Tuesday, February 23, 2010

Feb 22 CVE-2006-6456 MS Word Taiwan 2010 from Feb 22, 2010 4:17 AM

This is an old exploit targeting systems that have been unpatched for a long time. It appears that the document was created using 2007最新DOC捆绑器 (thanks to zha0 for helping translate and spell the tool name). The tool can be easily found online and is designed to exploit the CVE-2006-6456 / MS07-014 vulnerability. According to the Symantec post describing this tool in April 2007, shellcode in documents generated by the tool usually starts at offset 0x16730, which seems to be the case here too. The exploit will not work on Office 2003 SP3, or on earlier versions with MS update KB929434 (MS07-014) applied.

Update March 3, 2010 - Abhishek Lyall kindly provided additional details about the sample:
"The "taskmgr.exe" is embedded from offset 0x24E00. The exe is XOR'ed with the 64-bit key 0xCA5039AF00000000. If you XOR the file again with the same key you'll find the exe headers at offset 0x24E00." Please see his screenshot below.

Download the following files as a password protected archive (please contact me if you need the password).

├───analysis files (by Tom - see below)
│   exe (taskmgr.ex  441D239744D05B861202E3E25A2AF0CD  32,768 bytes; taskmgr.idb)
│   shell (shel1.bin; shel1.idb; shel2.bin; shel2.idb)
│   1.tmp  441D239744D05B861202E3E25A2AF0CD  32,768 bytes
│   Taiwan 2010.doc  85AF26A74E548B56ADEA933CFB878520  52,224 bytes
│   taskmgr.exe  441D239744D05B861202E3E25A2AF0CD  32,768 bytes
└───original doc
    Taiwan 2010.doc  9EF09819AA5D552ECB15067A14A33152  183,808 bytes

From: 孙丰 []
Sent: Monday, February 22, 2010 4:17 AM
Subject: Taiwan 2010

Feb 20 CVE-2006-2492 MS Word with Trojan.Buzus.U, Mainland Affairs Council list of the week itinerary, from

Download 20100214陸委楔@週活動一覽表(新增).doc as a password protected archive (please contact me if you need the password)

Details D05E0400B62687B5796C5D1B5CCDF6EE -- 20100214陸委楔@週活動一覽表(新增).doc

Update March 3, 2010 - Abhishek Lyall (thank you!) provided additional details for this sample:
"The exe is attached at offset 0x63A0 and XOR'ed with key 0xB9FEAC13, but only the first 564 bytes of the binary file are XOR'ed; the rest of the file is unchanged. The file is dropped as "WinHttp.exe" in the %temp% directory. There is also one genuine doc file attached with the exploit, which starts at offset 0xC010. The size of the file is 45056 bytes. Note that doc headers start with "0xD0CF11E0", but the doc file attached with the exploit has headers starting with "0xCFD0E011". This means that when the doc file is dropped in %temp% the shellcode replaces CF D0 E0 11 with D0 CF 11 E0."
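Both of Abhishek's notes describe the same carving job: an XOR'ed PE sitting at a fixed offset inside the document, and in the second case a decoy document whose first four header bytes were swapped. The script below does that job for either document. It is an added example, not code from the posts or from Abhishek Lyall. The offsets, sizes and keys are the ones quoted above, and it relies on two arithmetic facts visible in the posts: 0x24E00 + 32,768 = 183,808, the size of the original Taiwan 2010.doc, and 0xC010 - 0x63A0 = 23,664, the size of WinHttp.exe. The posts do not say in which byte order the keys were applied, so the decoder tries both orders and keeps whichever produces an MZ header; the input documents are constructed inside the script so it runs offline.

```python
# Added example (not the blog's or Abhishek Lyall's own code). Carves the
# XOR'ed executable out of each document and fixes the swapped OLE header of
# the decoy, using only the offsets, sizes and keys from the two posts. The
# posts give the keys as integers without saying which byte order the binder
# used, so the decoder tries both and keeps the one that yields "MZ". The
# input documents are constructed here so the script runs offline.

MZ = b"MZ"
OLE_MAGIC = bytes.fromhex("D0CF11E0")    # normal compound-document header
OLE_SWAPPED = bytes.fromhex("CFD0E011")  # as stored inside the MAC exploit doc

# Taiwan 2010.doc: 32,768-byte taskmgr.exe at 0x24E00, 64-bit key over the whole exe.
# 151040 + 32768 = 183,808, the size of the original document.
TAIWAN = dict(total=183808, exe_off=0x24E00, exe_size=32768,
              key=0xCA5039AF00000000, width=8, xor_len=None)
# MAC itinerary doc: WinHttp.exe at 0x63A0, 32-bit key over the first 564 bytes
# only, then the decoy doc at 0xC010 (0xC010 - 0x63A0 = 23,664 = the exe size).
MAC = dict(total=0xC010 + 45056, exe_off=0x63A0, exe_size=23664,
           key=0xB9FEAC13, width=4, xor_len=564, doc_off=0xC010, doc_size=45056)


def xor_repeating(data, key_bytes, length=None):
    """XOR data with a repeating key; only the first `length` bytes if given."""
    n = len(data) if length is None else min(length, len(data))
    out = bytearray(data)
    for i in range(n):
        out[i] ^= key_bytes[i % len(key_bytes)]
    return bytes(out)


def key_candidates(key_int, width):
    """Both byte orders of the key as written in the post."""
    return [key_int.to_bytes(width, "big"), key_int.to_bytes(width, "little")]


def carve_xored_exe(blob, p):
    """Return (decoded exe, key bytes) for profile p, or (None, None) if no order gives MZ."""
    chunk = blob[p["exe_off"]:p["exe_off"] + p["exe_size"]]
    for kb in key_candidates(p["key"], p["width"]):
        dec = xor_repeating(chunk, kb, p["xor_len"])
        if dec.startswith(MZ):
            return dec, kb
    return None, None


def carve_embedded_doc(blob, p):
    """Pull out the decoy document and undo the CF D0 E0 11 -> D0 CF 11 E0 swap."""
    doc = blob[p["doc_off"]:p["doc_off"] + p["doc_size"]]
    if doc.startswith(OLE_SWAPPED):
        doc = OLE_MAGIC + doc[4:]
    return doc


def build_constructed(p):
    """Constructed stand-in for the malicious document (not the real sample):
    a fake PE and, for the MAC profile, a fake decoy with the swapped header."""
    blob = bytearray(p["total"])
    blob[:4] = OLE_MAGIC
    fake_exe = b"MZ\x90\x00" + b"constructed PE stand-in".ljust(p["exe_size"] - 4, b"\x00")
    enc = xor_repeating(fake_exe, p["key"].to_bytes(p["width"], "big"), p["xor_len"])
    blob[p["exe_off"]:p["exe_off"] + p["exe_size"]] = enc
    if "doc_off" in p:
        decoy = OLE_SWAPPED + b"constructed decoy".ljust(p["doc_size"] - 4, b"\x00")
        blob[p["doc_off"]:p["doc_off"] + p["doc_size"]] = decoy
    return bytes(blob)


if __name__ == "__main__":
    for name, p in (("Taiwan 2010.doc", TAIWAN), ("MAC itinerary doc", MAC)):
        blob = build_constructed(p)
        exe, kb = carve_xored_exe(blob, p)
        print(name, "-> exe header", exe[:4], "key bytes", kb.hex())
        if "doc_off" in p:
            print("   decoy header after fix:", carve_embedded_doc(blob, p)[:4].hex())
```

On a real sample, replace build_constructed(p) with the bytes of the document and keep the profile; note that half of the 64-bit Taiwan key is zero, so every other dword of that PE is left in the clear, which is why partial PE strings are visible in the raw document.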

Analysis of the binary
096239F5CF4E1255634F3F2E7DE8824E - WinHttp.exe 23,664 bytes
1796E908A782FBB445C96D88F4B84D9D - original.doc 45,056 bytes
Download as a password protected archive (please contact me if you need the password)

From: macnews []
Sent: Saturday, February 20, 2010 10:49 PM
Subject: Mainland Affairs Council weekly schedule list

The attached file is the Mainland Affairs Council's weekly schedule list (with Chairman Lai's 2/17 schedule added), news reference material, provided for your reference!

Respectfully, Liaison Office, Mainland Affairs Council, Executive Yuan

Google Translate
From: macnews [mailto:]
Sent: Saturday, February 20, 2010 10:49 PM
To: XXXXXXXXXXXXXXXXX
Subject: MAC list of the week itinerary
Hello!
Attachment file for the Mainland Affairs Council, a list of one week trip (new 2 / 17 Lai, chairman of the stroke) news references for your reference!
Sincerely, the Executive Yuan's Mainland Affairs Council Liaison Office

Received: from CC-8575FC5050CF ( [])
    by (8.9.3/8.9.3) with SMTP id LAA27251
    for  XXXXXXXXXXXXX   Sun, 21 Feb 2010 11:50:19 +0800 (CST)
From: "macnews"
Subject: =?BIG5?B?s7CpZbd8pEC2Z6bmtXukQMT9qu0=?=
Date: Sun, 21 Feb 2010 11:48:35 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-Mailer: OutLook
HiNet Chunghwa Telecom Co., Ltd. Data Communication Business Group (HiNet)
inetnum: -
descr: International Changhua Society Educate Nantou Society Educate Workstation
descr: Nantou City County Taiwan
country: TW
admin-c: GRC2-TW
tech-c: GRC2-TW
remarks: This information has been partially mirrored by APNIC from
remarks: TWNIC. To obtain more specific information, please use the
remarks: TWNIC whois server at
changed: 20011002
source: TWNIC

Saturday, February 20, 2010

Slow / busy days

I noticed a significant reduction in targeted mailings during the past week - from many a day to zero. That's right, there were zero arrivals/submissions all week. We get most of the targeted email from Asia, and it just occurred to me that maybe the Lunar New Year (aka Chinese New Year) and the more than two weeks of associated festivities are the reason - much in the same way as the weekends I wrote about before. There is no scientific proof; it is just an idle observation. If I am correct, I don't know whether sending malware-laden messages would bring bad luck to the sender for the whole year, whether some other superstition is at play, or whether they are just busy. The New Year celebrations continue for 15 days; I am curious whether I will see anything new next week, or the week after that, or whether all the malware mailings have stopped forever =)

I do have a lot of older messages and malware items to post and I have not been posting many for the lack of time during the past week. I will soon.

I wish everyone Happy New Year. Please accept our best wishes for the year of the Tiger.

Tuesday, February 16, 2010

Malware links (ESET NOD32 virus names)

  • Mar 5 hxxp:// contains HTML/ScrInject.B.Gen virus.
  • Feb 24 hxxp:// contains probably a variant of Win32/Agent trojan.
  • Feb 18 hxxp:// contains a variant of Win32/Kryptik.CLM trojan.
  • Feb 16 hxxp:// .asp/eHbcb9bc6cV0100f070006R111090bf102Tf7c2bdef201l0409K80667147318J130204010 contains a variant of Win32/Kryptik.CKT trojan.
  • Feb 15 hxxp:// contains JS/TrojanDownloader.Agent.NSA
  • Feb 05 hxxp:// contains JS/Exploit.Agent.AGC trojan.
  • Feb 05 hxxp:// contains multiple threats.
  • Feb 05 hxxp:// contains probably a variant of Java/TrojanDownloader.Agent.AB trojan.
  • hxxp:// contains JS/Exploit.Pdfka.NRF trojan.
  • Feb 5 hxxp:// contains JS/Exploit.Agent.AGC trojan.
  • Feb 5 hxxp:// contains JS/Exploit.Pdfka.NQQ trojan.
  • Feb 5 hxxp:// contains JS/TrojanDownloader.Agent.NRO trojan.
  • Feb 5 hxxp:// contains JS/TrojanDownloader.Agent.NRL trojan.
  • Feb 5 hxxp:// contains a variant of Win32/TrojanDownloader.Banload.OEL trojan.
  =============================
  • hxxp:// contains JS/Exploit.Pdfka.ASD trojan.
  • hxxp:// contains JS/TrojanDownloader.Agent.NRO trojan.
  • hxxp:// contains PDF/Exploit.Gen trojan.
  • hxxp:// contains JS/Exploit.Pdfka.ASD trojan.
  • hxxp:// contains JS/Exploit.Pdfka.ASD trojan.
  • hxxp:// contains JS/Exploit.Pdfka.ASD trojan.
  • hxxp:// contains JS/TrojanDownloader.Agent.NRK trojan.
  • hxxp:// contains a variant of Win32/TrojanDownloader.Banload.OEL trojan.
  • hxxp:// contains JS/TrojanDownloader.Agent.NRL trojan.
  • hxxp:// contains JS/Exploit.Pdfka.ASD trojan.
  • hxxp:// contains PDF/Exploit.Pidief.OJS.Gen trojan (manual[1].pdf)

Monday, February 15, 2010

MD5 / SHA1 / CRC32 hashes of files available upon request (Malicious mail attachments - MS Office, PDF, and others)

Malicious mail attachments - MS Office, PDF, and others

The following files are available for research upon request. Please check the malware list first, some of them are already listed with download links. 

All these files were scanned with Virustotal. Use VT hash search for more details. I will add more files later.

Full list of files

MD5 / SHA1 / CRC32 hashes of files available upon request (Client side malware, tools, dropped files, etc)

Client side - malware, potentially unwanted applications, and tools

These files are available for research upon request. 

All these files were scanned with Virustotal. Use VT hash search for more details.

If you need information about these files (origin or associated files), email me, I might have a few things to say

Full list of files

MD5 / SHA1 / CRC32 hashes of files available upon request (from Malware kits)

These binaries are part of various trojans and malware kits. Full kits / programs / sources are available for research upon request.

Malware kits -  binaries only listed. Some of them were scanned with Virustotal at some point. Use VT hash search for more details

Full list of files

Wednesday, February 10, 2010

Feb 10 CVE-2009-4324 Rep. Mike Castle faking sender 2010-02-10 10:08 AM

This post is to be continued...

According to Villy (thanks, Villy :)) the file contains two embedded PDFs - one small one with JavaScript exploiting CVE-2009-4324, and one larger clean file. There is also an XOR'ed exe between those two files.
It is a very nice package.

From:[Redacted] [mailto:[Redacted]]
Sent: 2010-02-10 10:08 AM
Subject: Rep. Mike Castle

Attached is an invitation for a February 15 reception honoring Rep. Mike Castle (R-De) in his candidacy for the U.S. Senate. I hope you will be able to join us.

Although his expected Democrat opponent has dropped out of the race, the New Castle County Executive has already announced his intention to seek the Democratic nomination. Hence, Mike's political situation is strong, but the Democrats are expected to make a full scale contest out of this race.

Presuming your support, Mike will make a great contribution in the Senate for Delaware and the Country.

Please send your response to me at: [Redacted]

All best,


Direct: +1.[Redacted]
Fax: +1.[Redacted]
Mobile: +[Redacted]

Squire Sanders Public Advocacy, LLC
a wholly owned non-law firm affiliate of
Squire, Sanders & Dempsey L.L.P.
Suite 500
1201 Pennsylvania Avenue, N.W.
Washington, D.C. 20004

Squire Sanders|Legal Counsel Worldwide
32 Offices in 15 Countries
Cincinnati • Cleveland • Columbus • Houston • Los Angeles • Miami • New York • Palo Alto • Phoenix • San Francisco • Tallahassee • Tampa • Tysons Corner • Washington DC • West Palm Beach | Bogotá+ • Buenos Aires+ • Caracas • La Paz+ • Lima+ • Panamá+ • Rio de Janeiro • Santiago+ • Santo  Domingo • São Paulo | Bratislava • Brussels • Bucharest+ • Budapest • Dublin+ • Frankfurt • Kyiv • London • Moscow • Prague • Riyadh+ • Warsaw | Beijing • Hong Kong • Shanghai • Tokyo
+Independent Network Firm

NOTICE: This email message and all attachments transmitted with it are intended solely for the use of the addressees and may contain legally privileged, protected or confidential information. If you have received this message in error, please notify the sender immediately by email reply and please delete this message from your computer and destroy any copies.

IRS Circular 230 Notice: To comply with U.S. Treasury regulations, we advise you that any U.S. federal tax advice included in this communication is not intended or written to be used, and cannot be used, to avoid any U.S. federal tax penalties or to promote, market, or recommend to another party any transaction or matter.

Original PDF
  File Invitation_to_Mike_Castle_Event.p received on 2010.02.10 19:01:59 (UTC)
Result: 1/41 (2.44%)
Sophos     4.50.0     2010.02.10     Mal/PDFEx-D
File size: 325206 bytes
MD5   : 7775e7ade13d73919e8dca4695ae7d0a

The first unpacked pdf 1.pdf with CVE-2009-4324
Result: 5/41 (12.2%)
Avast    4.8.1351.0    2010.02.12    JS:Pdfka-gen
BitDefender    7.2    2010.02.12    Exploit.PDF-JS.Gen
GData    19    2010.02.12    Exploit.PDF-JS.Gen
nProtect    2009.1.8.0    2010.02.12    Exploit.PDF-JS.Gen.C02
Sunbelt    5671    2010.02.11    Exploit.PDF-JS.Gen (v)

File size: 7221 bytes
MD5...: caf3ff27a9688097cf13906c117513ef

1.pdf shellcode (again by Villy)

More flowers with some poison ivy

Mikko Hyppönen from F-Secure posted today a nice postcard with a cute tiger and flowers. Gunther (thank you:)) sent one just like Mikko's as a present to Contagio and now you can enjoy them too.

What is interesting is that I have this file already except I received it as a boring "project.pdf"  (Jan 13 CVE-2009-4324 Re: Project from spoofed [Redacted] 13 Jan 2010 06:17:21 -0000). Of course it is identical to the postcard, despite the uninspiring name.

Update March 8, 2010 - a few additional details thanks to an anonymous contributor (scroll down).

Download  116d92f036f68d325068f3c7bbf1d535.pdf as a password protected archive (please contact me if you need the password)

Download Javascript, shellcode, stage2 shellcode and dropped exe (scroll down for more information)

File 116d92f036f68d325068f3c7bbf1d535.txt received on 2010.02.09 16:24:16 (UTC)
Result: 21/41 (51.22%)
a-squared 2010.02.09 Exploit.JS.Pdfka!IK
AhnLab-V3 2010.02.09 PDF/Exploit
Authentium 2010.02.09 PDF/Expl.FO
BitDefender 7.2 2010.02.09 Exploit.PDF-JS.Gen
CAT-QuickHeal 10.00 2010.02.09 Expoit.PDF.FlateDecode
ClamAV 2010.02.09 Exploit.PDF-9757
Comodo 3876 2010.02.09 UnclassifiedMalware
DrWeb 2010.02.09 Exploit.PDF.687
eSafe 2010.02.09 Win32.Pidief.H
F-Secure 9.0.15370.0 2010.02.09 Exploit.PDF-JS.Gen
GData 19 2010.02.09 Exploit.PDF-JS.Gen
Ikarus T3. 2010.02.09 Exploit.JS.Pdfka
Kaspersky 2010.02.09 Exploit.JS.Pdfka.adn
McAfee-GW-Edition 6.8.5 2010.02.09 Heuristic.BehavesLike.PDF.Shellcode.Z
Microsoft 1.5406 2010.02.09 Exploit:JS/Heapspray
nProtect 2009.1.8.0 2010.02.09 Exploit.PDF-JS.Gen.C02
PCTools 2010.02.09 Trojan.Pidief
Sophos 4.50.0 2010.02.09 Troj/PDFJs-GQ
Symantec 20091.2.0.41 2010.02.09 Trojan.Pidief.H
TrendMicro 2010.02.09 TROJ_PDFKA.AK
File size: 149706 bytes
MD5   : 116d92f036f68d325068f3c7bbf1d535

Wepawet already has this file, under the name Project.pdf:
Analysis report for Project.pdf
Sample Overview
File Project.pdf
MD5 116d92f036f68d325068f3c7bbf1d535
Analysis Started 2010-01-19 14:15:12
Report Generated 2010-01-19 14:16:24
Jsand version 1.03.02

Detection results
Detector Result
Jsand 1.03.02 benign

F-Secure already pointed out that it generates traffic to 
Indeed, a lot of traffic on port 443

      ISP:    NewMedia Express Pte Ltd, Singapore Web Hosting
      Organization:    NewMedia Express Pte Ltd, Singapore Web Hosting
      Country:    Singapore
      State/Region:    00
      City:    Singapore

Update March 8, 2010
Here are a few additional details (thanks to an anonymous contributor).
The shellcode resolves its imports via ror7 hashes: SetFilePointer, GetFileSize, ReadFile, VirtualAlloc.

The GetFileSize file-handle brute force is not exact, but it additionally checks for the signature "0x909083c0" at 0x1510 (the location of the 2nd stage shellcode).
2nd stage shellcode: XOR-decrypts itself (key 0x97) for 0x700 bytes.
dd if=116d92f036f68d325068f3c7bbf1d535 of=116d92f036f68d325068f3c7bbf1d535.shellcode-stage2.bin skip=5392 bs=1 count=4096
Skip the decryption stub (0x1b bytes) and XOR the rest with 0x97.

Imports via ror7 hashes:

It gets a file handle to the PDF by exact file size (0x248CA, 149706 bytes) and reads from the file at offset 0x6BCE, 0x906E bytes.
dd if=116d92f036f68d325068f3c7bbf1d535 of=116d92f036f68d325068f3c7bbf1d535.exe.bin bs=1 skip=27598 count=36974
The last byte of the size (0x6E) is used as the XOR key; after every byte the key is decreased by 1.
(This is something you can add to your heuristics.)

After that the embedded PDF is decrypted; Acrobat Reader starts while the old process gets terminated.
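To make these notes concrete, the following script reproduces the two extraction steps described above (the stage-2 block at 0x1510 and the XOR'ed executable at 0x6BCE), replicates the size-plus-signature check the shellcode uses to recognise its carrier file (the heuristic the contributor suggests adding), and builds a lookup table for the ror7 import hashes, which is how an analyst maps hash values seen in the shellcode back to API names. It is an added example, not the contributor's or the blog's own tooling. The exact ror7 variant (rotate the running value right by 7, add the next character, no terminating null) and the on-disk byte order of the "0x909083c0" signature are assumptions; the offsets, sizes and keys are the ones quoted above, and the carrier file is constructed inside the script so it runs offline.

```python
# Added example (not the contributor's or the blog's own code). Carves and
# decodes the two payloads the March 8 notes describe, using only the offsets,
# sizes and keys given in the post. The ror7 variant below (rotate right by 7,
# then add the character, no terminating null) is an assumption about this
# shellcode's hashing routine, and "0x909083c0" is taken to be the on-disk
# byte order (also an assumption). The carrier file is constructed here so the
# script runs offline.

SAMPLE_SIZE = 0x248CA            # 149706 bytes: the size the shellcode looks for
STAGE2_OFF, STAGE2_LEN = 0x1510, 0x700
STAGE2_STUB = 0x1B               # decryption stub, stored in the clear
STAGE2_KEY = 0x97
STAGE2_SIG = bytes.fromhex("909083c0")
EXE_OFF, EXE_LEN = 0x6BCE, 0x906E
EXE_KEY0 = EXE_LEN & 0xFF        # 0x6E, the last byte of the size


def ror7_hash(name):
    """Assumed hash: h = ror32(h, 7) + byte, over the ASCII export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 7) | (h << 25)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


IMPORT_NAMES = ["SetFilePointer", "GetFileSize", "ReadFile", "VirtualAlloc"]
ROR7_TABLE = {ror7_hash(n): n for n in IMPORT_NAMES}


def resolve_import(h):
    """Map a hash value found in the shellcode back to an API name (or mark it unknown)."""
    return ROR7_TABLE.get(h, "unknown:%08x" % h)


def matches_shellcode_check(blob):
    """The two tests the shellcode uses to recognise its own carrier file:
    exact size, plus the stage-2 signature at 0x1510. Cheap scanner heuristic."""
    return len(blob) == SAMPLE_SIZE and blob[STAGE2_OFF:STAGE2_OFF + 4] == STAGE2_SIG


def decode_stage2(blob):
    """Keep the 0x1b-byte stub as is, XOR the rest of the 0x700-byte block with 0x97."""
    chunk = blob[STAGE2_OFF:STAGE2_OFF + STAGE2_LEN]
    return chunk[:STAGE2_STUB] + bytes(b ^ STAGE2_KEY for b in chunk[STAGE2_STUB:])


def decode_exe(blob):
    """Key starts at 0x6E and is decremented (mod 256) for every byte."""
    chunk = blob[EXE_OFF:EXE_OFF + EXE_LEN]
    return bytes(b ^ ((EXE_KEY0 - i) & 0xFF) for i, b in enumerate(chunk))


def build_constructed_sample():
    """Constructed stand-in for the PDF (not the real sample): a fake stage 2 and a
    fake MZ image, encoded the way the post describes the real ones."""
    blob = bytearray(SAMPLE_SIZE)
    blob[:9] = b"%PDF-1.4\n"
    stub = STAGE2_SIG + b"\x90" * (STAGE2_STUB - 4)
    body = b"stage2 body".ljust(STAGE2_LEN - STAGE2_STUB, b"\xCC")
    blob[STAGE2_OFF:STAGE2_OFF + STAGE2_LEN] = stub + bytes(b ^ STAGE2_KEY for b in body)
    exe = b"MZ\x90\x00" + b"constructed PE stand-in".ljust(EXE_LEN - 4, b"\x00")
    blob[EXE_OFF:EXE_OFF + EXE_LEN] = bytes(b ^ ((EXE_KEY0 - i) & 0xFF) for i, b in enumerate(exe))
    return bytes(blob)


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("carrier check:", matches_shellcode_check(sample))
    print("stage2 first bytes:", decode_stage2(sample)[:STAGE2_STUB + 11])
    print("exe header:", decode_exe(sample)[:4])
    for name in IMPORT_NAMES:
        print("%08x -> %s" % (ror7_hash(name), resolve_import(ror7_hash(name))))
```

On the real file, replace build_constructed_sample() with the bytes of the PDF; if the printed hash values do not match the constants in the shellcode, the hashing variant differs from the assumed one and ror7_hash is the place to adjust.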

Monday, February 8, 2010

List of Aurora / Hydraq / Roarur files

I see multiple searches for Hydraq MD5 information leading to this post - Trojan.Hydraq detection and naming - so I am adding a few things now.
McAfee issued a guide outlining all the symptoms of Aurora infection "How Can I Tell if I Was Infected By Aurora?"

Links to Virustotal
The list of files provided by McAfee is the following
You also may have the following files or same name files but different MD5 hash

Additional - list from ANTY Security

* Password protected archive, please contact me for the password if you need it.

Friday, February 5, 2010

Contact me If you are the one who submitted binary 09E25BB934D8523FCCD27B86FBF4F8CE to ThreatExpert

I will tell you what it is if you don't know, and I would like more information if you have any.

Submission received: 2 February 2010, 14:03:33
Processing time: 5 min 58 sec
Submitted sample:
File MD5: 0x09E25BB934D8523FCCD27B86FBF4F8CE
File SHA-1: 0xA51D560158E3D35B1618D236C28AE0B722AC7CC0
Filesize: 215,552 bytes
 Technical Details:
  File System Modifications
The following file was created in the system:
# Filename(s) File Size File Hash
1 [file and pathname of the sample #1]  215,552 bytes MD5: 0x09E25BB934D8523FCCD27B86FBF4F8CE
SHA-1: 0xA51D560158E3D35B1618D236C28AE0B722AC7CC0

Thursday, February 4, 2010

Feb 04 Downloader Trojan "Friends say I am free" from

This came as a rar archive with the password featured on the postcard (12ab34). What does the postcard say - can anyone translate? This is a lame and huge (2 MB) mailing, but maybe the exe will be of interest to someone; it has a very low detection rate.

Download a694466ea431046d2a063db37390abea Content. Exe - 内容.exe as a password protected archive (contact me for the password if you need it)

Friends say I am free

From: joan []
Sent: Thursday, February 04, 2010 12:35 PM
Subject: Friends say I am free

CW Sandbox


Result: 3/40 (7.5%)
eSafe 2010.02.07 Win32.TrojanHorse
F-Secure 9.0.15370.0 2010.02.09 Suspicious:W32/Riskware!Online
Sophos 4.50.0 2010.02.09 Troj/DwnLdr-IAE
File size: 1536904 bytes
MD5...: a694466ea431046d2a063db37390abea

Feb. 1 DarkMoon-B Video.exe with from 2/1/2010 2:43 AM

This is just an exe (PE32 executable for MS Windows) in zip archive. From China and connecting back to China. Not very creative.

Download Video.exe as a password protected archive (please contact me if you need the password)

From: []
Sent: Monday, February 01, 2010 2:43 AM
Subject: Press(Quake aid starts to arrive for desperate Haitians)

PORT-AU-PRINCE, Haiti (AP) - Desperately needed aid from around the world slowly made its way Thursday into Haiti, where supply bottlenecks and a leadership vacuum left rescuers scrambling on their own to save the trapped and injured and get relief supplies into the capital.

see the full text in the end of the post

Received: (qmail 17548 invoked from network); 1 Feb 2010 07:43:09 -0000
Received: from unknown (HELO fisherxp-pc.domain) (
  by XXXXXXXXXXXXXX SMTP; 1 Feb 2010 07:43:09 -0000
Received: from ([]) by ([]) with SMTPSVC;
     Mon, 01 Feb 2010 15:43:07 +0800
Message-ID: <>
Subject: =?gb2312?B?UHJlc3MoUXVha2UgYWlkIHN0YXJ0cyB0byBhcnJpdmUgZm9yIGRlcw==?=
Date: Mon, 01 Feb 2010 15:43:07 +0800

      ISP:    China Unicom Tianjin province network
      Organization:    China Unicom Tianjin province network
      Country:    China
      City:    Tianjin

Wednesday, February 3, 2010

Feb 3 CVE-2009-0927 Former Minister of Finance Paulson's comments on Obama's $3.8 trillion budget from

Download 2366453EE94A7BA4D296FA4E710ED805-CommentsOnObama2010budget as password protected archive (please contact me if you need the password)

From: Simon Baker []
Sent: Wednesday, February 03, 2010 10:04 PM
Subject: Former Minister of Finance Paulson's comments on Obama's $3.8 trillion budget


If you have read Paulson's comments, you know how ridiculous Obama's $3.8 trillion budget is.
Please do not vote for members of support budget in November's elections.

Best regards

 File CommentsOnObama2010budget.pdf received on 2010.02.18 12:15:53 Result: 18/41 (43.91%)
a-squared    2010.02.18    Exploit.Win32.Pidief!IK
AhnLab-V3    2010.02.17    PDF/Exploit
AntiVir    2010.02.18    HTML/Silly.Gen
Antiy-AVL    2010.02.18    Exploit/Win32.Pidief
Authentium    2010.02.18    PDF/UtlPtf.B!Camelot
Avast    4.8.1351.0    2010.02.18    JS:Pdfka-ME
BitDefender    7.2    2010.02.18    Exploit.PDF-JS.Gen
ClamAV    2010.02.18    Exploit.PDF-11669
Comodo    3980    2010.02.18    TrojWare.Win32.Exploit.Pidief.bxf
Kaspersky Exploit.Win32.Pidief.bxf

eSafe    2010.02.17    PDF.Exploit
F-Secure    9.0.15370.0    2010.02.18    Exploit.PDF-JS.Gen
GData    19    2010.02.18    Exploit.PDF-JS.Gen
Ikarus    T3.    2010.02.18    Exploit.Win32.Pidief
McAfee-GW-Edition    6.8.5    2010.02.18    Script.Silly.Gen
Sophos    4.50.0    2010.02.18    Troj/PDFJS-BX
Sunbelt    5684    2010.02.18    Exploit.PDF.Pidief (v)
VirusBuster    2010.02.18    JS.BOFExploit.Gen
Additional information
File size: 119239 bytes
MD5...: 2366453ee94a7ba4d296fa4e710ed805

 File    CommentsOnObama2010budget.pdf
MD5    2366453ee94a7ba4d296fa4e710ed805
Analysis Started    2010-02-18 04:18:06
Report Generated    2010-02-18 04:21:39
Jsand 1.02.02    malicious
Adobe getIcon    Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object    CVE-2009-0927

Feb. 3 CVE-2009-4324 Maritime Disputes in East Asia from 03 Feb 2010 05:19:02 PST

Download 1f2cc9238129512c6f118ffdfec79189 - East China Sea 2010-1.pdf as a password protected archive (please contact me if you need the password)

Details: 1f2cc9238129512c6f118ffdfec79189 -  East China Sea 2010-1.pdf

From: Natalie S. Wozniak []
Sent: Wednesday, February 03, 2010 8:56 AM
Subject: Maritime Disputes in East Asia


I was able to secure permission to forward you the attached CRS report on Maritime Disputes in East Asia; it just came out today. They intentionally kept it a short report, in hopes that it would increase its readership.

Please share with your colleagues. Also, please share their comments, observations and questions.



Message-ID: <>
Received: from [] by via HTTP; Wed, 03 Feb 2010 05:19:02 PST
X-Mailer: YahooMailRC/272.7 YahooMailWebService/
Date: Wed, 3 Feb 2010 05:19:02 -0800 (PST)
From: "Natalie S. Wozniak"
Subject: Maritime Disputes in East Asia
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-410636181-1265203142=:45817"

Lookup IP Address:
General Information
ISP: WholeSale Internet
Organization: Max Dmitry
Country: United States  
State/Region: MO
City: Kansas City