Dec.1 PDF Attack of the day. Russian-Proposed European Security Treaty from sullivanchris81@yahoo.com Tue, 1 Dec 2009 04:30:47

CVE-2009-3953

The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994. 


Download infected pdf files (password protected archive. You have to contact me for the password) 

The message sender was

sullivanchris81@yahoo.com

The message originating IP was 98.136.165.26 The message recipients were

XXX@XXX.XXX

The message was titled Russian-Proposed European Security Treaty The message date was Tue, 1 Dec 2009 04:30:47 -0800 (PST) The message identifier was <729208.94960.qm@web112801.mail.gq1.yahoo.com>

The virus or unauthorised code identified in the email is:

F-Secure Security Platform version 1.12 build 6412 Copyright (c) 1999-2007 F-Secure Corporation. All Rights Reserved.

Scan started at Tue Dec 1 12:30:52 2009 Database version: 2009-12-01_03

attach/5964623_3X_PM5_EMS_MA-PDF__European=20Security=20Treaty=2D1.pdf: Infected: Exploit.JS.Pdfka.ara [AVP]

attach/5964623_4X_PM6_EMS_MA-PDF__European=20Security=20Treaty=2D2.pdf: Infected: Exploit.JS.Pdfka.ara [AVP]

Scan ended at Tue Dec 1 12:30:52 2009

3 files scanned

2 files infected

Dear Colleagues,

Just in case you have not seen this, I attached the draft treaty for your infomation. The treaty was posted on the website of the Russian Government.

Hope it will be help for your work.

Regards,

Chris

File 1
Virustotal
File European_Security_Treaty-1.pdf received on 2009.12.11 18:18:23 (UTC)

Result: 16/41 (39.03%)

a-squared 4.5.0.43 2009.12.11 Exploit.Win32.ShellCode!IK
AntiVir 7.9.1.108 2009.12.11 HTML/Rce.Gen
Antiy-AVL 2.0.3.7 2009.12.11 Exploit/Win32.Pidief
BitDefender 7.2 2009.12.11 Trojan.Script.237170
F-Secure 9.0.15370.0 2009.12.11 Trojan.Script.237170
GData 19 2009.12.11 Trojan.Script.237170
Ikarus T3.1.1.74.0 2009.12.11 Exploit.Win32.ShellCode
Kaspersky 7.0.0.125 2009.12.11 Exploit.Win32.Pidief.cwq
McAfee 5829 2009.12.11 Exploit-PDF.q.gen!stream
McAfee+Artemis 5829 2009.12.11 Exploit-PDF.q.gen!stream
McAfee-GW-Edition 6.8.5 2009.12.11 Heuristic.Script.Rce
Microsoft 1.5302 2009.12.11 Exploit:Win32/Pdfdrop.A
NOD32 4680 2009.12.11 PDF/Exploit.Gen
Norman 6.04.03 2009.12.11 JS/ShellCode.C
Sophos 4.48.0 2009.12.11 Troj/PDFJs-FM
TrendMicro 9.100.0.1001 2009.12.11 TROJ_PIDIEF.SMP

File size: 323583 bytes
MD5...: 839be4f806c62456847b2f844df46e81
SHA1..: 31cc7f70d0323ab08bec65726767c36f2821bdb5
SHA256: 1a7d3233571b0639ad2b7247ea509f4fa79400e5d52a001469593ab19953547b
ssdeep: 6144:1ykJZ+49yOBfNEHEhz4yfhVXNrgUYwiV1moGXnN79TxNBGmf:1yk99yof2C
4CITwiUnbFNtf

Wepawet
File European Security Treaty-1.pdf
MD5 839be4f806c62456847b2f844df46e81
Analysis Started 2009-12-11 10:34:01
Report Generated 2009-12-11 10:34:06
Jsand version 1.03.02

Detection results
Detector Result
Jsand 1.03.02 suspicious
http://wepawet.cs.ucsb.edu/view.php?hash=839be4f806c62456847b2f844df46e81&type=js

File 2

Virustotal

 

File European_Security_Treaty-2.pdf received on 2009.12.11 18:18:10 (UTC)

Result: 13/41 (31.71%)

a-squared 4.5.0.43 2009.12.11 Exploit.Win32.ShellCode!IK
AntiVir 7.9.1.108 2009.12.11 HTML/Rce.Gen
Antiy-AVL 2.0.3.7 2009.12.11 Exploit/Win32.Pidief
BitDefender 7.2 2009.12.11 Trojan.Script.237170
F-Secure 9.0.15370.0 2009.12.11 Trojan.Script.237170
GData 19 2009.12.11 Trojan.Script.237170
Ikarus T3.1.1.74.0 2009.12.11 Exploit.Win32.ShellCode
Kaspersky 7.0.0.125 2009.12.11 Exploit.Win32.Pidief.cwq
McAfee-GW-Edition 6.8.5 2009.12.11 Heuristic.Script.Rce
Microsoft 1.5302 2009.12.11 Exploit:Win32/Pdfdrop.A
NOD32 4680 2009.12.11 PDF/Exploit.Gen
Norman 6.04.03 2009.12.11 JS/ShellCode.C
Sophos 4.48.0 2009.12.11 Troj/PDFJs-FM

Additional information
File size: 856683 bytes
MD5...: 5e4d2be5bd907c0806d1044f526fe0c2
SHA1..: 10c0d93ae27803ce006d37dfbabedb15e8e78562
SHA256: 81a7dee4a6b87842b427a60a43af658b1fd2bcdf43a108c66c768017f0de4a46
ssdeep: 24576:tVX09sllTA77sRAmvoICcyroeV1M3MiazM4dEWGcCliMbnZ:tVX0ellTA7
7sRFvoICXroebiJGEWXCE4
http://www.virustotal.com/analisis/81a7dee4a6b87842b427a60a43af658b1fd2bcdf43a108c66c768017f0de4a46-1260555490

Wepawet
File European Security Treaty-2.pdf
MD5 5e4d2be5bd907c0806d1044f526fe0c2
Analysis Started 2009-12-11 10:41:52
Report Generated 2009-12-11 10:41:56
Jsand version 1.03.02

Detection results
Detector Result
Jsand 1.03.02 suspicious 

 http://wepawet.cs.ucsb.edu/view.php?hash=5e4d2be5bd907c0806d1044f526fe0c2&type=js

Vicheck.ca scans

European Security Treaty-1.pdf:
SCAN: PDF Exploit suspicious use of U3D CVE-2009-3953 CVE-2009-3959 (genexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=839be4f806c62456847b2f844df46e81
RESULT: Embedded executable detected.
Encryption level: 1 byte key.
Exploit method detected: genexploit - PDF Exploit suspicious use of U3D CVE-2009-3953 CVE-2009-3959.
Confidence ranking: 100 (12 hits).


European Security Treaty-2.pdf:
SCAN: PDF Exploit suspicious use of U3D CVE-2009-3953 CVE-2009-3959 (genexploit/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=5e4d2be5bd907c0806d1044f526fe0c2
RESULT: Embedded executable detected.
Encryption level: 1 byte key.
Exploit method detected: genexploit - PDF Exploit suspicious use of U3D CVE-2009-3953 CVE-2009-3959.
Confidence ranking: 100 (22 hits).