Friday, November 27, 2009

熊猫烧香 Panda Burning Incense virus - the new version is a variant, called Worm_Piloyd.B

Li Jun, aka “Virus King,” designed the 熊猫烧香 / Panda Burning Incense / joss-sticks virus that wreaked havoc in China in 2006 - 2007. He spent 2 1/2 years in prison and was/is supposed to be released at the end of this year. Maybe he already was, because a new version of this virus is now making the rounds in China.

Here is a Chinese language article (Google translated) about the author of the virus

The script below (from someone named 'bobo') is supposed to remove the original version of the virus:

Nov.25 PDF attack: MOU from Nov 25, 2009 10:25 PM

Download the infected pdf (password protected, contact me for the password)

Google Translate

From: Arthur Chou []
Sent: Wednesday, November 25, 2009 10:25 PM
Subject: MOU

This Council and the mainland three financial supervisory authorities signed a memorandum of cooperation is now Commissioner of the Executive Yuan for approval in Chen, I would like to compile a memorandum related matters, such as accessories, please read, thank you.

If any, additional information, please feel free to tell.

When Qi Shun Chung

Zhou Minggao Sincerely,



Result - suspicious

Virustotal analysis

AntiVir 2009.11.26 HTML/Rce.Gen
McAfee-GW-Edition 6.8.5 2009.11.26 Heuristic.Script.Rce
Microsoft 1.5302 2009.11.26 Exploit:Win32/ShellCode.A
NOD32 4640 2009.11.26 PDF/Exploit.Gen
Norman 6.03.02 2009.11.25 JS/ShellCode.C 


Wednesday, November 25, 2009

Nov.25 PDF attack. Letter on Taiwan from Nov 25, 2009 11:23 AM

Download the infected PDF (password protected, you have to contact me for the password)
This one is quite interesting:

From Rupert Hammond-Chambers []
Sent: Wednesday, November 25, 2009 9:54 AM
Subject Letter on Taiwan

Dear Colleagues,

I first would like to extend my heartfelt gratitude for the support that you and other members of Congress have demonstrated to the Republic of China (Taiwan) over the last 30 years. Despite the absence of official relations, our common goals and interests remain strong.
Our nation has attempted to purchase follow-on F-16s since 2006 to upgrade our national defense by replacing our F-5s and other antiquated equipment and thereby respond to the growing threat that the People’s Republic of China (PRC) and its military’s modernization efforts represents to peace and security in the Taiwan Strait. We respectively ask you to support our clear military need to upgrade our F-16 force by supporting a follow-on sale of F-16s. Your support will contribute immeasurably to America and Taiwan’s shared interest in democracy and peace and security in the Taiwan Strait.
Sincerely yours,


Rupert Hammond-Chambers
US-Taiwan Business Council
1700 North Moore Street, Suite 1703
Arlington, Virginia 22209
United States of America
Telephone: (703) 465-2930
Mobile: (202) 445-4777
Facsimile: (703) 465-2937

Monday, November 23, 2009

Nov.23 PDF attack. The three undisclosed secret in President Obama Tours Asia Nov 23, 2009 11:23 AM from

Download the malicious PDF (password protected, you have to contact me for the password)

The three undisclosed secret in President Obama Tours Asia

Sent: Mon 11/23/2009 11:23 AM
From: Jennifer F. Carlson []


The three undisclosed secret in President Obama Tours Asia.

The message sender was
The message originating IP was
The message recipients were
The message was titled The three undisclosed secret in President Obama Tours Asia
The message date was Mon, 23 Nov 2009 08:22:38 -0800 (PST)
The message identifier was <>
The virus or unauthorised code identified in the email is:
F-Secure Security Platform version 1.12  build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.

Scan started at Mon Nov 23 16:22:42 2009 Database version: 2009-11-23_10

attach/5963917_3X_PM5_EMS_MA-PDF__ObamaAndAsia.pdf: Infected: [AVP]

Virustotal analysis

File ObamaAndAsia.pdf received on 2009.11.25 06:39:38 (UTC)

Result: 5/41 (12.2%)

Antivirus Version Last Update Result

BitDefender 7.2 2009.11.25 Trojan.SWF.HeapSpray.B
F-Secure 9.0.15370.0 2009.11.24 Trojan.SWF.HeapSpray.B
Kaspersky 2009.11.25
GData 19 2009.11.25 Trojan.SWF.HeapSpray.B
Sunbelt 3.2.1858.2 2009.11.25 Exploit.PDF-JS.Gen (v)

Wednesday, November 18, 2009

Nov.18 PDF attack. U.S. ship thwarts second pirate attack November 18, 2009.pdf Nov 18, 2009 10:38:02 AM from (Spoofed sender)

Links updated: Jan 18, 2023

Download the malicious pdf (password protected, you have to contact me for the password)

Email message text

Fw: U.S. ship thwarts second pirate attack November 18, 2009
To: Undisclosed-Recipient:;
Sent: 11/18/2009 10:38 AM
>>> FYI
>>> ----- Original Message -----
>>> From: "Antweiler"
>>> To:
>>> Sent: Wednesday, November 18, 2009 4:40 AM
>>> Subject:Today: U.S. ship thwarts second pirate attack

Wepawet analysis 

Analysis report for U.S. ship thwarts second pirate attack November 18, 2009.pdf
Sample Overview
File    U.S. ship thwarts second pirate attack November 18, 2009.pdf
MD5    0b9e08970966b28ad05300038a16ba22
Analysis Started    2009-11-18 07:50:52
Report Generated    2009-11-18 07:50:57
JSAND version    1.03.02
Detection results
Detector    Result
JSAND 1.03.02    malicious

Name    Description    Reference

Adobe Collab overflow    Multiple Adobe Reader and Acrobat buffer overflows    CVE-2007-5659

Adobe getIcon    Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object    CVE-2009-0927

Heap Spraying with Actionscript by FireEye and From Targeted PDF Attack to Backdoor in Five Stages by McAfee

Links updated: Jan 18, 2023

FireEye Malware Intelligence Lab
Julia Wolf @ FireEye Malware Intelligence Lab

Heap Spraying with Actionscript

Why turning off Javascript won't help this time

As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. So this is a quick note about how it's implemented, but this blog post is not going to cover any details about the exploit itself.

Background Summary

Most of the Acrobat exploits over the last several months use the, now common, heap spraying technique, implemented in Javascript/ECMAscript, a Turing complete language that Adobe thought would go well with static documents. (Cause that went so well for Postscript) (Ironically, PDF has now come full circle back to having the features of Postscript that it was trying to get away from.) The exploit could be made far far less reliable, by disabling Javascript in your Adobe Acrobat Reader.

But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the “%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll” and “%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll” files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]

Anyway, here's why… Flash has its own version of ECMAScript called Actionscript, and whoever wrote this new 0-day, finally did something new by implementing the heap-spray routine with Actionscript inside of Flash. More

McAfee Labs Blog
From Targeted PDF Attack to Backdoor in Five Stages
Monday September 14, 2009 at 12:33 pm CST
Posted by Dennis Elser

As reported by Adobe in July, a Flash vulnerability is being actively exploited by targeted attacks against Adobe Reader. Yes, embedding Flash movies in PDF documents is supported in Adobe Acrobat 9. The idea of allowing Flash movies to be displayed within PDFs isn’t bad if you like your documents spiced up with a bit of interactivity or training videos. From a security perspective, however, this poses yet another attack vector for criminals to take control of vulnerable systems. As history has shown, complexity and feature richness go hand in hand with remotely exploitable vulnerabilities. It is unfortunately no different with this latest PDF feature.

The exploitation of this vulnerability continues. Below are screenshots from one such malicious PDF document, discovered in a targeted attack this week. The attack contains several compressed streams and at least two embedded Flash movies. The first embedded Flash movie is clean, the second exploits CVE-ID 2009-1862, which causes a memory corruption and allows an attacker’s code to execute. Underneath the compression layer, JavaScript code is embedded in the PDF document. This code fills heap memory with the attacker’s shellcode. Apart from the PDF acting as an additional obfuscation layer around the exploit, the JavaScript code, once unpacked, contains another function that attempts to evade detection. More
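The Wepawet detections on the Nov 18 and Nov 6 samples (Collab overflow, getIcon) and the two excerpts above (JavaScript heap spray hidden under a compression layer; the spray moved into ActionScript inside an embedded SWF, where disabling JavaScript no longer helps) describe exactly what a responder wants to check before a PDF goes to a sandbox. The script below is an added example written for this page, not code from Wepawet, FireEye or McAfee: it inflates every FlateDecode stream, searches the raw and inflated content for the indicators named on this page, and lists the reasons the file deserves sandbox analysis. The regexes, the scoring in verdict(), the build_sample_pdf() fixture and all function names are my own assumptions; the fixture is a constructed, harmless stand-in that only contains the textual markers, not a working exploit.

```python
import re
import zlib

# Indicators taken from the reports and excerpts on this page. The regexes are
# my assumptions for a triage script; they are not Wepawet/JSAND signatures.
INDICATORS = {
    "javascript": re.compile(rb"/(JavaScript|JS)\b"),          # script objects in the PDF
    "openaction": re.compile(rb"/(OpenAction|AA)\b"),           # runs when the document opens
    "richmedia_or_embedded": re.compile(rb"/(RichMedia|EmbeddedFile)\b"),
    "collab_collectEmailInfo": re.compile(rb"Collab\.collectEmailInfo"),  # CVE-2007-5659 pattern
    "collab_getIcon": re.compile(rb"getIcon\s*\("),                       # CVE-2009-0927 pattern
    "unescape_heapspray": re.compile(rb"unescape\s*\(\s*['\"]%u"),        # %u-encoded shellcode
    "swf_magic": re.compile(rb"(FWS|CWS)[\x01-\x20]"),                   # Flash header + version byte
}

# A PDF stream body: "stream" newline ... newline "endstream"; the lookbehind
# keeps "endstream" itself from being taken as the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> list:
    """Return the decompressed body of every stream zlib can inflate (the
    FlateDecode layer under which the samples above hide their JavaScript)."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # raw SWF, images, other filters: still scanned in the raw view
    return out


def scan_pdf(data: bytes) -> dict:
    """Count each indicator over the raw file plus every inflated stream."""
    views = [data] + inflate_streams(data)
    counts = {name: sum(len(rx.findall(v)) for v in views) for name, rx in INDICATORS.items()}
    counts["compressed_streams"] = len(views) - 1
    return counts


def verdict(counts: dict) -> list:
    """Plain-language reasons to send the file to a sandbox (assumed thresholds)."""
    reasons = []
    if counts["collab_collectEmailInfo"]:
        reasons.append("Collab.collectEmailInfo call (CVE-2007-5659 pattern)")
    if counts["collab_getIcon"]:
        reasons.append("Collab getIcon call (CVE-2009-0927 pattern)")
    if counts["javascript"] and counts["unescape_heapspray"]:
        reasons.append("JavaScript with %u-encoded unescape() payload (heap spray pattern)")
    if counts["swf_magic"] or counts["richmedia_or_embedded"]:
        reasons.append("embedded Flash/RichMedia content: disabling JavaScript alone does not help")
    if counts["openaction"] and counts["javascript"]:
        reasons.append("script wired to OpenAction/AA: executes on open")
    return reasons


def build_sample_pdf() -> bytes:
    """Constructed fixture (not a real sample): minimal PDF whose OpenAction
    points at a FlateDecode-compressed script mentioning getIcon and a %u
    unescape() call, plus a RichMedia object whose stream starts with a
    compressed-SWF header followed by junk bytes."""
    js = b"var s = unescape('%u9090%u9090');\nCollab.getIcon(s);\n"
    js_z = zlib.compress(js)
    swf = b"CWS\x09" + b"\x00" * 16  # CWS = zlib-compressed SWF, version 9; body is junk
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js_z) + js_z + b"\nendstream",
        b"<< /Type /RichMedia /Length %d >>\nstream\n" % len(swf) + swf + b"\nendstream",
    ]
    out = b"%PDF-1.6\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return out


if __name__ == "__main__":
    counts = scan_pdf(build_sample_pdf())
    for name, n in counts.items():
        print(f"{name:24s} {n}")
    for reason in verdict(counts):
        print("->", reason)
```

Run it against a real file with `scan_pdf(open(path, "rb").read())`. The check is deliberately shallow: it only sees the plain forms of these strings, so a script that assembles "getIcon" from String.fromCharCode pieces, a stream under a filter other than FlateDecode, or objects packed into an object stream will slip past it. That is why the posts above rely on Wepawet/JSAND, which actually executes the embedded JavaScript; this script is a fast first pass for deciding which attachments to submit.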

Saturday, November 14, 2009

Hacker Magazine (Xakep - Haker #10 2009) in Russian

Links updated: Jan 18, 2023

Hacker Magazine (Xakep - Haker #10 2009)
Download pdf in Russian

Tuesday, November 10, 2009

Nov.8 PDF attack 國防部人力司招聘「專案研究助理」 from Sun, Nov 08, 2009 8:13 PM

Links updated: Jan 18, 2023

From: 國防部人力司 []
Sent: Sunday, November 08, 2009 8:13 PM
To: ouruser@ourdomain
Subject: 國防部人力司招聘「專案研究助理」
如附件所示,請 鑒核。

Approx. Translation:
Dept of Defense Manpower Division is recruiting a special research assistant
Please see attached.
Department of Defense Manpower Division
LI Yi-chao Sincerely,
Address: No. 172 Po-ai Road, Taipei.

Wepawet Analysis report for 國防部人力司招聘「專案研究助理 .pdf
Sample Overview
File 國防部人力司招聘「專案研究助理.pdf
MD5 35300c972545b9ae6efac2d24fea8b67
Analysis Started 2009-11-10 20:44:08
Report Generated 2009-11-10 20:44:18
Jsand version 1.03.02
Detection results
Detector Result
Jsand 1.03.02 malicious


Sunday, November 8, 2009

COFEE v112

Links updated: Jan 18, 2023

COFEE - Computer forensics tool

What is COFEE?
COFEE has been designed to provide the investigator the ability to collect evidence from a target system
with the minimum of user interaction. After the GUI interface generates a COFEE USB device (copies all
scripts and programs), the investigator can take the device and easily insert it onto a target machine,
and begin the collection process by executing a single program.

Published by NIJ (56)

DOJ Computer forensics tool testing reports

Friday, November 6, 2009

Nov.6 PDF attack. Obama visit Asia from [username] Nov 6, 2009 8:38:57 AM

Links updated: Jan 18, 2023

Download. Email me if you need the password

Possible MalWare 'Exploit/Zordle.gen' found in '5963792_3X_PM5_EMS_MA-PDF__Obama=20visit=20Asia.pdf'. Heuristics score: 201
From: "[REMOVED]" [
Sent: Friday, November 6, 2009 8:38:57 AM GMT -05:00 US/Canada Eastern
Subject: Obama's visit to Asia

Dear Colleagues,

With the upcoming Obama's visit to Asia, please find the attached paper for your kind reference.
Should you have any questions, please contact me.
Best regards,
signature here [REMOVED]

Virustotal analysis

File Obama_visit_Asia.pdf received on 2009.11.06 18:05:36 (UTC)

Current status: finished
Result: 4/41 (9.76%)

Antivirus    Version    Last Update    Result

Wepawet analysis

File    Obama visit Asia.pdf
Analysis Started    2009-11-06 12:10:45
Report Generated    2009-11-06 12:10:53
Jsand version    1.03.02

Detection results
Detector    Result
Jsand 1.03.02    malicious

Name    Description    Reference
Adobe Collab overflow    Multiple Adobe Reader and Acrobat buffer overflows    CVE-2007-5659
Adobe getIcon    Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object    CVE-2009-0927


Monday, November 2, 2009

Win32/Opachki.A - Trojan that removes Zeus (but it is not benign)

Links updated: Jan 18, 2023

Download. Email me if you need the password
MD5 00f2fd5e2c125965c188754f04da576c
SHA-1 63d53f6e1b3f9fb23c88b19f7c6326da45753a5d
SHA-256 a602a3dd91b5aa0e0e68d20efe787e01c9548cb1b11b5032541c2e7d4edb5710

Win32/Opachki.A --Virustotal-all antivirus names for it. The real tragedy is in those

nsrbgxod.bak created by Opachki and nsrbgxod.bak created by Zeus/ZBot (link lost)

Different hash

SecureWorks Opachki Trojan Analysis


Submission details:

1. %Temp%\nsrbgxod.bak
   0 bytes
   MD5: D41D8CD98F00B204E9800998ECF8427E
   SHA-1: DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
   (these are the MD5 and SHA-1 of an empty file, so they identify nothing; the path is the indicator)

2. %UserProfile%\protect.dll
   [file and pathname of the sample #1]
   24,064 bytes
   MD5: 0x87A2583DE6F6FBB5104E0433E89B1BCF
   SHA-1: 6048D36DB2207A1CEA877742C9403A816D711C6D

3. %Programs%\Startup\ChkDisk.lnk
   655 bytes
   MD5: 0x6F61156F14AEED438770D31391E67EC9
   SHA-1: 0x277B806CEC1AEDE9F9B934B7DD655D0BBB542597

Read more - Update March 2010

New banking trojan W32.Silon -msjet51.dll

Links updated: Jan 18, 2023