Clicky

Pages

Wednesday, January 20, 2010

Jan 20 CVE-2009-4324 Chinese cyberattack from spoofed XXXXXXXXXX@gwu.edu 20 Jan 2010 14:26:00 -0000

This is my favorite of all times, they have some nerve. I know the George Washington University did not move to China yet. Plus we already received his file yesterday.

Update Jan 21. F-Secure analysts reported that this pdf attachment (or identical file they got)  drops Acrobat.exe (md5: 72170fc42ae1ca8a838843a55e293435), which gets detected as W32/PoisonIvy.NQ, aka Poison Ivy RAT.



Download 238ecf8c0aee8bfd216cf3cad5d82448 - Chinese_cyberattack.pdf as password protected archive (please contact me if you need the password)



From: XXXXXXX [mailto: XXXX@gwu.edu]
Sent: 2010-01-20 9:26 AM
To: "Undisclosed-Recipient:;"
Subject: Chinese cyberattack

Colleagues,

Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack. I hope you find it interesting.

If you have any good idea / comments,  are warmly welcome to feedback.

Best,

David




Received: (qmail 4722 invoked from network); 20 Jan 2010 14:26:00 -0000
Received: from sideq01.attnet.ne.jp (HELO sideq01.attnet.ne.jp) (165.76.72.11)
  by XXXXXXXXXXXXXXXXX
Received: by sideq01.attnet.ne.jp (8.12.11/ver5(11/20/06)) id o0KEPwZv027218; Wed, 20 Jan 2010 23:25:58 +0900
Received: from virus05.attnet.ne.jp (virus05 [10.10.13.25])
    by purify-out01.attnet.ne.jp (Postfix) with ESMTP id 127D333642
    for XXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:58 +0900 (JST)
Received: from purify05.attnet.ne.jp (purify.attnet.ne.jp [165.76.8.44])
    by virus05.attnet.ne.jp (Postfix) with ESMTP id A7F8635C46
    for XXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:57 +0900 (JST)
Received: from jhc.co.jp (www.jhc.co.jp [202.211.150.106])
    by purify05.attnet.ne.jp (Postfix) with SMTP id 09AF434002
    for XXXXXXXXXXXXXXXX; Wed, 20 Jan 2010 23:25:52 +0900 (JST)
Received: (qmail 11732 invoked from network); 20 Jan 2010 23:25:46 +0900
Received: from unknown (HELO 3me8de026f8d12) (opepek@222.95.43.226)
  by www.jhc.co.jp with SMTP; 20 Jan 2010 23:25:46 +0900
Message-ID:
From: "Shambaugh, David"
To: <"Undisclosed-Recipient:;">
Subject: Chinese cyberattack
Date: Wed, 20 Jan 2010 15:25:45 +0100

Hostname: 222.95.43.226
ISP: CHINANET jiangsu province network
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Cable/DSL
Country: China  
City: Nanjing


Virustotal



File has already been analyzed
http://www.virustotal.com/analisis/b1f01fe0908772cfd1224a9645c9abb270b98a95d4cf83418eeb7188099607dd-1263958772



Rescan http://www.virustotal.com/analisis/b1f01fe0908772cfd1224a9645c9abb270b98a95d4cf83418eeb7188099607dd-1264008736
File Chinese_cyberattack.pdf received on 2010.01.20 17:32:16 (UTC)
Result: 12/41 (29.27%)
a-squared 4.5.0.50 2010.01.20 Exploit.PDF-JS!IK
AntiVir 7.9.1.146 2010.01.20 HTML/Malicious.PDF.Gen
Avast 4.8.1351.0 2010.01.20 JS:Pdfka-VO
AVG 9.0.0.730 2010.01.19 Script/Exploit
BitDefender 7.2 2010.01.20 Trojan.Script.256073
F-Secure 9.0.15370.0 2010.01.20 Exploit:W32/Pidief.CKZ
GData 19 2010.01.20 Trojan.Script.256073
Ikarus T3.1.1.80.0 2010.01.20 Exploit.PDF-JS
Kaspersky 7.0.0.125 2010.01.20 Exploit.JS.Pdfka.bex
McAfee 5866 2010.01.19 Exploit-PDF.b.gen
McAfee+Artemis 5866 2010.01.19 Exploit-PDF.b.gen
McAfee-GW-Edition 6.8.5 2010.01.20 Script.Malicious.PDF.Gen
Additional information
File size: 435947 bytes
MD5...: 238ecf8c0aee8bfd216cf3cad5d82448


Wepawet detects it under a different name
 http://wepawet.iseclab.org/view.php?hash=238ecf8c0aee8bfd216cf3cad5d82448&type=js
from a file we scanned earlier - same MD5hash - we have a post for this one already
Sample Overview
File Obama\'s First Year in Foreign Policy.pdf
MD5 238ecf8c0aee8bfd216cf3cad5d82448
Analysis Started 2010-01-19 20:07:01
Report Generated 2010-01-19 20:12:10
Jsand 1.03.02 benign 









No comments:

Post a Comment