Saturday, April 10, 2010

Apr 10 CVE-2010-0188 PDF Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit

Download Research Paper on Nuclear Posture Review 2010.PDF 8ae20aabfb207f5bb4e3918b043d37fa as a password-protected archive (please contact me if you need the password)

Details Research Paper on Nuclear Posture Review 2010.PDF 8ae20aabfb207f5bb4e3918b043d37fa

Ok, let's see - the Nuclear Summit starts in DC on Monday



From: [Redacted]@yahoo.com;
Date: Sat, Apr 10, 2010 at 10:02 AM
Subject: [Redacted] Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit
To: [Redacted]

Dear Sir/Madam,

The 2010 Nuclear Posture Review (NPR) outlines the Administration’s approach to promoting the President’s agenda for reducing nuclear dangers and pursuing the goal of a world without nuclear weapons, while simultaneously advancing broader U.S. security interests.

According to the White House, the end goal of the upcoming Nuclear Security Summit 2010 will be “a communiqué pledging efforts to attain the highest levels of nuclear security, which is essential for international security as well as the development and expansion of peaceful nuclear energy worldwide.”

Accompanying this letter is the [Redacted]Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit. Please let us know whether you find it useful, and whether there is additional information you would like to see included in future editions. We very much value your support and assistance.


[Redacted address and signature]

Header info
Sender: 174.139.92.6

Received: (qmail 32240 invoked by uid 60001); 10 Apr 2010 08:02:01 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1270886521; bh=2tVtzPiN2q8LTxw5hs/fzwRo62bOjhWpm4283Sg9FiU=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=GBBCANmJTi+Vd8WPrPdg0A60ZhZ+z8bKVPaAgKB1nn2/7TI7otWMCtpRvecxwfjEzyMZ6Ex5NwDczw90m8XRq5Qedcxdhw2Oqmyx+2fUUc8ECPGejQAPhbFIdxAO3byGQolXILXw4NGNviJ9YkABWcXOEp0jz8gZG4MjZiMz9G8=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=QrLDUXjtUu5Y65+czVR6Fwmw/5PB8qfi3rdwZYHFGKlTgfrbcNkZSCJvZ/LqbW62vT3rqbpkXuh+mDo3MDYW4W0WYvJ1iYHr2No4W1f+SgpDE26A+50ECRxrsI0nVmqO9w9mSwNshfms64QlRhLFQcewz63LMdr/MjoqHF5XenI=;
Message-ID: <197929.29181.qm@web113108.mail.gq1.yahoo.com>
X-YMail-OSG: CFQsBtgVM1lXpDCBIaFH3fawifbGkB4yrT4AuuGLJQkt_xt
YYzj9YZ7fg4zcPi4axvKpLIBB93mP3E2QmjFJok0Ci7G1FBJsyjjEh4tINno
MCSYNdXDqJlfKIkQYjWUoGKWPIUyJMOAf.BYtYh5e_qOHXMCplW7t84cIkVO
57SiyqE2kEZnP4Q4yNRXn41WL9l2sjAQ7iRpVUQiighLiDdrMlNPd.JrS4qZ
nTbeLCUhFeb6RED8pSoX8Ah8xdVWLHP4yOjLlpTUq2vJ009J_63PxOOGucuD
B_jfI
Received: from [174.139.92.6] by web113108.mail.gq1.yahoo.com via HTTP; Sat, 10 Apr 2010 01:02:01 PDT
X-Mailer: YahooMailClassic/10.0.8 YahooMailWebService/0.8.100.260964
Date: Sat, 10 Apr 2010 01:02:01 -0700 (PDT)
Malware binaries generate traffic to the same IP


File Research_Paper_on_Nuclear_Posture received on 2010.04.10 14:12:49 (UTC)
http://www.virustotal.com/analisis/5e29cf69389e3b1d15dcf50df1c0e28ec53382ec7ece4451f29ac28acf94876e-1270908769
Result: 5/39 (12.83%)
Avast    4.8.1351.0    2010.04.10    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.04.10    PDF:CVE-2010-0188
GData    19    2010.04.10    PDF:CVE-2010-0188
Kaspersky    7.0.0.125    2010.04.10    Exploit.JS.Pdfka.bzh
Sophos    4.52.0    2010.04.10    Troj/PDFJs-II
File size: 80065 bytes
MD5...: 8ae20aabfb207f5bb4e3918b043d37fa

Malicious PDF results

CVE-2010-0188

Created files
  1. %Temp%\AcrRd32.EXE   MD5 5a67c2a64e17a2e3e5efd0ae94db715c

     AcrRd32.EXE creates and opens
     • %Temp%\11111111.pdf   MD5 6b4162954594a6c6e4287773fced7e5f
     • %Temp%\wuweb.exe   MD5 8ae20aabfb207f5bb4e3918b043d37fa

 AcrRd32.EXE
http://www.virustotal.com/analisis/4ee80dcbba4142f4207345c684c6a6802ad356dc16f07d21b5828b62deb5f75d-1270912091
  File AcrRd32.EXE received on 2010.04.10 15:08:11 (UTC)
Result: 15/39 (38.47%)
a-squared    4.5.0.50    2010.04.10    Trojan-Dropper.Win32.Bewbeu!IK
AhnLab-V3    5.0.0.2    2010.04.10    Win-Trojan/Pincav.167936
AntiVir    7.10.6.55    2010.04.09    TR/Crypt.ZPACK.Gen
Antiy-AVL    2.0.3.7    2010.04.09    Trojan/Win32.Pincav.gen
Avast    4.8.1351.0    2010.04.10    Win32:Malware-gen
Avast5    5.0.332.0    2010.04.10    Win32:Malware-gen
AVG    9.0.0.787    2010.04.10    Agent2.AMXA
GData    19    2010.04.10    Win32:Malware-gen
Ikarus    T3.1.1.80.0    2010.04.10    Trojan-Dropper.Win32.Bewbeu
Jiangmin    13.0.900    2010.04.10    Trojan/PSW.Small.lz
McAfee-GW-Edition    6.8.5    2010.04.09    Trojan.Crypt.ZPACK.Gen
Microsoft    1.5605    2010.04.10    TrojanDropper:Win32/Bewbeu.A
Sophos    4.52.0    2010.04.10    Mal/PdfExDr-A
Symantec    20091.2.0.41    2010.04.10    Trojan.Dropper
VBA32    3.12.12.4    2010.04.09    Trojan-PSW.Win32.Small.ma
File size: 76800 bytes
MD5...: 5a67c2a64e17a2e3e5efd0ae94db715c

http://anubis.iseclab.org/?action=result&task_id=12e29997f49bc0484690d863b50580e46



DNS Queries:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Name: [ sinmail.byinter.net ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ]
        Name: [ 88521.kwik.to ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ]

wuweb.exe
File wuweb.exe received on 2010.04.10 14:56:49 (UTC)
http://www.virustotal.com/analisis/38c3fb2100b2e8f7c5b821ac3716c791628e89a761cf24f18e18800fc9e6f109-1270911409
Result: 2/37 (5.41%)
AntiVir  7.10.6.55  2010.04.09  TR/Crypt.ZPACK.Gen
McAfee-GW-Edition  6.8.5  2010.04.09  Heuristic.BehavesLike.Win32.Worm.B
File size: 29696 bytes
MD5...: 4c7ef8790f9be0adf666f39b468a8ca0


http://anubis.iseclab.org/?action=result&task_id=1bc2f09c6536ef9d4d93363c76394b70a

=================================================================

Domain names used (Robtex.com)
SINMAIL.BYINTER.NET
sinmail.byinter.net has one IP number, but the reverse is localhost. ns4.de, sunx.org, cabi.net, celox.nl, jcaa.com and at least 100 other hosts point to the same IP. byinter.net is a domain controlled by five nameservers at sitelutions.com. Two of them are on the same IP network. byinter.net has one IP number. It is blacklisted in one list.


not whoisable

And this is the traffic produced on the test machine


Information about the IP 174.139.92.6: the malware traffic and the sender share the same IP address this time.


http://www.robtex.com/ip/174.139.92.6.html#whois
      Hostname:    yum6.pinewoodchips.com
      ISP:    VPLS Inc. d/b/a Krypt Technologies
      Organization:    VPLS Inc. d/b/a Krypt Technologies
      Proxy:    None detected
      Type:    Corporate
      Assignment:    Static IP
      Country:    United States
      State/Region:    California
      City:    Orange

The IP address belongs to Krypt, a hosting company in CA.
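The sender-IP-equals-C2-IP observation above is the kind of check worth automating on the mail side. Below is an added example (my own code, not something from the original post or from the tools it quotes) that pulls the submitting client IP out of a Yahoo webmail "Received: from [ip] by ... via HTTP" hop, reads the DKIM d= tag, extracts the hostnames the sandbox report shows the dropper querying, and flags overlap with a small indicator set. The header text, sandbox excerpt and indicator lists are constructed from the values quoted on this page; the function names are my own.

```python
import re
from email import message_from_string

# Constructed sample input: the header fields quoted above, reduced to the ones
# this example reads (the Yahoo webmail submission hop and the DKIM d= tag).
SAMPLE_HEADERS = (
    "Received: (qmail 32240 invoked by uid 60001); 10 Apr 2010 08:02:01 -0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024;\n"
    " t=1270886521; h=Message-ID:Date:From:Subject:To; b=GBBCANmJ...=\n"
    "Received: from [174.139.92.6] by web113108.mail.gq1.yahoo.com via HTTP;"
    " Sat, 10 Apr 2010 01:02:01 PDT\n"
    "X-Mailer: YahooMailClassic/10.0.8 YahooMailWebService/0.8.100.260964\n"
    "Date: Sat, 10 Apr 2010 01:02:01 -0700 (PDT)\n"
    "Subject: Research Paper on Nuclear Posture Review 2010\n"
    "\n"
)

# Constructed sample: the DNS section of the sandbox report quoted above.
SAMPLE_SANDBOX_DNS = """DNS Queries:
        Name: [ sinmail.byinter.net ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ]
        Name: [ 88521.kwik.to ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ]
"""

# Constructed indicator set: the sender IP and the hostnames named in this post.
KNOWN_BAD_IPS = {"174.139.92.6"}
KNOWN_BAD_DOMAINS = {"sinmail.byinter.net", "88521.kwik.to", "corepiper.sexidude.com"}

# Yahoo webmail records the browser's client IP in this shape of Received line.
WEBMAIL_RECEIVED = re.compile(
    r"from \[(\d{1,3}(?:\.\d{1,3}){3})\] by (\S+) via HTTP", re.IGNORECASE
)
DNS_NAME = re.compile(r"Name: \[ (\S+) \]")


def submitting_ip(raw_headers):
    """Return (client_ip, webmail_host) from the webmail submission hop, or None.

    Received headers are prepended by each relay, so the oldest hop is the
    last one. Walking from the bottom means a forged 'from [...]' line that a
    sender stuffed in above the real hops is not the one we pick up."""
    msg = message_from_string(raw_headers)
    for received in reversed(msg.get_all("Received", [])):
        m = WEBMAIL_RECEIVED.search(" ".join(received.split()))
        if m:
            return m.group(1), m.group(2)
    return None


def dkim_domain(raw_headers):
    """The d= tag names the signing domain. A valid yahoo.com signature only
    says Yahoo relayed the message; it says nothing about who owns the account."""
    sig = message_from_string(raw_headers).get("DKIM-Signature", "")
    m = re.search(r"\bd=([^;\s]+)", " ".join(sig.split()))
    return m.group(1) if m else None


def sandbox_domains(report):
    """Hostnames the sample tried to resolve, in the order the sandbox logged them."""
    return [m.group(1) for m in DNS_NAME.finditer(report)]


def correlate(raw_headers, sandbox_report):
    """Tie the mail's origin to the dropper's network indicators."""
    hop = submitting_ip(raw_headers)
    ip = hop[0] if hop else None
    domains = sandbox_domains(sandbox_report)
    return {
        "origin_ip": ip,
        "webmail_host": hop[1] if hop else None,
        "dkim_domain": dkim_domain(raw_headers),
        "sandbox_domains": domains,
        "origin_ip_known_bad": ip in KNOWN_BAD_IPS,
        "sandbox_domains_known_bad": sorted(set(domains) & KNOWN_BAD_DOMAINS),
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_HEADERS, SAMPLE_SANDBOX_DNS).items():
        print(f"{key}: {value}")
```

The point of reading the hop from the bottom of the chain, rather than taking the first bracketed IP found, is that anything the sender adds to the headers before submission sits above the hops the real relays append; the webmail provider's own "via HTTP" line is the first one that can be trusted.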

=====================================================

SEXIDUDE.COM


sexidude.com ("Dynamic Dns >> Sexidude.com > How-to") is a domain controlled by three nameservers at changeip.org. Two of them are on the same IP network. Incoming mail for sexidude.com is handled by one mailserver at changeip.com. sexidude.com has one IP number, but the reverse is vanity.changeip.com. 3-a.net, 25u.com, ddns.us, 4pu.com, ns01.us and at least 35 other hosts point to the same IP and also shares both nameservers and mailservers. ns02.biz, ns01.biz, ocry.com, myz.info, toh.info and at least 30 other hosts point to the same IP and also shares nameservers. wha.la, ns02.us, ddns.ms, epac.to, dns2.us and at least 93 other hosts point to the same IP and also shares mailservers. dns1.us, zyns.com, ns3.name, my03.com, jkub.com and at least 97 other hosts point to the same IP. h1x.com, ns1.name, dhcp.biz, ns02.info, dumb1.com and at least 26 other hosts share both nameservers and mailservers with this domain. sixth.biz, jetos.com, ddns.info, ns01.info, mrface.com and at least 21 other hosts share nameservers with this domain. dns1.us, 4dq.com, ns02.biz, zyns.com, ns3.name and at least 100 other hosts share mailservers with this domain. a.sexidude.com, www.sexidude.com, is-a.sexidude.com, info.sexidude.com, tel-mag.sexidude.com and at least three other hosts are subdomains to this hostname. sexidude.com is ranked #6264971 world wide and is hosted on a server in United States. Child safety of this site is very poor. It is blacklisted in three lists. It has 4 organic keywords. It has been online for nine years.
Domain Name: SEXIDUDE.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS1.CHANGEIP.ORG
Name Server: NS2.CHANGEIP.ORG
Name Server: NS3.CHANGEIP.ORG
Status: clientTransferProhibited
Updated Date: 04-jan-2010
Creation Date: 14-jan-2001
Expiration Date: 14-jan-2011
 ========================================================================
88521.KWIK.TO

88521.kwik.to has one IP number, but the reverse is localhost. ns4.de, sunx.org, cabi.net, celox.nl, jcaa.com and at least 100 other hosts point to the same IP. kwik.to is delegated to three nameservers, however two extra nameservers are listed in the zone. kwik.to has one IP number. It is blacklisted in one list.



not whoisable

=======================================================================
COREPIPER.SEXIDUDE.COM
Incoming mail for corepiper.sexidude.com is handled by one mailserver at sexidude.com. corepiper.sexidude.com has one IP number, but the reverse is localhost. ns4.de, sunx.org, cabi.net, celox.nl, jcaa.com and at least 100 other hosts point to the same IP. corepiper.sexidude.com use this as a mailserver. www.corepiper.sexidude.com and ftp.corepiper.sexidude.com are subdomains to this hostname. sexidude.com is a domain controlled by three nameservers at changeip.org. Two of them are on the same IP network. Incoming mail for sexidude.com is handled by one mailserver at changeip.com. sexidude.com has one IP number. It is blacklisted in two lists.
======================================================================