Tuesday, May 31, 2011

May 17 CVE-2010-2883 PDF Bin Laden's successor from spoofed Nationalpost.com

SIZE          103981 bytes
EXPLOIT TYPE  CVE-2010-2883
FILE NAME     Bin Ladens successor.pdf

Post Updates

The file uses a Fonts/SING CVE-2010-2883 exploit, which does not seem to be Metasploit generated.

The sender often uses compromised servers of different organizations:

    *     Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce

    *     Jan 12 CVE-2010-3654 + CVE-2009-4324 + CVE-2009-0927 + CVE-2008-0655 PDF JANUARY 2011 from a compromised Thai Police account


    It is unclear whether this time it is a compromised server or whether the attacker uses the services of this internet provider as a customer.

    Beyond the Network America, Inc. (BTNaccess) is a wholly owned subsidiary of PCCW, and is headquartered in Reston, Virginia and Hong Kong with offices in Los Angeles, New York City, Philadelphia, Houston, London, Moscow, Prague, Kuala Lumpur, Singapore, Shenzhen, Tokyo, Mumbai and New Delhi.

    PCCW, a global leader in next generation broadband solutions, is the largest telecommunications provider in Hong Kong. PCCW is the operator of one of the world’s most advanced broadband networks and has over 700,000 broadband customers and 12,500 employees worldwide. As a global player, PCCW has portrayed innovation within the industry and demonstrated financial stability with 2003 revenues reaching US$2.89 billion.


    Wednesday, May 25, 2011

    W32.Qakbot aka W32/Pinkslipbot or infostealer worm

    W32.Qakbot aka W32/Pinkslipbot

      W32.Qakbot in Detail by Symantec Nicolas Falliere

    W32.Qakbot is a worm that has been seen spreading through network shares, removable drives, and infected webpages, and infecting computers since mid-2009. Its primary purpose is to steal online banking account information from compromised computers. The malware controllers use the stolen information to access client accounts within various financial service websites with the intent of moving currency to accounts from which they can withdraw funds. It employs a classic keylogger, but is unique in that it also steals active session authentication tokens and then piggy backs on the existing online banking sessions. It then quickly uses that information for malicious purposes.

    The following screenshot is from the paper you see above 


      General File Information


    MD5  076bc0533d63826e1e809ad9fcbe2fb8
    SHA1 33d9b4a712c29304478da235f17cd28978a93d2f
    File size :55808 bytes
    Type:  PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)
     
    MD5 120d845ac973b4a0cde2bc88d8530b3d
    SHA1 120d845ac973b4a0cde2bc88d8530b3d
    File size :87040 bytes
    Type:  PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)

    MD5 150d006eab34528e3305fbbb5ad82164
    SHA1 551a9f3ce5b86cf77df90eda61be233c821be6b2
    File size :267776 bytes
    Type:  PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)



    Download


    Wednesday, May 11, 2011

    May 2 MAC Defender + May 11 Mac Protector Fake Antivirus Programs

    MAC Defender Fake Antivirus Program

    INTEGO SECURITY MEMO – May 2, 2011 MAC Defender Fake Antivirus Program Targets Mac Users

    Quote from Intego: Description: Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results).
    When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open. The file is decompressed, and the installer it contains launches presenting a user with the following screen:

      General File Information




     Added Mac Protector on May 11, thanks to an anonymous donation.

    Malware: OSX/MacDefender.A and Mac Protector.A
    Distribution: Web browsing. Low; in the wild, but not very widespread for now.

    Download

     File name:MacProtector
    Submission date:2011-05-09 19:49:55 (UTC)
    Result:14 /43 (32.6%)
    http://www.virustotal.com/file-scan/report.html?id=2e9a751efb38ff8e971a9dd4c629bd5066c9fb802a0d821ef5c250e0b1c43382-1304970595
    ClamAV     0.97.0.0     2011.05.09     Trojan.OSX.MacDefender.C
    Emsisoft     5.1.0.5     2011.05.09     Hoax.Mac.MacProtector!IK
    F-Secure     9.0.16440.0     2011.05.09     Rogue:OSX/FakeMacDef.F
    Fortinet     4.2.257.0     2011.05.09     OSX/MacProtector.A
    Ikarus     T3.1.1.103.0     2011.05.09     Hoax.Mac.MacProtector
    Kaspersky     9.0.0.837     2011.05.09     Hoax.Mac.MacProtector.a
    Microsoft     1.6802     2011.05.09     Rogue:MacOS_X/FakeMacdef
    NOD32     6107     2011.05.09     OSX/AdWare.MacDefender.E
    PCTools     7.0.3.5     2011.05.09     RogueAntiSpyware.MacProtector
    Sophos     4.65.0     2011.05.09     OSX/FakeAV-A
    Symantec     20101.3.2.89     2011.05.09     MacProtector
    TrendMicro     9.200.0.1012     2011.05.09     OSX_FAKEAV.A
    TrendMicro-HouseCall     9.200.0.1012     2011.05.09     OSX_FAKEAV.A

    VirusBuster     13.6.345.0     2011.05.09     FraudTool.OSX.Defma.G
    MD5   : 1f8e9cd3f0717a85b96f350e4f4a539a

    MAC DEFENDER
    Archive.pax
    Current status:
    9 /41 (22.0%)
    AntiVir     7.11.7.150     2011.05.04     MACOS/FakeAV.A
    BitDefender     7.2     2011.05.04     MAC.OSX.Trojan.FakeAlert.A
    ClamAV     0.97.0.0     2011.05.04     Trojan.OSX.MacDefender
    DrWeb     5.0.2.03300     2011.05.05     Trojan.Fakealert.20856
    F-Secure     9.0.16440.0     2011.05.04     Rogue:OSX/FakeMacDef.A
    GData     22     2011.05.05     MAC.OSX.Trojan.FakeAlert.A
    Kaspersky     9.0.0.837     2011.05.05     not-a-virus:FraudTool.OSX.Defma.a
    Microsoft     1.6802     2011.05.04     Rogue:MacOS_X/FakeMacdef
    Sophos     4.64.0     2011.05.05     OSX/FakeAV-DMP
    MD5   : c0c866fde6336764da0def483f635dc9
    SHA1  : a61f2cb78bbb0472d95d2b967e3eda5f786e07ac

    http://www.virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304457284
    MacDefender
    Submission date:
    2011-05-03 21:14:44 (UTC)
    Result:6 /41 (14.6%)
    DrWeb     5.0.2.03300     2011.05.03     Trojan.Fakealert.20856
    Kaspersky     9.0.0.837     2011.05.03     not-a-virus:FraudTool.OSX.Defma.a
    Microsoft     1.6802     2011.05.03     Rogue:MacOS_X/FakeMacdef
    PCTools     7.0.3.5     2011.05.03     MACDefender
    Sophos     4.64.0     2011.05.03     OSX/FakeAV-DMP
    Symantec     20101.3.2.89     2011.05.03     MACDefender
    MD5   : 2f357b6037a957be9fbd35a49fb3ab72
    SHA1  : fb6f092624d48fe9a496c50f615b424b27cf3515





    Tuesday, May 3, 2011

    May 3 CVE-2010-3333 DOC Courier who led U.S. to Osama bin Laden's hideout identified

    Common Vulnerabilities and Exposures (CVE) number

    CVE-2010-3333

    Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability".

      General File Information

    File   Laden's Death.doc
    MD5   dad4f2a0f79db83f8976809a88d260c5
    SHA256  4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
    File size : 163065 bytes
    Type:  DOC
    Distribution: Email attachment

    Post Updates

    May 6   Updated analysis by Hermes Bojaxhi from CyberESI 

    May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit

    May 4, 2011 Kate Milton sent the extracted binary (decoded and not) and the decoy clean file. Many thanks.

    It was sent to many targets in the US Government today.

    Also see the same payload in the following messages

    http://contagiodump.blogspot.com/2010/09/sep14-cve-2010-2883-adobe-0-day-fwd.html

    http://contagiodump.blogspot.com/2010/09/cve-2009-4324-cve-2010-1297-cve-2009.html



    Download

    Message


    Tue, 03 May 2011 11:34:06 -0400 (EDT)
    Source-IP: 220.228.120.62 
    Message-ID: <000c01cc0998$15c8ec70$0201a8c0@protech.com.tw>
    From: XXXXXXXXXXXXXXXXXXX
    To: XXXXXXXXXXXXXXXXXXX
    Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
    Date: Tue, 3 May 2011 21:43:28 +0800
    X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
            boundary="----=_NextPart_000_0009_01CC09DB.23A97E20"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.3790.2929
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168


    This is a multi-part message in MIME format.

    ------=_NextPart_000_0009_01CC09DB.23A97E20
    Content-Type: text/plain;
            format=flowed;
            charset="big5";
            reply-type=original
    Content-Transfer-Encoding: 7bit

    To whom it may concern.

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXX  Signature spoofed  XXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


    ------=_NextPart_000_0009_01CC09DB.23A97E20
    Content-Type: application/octet-stream;
            name="Laden's Death.doc"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
            filename="Laden's Death.doc"

    Sender

    220.228.120.62 (there are other IPs from that company used as well)

    Lotus Notes mail server, apparently compromised

    Hostname:    notess1.protech.com.tw
    ISP:    New Century InfoComm Tech. Co., Ltd.
    Organization:    PROTECHSYSTEMSCO.,LTD.
    Assignment:    Static IP
    Country:    Taiwan


    Automated Scans

    File name: Laden's Death.doc
    Submission date:2011-05-03 15:34:52 (UTC)
    http://www.virustotal.com/file-scan/report.html?id=4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342-1304436892#
    1/ 41 (2.4%)
    Commtouch    5.3.2.6    2011.05.03    CVE-2010-3333!Camelot
    MD5   : dad4f2a0f79db83f8976809a88d260c5
    SHA1  : d563029a2dfe3cfcddc7326b1b486213095e58e5
    SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
    ssdeep: 1536:njNRRUfwR/JvinctjMA+2cg1WoQ98k//qL+fV7UswHOv6fNtcrm2XDt/:nBJRvinBADAOk661UswH/fNGy2XB
    File size : 163065 bytes
    First seen: 2011-05-03 15:34:52
    Last seen : 2011-05-03 15:34:52

    Analysis

    May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit


    Clean file (thanks to Kate Milton for the binary and the clean decoy file submission)



    File name:exe_decoded.bin
    http://www.virustotal.com/file-scan/report.html?id=a40b5cf0689aebaaf2352b61e8a9f4544ec69ef8ea3dc558f53646964a85755b-1304567158
    Submission date:2011-05-05 03:45:58 (UTC)
    Result:17 /40 (42.5%)

    AntiVir     7.11.7.150     2011.05.04     BDS/Protux.tg
    BitDefender     7.2     2011.05.05     Trojan.Generic.KDV.211541
    Commtouch     5.3.2.6     2011.05.05     W32/Virut.AI!Generic
    DrWeb     5.0.2.03300     2011.05.05     BackDoor.Diho.163
    eTrust-Vet     36.1.8307     2011.05.04     -
    F-Prot     4.6.2.117     2011.05.04     W32/Virut.AI!Generic
    GData     22     2011.05.05     Trojan.Generic.KDV.211541
    Ikarus     T3.1.1.103.0     2011.05.05     Backdoor.Win32.Protux
    Kaspersky     9.0.0.837     2011.05.05     Backdoor.Win32.Protux.tg
    McAfee     5.400.0.1158     2011.05.05     Artemis!30C8C4C99430
    McAfee-GW-Edition     2010.1D     2011.05.05     Artemis!30C8C4C99430
    NOD32     6095     2011.05.05     Win32/Protux.NAK
    Panda     10.0.3.5     2011.05.04     Suspicious file
    PCTools     7.0.3.5     2011.05.04     Trojan.Generic
    SUPERAntiSpyware     4.40.0.1006     2011.05.05     -
    Symantec     20101.3.2.89     2011.05.05     Trojan Horse
    TrendMicro     9.200.0.1012     2011.05.04     PAK_Generic.001
    TrendMicro-HouseCall     9.200.0.1012     2011.05.05     BKDR_PROTUX.GE
    VBA32     3.12.16.0     2011.05.04     Backdoor.Protux.ta
    MD5   : 30c8c4c9943044287cf06996863c2261
    SHA1  : e7addde85f18c6ce22f7a1abc1ed78e662ce90f2

    ----------------------------------------------------------------------------------------------------------
    See the payload analysis here  http://www.cyberesi.com/2011/05/03/ladens-death-doc-cve-2010-3333/

    Hermes Bojaxhi from CyberESI (http://www.cyberesi.com) provided the following details about the payload:

    File Name:  dhcpsrv.dll
    File Size:  44504 bytes
    MD5:        06ddf39bc4b5c7a8950f1e8d11c44446
    SHA1:       b8c11c68f3e92b60cc4b208bd5905c0365f28978
    PE Time:    0x4D9C2616 [Wed Apr 06 08:36:38 2011 UTC]
    Sections (4):
     Name      Entropy  MD5
     .text     6.14     5c8b018d10792fdb74b5f289f97c5d06
     .rdata    4.73     88003ece00266ee44c21ac6242a7eafd
     .data     4.99     1d745a13a1f55e75b2f68adee97c6f59
     .reloc    5.7      e437cc92e10504181d7b712478db6af3
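The per-section entropy figures above are the usual first hint at whether a section holds plain code, strings, or packed/encrypted content. The following script is an added example (not CyberESI's tooling and not the bytes of dhcpsrv.dll) that computes Shannon entropy per section and applies a rule-of-thumb classification; the section contents, the `classify` thresholds, and the section names other than those above are constructed for illustration.

```python
import math
from collections import Counter
from typing import Dict, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(entropy: float) -> str:
    """Rule-of-thumb bands (assumed thresholds, not values from the analysis above)."""
    if entropy >= 7.2:
        return "packed/encrypted?"
    if entropy >= 5.5:
        return "code"
    return "data/strings"


def section_report(sections: Dict[str, bytes]) -> Dict[str, Tuple[float, str]]:
    """Map each section name to (entropy rounded to 2 decimals, label)."""
    return {name: (round(shannon_entropy(blob), 2), classify(shannon_entropy(blob)))
            for name, blob in sections.items()}


# Constructed section contents chosen to land in each band.
SECTIONS = {
    ".text": bytes(range(0, 256, 3)) * 40,   # 86 distinct byte values, uniform: ~6.43 bits
    ".rdata": b"Hello, world! " * 100,       # ASCII strings: low entropy
    ".packed": bytes(range(256)) * 4,        # every byte value equally often: 8.0 bits
    ".zero": bytes(1024),                    # all zeros: 0.0 bits
}

if __name__ == "__main__":
    for name, (ent, label) in section_report(SECTIONS).items():
        print(f"{name:<8} {ent:5.2f}  {label}")
```

Real sections would come from the PE section table (VirtualAddress/SizeOfRawData per section); the entropy of a genuine `.text` section typically sits around 6, which matches the 6.14 reported above, while a value near 8 across a large section is the signal worth a second look.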


    The payload beacons to these domains:

    checkerror.ucparlnet.com

    ssi.ucparlnet.com
    www.dnswatch.info
    picture.ucparlnet.com
    ==============
    C2 domain info

    checkerror.ucparlnet.com - 203.67.127.165  Hostname: protech.com.tw, Digital United Inc., Taiwan
    ssi.ucparlnet.com        - 58.34.152.233   ChinaNet Shanghai Province Network, China
    www.dnswatch.info        - 82.96.118.210   Probe Networks, Planet-Hosting.cz, Germany
    picture.ucparlnet.com    - 203.67.127.165  Hostname: protech.com.tw, Digital United Inc., Taiwan

    ucparlnet.com IP Address hosting history

    Event Date   Action   Pre-Action IP    Post-Action IP
    2010-08-10   New      -none-           58.34.152.162
    2010-08-13   Change   58.34.152.162    58.37.54.66
    2010-08-23   Change   58.37.54.66      58.34.148.241
    2010-09-03   Change   58.34.148.241    220.246.76.125
    2010-09-24   Change   220.246.76.125   127.0.0.1
    2010-10-25   Change   127.0.0.1        58.37.182.29
    2010-11-28   Change   58.37.182.29     58.34.149.104
    2010-12-09   Change   58.34.149.104    58.34.152.202
    2010-12-31   Change   58.34.152.202    127.0.0.1
    2011-02-24   Change   127.0.0.1        125.141.233.16
    2011-04-10   New      -none-           125.141.233.16

    dnswatch.info is not a malicious domain.


    Friday, April 29, 2011

    Hwp.exe in Apr. 8 CVE-2011-0611 Flash Player Zero day - SWF in DOC/ XLS - Disentangling Industrial Policy..


    According to Cédric Gilbert (SkyRecon R&D), the shellcode's last commands include a "taskkill /im hwp.exe". This hwp.exe file could be related to a South Korean word processor, "Hangul Word Processor" or HWP. According to Wikipedia, it is used extensively in South Korea, especially by the government.
    According to Hangul's website, this word processor handles Microsoft .DOC and .DOCX documents.
    So the questions are:
    1. Is the infected doc with the zero-day also 'compatible' with it?
    2. Was it used on targets in Korea or on targets who use this processor?
    3. Was it made in Korea?

    Your comments and thoughts are welcome.
    thanks,

    Tuesday, April 26, 2011

    Please welcome "Targeted Email Attacks http://targetedemailattacks.tumblr.com"


    Targeted Email Attacks
    http://targetedemailattacks.tumblr.com/  

    These are targeted attacks received by the US-Taiwan Business Council. We are not related but somehow share the same set of overseas "friends": I recognize many messages posted there and have even received targeted messages designed to look like they came from that organization.
    The author does not post samples but provides links to VirusTotal, so it gives a good idea of what each one is.
     

    Monday, April 25, 2011

    Contagio data - targeted email senders by country / source

     It is what it is. Analysis of email headers from emails sent to one targeted domain (Nov 2009 - April 2011). Headers were analyzed to find the IP addresses of the sending mail servers. Some of them are compromised, some belong to or are leased by attackers. Only Gmail does not allow tracing the sender's IP. It is a shame; I wish they listed the sender IP addresses.

    I can post more detailed statistics; if you are interested, drop me a line.
    My dataset is small and not great for industry averages, but I still think it is a good representative of the situation.

    Please note this is based on Contagio data only, which includes targeted messages with malicious attachments meant to compromise networks, steal data (so called APT stuff) and does not include regular spam, banking trojans, and mass mailed malware.
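The header analysis described above comes down to walking the `Received:` chain from the earliest hop upward and taking the first globally routable address; a webmail sender such as Gmail leaves only internal hops, which is exactly why those messages cannot be traced. The following script is an added example (not the tooling used for the Contagio statistics). The two header sets are constructed: the first is modelled on the May 3 message, with an assumed receiving host `mx.example.org` and the Lotus Notes server's address taken from that post's headers; the second is built from the Gmail `Received:` lines of the Apr 22 message.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# Dotted-quad IPv4 literal that is not part of a longer dotted token
# (keeps "wby.178.1303482722563" in a Gmail SMTP id from matching).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def public_ips(text: str) -> List[str]:
    """Return the globally routable IPv4 addresses found in text, in order."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 inside an opaque id string
        if ip.is_global:  # drops 10/8, 127/8, 192.168/16 and other non-routable ranges
            found.append(str(ip))
    return found


def originating_ip(raw_headers: str) -> Optional[str]:
    """Walk the Received: chain from the earliest hop upward and return the first
    public address; None when every hop is private (typical for webmail)."""
    msg = message_from_string(raw_headers)
    hops = msg.get_all("Received") or []
    # Each MTA prepends its own Received: line, so the last one is the earliest hop.
    for hop in reversed(hops):
        ips = public_ips(hop)
        if ips:
            return ips[0]
    return None


# Constructed: the hop from the Taiwanese Lotus Notes server is visible,
# so the sending server can be traced (receiving host mx.example.org is assumed).
SMTP_HEADERS = """\
Received: from localhost (localhost [127.0.0.1]) by mx.example.org with ESMTP; Tue, 03 May 2011 11:34:07 -0400 (EDT)
Received: from notess1.protech.com.tw ([220.228.120.62]) by mx.example.org with ESMTP; Tue, 03 May 2011 11:34:06 -0400 (EDT)
Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
"""

# Constructed from the Gmail headers of the Apr 22 message: the only addresses
# are Google's internal 10.x hops, so no sender IP can be recovered.
GMAIL_HEADERS = """\
Received: by 10.227.165.194 with SMTP id j2mr1203487wby.178.1303482722563; Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
Received: by 10.227.157.66 with HTTP; Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
Subject: Marshall Plan for the North Africa
"""

if __name__ == "__main__":
    print("SMTP relay sender:", originating_ip(SMTP_HEADERS))   # 220.228.120.62
    print("Gmail sender:     ", originating_ip(GMAIL_HEADERS))  # None
```

Only the `Received:` headers are consulted, not `From:` or `Message-ID:`, since those are under the sender's control; the earliest hop with a public address is the best the headers can give, and a forged `Received:` line inserted by the sender would still sit below it, which is why the result should be cross-checked against the hop added by your own border MTA.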

    Friday, April 22, 2011

    Apr 22 CVE-2011-0611 PDF-SWF Marshall Plan for the North Africa.pdf with Win32/Ixeshe.E

    Common Vulnerabilities and Exposures (CVE) number

    CVE-2011-0611 -- Adobe Flash Player 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; 10.2.154.25 and earlier for Chrome; and 10.2.156.12 and earlier for Android; Adobe AIR 2.6.19120 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.3 and 10.x through 10.0.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, related to a size inconsistency in a "group of included constants," object type confusion, and Date objects, as demonstrated by a .swf file embedded in a Microsoft Word document, and as exploited in the wild in April 2011.

      General File Information

    File  Marshall Plan for the North Africa.pdf
    MD5: 6d5fb801b890bfa7cc737c018e87e456
    SHA1: 441cfe9d31d271262ff693e83daa1b4fefa0e2c4
    SHA256: afe8d2abf6807bb1b83affc20b8fcb424d75cb7ce340c900b59daeb9b3edc628
    File size: 464485 bytes
    Type:  PDF
    Distribution: Email attachment

    Read more...

    Download

    Original Message

    From: Christy Serrato [mailto:serrato.christy@gmail.com]
    Sent: Friday, April 22, 2011 10:32 AM
    To: XXXXXXXX
    Subject: Marshall Plan for the North Africa

    I reach out to you for advice about an initiative we are considering launching for North Africa.The Nicole Berggruen Institute is an action oriented think tank that seeks implement effective systems of governance through projects at various levels across the globe. One such project is the development of a Marshall Plan for the North Africa.
       
    How I am hoping you can help is to provide insight and advice on what is currently happening within the region.
        
    Thank you in advance for anytime you can give me. I look forward to your reply soon.

    Serrato Christy
    Senior Program Manager
    Middle East and North Africa
    NICOLAS BERGGRUEN INSTITUTE

    Message Headers


    Gmail :(
    Received: by wwb39 with SMTP id 39so636530wwb.6        for ;
     Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=gmail.com; s=gamma;
            h=domainkey-signature:mime-version:date:message-id:subject:from:to
             :content-type;
            bh=4CUY8j8jGJeAnrD/Qo6HSZGR94sdW5P0d67wOrEK55A=;
            b=YADFFJft8LGJmZQoFG+R7nLFlREhueyUJDUULLTy5rbU5ahHOmH/B3VDiHLKxJRDWa
             MFT0VjRiQenP/RjOBKG6uxZPRAkwztUUKD1mPmN7RMOO1lmOuQS2CTtFwGvtxuSPZsG1
             LE0nZf4nZi3CkI7LUx9Ficawc/KRajrJ1StdQ=
    DomainKey-Signature: a=rsa-sha1; c=nofws;
            d=gmail.com; s=gamma;
            h=mime-version:date:message-id:subject:from:to:content-type;
            b=Om90qyH/txeauhB/b9dr5k/r+FrEABSYzih46JA2QyeA9RDErNdPZnbJpeA4jWMgg0
             /JongciwiC7zE+TVEZDQorGv9qNswKt2dVO7lBgYBkC5ohabgwHqBlK/uBGuSBikkMF0
             8ikYcIMZ33QM7846FCG1HH4k07OWOKz8MGqRo=
    MIME-Version: 1.0
    Received: by 10.227.165.194 with SMTP id j2mr1203487wby.178.1303482722563;
     Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
    Received: by 10.227.157.66 with HTTP; Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
    Date: Fri, 22 Apr 2011 22:32:02 +0800
    Message-ID: BANLkTikPU6AS48Gyr9BhwKQvN1jmkZ70Sw@mail.gmail.com
    Subject: Marshall Plan for the North Africa
    From: Christy Serrato
    To: XXXXXXXXXXX
    Content-Type: multipart/mixed; boundary="90e6ba4768d9a63a6a04a182b841"
    Return-Path: serrato.christy@gmail.com


    Automated Scans

     Marshall Plan for the North Africa.pdf 
    Antivirus Version Last update Result
    Avast5 5.0.677.0 2011.04.25 SWF:Agent-K
    Commtouch 5.3.2.6 2011.04.25 JS/Pdfka.V
    DrWeb 5.0.2.03300 2011.04.25 Exploit.PDF.2177
    eTrust-Vet 36.1.8289 2011.04.25 PDF/CVE-2010-1297.B!exploit
    Microsoft 1.6802 2011.04.25 Exploit:SWF/CVE-2011-0611.I
    TrendMicro 9.200.0.1012 2011.04.25 TROJ_PIDIEF.SMDX
    TrendMicro-HouseCall 9.200.0.1012 2011.04.25 TROJ_PIDIEF.SMDX
    MD5: 6d5fb801b890bfa7cc737c018e87e456
    SHA1: 441cfe9d31d271262ff693e83daa1b4fefa0e2c4
    SHA256: afe8d2abf6807bb1b83affc20b8fcb424d75cb7ce340c900b59daeb9b3edc628
    File size: 464485 bytes
    Scan date: 2011-04-25 15:29:18 (UTC)



    Analysis Details

    -Flash embedded in the file

    Extracted flash

    Antivirus   Version        Last update   Result
    Avast       4.8.1351.0     2011.04.25    SWF:Agent-K
    Avast5      5.0.677.0      2011.04.25    SWF:Agent-K
    GData       22             2011.04.25    SWF:Agent-K
    Symantec    20101.3.2.89   2011.04.25    Trojan.Dropper
    MD5: c56dd87772312ba032fc6ac8928d480f
    SHA1: 1fe3478d65ba9508b1fdc31d6b3e67b336b06b95
    SHA256: fff09d52d2fedc1a85fa04f75fe9a8295a57ddc39d4888ce65662e7a7b9671c0
    File size: 7461 bytes
    Scan date: 2011-04-25 17:32:54 (UTC)

    Action script 


    Files Created

    %TEMP%

    Marshall Plan for the North Africa.pdf  - clean dropped file

    MD5: 93b600d4d641321dae860d179d8a35cf

    AcroRd32.exe
    The file runs as an exe and can be seen in the Windows Task Manager. It installs a link to itself in the Windows Startup folder %Programs%\Startup\Adobe Reader Speed Launcher.lnk
     
    MD5: 39822adc9bc7747dadd212e0338948cb


    http://www.virustotal.com/file-scan/report.html?id=b32482d120f24d88f06edb974e92b301e4bd9be99e5ee7f10e9e6dce1a557192-1303748025#
    Antivirus Version Last update Result
    NOD32 6069 2011.04.25 a variant of Win32/Ixeshe.E
    Panda 10.0.3.5 2011.04.25 Suspicious file
    MD5: 39822adc9bc7747dadd212e0338948cb
    SHA1: 00d9650584489914016941fbe28cd1c02306a34b
    SHA256: b32482d120f24d88f06edb974e92b301e4bd9be99e5ee7f10e9e6dce1a557192
    File size: 430080 bytes
    Scan date: 2011-04-25 16:13:45 (UTC)

    From ThreatExpert 
    #  Filename(s)                                          File size      File hash
    1  %Programs%\Startup\Adobe Reader Speed Launcher.lnk   1,464 bytes    MD5: 0x6A4CD2DA75F64AF7C402BE5BFBC516BD
                                                                          SHA-1: 0x6F02199A721848449AB4992307220D1F732DA24C
    2  [file and pathname of the sample #1]                 430,080 bytes  MD5: 0x39822ADC9BC7747DADD212E0338948CB
                                                                          SHA-1: 0x00D9650584489914016941FBE28CD1C02306A34B

    Network activity

    ----
    • There was a registered attempt to establish a connection with a remote host. The connection details are:

    Remote Host     Port Number
    68.16.99.165    443
    • The following GET request was made:
      • /AWS7446.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
    • The data identified by the following URLs was then requested from the remote web server:
      • http://68.16.99.165/AWS7394.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
      • http://68.16.99.165/AWS7414.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
      • http://68.16.99.165/AWS7437.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
      • http://68.16.99.165/AWS7463.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
      • http://68.16.99.165/AWS7473.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
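The ThreatExpert trace gives a compact detection pattern for this Ixeshe variant: HTTPS on 443 to a bare IP, a path of the form `/AWS<digits>.jsp`, and the same long opaque query string repeated across requests. The following script is an added example (not ThreatExpert's or anyone's production rule) that runs that pattern over proxy log lines. The log format (`time client method url status`) and the log lines are constructed; the beacon URLs reuse the host, path shape and a truncated copy of the query string shown above.

```python
import re
from typing import Dict, List

# Constructed proxy log lines: two beacons, one ordinary page fetch, and one
# request to the same IP that does not fit the beacon shape.
SAMPLE_LOG = """\
2011-04-25T16:10:01 192.168.1.20 GET http://68.16.99.165/AWS7446.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgsp 200
2011-04-25T16:10:02 192.168.1.20 GET http://www.example.com/index.html 200
2011-04-25T16:11:31 192.168.1.20 GET http://68.16.99.165/AWS7394.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgsp 200
2011-04-25T16:12:00 192.168.1.21 GET http://68.16.99.165/images/logo.png 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Bare IPv4 host, /AWS + digits + .jsp, then a query of at least 40 URL-safe
# characters (the observed queries contain '/', '=' and '+', so all are allowed).
BEACON_RE = re.compile(
    r"^https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?P<path>/AWS\d+\.jsp)\?(?P<query>[A-Za-z0-9+/=_-]{40,})$"
)


def find_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose GET matches the Ixeshe beacon shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        b = BEACON_RE.match(m.group("url"))
        if b:
            hits.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "host": b.group("host"),
                "path": b.group("path"),
                "query": b.group("query"),
            })
    return hits


def repeated_queries(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count how many beacon requests share the same query string per client;
    a static query repeated across different AWS<n>.jsp paths is the tell."""
    counts: Dict[str, int] = {}
    for h in hits:
        key = f"{h['client']} -> {h['host']} ?{h['query'][:16]}..."
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], "->", h["host"] + h["path"])
    print(repeated_queries(found))
```

The `repeated_queries` view is the useful part for triage: a single request to an IP-literal host is noise on most networks, but the same client sending an unchanging query string to a rotating set of `AWS<n>.jsp` paths on one bare IP is the beacon pattern recorded above.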

    Host names sharing IP with A records (4)  - from Robtex

    Hostname:    adsl-068-016-099-165.sip.asm.bellsouth.net
    ISP:    BellSouth.net
    Organization:    BellSouth.net
    State/Region:    Georgia
      USA
    City:    Norcross

    adsl-068-016-099-165.sip.asm.bellsouth.net
    mail.the-joy-of-travel.com
    the-joy-of-travel.com
    www.the-joy-of-travel.com



