Jan. 13 CVE-2009-4324 The Chinese Navy's Budding Overseas Presence from trevor.yancey@gmail.com Wed, 13 Jan 2010 22:25:33 +0800

• CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Adobe Reader and Acrobat 8.0 through 9.2, and possibly earlier versions, allows remote attackers to execute arbitrary code using ZLib compressed streams, as exploited in the wild in December 2009. 

• Details 214f524a7721501e561046a384ba4916 -wm_2752.pdf

Download wm_2752.pdf as 214f524a7721501e561046a384ba4916 -wm_2752.zip (Password protected archive, please contact me if you need it)

 Wed, 13 Jan 2010 22:25:33 +0800

From: Dean Cheng [mailto:trevor.yancey@gmail.com]
Sent: Wednesday, January 13, 2010 9:26 AM
To: XXXXXXXXXXXXXXXXXXX
Subject: The Chinese Navy's Budding Overseas Presence

As 2009 drew to a close, a senior Chinese naval officer raised the idea that the People's Republic of China (PRC) might be interested in establishing a permanent base in the Gulf of Aden area in support of anti-piracy missions. Admiral Yin Zhuo, a senior researcher at the Chinese People's Liberation Army Navy (PLAN) Equipment Research Center, suggested that such a base would facilitate a sustained Chinese presence in the region as part of ongoing anti-piracy efforts.
A base in the Gulf of Aden area would constitute the first formal Chinese overseas military base. It reflects China's growing overseas interests, as well as its expanding military capabilities, including a growing ability to operate far from its shores.
For the United States, the extended Chinese naval deployment in the Gulf of Aden, as well as discussion of the creation of a Chinese naval base in the region, should serve as a reminder that the U.S. Navy will encounter the PLAN more and more--and not solely in the Taiwan Straits, South China Sea, and other waters off China's coast. Given the global nature of China's economic interests, it is inevitable that the Chinese military will also have a more global presence. Nor is there anything that the United States can reasonably do to prevent this.
Rather than trying to forestall the inevitable, U.S. policymakers should recognize the Chinese competitive potential and stay ahead of the game even as the U.S. tries to manage China's emergence to its own advantage. This will entail three key initiatives.
Please find the attached for more detail. Should you have any question, let me know.
Best Regards,
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation
--
Dean Cheng
Research Fellow
Asian Studies Center
The Heritage Foundation

I guess, someone got carried away with paste command (M)
  

  Virustotal -2010.01.13
http://www.virustotal.com/analisis/18872ef10fb361395a03231f98de0d2b6d18deca81093b2a281f957553483424-1263411693
File wm_2752.pdf received on 2010.01.13 19:41:33 (UTC)
Result: 3/40 (7.50%)
Antivirus     Version     Last Update     Result
a-squared     4.5.0.48     2010.01.13     Exploit.JS.Pdfka!IK
Ikarus     T3.1.1.80.0     2010.01.13     Exploit.JS.Pdfka
McAfee-GW-Edition     6.8.5     2010.01.13     Heuristic.BehavesLike.PDF.Shellcode.Z
Additional information
File size: 284451 bytes
MD5   : 214f524a7721501e561046a384ba4916

Virustotal -2010.01.19
http://www.virustotal.com/analisis/18872ef10fb361395a03231f98de0d2b6d18deca81093b2a281f957553483424-1263875566
File wm_2752.pdf received on 2010.01.19 04:32:46 (UTC)
Result: 8/41 (19.52%)
a-squared    4.5.0.50    2010.01.19    Exploit.JS.Pdfka!IK
CAT-QuickHeal    10.00    2010.01.19    Expoit.PDF.FlateDecode
Ikarus    T3.1.1.80.0    2010.01.19    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.01.19    Exploit.JS.Pdfka.bdm
McAfee-GW-Edition    6.8.5    2010.01.19    Heuristic.BehavesLike.PDF.Shellcode.Z
PCTools    7.0.3.5    2010.01.19    HeurEngine.MaliciousExploit
Sophos    4.49.0    2010.01.19    Troj/PDFJs-GQ
Symantec    20091.2.0.41    2010.01.19    Bloodhound.Exploit.288
File size: 284451 bytes
MD5...: 214f524a7721501e561046a384ba4916


Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=214f524a7721501e561046a384ba4916&type=js

File    wm_2752.pdf
MD5    214f524a7721501e561046a384ba4916
Analysis Started    2010-01-13 12:04:05
Report Generated    2010-01-13 12:04:09
Jsand 1.03.02    benign

Download uncompressed  file (with pdf-parser.py)

function pudian1()
{util.printd("iSEBmXdJuJaZPdfHPwpYufjzytWwzFeuuyQm",new Date());
}
function pudian2()
{util.printd("rWVYiRicDUOoKIBKkMkzGoxiXLdrLBPfKPZj",new Date());}
function chufa(str0)
{
try{this.media.newPlayer(null);}
catch(e){}
util.printd(str0,new Date());}

www.vicheck.ca 
 Date: 2010-01-18 21:27:05
Web submission from 68.84.8.144.
wm_2752.pdf:
EXECUTABLE SCAN: Embedded Executable (xor/full)
REPORT: https://www.vicheck.ca/md5query.php?hash=214f524a7721501e561046a384ba4916
Encrypted embedded executable with a key of 256 bytes.
Exploit method detected as pdfexploit - PDF Obfuscated Exploit call to media.newPlayer CVE-2009-4324.
Confidence ranking: 100 (10 hits).
External hash searches:
VIRUS SCAN VirusTotal: 8/41 (20%) detected malware REPORT http://www.virustotal.com/analisis/18872ef10fb361395a03231f98de0d2b6d18deca81093b2a281f957553483424-1263875566
VIRUS SCAN Threat Expert: New
VIRUS SCAN Team-CYMRU.org: New
This email was sent automatically in response to your submission on www.vicheck.ca at 2010-01-18 21:27:05