Download infected ppt files Cooperative Threat Reduction briefing.PPT - b622b9e294647277dc40205dcf27e086 and CTR_talk.PPT - 0e1fc785eff45ff0b140dbf61abf3eab
(password-protected archive; see my profile for email address if you need the password)
From: XXXXXX@gmail.com
Sent: Thursday, April 02, 2009 3:59 AM
To: XXXXXXXX
Subject: Cooperative Threat Reduction
I've attached the CTR concept paper. Feel free to circulate it. We very much look forward to the comments of you and your colleagues.
Best regards,
[name and contact info removed]
Message received on April 2, 2009
Attachment 1
Cooperative Threat Reduction briefing.PPT - b622b9e294647277dc40205dcf27e086
Virustotal scan on April 2, 2009
http://www.virustotal.com/analisis/dcf59752b35afa4034cc6e99e24ab9b8
File Cooperative_Threat_Reduction_brie received on 2009.04.02 22:22:40 (UTC)
Current status: finished
Result: 2/40 (5.00%)
Antivirus Version Last Update Result
McAfee-GW-Edition 6.7.6 2009.04.01 OLE2.LooksLike.Suspicious.gen
Norman 6.00.06 2009.04.02 ShellCode.A
Additional information
File size: 838144 bytes
MD5...: b622b9e294647277dc40205dcf27e086
Note the Content created date and date last saved in combination with the timeline below.
Virustotal scan on December 21, 2009
http://www.virustotal.com/analisis/4c4453542923b1194d62aafa11c7d27da269e653bce93db38bb2be6200ee9e6f-1262234584
File Cooperative_Threat_Reduction_brie received on 2009.12.31 04:43:04 (UTC)
Result: 19/40 (47.50%)
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.31 Exploit.MSPPoint.Apptom!IK
AhnLab-V3 5.0.0.2 2009.12.31 Dropper/Exploit-PPT
AntiVir 7.9.1.122 2009.12.30 EXP/MSPPoint.Apptom.A.1
Authentium 5.2.0.5 2009.12.31 PPT/Dropper.A
BitDefender 7.2 2009.12.31 Exploit.PPT.Gen
Comodo 3423 2009.12.31 UnclassifiedMalware
DrWeb 5.0.1.12222 2009.12.31 Exploit.PowerPoint
F-Secure 9.0.15370.0 2009.12.31 Exploit:W32/Ppdropper.BV
GData 19 2009.12.31 Exploit.PPT.Gen
Kaspersky 7.0.0.125 2009.12.31 Exploit.MSPPoint.Apptom.a
McAfee 5847 2009.12.30 Exploit-PPT.k
McAfee+Artemis 5847 2009.12.30 Exploit-PPT.k
McAfee-GW-Edition 6.8.5 2009.12.30 Heuristic.BehavesLike.Exploit.OLE2.CodeExec.PGPG
Microsoft 1.5302 2009.12.31 Exploit:Win32/Apptom.gen
Norman 6.04.03 2009.12.30 ShellCode.A
PCTools 7.0.3.5 2009.12.31 HeurEngine.MaliciousExploit
Sophos 4.49.0 2009.12.31 Troj/ExpPPT-B
Sunbelt 3.2.1858.2 2009.12.31 Trojan-Dropper.MSPPoint.Apptom.b (v)
TrendMicro 9.120.0.1004 2009.12.31 TROJ_PPDROP.AB
File size: 838144 bytes
MD5 : b622b9e294647277dc40205dcf27e086
Attachment 2
CTR_talk.PPT - 0e1fc785eff45ff0b140dbf61abf3eab
Virustotal
http://www.virustotal.com/analisis/7c07bf5f71d1cf33195dc0b21a257e0f
File CTR_talk.PPT received on 2009.04.03 13:00:29 (UTC)
Result: 3/40 (7.50%)
McAfee-GW-Edition 6.7.6 2009.04.03 OLE2.LooksLike.Suspicious.gen
Microsoft 1.4502 2009.04.03 Exploit:Win32/Apptom.gen
Norman 6.00.06 2009.04.02 ShellCode.A
Additional information
File size: 838144 bytes
MD5...: 0e1fc785eff45ff0b140dbf61abf3eab
Virustotal
http://www.virustotal.com/analisis/5c77bc181277f05ac7a91f7c59c2fe9705ddc865432efcab0130575ed040c254-1262234557
File CTR_talk.PPT received on 2009.12.31 04:42:37 (UTC)
Result: 17/40 (42.50%)
a-squared 4.5.0.43 2009.12.31 Exploit.MSPPoint.Apptom!IK
AhnLab-V3 5.0.0.2 2009.12.31 Dropper/Exploit-PPT
BitDefender 7.2 2009.12.31 Exploit.PPT.Gen
Comodo 3423 2009.12.31 UnclassifiedMalware
DrWeb 5.0.1.12222 2009.12.31 Exploit.PowerPoint
F-Secure 9.0.15370.0 2009.12.31 Exploit.PPT.Gen
GData 19 2009.12.31 Exploit.PPT.Gen
Ikarus T3.1.1.79.0 2009.12.31 Exploit.MSPPoint.Apptom
Kaspersky 7.0.0.125 2009.12.31 Exploit.MSPPoint.Apptom.a
McAfee 5847 2009.12.30 Exploit-PPT.k
McAfee+Artemis 5847 2009.12.30 Exploit-PPT.k
McAfee-GW-Edition 6.8.5 2009.12.30 Heuristic.BehavesLike.Exploit.OLE2.CodeExec.PGPG
Microsoft 1.5302 2009.12.31 Exploit:Win32/Apptom.gen
Norman 6.04.03 2009.12.30 ShellCode.A
PCTools 7.0.3.5 2009.12.31 HeurEngine.MaliciousExploit
Sophos 4.49.0 2009.12.31 Troj/ExpPPT-B
TrendMicro 9.120.0.1004 2009.12.31 TROJ_PPDROP.AB
Additional information
File size: 838144 bytes
MD5 : 0e1fc785eff45ff0b140dbf61abf3eab
Disclosure Timeline http://www.zerodayinitiative.com/advisories/ZDI-09-019/
- April 7, 2008 - Vulnerability reported to vendor
- May 12, 2009 - Coordinated public release of advisory