Wednesday, December 23, 2009

Dec. 23. CVE-2009-4324 Adobe 0 Day. Attack of the Day VERY Merry Christmas from everyone

Download all files, together with the binary downloaded from hxxxp:// (password-protected archive; use the same password as for the samples above, or contact me for the password).

Merry Christmas cards come in bulk. I normally don't bother with greeting-card malware, but these are 0-day PDFs, and I am peeved at Adobe for deciding to hold the fix so as not to disrupt its update cycle (the patch was scheduled for the January 12, 2010 quarterly update). CVE-2009-4324 is a use-after-free in the JavaScript Doc.media.newPlayer method of Adobe Reader and Acrobat 8.0 through 9.2, so the exploit rides in embedded JavaScript; disabling JavaScript in Reader (Edit > Preferences > JavaScript) blocks the exploits seen so far. The cards show a total lack of imagination and aesthetics but impressive antivirus evasion, especially the second card, Merry Christmas.pdf (0ac635c06b571ad340b115f3d744f951): only three AV vendors have a clue. Both samples are described below; you can download them from the link above.

File MerryChristmas.pdf   MD5 bc11e11405b7f9ba104451ecd40e3840
File Merry Christmas.pdf  MD5 0ac635c06b571ad340b115f3d744f951
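The mail gateway notice further down flagged the JavaScript in PDF object 42, and the VirusTotal rows show how little the signatures agree. The following Python triage script is an added example (not code from the original post or from any vendor quoted here) that does the manual version of that check: it walks the PDF objects, inflates FlateDecode streams, and reports which objects carry /OpenAction, embedded JavaScript, unescape("%u...") heap-spray strings, or a media.newPlayer call, the CVE-2009-4324 trigger. The indicator patterns, the helper names and the constructed sample PDF in build_sample() are my own assumptions; the only data taken from the post is the two MD5 hashes in KNOWN_MD5.

```python
import hashlib
import re
import sys
import zlib

# Hashes of the two cards from the post, used as a tiny IOC lookup table.
KNOWN_MD5 = {
    "bc11e11405b7f9ba104451ecd40e3840": "MerryChristmas.pdf",
    "0ac635c06b571ad340b115f3d744f951": "Merry Christmas.pdf",
}

# Indicator patterns (assumed): label is reported when the pattern hits an object.
SUSPICIOUS = [
    (rb"media\.newPlayer", "Doc.media.newPlayer call (CVE-2009-4324 trigger)"),
    (rb"unescape\s*\(\s*[\"']%u", "unescape(%u...) shellcode/heap spray"),
    (rb"/OpenAction", "/OpenAction (runs on open)"),
    (rb"/JS|/JavaScript", "embedded JavaScript"),
]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def iter_objects(data):
    """Yield (object number, generation, body bytes) for every indirect object."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def split_object(body):
    """Return (dictionary bytes, decoded stream bytes or b'').

    Only /FlateDecode is handled; a stream whose inflate fails (broken or
    obfuscated filter, a common evasion) is returned raw so string matching
    still gets a look at it.
    """
    sm = STREAM_RE.search(body)
    if not sm:
        return body, b""
    head, raw = body[:sm.start()], sm.group(1)
    if b"/FlateDecode" in head:
        try:
            return head, zlib.decompress(raw)
        except zlib.error:
            return head, raw
    return head, raw


def scan_pdf(data):
    """Map object number -> list of indicator labels that matched it."""
    hits = {}
    for num, _gen, body in iter_objects(data):
        head, stream = split_object(body)
        text = head + b"\n" + stream          # match on dict + decoded stream only
        reasons = [label for pat, label in SUSPICIOUS if re.search(pat, text)]
        if reasons:
            hits[num] = reasons
    return hits


def hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def lookup_known(md5):
    return KNOWN_MD5.get(md5.lower())


def triage(data):
    h = hashes(data)
    return {**h, "known": lookup_known(h["md5"]), "hits": scan_pdf(data)}


def build_sample():
    """Constructed, non-functional PDF mimicking the exploit layout: /OpenAction
    points at a Flate-compressed JavaScript stream in object 42 that heap-sprays
    and calls media.newPlayer. The payload is NOP bytes only, no real shellcode."""
    js = (b"var s = unescape('%u9090%u9090');"
          b"while (s.length < 0x10000) s += s;"
          b"var a = []; for (var i = 0; i < 100; i++) a[i] = s + s;"
          b"media.newPlayer(null);")
    comp = zlib.compress(js)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /S /JavaScript /JS 42 0 R >> endobj",
        b"42 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
        + comp + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


if __name__ == "__main__":
    # Usage: python triage_pdf.py [suspicious.pdf]; without an argument it scans the
    # built-in constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    report = triage(blob)
    print("md5 ", report["md5"], "known as:", report["known"])
    print("sha1", report["sha1"])
    for num, reasons in sorted(report["hits"].items()):
        print("obj %d: %s" % (num, "; ".join(reasons)))
```

The scanner deliberately matches on the object dictionary plus the inflated stream rather than the raw compressed bytes, so a hit always points at something a reader would actually execute; objects that only reference a script (object 3 here) are reported separately from the object holding the script body (object 42), which is the granularity the gateway notice above used.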

File MerryChristmas.pdf received on 2009.12.23 06:05:18 (UTC)
Result: 11/40 (27.5%)
Antivirus          Version       Last update   Result
a-squared                        2009.12.22    Exploit.Win32.ShellCode!IK
AntiVir                          2009.12.22    HTML/Shellcode.Gen
Antiy-AVL                        2009.12.23    Exploit/Win32.Pidief
BitDefender        7.2           2009.12.23    Exploit.PDF-JS.Gen
F-Secure           9.0.15370.0   2009.12.23    Exploit.PDF-JS.Gen
GData              19            2009.12.22    Exploit.PDF-JS.Gen
Ikarus             T3.           2009.12.22    Exploit.Win32.ShellCode
McAfee-GW-Edition  6.8.5         2009.12.23    Script.Shellcode.Gen
Sophos             4.49.0        2009.12.23    Troj/PDFJs-B
TrendMicro                       2009.12.23    Expl_ShellCodeSM
VirusBuster                      2009.12.22    JS.Shellcode.Gen
Additional information
File size: 1226632 bytes
MD5...: bc11e11405b7f9ba104451ecd40e3840
SHA1..: 5867bd88d2cb5f822f493a041a39705432973828

Wepawet report
File MerryChristmas.pdf
MD5 bc11e11405b7f9ba104451ecd40e3840
Analysis Started 2009-12-22 22:24:14
Report Generated 2009-12-22 22:24:20
Jsand 1.03.02: malicious
Use-after-free vulnerability in the method in Adobe Reader and Acrobat 8.0 through 9.2 (CVE-2009-4324)


Mail gateway notice
The message sender was
The message originating IP was
The message recipients were
The message was titled merry x-mas
The message date was Tue, 22 Dec 2009 16:42:01 +0900 (JST)
The message identifier was <>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '8044665_1000X_PA3_APDF__pdf_obj_42_0.js'. Heuristics score: 251

File Merry_Christmas.pdf received on 2009.12.23 06:16:33 (UTC)
Result: 3/41 (7.32%)
Antivirus          Version       Last update   Result
McAfee-GW-Edition  6.8.5         2009.12.23    Heuristic.BehavesLike.PDF.Suspicious.Z
NOD32              4710          2009.12.22    PDF/Exploit.Gen
Sophos             4.49.0        2009.12.23    Troj/PDFJs-B
Additional information
File size: 873031 bytes
MD5...: 0ac635c06b571ad340b115f3d744f951
SHA1..: d2af65c8f6f5733a574d049fe9e2683c9aab479e

Wepawet report
File Merry Christmas.pdf
MD5 0ac635c06b571ad340b115f3d744f951
Analysis Started 2009-12-22 22:32:36
Report Generated 2009-12-22 22:32:56
Jsand 1.03.02: malicious
Use-after-free vulnerability in the method in Adobe Reader and Acrobat 8.0 through 9.2 (CVE-2009-4324)

Message headers
Received: (qmail 18226 invoked from network); 22 Dec 2009 07:42:05 -0000
Received: from [] by via HTTP; Tue, 22 Dec 2009 16:42:01 JST
X-Mailer: YahooMailWebService/
Date: Tue, 22 Dec 2009 16:42:01 +0900 (JST)
From: =?iso-2022-jp?B?GyRCRnM1XBsoQiAbJEJONDkwGyhC?=
Subject: merry x-mas
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1827157953-1261467721=:75136"
Message-ID: <>

Originating IP whois
Organization: KRNIC
Country: Korea, Republic of
State/Region: 11
City: Seoul
