Friday, December 18, 2009

Dec 18 Adobe 0-day CVE-2009-4324 PDF attack of the day (#4): 女兵脫衣比中指 拍照PO上網 (Female soldier strips and gives the middle finger, photos posted online), from Sat, 19 Dec 2009 10:22:01 +0800


This message is targeted but not perfect: not all recipients of the message can read Chinese. I posted the machine translation at the end of the post; the text is about an alleged recent strip-photo scandal in the People's Liberation Army.

This message shows that detection of the new threat remains tricky. Messagelabs apparently used Symantec scanners to stop and tag the threat, yet Symantec did not detect it when it was scanned on VirusTotal. Not to mention a distressingly low overall detection rate: 7 out of 41.

The message sender was
The message originating IP was
The message recipients were
The message was titled 女兵脫衣比中指 拍照PO上網 (Female soldier strips and gives the middle finger, photos posted online)
The message date was Sat, 19 Dec 2009 10:22:01 +0800
The message identifier was 1975e5623c$23fce32a$0ae1d8b4@gpwbinfo212af2ce2>
The virus or unauthorised code identified in the email is:
Trojan.Pidief.H -- Symantec definitions :)

From: 軍聞社 (Military News Agency) []
Sent: Friday, December 18, 2009 9:22 PM
Subject: Female soldier strips and gives the middle finger, photos posted online (女兵脫衣比中指 拍照PO上網)

        A set of strip photos of a female soldier of the national armed forces (國軍), titled 「寶貝悶」 ("Baby Bored"), has been circulating online. Because the behaviour was unprecedentedly bold, it immediately caused a sensation. People first assumed the photos were fake, but an investigation found that the woman in the photos is Sergeant Chen Hsueh-wei (陳學葳), currently an administrative NCO in the 1st Company of the Combined Logistics Command's Central Transport Battalion. After the photos surfaced, Chen admitted to the military that they were "crazy photos" taken with classmates in February of last year to celebrate the end of their training at the Logistics School. ...
 (See the full text at the end of the post.)
__________ Information from ESET NOD32 Antivirus, version of virus signature database 4700 (20091218) __________
The message was checked by ESET NOD32 Antivirus.

File ________________________.pdf received on 2009.12.19 06:08:39 (UTC)
Result: 7/41 (17.08%)
Engine    Version    Signature date    Result (version column missing for some engines)
BitDefender    7.2    2009.12.19    Exploit.PDF-JS.Gen
F-Secure    9.0.15370.0    2009.12.19    Exploit.PDF-JS.Gen
GData    19    2009.12.19    Exploit.PDF-JS.Gen
Kaspersky    2009.12.19    Exploit.Win32.Pidief.cxi
McAfee-GW-Edition    6.8.5    2009.12.18    Heuristic.BehavesLike.PDF.Suspicious.Z
PCTools    2009.12.19    Trojan.Pidief
Symantec    2009.12.18    -    (Ok, Symantec, what happened here?)
Sunbelt    3.2.1858.2    2009.12.19    Exploit.PDF-JS.Gen (v)

Additional information
File size: 51822 bytes
MD5: 8950bbedf4a7f1d518e859f9800f9347
SHA1: e4d30ecbe13765c4448e0b140db2569c58aa39f8
SHA256: 55227b229a113d8a93d823466ebdd7a94c77fa37126b330818b41d49bd9a73de
ssdeep: 768:bsg8fN3eX7k3GHsF90azVWqaYXCqntyhovHhv/MVsMepOF:bTYN3z3Uscazp

Wepawet analysis report for 「寶貝悶」瘋狂照.pdf
File: 「寶貝悶」瘋狂照.pdf
MD5: 8950bbedf4a7f1d518e859f9800f9347
Analysis started: 2009-12-18 20:10:54
Report generated: 2009-12-18 20:10:58
Jsand 1.03.02 verdict: malicious (use-after-free vulnerability in the method in Adobe Reader and Acrobat 8.0 through 9.2, CVE-2009-4324)
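As an added defender's example (not code from this post, VirusTotal or Wepawet), the script below does the static triage a responder would run on an attachment like this one: it hashes the file against the sample's MD5/SHA1/SHA256 listed above and flags the pattern behind Wepawet's verdict, PDF JavaScript wired to an auto-trigger action, after decoding the #xx name escapes that hide such keywords from naive string matching. The embedded PDF bytes are a constructed test input, not the real sample.

```python
import hashlib
import re

# Hashes of the sample exactly as listed in this post.
KNOWN_BAD = {
    "md5": "8950bbedf4a7f1d518e859f9800f9347",
    "sha1": "e4d30ecbe13765c4448e0b140db2569c58aa39f8",
    "sha256": "55227b229a113d8a93d823466ebdd7a94c77fa37126b330818b41d49bd9a73de",
}
# PDF name objects worth counting: script carriers, auto-triggers and launchers.
WATCH_NAMES = ("JavaScript", "JS", "OpenAction", "AA", "Launch", "RichMedia")

def hash_bytes(data):
    """Return the md5/sha1/sha256 hex digests of a byte string."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def decode_name_escapes(data):
    """PDF names may hex-escape characters (/J#61vaScript is /JavaScript), which
    defeats grep-style matching; decode the escapes before scanning."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_indicators(data):
    """Count watched names; the lookahead keeps /JS or /AA from matching longer names."""
    text = decode_name_escapes(data)
    counts = {}
    for name in WATCH_NAMES:
        n = len(re.findall(rb"/" + name.encode() + rb"(?![A-Za-z0-9])", text))
        if n:
            counts["/" + name] = n
    return counts

def triage_pdf(data):
    """Static triage: hash match against the post's sample, plus JavaScript wired
    to an auto-trigger action. Compressed object streams are not inflated here,
    so a clean result is not a clean bill of health."""
    if not data.startswith(b"%PDF"):
        return {"is_pdf": False, "suspicious": False}
    hashes = hash_bytes(data)
    known = any(hashes[a] == h for a, h in KNOWN_BAD.items())
    ind = count_indicators(data)
    has_js = "/JavaScript" in ind or "/JS" in ind
    auto = "/OpenAction" in ind or "/AA" in ind
    return {"is_pdf": True, "hashes": hashes, "indicators": ind,
            "known_sample": known, "suspicious": known or (has_js and auto)}

# Constructed test input (not the real sample): a minimal PDF whose catalog
# auto-runs a JavaScript action, with the action name hex-escaped.
SAMPLE = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
          b"2 0 obj<</S/J#61vaScript/JS(app.alert(1))>>endobj\n%%EOF\n")
print(triage_pdf(SAMPLE))
```

A hit on the hashes is conclusive; a hit on the indicator pattern only says the file deserves a sandbox run, since benign forms also carry JavaScript.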

From: 軍聞社 (Military News Agency) []
Sent: Friday, December 18, 2009 9:22 PM
Subject: Female soldier strips and gives the middle finger, photos posted online (女兵脫衣比中指 拍照PO上網)

        A set of strip photos of a female soldier of the national armed forces (國軍), titled 「寶貝悶」 ("Baby Bored"), has been circulating online. Because the behaviour was unprecedentedly bold, it immediately caused a sensation. People first assumed the photos were fake, but an investigation found that the woman in the photos is Sergeant Chen Hsueh-wei (陳學葳), currently an administrative NCO in the 1st Company of the Combined Logistics Command's Central Transport Battalion. After the photos surfaced, Chen admitted to the military that they were "crazy photos" taken with classmates in February of last year to celebrate the end of their training at the Logistics School. ...

     Regarding the military's first scandal of a female soldier posing for strip photos, Defense Minister Kao Hua-chu (高華柱) shook his head in disbelief when he learned of it last night and immediately instructed the Combined Logistics Command to punish her according to regulations. After review, the Command conceded that for now it can only punish her under the confidentiality rule that forbids carrying photographic equipment in the military, with serious cases referred for prosecution; as for a female soldier stripping for photos in the barracks, there was no precedent and the military at first could find no applicable rule, but later said she could be given a demerit for seriously damaging the military's reputation.
     Password cracked; female sergeant's private photos leaked
         The full set of photos also includes Chen lying on her bed in the dormitory watching television, a locker full of cosmetics and skin-care products, military trucks, military simulation software in a computer classroom and the internal construction of military communications equipment; the military says these photos may amount to a leak of secrets. After the military stepped in to investigate last night, Chen's blog was shut down and the photos were removed.

Machine translation of the text (horrible but understandable):
From: Military News Agency (軍聞社) [mailto:]
Sent: Friday, December 18, 2009 9:22 PM
Subject: Female soldier strips and gives the middle finger, photos posted online

        A set of strip photos of a female soldier of the national armed forces, titled "Baby Bored" (「寶貝悶」), has been circulating online. Because the behaviour was unprecedentedly bold, it immediately caused a sensation. People first assumed the photos were fake, but an investigation found that the woman in the photos is Sergeant Chen Hsueh-wei (陳學葳), currently an administrative NCO in the 1st Company of the Combined Logistics Command's Central Transport Battalion. After the photos surfaced, Chen admitted to the military that they were "crazy photos" taken with classmates in February of last year to celebrate the end of their training at the Logistics School.

    Regarding the military's first scandal of a female soldier posing for strip photos, Defense Minister Kao Hua-chu shook his head in disbelief when he learned of it last night and immediately instructed the Combined Logistics Command to punish her according to regulations. After review, the Command conceded that for now it can only punish her under the confidentiality rule that forbids carrying photographic equipment in the military, with serious cases referred for prosecution; as for a female soldier stripping for photos in the barracks, there was no precedent and the military at first could find no applicable rule, but later said she could be given a demerit for seriously damaging the military's reputation.

    Password cracked; female sergeant's private photos leaked

    The Army's investigation found that Chen, only 22 this year, admits the photos are the "crazy photos" taken with classmates, but says she did not take them herself and the camera was not hers; she simply thought the strip photos were fun and posted them to a password-protected album on her Wretch blog, never expecting the password to be cracked and the private photos to spread.

    When the military contacted her last night, Chen did not yet know that the indecent photos had gone viral, and shook her head in considerable regret.

    Strip or risqué photos of women soldiers in the US, British and Israeli forces have often circulated online in the past, but this is the first time the military has been shaken by strip photos of one of its own female soldiers.

    The full set of photos also includes Chen lying on her bed in the dormitory watching television, a locker full of cosmetics and skin-care products, military trucks, military simulation software in a computer classroom and the internal construction of military communications equipment; the military says these photos may amount to a leak of secrets. After the military stepped in to investigate last night, Chen's blog was shut down and the photos were removed.

    Major General Liu Zhijian, deputy director of the Combined Logistics Command's political warfare department, said today that the female non-commissioned officer's self-taken photos in this case have damaged the image of the military's women officers and soldiers; he apologized to the public on the Command's behalf and said the Command would strengthen the education of officers and men on information security, confidentiality regulations and military discipline.
    Major General Liu pointed out that, after verification, the Command will punish those involved appropriately under the "National Army Information Security Reward and Punishment Criteria" and the "Army, Navy and Air Force Punishment Act" for violating security rules and damaging the military's reputation.

    Major General Liu stressed that, in light of this case, the Command will require officers and men at all levels to actively promote the "implementation of information security and confidentiality" provisions and the requirements of military discipline, in order to safeguard the military's reputation.

  1. See the post with CVE-2009-4324 sample #0 (Nov. 30, 2009): note200911.pdf, MD5 61baabd6fc12e01ff73ceacc07c84f9a
  2. See the post with CVE-2009-4324 sample #1 (Dec. 11, 2009): note_20091210.pdf, MD5 61baabd6fc12e01ff73ceacc07c84f9a
  3. See the post with CVE-2009-4324 sample #2 (Dec. 13, 2009): Outline of Interview.pdf, MD5 35e8eeee2b94cbe87e3d3f843ec857f6
  4. See the post with CVE-2009-4324 sample #3 (Dec. 18, 2009): merry christmas.pdf, MD5 955bade419a9ba9e5650ccb3dda88844
  5. See the post with CVE-2009-4324 sample #4 (Dec. 18, 2009): 「寶貝悶」瘋狂照.pdf, renamed to 8950bbedf4a7f1d518e859f9800f9347

Download all files together with the binary downloaded from hxxxp:// (Password protected archive. Use the same password you used on the samples above or contact me for the password)
