Wednesday, June 29, 2011

Jun 22 CVE-2011-0611 PDF-SWF "Fruits of economic growth" with revoked COMODO cert and Trojan Taidoor



The message is signed with a certificate issued by "COMODO Client Authentication and Secure Email CA", and that certificate is revoked.
The sender address is a spoofed Gmail address for SEF News, sef1941@gmail.com, but the message was sent from a HINET server in Taiwan, not from Gmail. The exploit used is CVE-2011-0611, with the same malicious SWF as described in the previous post, Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Taidoor.
The payload is the same too: Trojan Taidoor / Rubinurd (see more with Taidoor here), with C2 server 213.42.74.85 (Dubai, UAE).

Update June 29: As the screenshots of the certificate show, it was not expired. The Comodo Certificate Revocation List showed that the certificate was revoked less than 12 hours before the message was sent, which means it was stolen and ready to be used while it was still valid. Perhaps it was used while still valid for a while before I got it.
Digitally signed messages are used to gain the recipient's trust. Contagio has examples of stolen valid and invalid certificates used to sign malicious binaries in order to bypass application whitelisting and other filters. Note that a recipient's mail client only catches this case if it actually fetches the CRL (or an OCSP response) for the signing certificate; a check of the notBefore/notAfter dates alone passes. Speaking of CRLs, here are two articles related to web certificates:

Revocation doesn't work (18 Mar 2011) Imperial Violet
Detecting Certificate Authority compromises and web browser collusion (22 Mar 2011) Tor Blog by ioerror
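The "not expired, but revoked twelve hours earlier" observation above is exactly the case a verifier that only looks at the certificate's validity dates gets wrong. The following is an added example, not code from this post or from Comodo: it uses the Python cryptography library to build a throwaway CA, issue an S/MIME-style certificate, publish a CRL that lists it with reason keyCompromise, and then compares a validity-window-only check with one that consults the CRL, distinguishes a signature made after the revocation from one made while the certificate was still listed as good, and fails closed when the CRL is missing or stale (the soft-fail behaviour Imperial Violet describes is the opposite). All names and timestamps are constructed.

```python
# Added example (not code from the Contagio post or from Comodo). Builds a
# throwaway CA with the Python cryptography library, issues an S/MIME-style
# certificate, publishes a CRL that revokes it for keyCompromise, and compares a
# validity-window-only verifier with one that consults the CRL and fails closed.
# All names and timestamps are constructed for the demo.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.now(timezone.utc).replace(tzinfo=None, microsecond=0)  # naive UTC, as the builders expect
REVOKED_AT = NOW - timedelta(hours=12)  # the post's timeline: revoked under 12 hours before the message


def _ts(obj, name):
    """Timestamp as naive UTC across cryptography versions (newer ones add aware *_utc properties)."""
    dt = getattr(obj, name + "_utc", None) or getattr(obj, name)
    return dt.astimezone(timezone.utc).replace(tzinfo=None) if dt.tzinfo else dt


def build_demo_pki():
    """Returns (ca_cert, user_cert, crl); the user cert is listed in the CRL as keyCompromise."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Client Authentication and Secure Email CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(NOW - timedelta(days=365)).not_valid_after(NOW + timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    user_key = ec.generate_private_key(ec.SECP256R1())
    user_cert = (x509.CertificateBuilder()
                 .subject_name(x509.Name([x509.NameAttribute(NameOID.EMAIL_ADDRESS, "user@example.invalid")]))
                 .issuer_name(ca_name).public_key(user_key.public_key()).serial_number(x509.random_serial_number())
                 .not_valid_before(NOW - timedelta(days=30)).not_valid_after(NOW + timedelta(days=335))
                 .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION,
                                                       ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
                 .sign(ca_key, hashes.SHA256()))
    entry = (x509.RevokedCertificateBuilder().serial_number(user_cert.serial_number).revocation_date(REVOKED_AT)
             .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False).build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(REVOKED_AT).next_update(NOW + timedelta(days=1))
           .add_revoked_certificate(entry).sign(ca_key, hashes.SHA256()))
    return ca_cert, user_cert, crl


def validity_window_only(cert, signing_time):
    """What a verifier that ignores revocation checks: notBefore <= signing time <= notAfter."""
    return _ts(cert, "not_valid_before") <= signing_time <= _ts(cert, "not_valid_after")


def check_signer(cert, ca_cert, crl, signing_time, now=NOW):
    """Chain, validity and revocation check for a signing certificate. Fails closed on a missing or stale CRL."""
    ca_pub = ca_cert.public_key()
    try:
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "bad_chain"
    if not validity_window_only(cert, signing_time):
        return "outside_validity"
    if crl is None or not crl.is_signature_valid(ca_pub):
        return "crl_unavailable_or_untrusted"  # fail closed; the soft-fail Imperial Violet criticises would say "good" here
    if now > _ts(crl, "next_update"):
        return "crl_stale"
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return "good"
    if signing_time >= _ts(entry, "revocation_date"):
        return "revoked_before_signing"  # the post's case: listed in the CRL hours before the message was signed
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    # Signed while still valid. With keyCompromise the key may already have been in the
    # attacker's hands when the signature was made, so the signature proves nothing.
    return "revoked_after_signing_key_compromise" if reason == x509.ReasonFlags.key_compromise else "revoked_after_signing"


def demo_verdicts(ca_cert, user_cert, crl):
    """The cases a mail gateway needs to tell apart."""
    return {
        "validity_only": "accepted" if validity_window_only(user_cert, NOW) else "rejected",
        "signed_now": check_signer(user_cert, ca_cert, crl, NOW),
        "signed_yesterday": check_signer(user_cert, ca_cert, crl, NOW - timedelta(days=1)),
        "no_crl": check_signer(user_cert, ca_cert, None, NOW),
        "crl_checked_too_late": check_signer(user_cert, ca_cert, crl, NOW, now=NOW + timedelta(days=2)),
        "signed_before_notbefore": check_signer(user_cert, ca_cert, crl, NOW - timedelta(days=60)),
        "unrevoked_cert": check_signer(ca_cert, ca_cert, crl, NOW),
    }


if __name__ == "__main__":
    for case, verdict in demo_verdicts(*build_demo_pki()).items():
        print(f"{case:24s} {verdict}")
```

Run it and the validity-only check reports "accepted" while the CRL-aware check reports "revoked_before_signing" for a signature made now and "revoked_after_signing_key_compromise" for one made a day ago. A gateway should reject both: with a stolen key the attacker may have been signing before the CA ever heard about it.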


Tuesday, June 28, 2011

Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Trojan Taidoor


-- This message came from a compromised account on mail.ppboces.org, the mail server of Pikes Peak Board of Cooperative Educational Services in Colorado Springs, CO. It has two attachments exploiting CVE-2011-0611.
-- The payload is Trojan Taidoor / Rubinurd, which is a frequently used trojan for targeted attacks (see more with Taidoor here). For attribution reasons, I would like to know if this is a private custom trojan or something commercial and thus used by more than one group of attackers. If you happen to know, let me know. The PDF and the payload have Chinese language in the file metadata and code.
-- The C2 IP addresses are 62.38.148.117 (ports 443 and 80) - Hellas On Line S.A., Greece, Attiki, and 64.167.26.66 (port 80) - SBC Internet Services, Costa Mesa, CA.

Sunday, June 26, 2011

New blog design. Yay or Nay?


Not sure if it is noticeable, but there are a lot of tweaks, including the addition of a mobile template. It is a work in progress; I will tweak it more later.
Update: Changed to fixed width to prevent columns from running over each other

OLD DESIGN


NEW DESIGN

Friday, June 24, 2011

Jun 17 SCR (RTLO) South China Sea Territorial Disputes Study Update with Taidoor



Exploit Information

More about RTLO is here: Right to Left Override unicode can be used for multiple spoofing cases, by Jordi Chancel:

"RTLO is a technique exploiting the RIGHT TO LEFT OVERRIDE Unicode character: it always reverses the reading direction of the characters that follow it, including the extension of the malicious file! This Unicode character, whose name we will shorten to [RTLO], cannot be seen, since the character itself and its position are invisible. RTLO is used to reverse the reading direction of file names, including the extension of the file concerned, while keeping the same type of execution.
Example: using a syntax like "SexyPictureGirlAl[RTLO]gpj.exe" will be read as "SexyPictureGirlAlexe.jpg"."
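The trick is easy to reproduce in code. As an added example that is not part of the post or of Jordi Chancel's write-up, the Python below computes what a bidi-aware display shows for a name containing U+202E, compares the displayed extension with the real one, and applies the same check to the member names of a zip archive, which is how such attachments commonly arrive. The sample names are constructed; the post does not give the full name of its .scr attachment.

```python
# Added example (not code from the Contagio post or from Jordi Chancel's write-up).
# Shows how a file name containing U+202E is displayed versus what it really is,
# and scans an archive listing for members disguised that way. Sample names are
# constructed; the post does not give the full name of its .scr attachment.
import io
import unicodedata
import zipfile

RTLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING, ends an override
# Extensions Windows runs on double-click; .scr is what the post's sample used.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "hta", "js", "jse",
                         "vbs", "vbe", "wsf", "lnk", "jar", "msi"}


def rendered_name(name):
    """What a bidi-aware display shows: text after an RTLO is drawn right-to-left
    (reversed) until a PDF, and the invisible control characters themselves vanish."""
    segments, current, flipped = [], [], False
    for ch in name:
        if ch in (RTLO, PDF):
            segments.append(("".join(current), flipped))
            current, flipped = [], ch == RTLO
        elif unicodedata.category(ch) == "Cf":  # other format controls (LRO, RLE, LRM, ...) are invisible
            continue
        else:
            current.append(ch)
    segments.append(("".join(current), flipped))
    return "".join(text[::-1] if rtl else text for text, rtl in segments)


def stored_name(name):
    """The name without any format-control characters: what the OS actually opens."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def extension_of(name):
    head, sep, ext = name.rpartition(".")
    return ext.lower() if sep and head else ""


def analyze_filename(name):
    """Compare the extension the user sees with the one the OS will execute."""
    shown, real = rendered_name(name), stored_name(name)
    true_ext, apparent_ext = extension_of(real), extension_of(shown)
    return {
        "stored": real,
        "displayed": shown,
        "true_extension": true_ext,
        "apparent_extension": apparent_ext,
        "has_rtlo": RTLO in name,
        "suspicious": RTLO in name and true_ext in EXECUTABLE_EXTENSIONS and true_ext != apparent_ext,
    }


def scan_zip(data):
    """Findings for every archive member whose displayed extension hides an executable one."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings = [analyze_filename(info.filename) for info in zf.infolist()]
    return [f for f in findings if f["suspicious"]]


def build_sample_zip():
    """Constructed archive: one RTLO-disguised screensaver executable and one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("South China Sea Study Update" + RTLO + "cod.scr", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ("SexyPictureGirlAl" + RTLO + "gpj.exe",
                   "South China Sea Study Update" + RTLO + "cod.scr", "report.pdf"):
        f = analyze_filename(sample)
        print(f'{f["displayed"]!r} is really {f["stored"]!r}: suspicious={f["suspicious"]}')
    print([f["stored"] for f in scan_zip(build_sample_zip())])
```

The rendering model is deliberately simple (text after the override is reversed until a POP DIRECTIONAL FORMATTING); full bidi layout is more involved, but for a file name made of Latin letters, digits and dots this matches what Explorer and most mail clients display. A mail gateway can run the same check on Content-Disposition filenames and on archive listings before the user ever sees the name.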


Wednesday, June 15, 2011

May-June 2011 Trojan Taidoor "Louisvilleheartsurgery.com" phishing campaign

These posts all contain the same trojan, but they were not created for the sake of samples. They are meant to show how compromised US servers are used for a stream of phishing emails. The first was noticed on May 31, 2011 and the last was today - June 13, 2011.


mail.louisvilleheartsurgery.com (66.147.51.202) appears to be a misconfigured mail server allowing relay, but only a forensic examination of the server can provide more details. If you are a patient and are concerned about your records, note that the mail server is not the same as a database or data server; patient records are most likely on a different server and not affected. Also, these attackers are not after the louisvilleheartsurgery.com data; they typically use the mail service to reach their targets elsewhere. Judging by the targets, topics, and trojans used, the phishing campaign is targeting researchers and experts working on China and Taiwan issues.

Tuesday, June 14, 2011

Jun 13 CVE-2009-4324 PDF navy procurement.pdf from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

  General File Information

File  navy procurement.pdf
File Size  222903
MD5  DF0DE9AD9E5BF00A60F8DE3D37683C5B
Distribution  Email attachment

CLICK HERE TO SEE ALL OTHER PHISHING MESSAGES SENT VIA THAT SERVER


 The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.

Monday, June 13, 2011

Jun 1 CVE-2010-3333 DOC You are my King from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability".

  General File Information

File You are my king.doc
File Size  58531 bytes
MD5  09D68EF693AC6B7D3ACF0DDFF0585543
Distribution  Email attachment


CLICK HERE TO SEE ALL OTHERS SENT VIA THAT SERVER


 The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing. (I have other examples of phish mail sent via that server and I will post them as soon as I can.)

May 31 CVE-2010-3333 DOC President Obama's Speech.doc from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability".

  General File Information

File President Obama's Speech.doc
File Size 73891 bytes
MD5 35C33BBD97D7F5629D64153A1B3E71F1
Distribution Email Attachment

 The trojan within a Word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing. (I have other examples of phish mail sent via that server - pretty much everything is the same - note the additional C2 IP in this post.)

See others




May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability".

  General File Information

File Q and A.doc
File Size 115755 bytes
MD5 46863c6078905dab6fd9c2a480e30ad0
Distribution Email Attachment

 The trojan within a Word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing. (I have other examples of phish mail sent via that server - pretty much everything is the same - note the additional C2 IP in this post.)


Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability".

  General File Information

File 2011 Insider's Guide to Military Benefits .doc
File Size  92715 bytes
MD5 f520c8671ddb9965bbf541f20635ef30
Distribution Email Attachment

 The trojan within a Word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to / hosted at Nuvox / Windstream email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing. (I have other examples of phish mail sent via that server and I will post them as soon as I can.)

Sunday, June 5, 2011

Six ways sensitive data finds its way to personal email accounts

    There has been a lot of speculation recently on how much sensitive data a hacker can find in personal email accounts, considering it is against the rules in most places to use personal accounts for work. Although there are strict rules for classified messages and documents, the intruders are often satisfied with merely sensitive or merely informational messages for building the picture they need. While I don't know how strict the rules are at the White House, the following behavior is common in at least some US Government offices and in many companies. This information is from my own knowledge, as well as accounts of people working for the US Government, the military, Fortune 500 companies, non-government research institutions, and other places.

I am sure you will find none of these scenarios surprising, they all are very common.
   
SIX WAYS SENSITIVE DATA FINDS ITS WAY TO PERSONAL EMAIL ACCOUNTS
    1.   Google Apps accounts are often created in addition to corporate/work mail to allow easy document sharing between different companies, for one project or as a permanent setup.
    2.   Employees set up auto-forwarding of all work email to their personal accounts for easy reading on personal mobile devices (not everyone has a work-issued mobile device).
    3.   Employees, regardless of their employer, need to communicate with people who work elsewhere. They cannot control whether their recipients use free webmail or what they do with their mail, and those recipients can be targeted.
    4.   Employees often trust personal webmail more than their work accounts for privacy reasons. They know their work mail is heavily monitored, archived and filtered, and they sometimes need to say something to each other "off the record". This may include work-related topics, their supervisors, etc.
    5.   Employees, especially when traveling, often manually forward selected messages from work to personal accounts, because it is easier to check a personal account than to log in with smart cards, RSA tokens and VPN just to refer to a few things they may need while traveling or working from home.
    6.   Employees may forward mail to personal accounts before leaving a job; some places allow auto-forwarding and in others it has to be done manually. People forward contacts or important messages they may need after starting a new job.

Related posts : Targeted attacks against personal accounts of military, government employees and associates

Tuesday, May 31, 2011

May 17 CVE-2010-2883 PDF Bin Laden's successor from spoofed Nationalpost.com

SIZE 103981 bytes
EXPLOIT TYPE         CVE-2010-2883
FILE NAME             Bin Ladens successor.pdf

Post Updates

The file uses the Fonts/SING CVE-2010-2883 exploit, which does not seem to be Metasploit-generated.

The sender often uses compromised servers of different organizations:
    *     Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce

    *     Jan 12 CVE-2010-3654 + CVE-2009-4324 + CVE-2009-0927 + CVE-2008-0655 PDF JANUARY 2011 from a compromised Thai Police account


     It is unclear whether this time it is a compromised server or whether the attacker uses the services of this internet provider as a customer.

    Beyond the Network America, Inc. (BTNaccess) is a wholly owned subsidiary of PCCW, and is headquartered in Reston, Virginia and Hong Kong with offices in Los Angeles, New York City, Philadelphia, Houston, London, Moscow, Prague, Kuala Lumpur, Singapore, Shenzhen, Tokyo, Mumbai and New Delhi.

    PCCW, a global leader in next generation broadband solutions, is the largest telecommunications provider in Hong Kong. PCCW is the operator of one of the world’s most advanced broadband networks and has over 700,000 broadband customers and 12,500 employees worldwide. As a global player, PCCW has portrayed innovation within the industry and demonstrated financial stability with 2003 revenues reaching US$2.89 billion.


    Wednesday, May 25, 2011

    W32.Qakbot aka W32/Pinkslipbot or infostealer worm

    W32.Qakbot aka W32/Pinkslipbot

      W32.Qakbot in Detail, by Nicolas Falliere (Symantec)

    W32.Qakbot is a worm that has been seen spreading through network shares, removable drives, and infected webpages, and infecting computers since mid-2009. Its primary purpose is to steal online banking account information from compromised computers. The malware controllers use the stolen information to access client accounts within various financial service websites with the intent of moving currency to accounts from which they can withdraw funds. It employs a classic keylogger, but is unique in that it also steals active session authentication tokens and then piggybacks on the existing online banking sessions. It then quickly uses that information for malicious purposes.

    The following screenshot is from the paper you see above 


      General File Information


    MD5  076bc0533d63826e1e809ad9fcbe2fb8
    SHA1 33d9b4a712c29304478da235f17cd28978a93d2f
    File size :55808 bytes
    Type:  PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)
     
    MD5 120d845ac973b4a0cde2bc88d8530b3d
    SHA1 not recorded (the original entry repeated the MD5 value here)
    File size :87040 bytes
    Type:  PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)

    MD5 150d006eab34528e3305fbbb5ad82164
    SHA1 551a9f3ce5b86cf77df90eda61be233c821be6b2
    File size :267776 bytes
    Type:  PE32 exe
    Distribution: mostly web (worm - spreads through shares, drives, webpages etc)



    Download


    Wednesday, May 11, 2011

    May 2 MAC Defender + May 11 Mac Protector Fake Antivirus Programs

    MAC Defender Fake Antivirus Program

    INTEGO SECURITY MEMO – May 2, 2011 MAC Defender Fake Antivirus Program Targets Mac Users

    Quote from Intego: Description: Intego has discovered a fake antivirus program called MAC Defender, which targets Mac users via SEO poisoning attacks (web sites set up to take advantage of search engine optimization tricks to get malicious sites to appear at the top of search results).
    When a user clicks on certain links after performing a search on a search engine such as Google, they are sent to a web site that displays a fake Windows screen with an animated image showing a malware scan; a window then tells the user that their computer is infected. After this, JavaScript on the page automatically downloads a file. The file downloaded is a compressed ZIP archive, which, if a specific option in a web browser is checked (“Open ‘safe’ files after downloading” in Safari, for example), will open. The file is decompressed, and the installer it contains launches presenting a user with the following screen:

      General File Information




     Added Mac Protector - May 11, thanks to an anonymous donation

    Malware: OSX/MacDefender.A and MacProtector.A
    Distribution: Web browsing. Low; in the wild, but not very widespread for now

    Download

     File name:MacProtector
    Submission date:2011-05-09 19:49:55 (UTC)
    Result:14 /43 (32.6%)
    http://www.virustotal.com/file-scan/report.html?id=2e9a751efb38ff8e971a9dd4c629bd5066c9fb802a0d821ef5c250e0b1c43382-1304970595
    ClamAV     0.97.0.0     2011.05.09     Trojan.OSX.MacDefender.C
    Emsisoft     5.1.0.5     2011.05.09     Hoax.Mac.MacProtector!IK
    F-Secure     9.0.16440.0     2011.05.09     Rogue:OSX/FakeMacDef.F
    Fortinet     4.2.257.0     2011.05.09     OSX/MacProtector.A
    Ikarus     T3.1.1.103.0     2011.05.09     Hoax.Mac.MacProtector
    Kaspersky     9.0.0.837     2011.05.09     Hoax.Mac.MacProtector.a
    Microsoft     1.6802     2011.05.09     Rogue:MacOS_X/FakeMacdef
    NOD32     6107     2011.05.09     OSX/AdWare.MacDefender.E
    PCTools     7.0.3.5     2011.05.09     RogueAntiSpyware.MacProtector
    Sophos     4.65.0     2011.05.09     OSX/FakeAV-A
    Symantec     20101.3.2.89     2011.05.09     MacProtector
    TrendMicro     9.200.0.1012     2011.05.09     OSX_FAKEAV.A
    TrendMicro-HouseCall     9.200.0.1012     2011.05.09     OSX_FAKEAV.A

    VirusBuster     13.6.345.0     2011.05.09     FraudTool.OSX.Defma.G
    MD5   : 1f8e9cd3f0717a85b96f350e4f4a539a

    MAC DEFENDER
    Archive.pax
    Current status:
    9 /41 (22.0%)
    AntiVir     7.11.7.150     2011.05.04     MACOS/FakeAV.A
    BitDefender     7.2     2011.05.04     MAC.OSX.Trojan.FakeAlert.A
    ClamAV     0.97.0.0     2011.05.04     Trojan.OSX.MacDefender
    DrWeb     5.0.2.03300     2011.05.05     Trojan.Fakealert.20856
    F-Secure     9.0.16440.0     2011.05.04     Rogue:OSX/FakeMacDef.A
    GData     22     2011.05.05     MAC.OSX.Trojan.FakeAlert.A
    Kaspersky     9.0.0.837     2011.05.05     not-a-virus:FraudTool.OSX.Defma.a
    Microsoft     1.6802     2011.05.04     Rogue:MacOS_X/FakeMacdef
    Sophos     4.64.0     2011.05.05     OSX/FakeAV-DMP
    MD5   : c0c866fde6336764da0def483f635dc9
    SHA1  : a61f2cb78bbb0472d95d2b967e3eda5f786e07ac

    http://www.virustotal.com/file-scan/report.html?id=22c3ded47d1903c101efefaba219e13542a4d2c463004fc6058f00eba2293466-1304457284
    MacDefender
    Submission date:
    2011-05-03 21:14:44 (UTC)
    Result:6 /41 (14.6%)
    DrWeb     5.0.2.03300     2011.05.03     Trojan.Fakealert.20856
    Kaspersky     9.0.0.837     2011.05.03     not-a-virus:FraudTool.OSX.Defma.a
    Microsoft     1.6802     2011.05.03     Rogue:MacOS_X/FakeMacdef
    PCTools     7.0.3.5     2011.05.03     MACDefender
    Sophos     4.64.0     2011.05.03     OSX/FakeAV-DMP
    Symantec     20101.3.2.89     2011.05.03     MACDefender
    MD5   : 2f357b6037a957be9fbd35a49fb3ab72
    SHA1  : fb6f092624d48fe9a496c50f615b424b27cf3515





    Tuesday, May 3, 2011

    May 3 CVE-2010-3333 DOC Courier who led U.S. to Osama bin Laden's hideout identified

    Common Vulnerabilities and Exposures (CVE) number

    CVE-2010-3333

    Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability".

      General File Information

    File   Laden's Death.doc
    MD5   dad4f2a0f79db83f8976809a88d260c5
    SHA1  d563029a2dfe3cfcddc7326b1b486213095e58e5
    SHA256  4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
    File size : 163065 bytes
    Type:  DOC
    Distribution: Email attachment

    Post Updates

    May 6   Updated analysis by Hermes Bojaxhi from CyberESI 

    May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit

    May 4, 2011 Kate Milton sent the extracted binary (decoded and not) and the decoy clean file. Many thanks.

    It was sent to many targets in the US Government today.

    Also see the same payload in the following messages

    http://contagiodump.blogspot.com/2010/09/sep14-cve-2010-2883-adobe-0-day-fwd.html

    http://contagiodump.blogspot.com/2010/09/cve-2009-4324-cve-2010-1297-cve-2009.html



    Download

    Message


    Tue, 03 May 2011 11:34:06 -0400 (EDT)
    Source-IP: 220.228.120.62 
    Message-ID: <000c01cc0998$15c8ec70$0201a8c0@protech.com.tw>
    From: XXXXXXXXXXXXXXXXXXX
    To: XXXXXXXXXXXXXXXXXXX
    Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
    Date: Tue, 3 May 2011 21:43:28 +0800
    X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
            boundary="----=_NextPart_000_0009_01CC09DB.23A97E20"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.3790.2929
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168


    This is a multi-part message in MIME format.

    ------=_NextPart_000_0009_01CC09DB.23A97E20
    Content-Type: text/plain;
            format=flowed;
            charset="big5";
            reply-type=original
    Content-Transfer-Encoding: 7bit

    To whom it may concern.

    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXX  Signature spoofed  XXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


    ------=_NextPart_000_0009_01CC09DB.23A97E20
    Content-Type: application/octet-stream;
            name="Laden's Death.doc"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
            filename="Laden's Death.doc"

    Sender

    220.228.120.62 (there are other IPs from that company used as well)

    Lotus Notes mail server, apparently compromised

    Hostname:    notess1.protech.com.tw
    ISP:    New Centry InfoComm Tech. Co., Ltd.
    Organization:    PROTECHSYSTEMSCO.,LTD.
    Assignment:    Static IP
    Country:    Taiwan
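    The headers above carry more than the source IP. As an added example, not part of the post, the script below parses the message (reconstructed from the headers shown; From/To and the attachment body are placeholders) and pulls out the artifacts worth comparing against the relay: the host in the Message-ID, the sender's LAN address that Outlook Express encodes in the Message-ID's third field, the local build time Outlook encodes in the MIME boundary, the Date header's timezone, the body charset and the attachment name. The two Outlook Express encodings are known client artifacts, not something the post states.

```python
# Added example, not code from the Contagio post. Extracts sender artifacts from
# the headers shown above. The message text is reconstructed from those headers:
# From/To are placeholders (redacted in the post) and the attachment body is a
# placeholder, not the real document. The relay IP and its reverse DNS are the
# values the post gives for the sending server.
import email
import email.utils
import ipaddress
import re
from datetime import datetime, timedelta

SOURCE_IP = "220.228.120.62"
SOURCE_HOSTNAME = "notess1.protech.com.tw"

RAW_MESSAGE = """\
Message-ID: <000c01cc0998$15c8ec70$0201a8c0@protech.com.tw>
From: redacted@example.invalid
To: redacted@example.invalid
Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
Date: Tue, 3 May 2011 21:43:28 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
\tboundary="----=_NextPart_000_0009_01CC09DB.23A97E20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2929
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168

This is a multi-part message in MIME format.

------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: text/plain;
\tformat=flowed;
\tcharset="big5";
\treply-type=original
Content-Transfer-Encoding: 7bit

To whom it may concern.

[signature redacted in the post]

------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: application/octet-stream;
\tname="Laden's Death.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
\tfilename="Laden's Death.doc"

cGxhY2Vob2xkZXI=
------=_NextPart_000_0009_01CC09DB.23A97E20--
"""

FILETIME_EPOCH = datetime(1601, 1, 1)


def filetime_to_datetime(hex_filetime):
    """Windows FILETIME: 100 ns ticks since 1601-01-01, here as 16 hex digits."""
    return FILETIME_EPOCH + timedelta(microseconds=int(hex_filetime, 16) // 10)


def decode_oe_message_id(msgid):
    """Outlook Express builds Message-IDs as <hex$hex$hex@host>; the third field is
    the composing machine's IPv4 address in little-endian hex (known OE artifact)."""
    m = re.match(r"<([0-9a-f]+)\$([0-9a-f]+)\$([0-9a-f]{8})@([^>]+)>", msgid.strip(), re.I)
    if not m:
        return None
    lan_ip = ipaddress.IPv4Address(bytes.fromhex(m.group(3))[::-1])
    return {"host": m.group(4), "local_ip": str(lan_ip)}


def boundary_build_time(msg):
    """Outlook/OE MIME boundaries end in a FILETIME taken from the sender's local clock."""
    m = re.search(r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})$", msg.get_boundary() or "")
    return filetime_to_datetime(m.group(1) + m.group(2)) if m else None


def triage(raw, relay_hostname):
    """Header artifacts an analyst compares against the relay that delivered the mail."""
    msg = email.message_from_string(raw)
    sent = email.utils.parsedate_to_datetime(msg["Date"])
    oe = decode_oe_message_id(msg["Message-ID"] or "") or {}
    built = boundary_build_time(msg)
    text_parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return {
        "x_mailer": msg["X-Mailer"],
        "date_utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
        "body_charset": text_parts[0].get_content_charset() if text_parts else None,
        "message_id_host": oe.get("host"),
        "sender_lan_ip": oe.get("local_ip"),
        "composed_local_time": built,
        # Date header and boundary FILETIME both come from the sender's clock and should agree to within seconds
        "compose_to_send_seconds": (sent.replace(tzinfo=None) - built).total_seconds() if built else None,
        "attachments": [p.get_filename() for p in msg.walk() if p.get_filename()],
        "msgid_host_matches_relay": bool(oe) and relay_hostname.endswith(oe["host"]),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE, SOURCE_HOSTNAME).items():
        print(f"{key:28s} {value}")
```

    For this message the Message-ID host is protech.com.tw and the relay's reverse DNS is notess1.protech.com.tw, so the mail was composed in Outlook Express on a workstation at 192.168.1.2 and submitted through that organization's own Lotus Notes server; the +0800 Date header and the boundary FILETIME agree to within a second, and the big5 body charset fits a Taiwanese client. The same fields on a message claiming to come from Gmail, as in the June 22 post above, would show the mismatch immediately.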


    Automated Scans

    File name: Laden's Death.doc
    Submission date:2011-05-03 15:34:52 (UTC)
    http://www.virustotal.com/file-scan/report.html?id=4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342-1304436892#
    1/ 41 (2.4%)
    Commtouch    5.3.2.6    2011.05.03    CVE-2010-3333!Camelot
    MD5   : dad4f2a0f79db83f8976809a88d260c5
    SHA1  : d563029a2dfe3cfcddc7326b1b486213095e58e5
    SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
    ssdeep: 1536:njNRRUfwR/JvinctjMA+2cg1WoQ98k//qL+fV7UswHOv6fNtcrm2XDt/:nBJRvinBADAOk661UswH/fNGy2XB
    File size : 163065 bytes
    First seen: 2011-05-03 15:34:52
    Last seen : 2011-05-03 15:34:52

    Analysis

    May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit


    Clean file (thanks to Kate Milton for the binary and the clean decoy file submission)



    File name:exe_decoded.bin
    http://www.virustotal.com/file-scan/report.html?id=a40b5cf0689aebaaf2352b61e8a9f4544ec69ef8ea3dc558f53646964a85755b-1304567158
    Submission date:2011-05-05 03:45:58 (UTC)
    Result:17 /40 (42.5%)

    AntiVir     7.11.7.150     2011.05.04     BDS/Protux.tg
    BitDefender     7.2     2011.05.05     Trojan.Generic.KDV.211541
    Commtouch     5.3.2.6     2011.05.05     W32/Virut.AI!Generic
    DrWeb     5.0.2.03300     2011.05.05     BackDoor.Diho.163
    eTrust-Vet     36.1.8307     2011.05.04     -
    F-Prot     4.6.2.117     2011.05.04     W32/Virut.AI!Generic
    GData     22     2011.05.05     Trojan.Generic.KDV.211541
    Ikarus     T3.1.1.103.0     2011.05.05     Backdoor.Win32.Protux
    Kaspersky     9.0.0.837     2011.05.05     Backdoor.Win32.Protux.tg
    McAfee     5.400.0.1158     2011.05.05     Artemis!30C8C4C99430
    McAfee-GW-Edition     2010.1D     2011.05.05     Artemis!30C8C4C99430
    NOD32     6095     2011.05.05     Win32/Protux.NAK
    Panda     10.0.3.5     2011.05.04     Suspicious file
    PCTools     7.0.3.5     2011.05.04     Trojan.Generic
    SUPERAntiSpyware     4.40.0.1006     2011.05.05     -
    Symantec     20101.3.2.89     2011.05.05     Trojan Horse
    TrendMicro     9.200.0.1012     2011.05.04     PAK_Generic.001
    TrendMicro-HouseCall     9.200.0.1012     2011.05.05     BKDR_PROTUX.GE
    VBA32     3.12.16.0     2011.05.04     Backdoor.Protux.ta
    MD5   : 30c8c4c9943044287cf06996863c2261
    SHA1  : e7addde85f18c6ce22f7a1abc1ed78e662ce90f2

    ----------------------------------------------------------------------------------------------------------
    See the payload analysis here: http://www.cyberesi.com/2011/05/03/ladens-death-doc-cve-2010-3333/

    Hermes Bojaxhi from CyberESI (http://www.cyberesi.com) provided the following details about the payload:

    File Name:  dhcpsrv.dll
    File Size:  44504 bytes
    MD5:        06ddf39bc4b5c7a8950f1e8d11c44446
    SHA1:       b8c11c68f3e92b60cc4b208bd5905c0365f28978
    PE Time:    0x4D9C2616 [Wed Apr 06 08:36:38 2011 UTC]
    Sections (4):
     Name      Entropy  MD5
     .text     6.14     5c8b018d10792fdb74b5f289f97c5d06
     .rdata    4.73     88003ece00266ee44c21ac6242a7eafd
     .data     4.99     1d745a13a1f55e75b2f68adee97c6f59
     .reloc    5.7      e437cc92e10504181d7b712478db6af3


    beacons to these domains:

    checkerror.ucparlnet.com

    ssi.ucparlnet.com
    www.dnswatch.info
    picture.ucparlnet.com
    ==============
    C2 domain info

    checkerror.ucparlnet.com - 203.67.127.165 (hostname protech.com.tw; Digital United Inc., Taiwan)
    ssi.ucparlnet.com - 58.34.152.233 (ChinaNet Shanghai Province Network, China)
    www.dnswatch.info - 82.96.118.210 (Probe Networks / Planet-Hosting.cz, Germany)
    picture.ucparlnet.com - 203.67.127.165 (hostname protech.com.tw; Digital United Inc., Taiwan)

    Note that two of the C2 names resolve to an address whose reverse DNS is protech.com.tw, the same organization whose Lotus Notes server (notess1.protech.com.tw, 220.228.120.62) sent the message.

    ucparlnet.com IP address hosting history

    Event Date   Action   Pre-Action IP    Post-Action IP
    2010-08-10   New      -none-           58.34.152.162
    2010-08-13   Change   58.34.152.162    58.37.54.66
    2010-08-23   Change   58.37.54.66      58.34.148.241
    2010-09-03   Change   58.34.148.241    220.246.76.125
    2010-09-24   Change   220.246.76.125   127.0.0.1
    2010-10-25   Change   127.0.0.1        58.37.182.29
    2010-11-28   Change   58.37.182.29     58.34.149.104
    2010-12-09   Change   58.34.149.104    58.34.152.202
    2010-12-31   Change   58.34.152.202    127.0.0.1
    2011-02-24   Change   127.0.0.1        125.141.233.16
    2011-04-10   New      -none-           125.141.233.16

    The domain was parked at 127.0.0.1 twice between hosting changes, a common way to idle a C2 name between campaigns.

    dnswatch.info is not a malicious domain.