Tuesday, December 22, 2009

Dec. 22. Adobe 0 Day. Attack of the Day. 報告書(排出権取引に関する記述) from Tue, 22 Dec 2009 09:36:20 +0800

Update Dec 22 7:40 am: Several new variants of CVE-2009-4324 arrived since yesterday in different targeted messages. I do not have time to post them now but hope to do it eventually. I think the trickle of messages carrying this type of exploit has now turned into a shower and is likely to become a downpour. I hope the AV vendors and Adobe are working hard on their detection and fixes, because the current VT results are a bit worrisome.


Somehow I doubt that the Ministry of Foreign Affairs of Japan joined the zero-day games; however, the headers seem to point to their network or to someone using it. --- never mind, they don't. "" is not really (Updated Dec.22 7:30 am).

Update. Dec 22 15:30
The spoofed message is crafted to look like a message from an existing high-ranking official in the Ministry of Foreign Affairs of Japan. The contents of the message and of the pdf are in Japanese and are pieces of documents discussing emissions controls. The documents contained names of various officials and the full, correct contact information of the alleged sender from MOFA. Since I do not speak Japanese, I had to seek advice from people who can read Japanese and make such decisions. I have been told that, while the documents are obviously fakes, it would take too much time and effort to make sure they contain no sensitive information, and therefore the message contents should not be released. Having received the recommendations above, I cannot publish them; there will be no samples on this one (M)

The message sender was
The message originating IP was
The message recipients were
The message was titled 報告書(排出権取引に関する記述)
The message date was Tue, 22 Dec 2009 09:36:20 +0800
The message identifier was (empty)
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '7913605_1000X_PA2_APDF__pdf_obj_42_0.js'. Heuristics score: 251

Received: (qmail 19855 invoked from network); 22 Dec 2009 01:36:22 -0000
Received: from unknown (HELO (   --- ok that is from China pretending to be (Updated Dec.22 7:30 am).
by with SMTP; 22 Dec 2009 01:36:22 -0000
Received: from SSSSSS-2F0F04F3[] by
  with SMTP id 4FFDC9B3; Tue, 22 Dec 2009 09:36:11 +0800
From: "" <>
Subject: =?ISO-2022-JP?B?GyRCSnM5cD1xIUpHUz1QOCI8aDB6JEs0WCQ5JGs1LT1SIUsbKEI=?=
Content-Type: multipart/mixed;
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Date: Tue, 22 Dec 2009 09:36:20 +0800
X-Priority: 2
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
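The header reading done by hand above (decoding the ISO-2022-JP Subject, weighing the HELO name against the missing reverse DNS, noting the sender's +0800 Date) as an added Python example; this is not code from the post. The host names and addresses in the sample are placeholders because the post redacts them, and the HELO-versus-rDNS rule is our own heuristic, not something the post states.

```python
import email
import re
from email.header import decode_header, make_header
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not the post's message): Subject, Date, X-Mailer and SMTP id
# are quoted from the post; host names and addresses are placeholders (redacted there).
RAW_HEADERS = """\
Received: (qmail 19855 invoked from network); 22 Dec 2009 01:36:22 -0000
Received: from unknown (HELO mail.mofa.example) (198.51.100.23)
  by mx.recipient.example with SMTP; 22 Dec 2009 01:36:22 -0000
Received: from SSSSSS-2F0F04F3 [192.0.2.77] by mail.mofa.example
  with SMTP id 4FFDC9B3; Tue, 22 Dec 2009 09:36:11 +0800
From: "Official Name" <official@mofa.example>
Subject: =?ISO-2022-JP?B?GyRCSnM5cD1xIUpHUz1QOCI8aDB6JEs0WCQ5JGs1LT1SIUsbKEI=?=
Date: Tue, 22 Dec 2009 09:36:20 +0800
X-Mailer: Microsoft Outlook Express 5.00.2919.6700

"""

# Matches "from <rdns> (HELO <claimed>) (<ip>)" as well as "from <name> [<ip>]".
HOP_RE = re.compile(r"from\s+([^\s()\[\];]+)(?:\s+\(HELO\s+([^)\s]+)\))?(?:\s*[(\[]([0-9.]+)[)\]])?", re.I)

def load(raw=RAW_HEADERS):
    return email.message_from_string(raw)

def decode_subject(msg):
    """RFC 2047 decode: the B-encoded ISO-2022-JP word becomes the Japanese title."""
    return str(make_header(decode_header(msg["Subject"])))

def received_hops(msg):
    """Received chain, top (nearest the recipient) to bottom (nearest the sender)."""
    hops = []
    for rcvd in msg.get_all("Received", []):
        m = HOP_RE.search(rcvd)
        if m:
            hops.append({"rdns": m.group(1), "helo": m.group(2), "ip": m.group(3)})
    return hops

def sender_tz_offset_hours(msg):
    """UTC offset the sender's mailer wrote into Date (+0800 here, not Japan's +0900)."""
    return parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() / 3600

def spoofed_helo_hops(msg):
    """Heuristic (ours, not the post's): a hop with no reverse DNS whose HELO name
    sits in the From: domain is claiming an identity that nothing confirms."""
    dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return [h for h in received_hops(msg) if h["rdns"].lower() == "unknown" and h["helo"]
            and (h["helo"].lower() == dom or h["helo"].lower().endswith("." + dom))]
```

Running `decode_subject(load())` reproduces the Japanese title quoted in the post, which is the first sanity check when a targeted message claims to come from a given sender.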

File 091222________________________.pd received on 2009.12.22 05:04:49 (UTC)

Result: 3/40 (7.5%)
McAfee-GW-Edition 6.8.5 2009.12.21 Heuristic.BehavesLike.PDF.Suspicious.Z
NOD32 4707 2009.12.21 PDF/Exploit.Gen
Sophos 4.49.0 2009.12.22 Troj/PDFJs-B
Additional information
File size: 872962 bytes
MD5...: fa1ceda2f4efbf3c3b1936be2221be31

MD5 fa1ceda2f4efbf3c3b1936be2221be31
Analysis Started 2009-12-21 21:24:33
Report Generated 2009-12-21 21:24:40

Jsand 1.03.02 malicious
Exploits Use-after-free vulnerability in the method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324 

ISP: CNC Group Tianjin province network
Organization: CNC Group Tianjin province network
Type: Cable/DSL
Country: China  
State/Region: 28
City: Tianjin

Before the test machine crashed, it generated traffic to China. It was too late last night to look much into it, but I hope to post the pdf soon. (Dec 22, 7:50 am)

ISP: CNCGROUP Shandong province network
Organization: CNCGROUP Shandong province network
Proxy: None detected
Type: Cable/DSL
Country: China  
State/Region: 25
City: Jinan

The end.


  1. The IP the message originated from doesn't really tell us much - other than the fact that the message came from China - not Japan!

    Both Trusted source and Ironport give this IP a poor reputation - perhaps this isn't the only thing to be sent.

  2. Good point. I did not check; it was pretty late last night. Which means the sample might be coming soon.