Update 3. See the analyses by SANS, Extraexploit and Wh's Behind (links below).
Update2. Please see http://extraexploit.blogspot.com for a detailed technical analysis
- January 14: CVE-2009-4324 Doc.media.newPlayer (Us-J-India_strategic_dialogue.pdf), by Wh's Behind (New)
- January 14: PDF Babushka, by Bojan Zdrnja and Daniel (Wesemann?) at the ISC (New)
- January 12, 2010: Adobe CVE-2009-4324 - Another one with AsciiHexDecode waiting for the patch day, by extraexploit (New)
Update 1. One of the readers
Download 12AAB3743C6726452EB0A91D8190A473 - Us-J-India_strategic_dialogue.pdf (password protected archive, you have to contact me for the password)
From: Katie Douglas [mailto:katieedouglas@yahoo.com]
Sent: Thursday, January 07, 2010 1:07 PM
To: XXXXXX XXXXXXXX
Subject: Us-J-India_strategic_dialogue
Dear XXXXXXXX,
In the new year there's a new strategy change. Please kindly find the attachment for your reference.
Best Regards,
Katie.
The message sender was katieedouglas@yahoo.com
The message originating IP was 76.13.13.79
The message recipients were xxxxxxxxxx
The message was titled Us-J-India_strategic_dialogue
The message date was Thu, 7 Jan 2010 10:07:18 -0800 (PST)
The message identifier was <219808.45632.qm@web114006.mail.gq1.yahoo.com>
The virus or unauthorised code identified in the email is:
attach/5963816_3X_PM5_EMS_MA-OCTET=2DSTREAM__Us=2DJ=2DIndia=5Fstrategic=5Fdialogue.pdf: Infected: Exploit.JS.Pdfka.axx [AVP]
Virustotal
http://www.virustotal.com/analisis/67602c88edc029808f5d0907b0b0119193968db36e63ed7ce0a13dc324aaa560-1263210461
File Us-J-India_strategic_dialogue.pdf received on 2010.01.11 11:47:41 (UTC)
Result: 2/40 (5%)
Kaspersky 7.0.0.125 2010.01.11 Exploit.JS.Pdfka.axx
Sophos 4.49.0 2010.01.11 Mal/PDFEx-D
Additional information
File size: 70437 bytes
MD5...: 12aab3743c6726452eb0a91d8190a473
Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=12aab3743c6726452eb0a91d8190a473&type=js
File Us-J-India_strategic_dialogue.pdf
MD5 12aab3743c6726452eb0a91d8190a473
Analysis Started 2010-01-11 04:08:14
Report Generated 2010-01-11 04:11:58
Jsand 1.03.02 benign :(
VMware - When the file is opened, it just crashes. No text to enjoy. I see no traffic in Wireshark, not yet.
to be continued..
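The 2/40 VirusTotal score and the "benign" verdict from Wepawet's JavaScript sandbox fit the pattern the extraexploit write-up describes: the JavaScript is hidden behind an ASCIIHexDecode stream filter, so anything that only string-matches the raw file never sees the Doc.media.newPlayer call. The following static triage script is an added example, not code from this post, from extraexploit or from any of the linked analyses. It builds a constructed sample PDF inline (a placeholder JavaScript call with no payload, not the Us-J-India_strategic_dialogue.pdf sample), records the MD5 the way the post does, lists suspicious PDF names found in the raw bytes, then decodes each stream's /Filter chain (ASCIIHexDecode and FlateDecode) before searching for the newPlayer string. The CVE-to-string mapping in JS_INDICATORS is public knowledge added here as an aid; the regular expressions are a triage heuristic, not a PDF parser.

```python
import binascii
import hashlib
import re
import zlib

# Constructed sample, not the Us-J-India_strategic_dialogue.pdf file from the
# post: a minimal PDF whose /OpenAction runs JavaScript kept in an
# /ASCIIHexDecode stream, so a plain string search of the raw bytes never sees
# "media.newPlayer". The JavaScript is a placeholder call, not an exploit.
_JS = b"// placeholder, no payload\nthis.media.newPlayer(null);\n"
_HEX = binascii.hexlify(_JS).upper()
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length " + str(len(_HEX) + 1).encode()
    + b" /Filter /ASCIIHexDecode >>\nstream\n" + _HEX + b">\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# PDF names worth a closer look when they appear in the raw file.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                    b"/RichMedia", b"/EmbeddedFile", b"/ASCIIHexDecode"]

# Strings inside (decoded) JavaScript and what they usually point at.
# The CVE mapping is public knowledge, added here as an aid, not from the post.
JS_INDICATORS = {
    b"media.newPlayer": "CVE-2009-4324 Doc.media.newPlayer",
    b"util.printf": "CVE-2008-2992 util.printf",
    b"collectEmailInfo": "CVE-2007-5659 Collab.collectEmailInfo",
    b"getIcon": "CVE-2009-0927 Collab.getIcon",
    b"unescape(": "likely shellcode or heap-spray construction",
}

# A stream dictionary (without nested '<<') followed by its stream body.
_STREAM_RE = re.compile(rb"(<<(?:(?!<<).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ascii_hex_decode(raw: bytes) -> bytes:
    """ASCIIHexDecode: whitespace is ignored, '>' ends the data, and a
    trailing odd digit is padded with 0 (as the PDF specification requires)."""
    body = raw.split(b">", 1)[0]
    digits = re.sub(rb"\s+", b"", body)
    if len(digits) % 2:
        digits += b"0"
    return binascii.unhexlify(digits)


def decode_stream(obj_dict: bytes, raw: bytes) -> bytes:
    """Apply the stream's /Filter chain in the order listed; stop at any
    filter this triage does not handle (image filters are not interesting here)."""
    m = _FILTER_RE.search(obj_dict)
    if not m:
        return raw
    data = raw
    for name in re.findall(rb"/(\w+)", m.group(1)):
        if name == b"ASCIIHexDecode":
            data = ascii_hex_decode(data)
        elif name == b"FlateDecode":
            try:
                data = zlib.decompress(data)
            except zlib.error:
                break  # truncated or deliberately broken stream: keep what we have
        else:
            break
    return data


def triage(pdf: bytes) -> dict:
    """Static triage: hash, suspicious names in the raw bytes, indicators visible
    in the raw bytes, and indicators that only appear after stream decoding."""
    report = {
        "md5": md5_hex(pdf),
        "names": [n.decode() for n in SUSPICIOUS_NAMES
                  if re.search(re.escape(n) + rb"\b", pdf)],
        "raw_hits": [v for k, v in JS_INDICATORS.items() if k in pdf],
        "decoded_hits": [],
    }
    for obj_dict, raw in _STREAM_RE.findall(pdf):
        decoded = decode_stream(obj_dict, raw)
        for needle, meaning in JS_INDICATORS.items():
            if needle in decoded and meaning not in report["decoded_hits"]:
                report["decoded_hits"].append(meaning)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

On the constructed sample, raw_hits stays empty while decoded_hits reports the newPlayer indicator, which is exactly the gap between a raw string scan and a filter-aware one. The script does not unpack object streams (/ObjStm) or dictionaries with nested dictionaries, so a miss here is not a clean bill of health; use a real PDF parser before calling a sample benign.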