Nanjing University: Vice President Zhang Yongtao (Vice President of the Chinese Political Science Association) and Dean Zhang Fengyang
3. Birthday banquet for Professor Tsai Cheng-wen's 70th birthday
Scheduled for 6:00 pm on Saturday, May 29 (ROC year 99), at the Shanghai Country restaurant, Capital branch.
Since supervising Lin Chia-cheng's master's thesis "The Political Theory of David Easton" in ROC year 63 (1974), Professor Tsai had supervised a total of 25 doctoral and 98 master's students as of the end of April, ROC year 99 (2010).
Every one of his students has, after graduation, followed his teachings and performed outstandingly at work, never letting his rigorous training go to waste.
His students, old friends, colleagues and subordinates all look forward to attending and hosting a birthday banquet for him, to express their gratitude and best wishes!

----------------------------------------------------------------------
For any inquiries, please contact:
Organizing Committee Secretary-General Sung Chi-chun (宋紀均)
Tel: 0932-322-687; Fax: (02) 2367-9708;
E-mail: jjsung@ntu.edu.tw

 Headers
Received: from wmail1.cc.ntu.edu.tw (HELO wmail1.cc.ntu.edu.tw) (140.112.2.161)
  by XXXXXXX with DHE-RSA-AES256-SHA encrypted SMTP; 6 May 2010 14:33:45 -0000
Received: from localhost (localhost [127.0.0.1])
    by wmail1.cc.ntu.edu.tw (Postfix) with ESMTP id 9DABE35E841
    for XXXXXXXXX; Thu,  6 May 2010 22:33:42 +0800 (CST)
Received: from 218.94.121.180 ([218.94.121.180]) by wmail1.cc.ntu.edu.tw
 (Horde Framework) with HTTP; Thu, 06 May 2010 22:33:42 +0800
Message-ID: <20100506223342.59074hzo2e1mojly@wmail1.cc.ntu.edu.tw>
Date: Thu, 6 May 2010 22:33:42 +0800
Disposition-Notification-To: jjsung@ntu.edu.tw
From: jjsung@ntu.edu.tw

218.94.121.180
Hostname:    218.94.121.180
ISP:    Data Communication Division
Organization:    CHINANET jiangsu province network
Country:    China
State/Region:    Beijing
City:    Beijing

Wednesday, May 5, 2010

May 5 CVE-2010-0188 PDF 2010-05-06 Asian Pacific Security stuff from samuelberger19@yahoo.com


Download  0999aef064dc91d68d48df3d7c1482e4  Assessing_the_Asian_Balance.pdf as a password protected archive (please contact me for the password if you need it)

Details 0999aef064dc91d68d48df3d7c1482e4 Assessing_the_Asian_Balance.pdf


http://www.virustotal.com/analisis/20e241ba72b751ea9b5b46617d27c6572f98dc216140ed002f30d2a169f16ee2-1273171733
File Assessing_the_Asian_Balance.pdf received on 2010.05.06 18:48:53 (UTC)
Result: 6/41 (14.64%)
Avast    4.8.1351.0    2010.05.06    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.05.06    PDF:CVE-2010-0188
eTrust-Vet    35.2.7471    2010.05.06    PDF/CVE-2010-0188!exploit
GData    21    2010.05.06    PDF:CVE-2010-0188
Kaspersky    7.0.0.125    2010.05.06    Exploit.Win32.Pidief.dch
Additional information
File size: 124874 bytes
MD5...: 0999aef064dc91d68d48df3d7c1482e4

From: Samuel Berger [mailto:samuelberger19@yahoo.com]
Sent: 2010-05-04 9:46 AM
To: XXXXXXXXXXXXXXXXXXXXX
Subject: Asian Pacific Security stuff if you are interested

Dear Colleague,
Hope this mail finds you well. Attached is my latest paper on military balance in Asia.
The purpose of this essay is to begin redressing the absence of a scholarly debate on today's military balances. In short, I will 1) analyze certain aspects of the scholarly debate on Cold War balances to identify lessons we might learn for the assessment of Asian-Pacific balances today; 2) identify America's security interests in the Pacific; and 3) analyze the past debates over military balances and assess current U.S. Asian interests to offer ways to think about the balance of power in a region of growing importance.
I am sending it in two versions that are a little different in content. Part One has it in Word form, while Part Two has it in PDF form. One reason for this is that the smaller PDF form may be easier to manage. Also, it is easier to mark up the PDF with comments.

Best,
Samuel

Headers
Received: (qmail 5604 invoked from network); 4 May 2010 13:46:07 -0000
Received: from web114501.mail.gq1.yahoo.com (HELO web114501.mail.gq1.yahoo.com) (98.136.183.9)
  by XXXXXXXXXXXXXX  SMTP; 4 May 2010 13:46:07 -0000
Received: (qmail 13807 invoked by uid 60001); 4 May 2010 13:46:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1272980766; bh=J3HYNvCvCDyPvkGgmftWQ8+zXbK454RBqFWFVNLeREc=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=joG8+M0RpG1PiqtkD9078vYk62Fip4emnVHfPGe3yF0VDmLdOVo5pVkBFcvatipshgRZgTtXdwFuwFcPhoTM0OQqfxmxWs7MJ0WCrKLccJ710pmzs9agP15XxmOvugjvke7AuKmPRd6dNYldgNFhwnEhI8wVZD/qT66eL7VbZm4=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=1n+A//g4la4ygH85zo+bAofKE8QFyK/8bvJeD2JUxKMQaeAbZ09Lr+Zs80QOOFmYTQP8PPkMSRPQwVfVNGeIDdB1tr2kuUiGAKZ4T14zi7mB2aWN2D3WO85aU779HQ27fkdenU2B71kV8ZkEDgKmEsmGjnd9HDfSyEbOCh9g5cA=;
Message-ID: <418000.60485.qm@web114501.mail.gq1.yahoo.com>
X-YMail-OSG: WFPXxRAVM1k.IwoUJ0A1Rl6ADrcxY3z1LZO4P7F_yPzchs9
 1E3PDb34L
Received: from [66.197.176.8] by web114501.mail.gq1.yahoo.com via HTTP; Tue, 04 May 2010 06:46:05 PDT
X-Mailer: YahooMailClassic/10.1.11 YahooMailWebService/0.8.103.269680
Date: Tue, 4 May 2010 06:46:05 -0700
From: Samuel Berger
Subject: Asian Pacific Security stuff if you are interested
To: XXXXXXXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1791380416-1272980765=:60485"

66.197.176.8
Hostname:    swhosting.ie
ISP:    Network Operations Center
Organization:    SOUTHWEST TECHNOLOGIES
Assignment:    Static IP
State/Region:    Pennsylvania
City:    Scranton
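Both header blocks above tell the same story: the bottom-most Received line is the hop nearest the sender, and in both cases it records a browser submission to a webmail front end ("(Horde Framework) with HTTP" on wmail1.cc.ntu.edu.tw, "via HTTP" on web114501.mail.gq1.yahoo.com), so the address in that line is the client that logged into the mailbox, not a mail server. The yahoo.com DKIM signature on the second message only proves the message left Yahoo's infrastructure unmodified; it says nothing about who was sitting at 66.197.176.8. The script below is an added example written for this page, not code from the blog: it walks the Received chain oldest-first, skips loopback and private hops, reports the first public client IP together with the receiving host and whether the hop was an HTTP (webmail) submission, and pulls the d= domain from any DKIM-Signature. The sample headers are the two blocks quoted above, with the recipient's hop left redacted as in the post and the DKIM b= value truncated; the function names are my own.

```python
"""Find the originating client in a Received chain and the DKIM signing domain.

Constructed sample input: the two header blocks quoted in the posts above,
with the recipient hop redacted (XXXXXXX) as in the blog and the DKIM
signature value truncated.  Function names are this example's own.
"""
import email
import ipaddress
import re

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
WEBMAIL_RE = re.compile(r"\b(?:with|via)\s+HTTPS?\b")   # Horde: "with HTTP", Yahoo: "via HTTP"
DKIM_D_RE = re.compile(r"(?:^|;)\s*d=([^;\s]+)")

NTU_HEADERS = """\
Received: from wmail1.cc.ntu.edu.tw (HELO wmail1.cc.ntu.edu.tw) (140.112.2.161)
  by XXXXXXX with DHE-RSA-AES256-SHA encrypted SMTP; 6 May 2010 14:33:45 -0000
Received: from localhost (localhost [127.0.0.1])
    by wmail1.cc.ntu.edu.tw (Postfix) with ESMTP id 9DABE35E841
    for XXXXXXXXX; Thu,  6 May 2010 22:33:42 +0800 (CST)
Received: from 218.94.121.180 ([218.94.121.180]) by wmail1.cc.ntu.edu.tw
 (Horde Framework) with HTTP; Thu, 06 May 2010 22:33:42 +0800
Message-ID: <20100506223342.59074hzo2e1mojly@wmail1.cc.ntu.edu.tw>
From: jjsung@ntu.edu.tw
"""

YAHOO_HEADERS = """\
Received: (qmail 5604 invoked from network); 4 May 2010 13:46:07 -0000
Received: from web114501.mail.gq1.yahoo.com (HELO web114501.mail.gq1.yahoo.com) (98.136.183.9)
  by XXXXXXXXXXXXXX SMTP; 4 May 2010 13:46:07 -0000
Received: (qmail 13807 invoked by uid 60001); 4 May 2010 13:46:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;
  h=Message-ID:Received:Date:From:Subject:To; b=joG8...
Received: from [66.197.176.8] by web114501.mail.gq1.yahoo.com via HTTP; Tue, 04 May 2010 06:46:05 PDT
From: Samuel Berger <samuelberger19@yahoo.com>
"""


def received_hops(raw_headers):
    """Received headers with folding removed, ordered oldest hop first.

    Every MTA prepends its own Received line, so the bottom-most header in
    the raw text is the hop closest to the sender.
    """
    msg = email.message_from_string(raw_headers)
    hops = [" ".join(value.split()) for value in msg.get_all("Received", [])]
    hops.reverse()
    return hops


def public_ips(text):
    """IPv4 literals in text that are routable (no loopback, RFC 1918, etc.)."""
    found = []
    for literal in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:          # e.g. 999.1.1.1 passes the loose regex
            continue
        if not (addr.is_private or addr.is_loopback or addr.is_reserved
                or addr.is_link_local or addr.is_multicast):
            found.append(str(addr))
    return found


def origin(raw_headers):
    """Earliest hop whose 'from' clause names a public IP: the submitting client.

    Returns a dict with the client IP, the host that accepted it, and whether
    the hop was an HTTP (webmail) submission; None if no public hop exists.
    """
    for hop in received_hops(raw_headers):
        from_clause, _, rest = hop.partition(" by ")
        ips = public_ips(from_clause)
        if not ips:
            continue                # loopback/internal relay, keep walking
        by_host = rest.split()[0] if rest else None
        return {
            "ip": ips[0],
            "by": by_host,
            "webmail": bool(WEBMAIL_RE.search(hop)),
        }
    return None


def dkim_domain(raw_headers):
    """d= tag of the first DKIM-Signature, or None if the message carries none."""
    msg = email.message_from_string(raw_headers)
    for value in msg.get_all("DKIM-Signature", []):
        match = DKIM_D_RE.search(" ".join(value.split()))
        if match:
            return match.group(1)
    return None


if __name__ == "__main__":
    for label, headers in (("NTU", NTU_HEADERS), ("Yahoo", YAHOO_HEADERS)):
        print(label, origin(headers), "dkim:", dkim_domain(headers))
```

The walk stops at the first hop with a public address because everything earlier is internal plumbing (the 127.0.0.1 hop on the NTU server, qmail's local injection on Yahoo). The "webmail" flag is the part worth acting on: when it is set, the IP belongs to whoever drove the browser, which is why the blog's geolocation lookups target 218.94.121.180 and 66.197.176.8 rather than the mail servers' own addresses.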