Download all files together with the binary downloaded from hxxxp://foruminspace.com/documents/dprk/ (Password-protected archive. Use the same password you used on the samples above, or contact me for the password.)
Merry Christmas cards come in bulk. I normally don't bother with greeting-card viruses, but these are 0-day PDFs and I am peeved at Adobe for deciding to wait with the fixes in order not to disrupt the update cycle. The cards show a total lack of imagination and aesthetics but impressive antivirus evasion abilities, especially the second card, Merry Christmas.pdf 0ac635c06b571ad340b115f3d744f951 - only three AV providers have a clue. Please see both samples below; you can download them from the link above.
File MerryChristmas.pdf bc11e11405b7f9ba104451ecd40e3840
File Merry Christmas.pdf 0ac635c06b571ad340b115f3d744f951
File MerryChristmas.pdf received on 2009.12.23 06:05:18 (UTC)
http://www.virustotal.com/analisis/c78f02f1de087a0ce91be1ca68ffb1995f392a063fc8abb7fd700896f050ed68-1261548318
Result: 11/40 (27.5%)
a-squared 4.5.0.43 2009.12.22 Exploit.Win32.ShellCode!IK
AntiVir 7.9.1.122 2009.12.22 HTML/Shellcode.Gen
Antiy-AVL 2.0.3.7 2009.12.23 Exploit/Win32.Pidief
BitDefender 7.2 2009.12.23 Exploit.PDF-JS.Gen
F-Secure 9.0.15370.0 2009.12.23 Exploit.PDF-JS.Gen
GData 19 2009.12.22 Exploit.PDF-JS.Gen
Ikarus T3.1.1.79.0 2009.12.22 Exploit.Win32.ShellCode
McAfee-GW-Edition 6.8.5 2009.12.23 Script.Shellcode.Gen
Sophos 4.49.0 2009.12.23 Troj/PDFJs-B
TrendMicro 9.120.0.1004 2009.12.23 Expl_ShellCodeSM
VirusBuster 5.0.21.0 2009.12.22 JS.Shellcode.Gen
Additional information
File size: 1226632 bytes
MD5...: bc11e11405b7f9ba104451ecd40e3840
SHA1..: 5867bd88d2cb5f822f493a041a39705432973828
Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=bc11e11405b7f9ba104451ecd40e3840&type=js
File MerryChristmas.pdf
MD5 bc11e11405b7f9ba104451ecd40e3840
Analysis Started 2009-12-22 22:24:14
Report Generated 2009-12-22 22:24:20
Jsand 1.03.02 malicious
Name Description Reference
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324
===========================================
The message sender was
takahino_ninomiya@yahoo.co.jp
The message originating IP was 124.83.212.88
The message recipients were
XXXXXXXX
The message was titled merry x-mas
The message date was Tue, 22 Dec 2009 16:42:01 +0900 (JST)
The message identifier was <659021.75136.qm@web4308.mail.ogk.yahoo.co.jp>
The virus or unauthorised code identified in the email is:
>>> Possible MalWare 'Exploit/Acroread-CVE-2009-4324' found in
>>> '8044665_1000X_PA3_APDF__pdf_obj_42_0.js'. Heuristics score: 251
Virustotal
http://www.virustotal.com/analisis/dadcb65ec1057baa543a34bfe92144a30fde84cf85db9199b3873f819df6e79c-1261548993
File Merry_Christmas.pdf received on 2009.12.23 06:16:33 (UTC)
Result: 3/41 (7.32%)
McAfee-GW-Edition 6.8.5 2009.12.23 Heuristic.BehavesLike.PDF.Suspicious.Z
NOD32 4710 2009.12.22 PDF/Exploit.Gen
Sophos 4.49.0 2009.12.23 Troj/PDFJs-B
Additional information
File size: 873031 bytes
MD5...: 0ac635c06b571ad340b115f3d744f951
SHA1..: d2af65c8f6f5733a574d049fe9e2683c9aab479e
Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=0ac635c06b571ad340b115f3d744f951&type=js
File Merry Christmas.pdf
MD5 0ac635c06b571ad340b115f3d744f951
Analysis Started 2009-12-22 22:32:36
Report Generated 2009-12-22 22:32:56
Jsand 1.03.02 malicious
Name Description Reference
doc.media.newPlayer Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2 CVE-2009-4324
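Both Wepawet reports above identify the same thing: JavaScript inside the PDF calling Doc.media.newPlayer (CVE-2009-4324), which most of the scanners in the VirusTotal listings miss because the script sits in a compressed (FlateDecode) stream. The following Python triage script is an added example, not code from this post, from Wepawet or from VirusTotal. It records the size/MD5/SHA1 the way the post does, inflates each stream, and reports which indicators appear; run against a constructed, benign stand-in PDF (built inline, it merely names the method and contains no exploit) it shows that the media.newPlayer marker is invisible to a raw byte scan and visible only after inflation. The keyword list and the sample file are assumptions of this example, not taken from the cards themselves.

```python
import hashlib
import re
import zlib

# Markers that justify a closer look at a PDF.  "media.newPlayer" is the
# Doc.media.newPlayer method the Wepawet reports flag (CVE-2009-4324); the
# rest are generic JavaScript-in-PDF indicators.  Assumed list for this example.
SUSPICIOUS_KEYWORDS = (
    b"/JavaScript",
    b"/JS",
    b"/OpenAction",
    b"media.newPlayer",
    b"unescape(",
)

# A stream body sits between "stream" + EOL and EOL + "endstream"; the
# lookbehind keeps the regex from matching the "stream" inside "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_streams(pdf_bytes, inflate=True):
    """Return every stream body; zlib streams are inflated when inflate=True."""
    bodies = []
    for match in STREAM_RE.finditer(pdf_bytes):
        raw = match.group(1)
        if inflate:
            try:
                # decompressobj returns whatever inflates cleanly even if the
                # stream's tail is damaged or truncated, which malicious PDFs
                # often are; a non-zlib body raises and is scanned as-is.
                raw = zlib.decompressobj().decompress(raw)
            except zlib.error:
                pass
        bodies.append(raw)
    return bodies


def scan_pdf(pdf_bytes, inflate=True):
    """Return the sorted suspicious keywords seen in the file or in its streams."""
    haystacks = [pdf_bytes] + extract_streams(pdf_bytes, inflate)
    return sorted(kw.decode() for kw in SUSPICIOUS_KEYWORDS
                  if any(kw in h for h in haystacks))


def fingerprint(pdf_bytes):
    """Size, MD5 and SHA1 in the form the post records for each sample."""
    return {
        "size": len(pdf_bytes),
        "md5": hashlib.md5(pdf_bytes).hexdigest(),
        "sha1": hashlib.sha1(pdf_bytes).hexdigest(),
    }


def build_sample_pdf():
    """Constructed, benign stand-in for the cards: a PDF skeleton whose
    FlateDecode-compressed JavaScript merely names media.newPlayer."""
    js = (b"// constructed sample, not an exploit\n"
          b"var player = this.media.newPlayer(null);\n"
          b"app.alert('constructed sample: media.newPlayer referenced');")
    comp = zlib.compress(js)
    return (
        b"%PDF-1.6\n"
        b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
        b"3 0 obj\n<< /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + comp + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(fingerprint(sample))
    print("raw bytes only:   ", scan_pdf(sample, inflate=False))
    print("streams inflated: ", scan_pdf(sample, inflate=True))
```

The raw scan only sees the dictionary keys (/OpenAction, /JavaScript, /JS) in the uncompressed object headers; the method name appears only once the stream is inflated, which is the gap a signature engine that does not decode filters falls into. Real samples add further layers (string splitting, unescape, multiple filters), so a hit list like this is a triage aid, not a verdict.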
Headers
Received: (qmail 18226 invoked from network); 22 Dec 2009 07:42:05 -0000
Received: from [211.38.104.129] by web4308.mail.ogk.yahoo.co.jp via HTTP; Tue, 22 Dec 2009 16:42:01 JST
X-Mailer: YahooMailWebService/0.7.134.12_26
Date: Tue, 22 Dec 2009 16:42:01 +0900 (JST)
From: =?iso-2022-jp?B?GyRCRnM1XBsoQiAbJEJONDkwGyhC?=
Subject: merry x-mas
To: XXXXXXXXX
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1827157953-1261467721=:75136"
Message-ID: <659021.75136.qm@web4308.mail.ogk.yahoo.co.jp>
Hostname: 211.38.104.129
ISP: KRNIC
Organization: KRNIC
Country: Korea, Republic of
State/Region: 11
City: Seoul