contagio: June 2010

Wednesday, June 30, 2010

Jun 30 CVE-2010-1297 PDF 2020 National Defense Industrial Strategy Forum from techdm@csistdup.org.tw

CVE-2010-1297 Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64, Adobe AIR before 2.0.2.12610, and authplay.dll in Adobe Reader and Acrobat 9.x through 9.3.2 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, as exploited in the wild in June 2010.

Download 497bd7eb4be6ae9b68c624e3fb594502 2020.pdf as a password protected archive (contact me if you need the password)

File 2020.pdf received on 2010.07.04 05:20:15 (UTC)
http://www.virustotal.com/analisis/000c6d021e9678184f059dd1dfacf75558bdd3f62e259e789836005efbf0e6b1-1278220815
Result: 14/41 (34.15%)
a-squared    5.0.0.31    2010.07.03    Exploit.SWF.CVE-2010-1297!IK
AntiVir    8.2.4.2    2010.07.02    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.07.02    Exploit/SWF.CVE-2010-1297
Avast    4.8.1351.0    2010.07.03    JS:Pdfka-AIX
Avast5    5.0.332.0    2010.07.03    JS:Pdfka-AIX
BitDefender    7.2    2010.07.04    Exploit.PDF-Name.Gen
eTrust-Vet    36.1.7684    2010.07.03    SWF/CVE-2010-1297.A!exploit
F-Secure    9.0.15370.0    2010.07.03    Exploit.PDF-Name.Gen
GData    21    2010.07.04    Exploit.PDF-Name.Gen
Ikarus    T3.1.1.84.0    2010.07.03    Exploit.SWF.CVE-2010-1297
Kaspersky    7.0.0.125    2010.07.04    Exploit.SWF.CVE-2010-1297.a
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.PDF.Suspicious.O
nProtect    2010-07-04.01    2010.07.04    Exploit.PDF-Name.Gen
Sophos    4.54.0    2010.07.04    Mal/PDFEx-D
Additional information
File size: 237302 bytes
MD5...: 497bd7eb4be6ae9b68c624e3fb594502

Headers
Received: from mta-101.dothome.co.kr (HELO mta-101.dothome.co.kr) (211.239.118.134)
by XXXXXXXXXXXXXXXXX
X-AuthUser: aks@a-one.co.kr
Received: from techdm ([218.234.32.224]:4032)
    by mta-101.dothome.co.kr with [XMail 1.22 PassKorea090507 ESMTP Server]
    ...
    Wed, 30 Jun 2010 23:21:06 +0900
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@techdm212af2ce2>
From: "???K??"
To: XXXXXXXXXXXXXXX
Subject: =?big5?B?MjAyMLDqqL6s7KfesqO3frWmsqS9177CrKGwyg==?=
Date: Wed, 30 Jun 2010 22:07:21 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000B_01CB18A0.9EBCFA10"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579

218.234.32.224

 Hostname:    218.234.32.224
ISP:    Hanaro Telecom Co.
Organization:    ARO INFORMATION TECH
Type:    Broadband
Assignment:    Static IP
Country:    Korea, Republic of
State/Region:    Soul-t'ukpyolsi
City:    Seocho

From: §õ¨K©É [mailto:techdm@csistdup.org.tw]
Sent: Wednesday, June 30, 2010 10:07 AM
To: XXXXXXXXXXXX
Subject: 2020國防科技產業策略論壇活動

中山科學研究院預計於99年7月29日(星期四)AM09：30於本院龍園研究園區W48館
舉辦「2020國防科技產業策略論壇」活動，歡迎聯盟成員及各界人士踴躍報名參加。

一、論壇目的：
中科院預計99年7月29日於龍園研究園區舉辦「2020年國防科技產業策略論壇」活
動，主題為「整合產學科技能量，推動國防科技產業」，子題分別為 (一)結合週
邊園區、發展軍通科技。(二)轉化國防科技、創造產業價值。(三)引進民間資源、
建構自主國防。
本活動將邀請行政院科技顧問組萬執秘其超主持、工業局、技術處、中小企業處及
軍備局等主管擔任共同主持人，聽取國防科技產業聯盟成員(產業及學界)對未來年
國防科技能量釋出及參與國防研發機會之寶貴意見，期望透過此次活動整合出產學
研策略方向與共識，完成2020年我國國防科技產業發展策略報告，提供政府主管產
業(經濟部)及國防決策單位(國防部)，作為推動國防產業及發展軍民通用科技政策
之參考。

二、活動日期及地點
1.日期：99年7月29日(星期四)
2.時間：上午09：30至下午15：30
3.地點：龍園研究園區w48館一樓(國際會議廳)

三、報名方式
1.傳真：03-4117119
2.E-mail：techdm@csistdup.org.tw

四、報名截止：99年7月15日

五、聯絡人：李沛怡小姐：電話：03-4712201轉32982

Jun 30 CVE-2009-3129 XLS Mission to China Permanent Contact info

CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."

Download 15a22ac5b7ed9fd640d6220dac0b4488 Permanent Contact info.xls as a password protected archive (contact me if you need the password)

From: Gary Crowley [mailto:gcgarycrowley@yahoo.com]
Sent: Wednesday, June 30, 2010 8:56 PM
To: gcgarycrowley@yahoo.com
Subject: Fw: U.S. Mission to China Permanent Contact info

Dear all

Attached is U.S. Mission to China Permanent Contact.

Result: 8/42 (19.05%)
http://www.virustotal.com/analisis/68809148ea164e7e9c605e51740e229160540c301c1148d5a9732cd62a43022c-1280205402
Antivirus     Version     Last Update     Result
AntiVir    8.2.4.26    2010.07.26    EXP/Excel.CVE-2009-3129
Authentium    5.2.0.5    2010.07.27    MSExcel/Dropper.B!Camelot
Emsisoft    5.0.0.34    2010.07.27    Exploit.Win32.CVE-2009!IK
Ikarus    T3.1.1.84.0    2010.07.27    Exploit.Win32.CVE-2009
Microsoft    1.6004    2010.07.26    Exploit:Win32/CVE-2009-3129

Norman   6.05.11   2010.07.26   ShellCode.M
TrendMicro    9.120.0.1004    2010.07.27    TROJ_DROPPER.QRX
TrendMicro-HouseCall    9.120.0.1004    2010.07.27    TROJ_DROPPER.QRX
Additional information
File size: 56714 bytes
MD5...: 15a22ac5b7ed9fd640d6220dac0b4488

Headers

Received: from [180.150.229.29] by web120112.mail.ne1.yahoo.com via HTTP; Wed, 30 Jun 2010 17:56:09 PDT
X-Mailer: YahooMailClassic/11.1.4 YahooMailWebService/0.8.104.274457
Date: Wed, 30 Jun 2010 17:56:09 -0700
From: Gary Crowley
Subject: Fw: U.S. Mission to China Permanent Contact info
To: gcgarycrowley@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-415109960-1277945769=:30240"

netnum:    180.150.224.0 - 180.150.231.255
netname:    EHOSTIDC
country:    KR
admin-c:    JK1606-AP
tech-c:    JK1606-AP
status:    Allocated Portable
remarks:    www.ehostidc.co.kr
mnt-by:    MNT-KRNIC-AP
mnt-lower:    MNT-KRNIC-AP
changed:    XXXXXXXXXX@apnic.net 20090909
source:    APNIC
person:    Jinyoung Lee
nic-hdl:    JK1606-AP
e-mail:    XXXXXXX@ehostidc.co.kr
address:    Newticastle Geumcheon-gu Gasan-dong Seoul
phone:    +82-2-6277-3316
fax-no:    +82-2-6277-3311
country:    KR
changed:    XXXXXXXXXX@nida.or.kr 20090512
mnt-by:    MNT-KRNIC-AP
source:    APNIC
inetnum:    180.150.224.0 - 180.150.231.255
netname:    EHOSTIDC-KR

Monday, June 28, 2010

Jun 28 CVE-2010-1297 Global Economic Policies and Prospects from xxx.crisisgroup.org

Download 6932d141916cd95e3acaa3952c7596e4 Global.pdf as a password protected archive (contact me if you need the password)

-----Original Message-----

From: Daniel Pinkston [mailto:XXXXXXXXXXXXXX]

Sent: Monday, June 28, 2010 12:49 PM

To: sitrep@crisisgroup.org

Subject: Global Economic Policies and Prospects

The attachment is quite useful for you .

Sincerely

Daniel A. Pinkston, Ph.D.

North East Asia Deputy Project Director

ph: +XXXXXXXXXXX

Mobile: XXXXXXXXXXXX

File Global.pdf received on 2010.07.04 03:03:52 (UTC)
http://www.virustotal.com/analisis/ab8a06d95935b07ad241c17d2c0bd2855e0ee77b24611805cd95fd4871052311-1278212632
Result: 16/41 (39.03%)
Antivirus    Version    Last Update    Result
a-squared   5.0.0.31   2010.07.03   Exploit.SWF.CVE-2010-1297!IK
AntiVir   8.2.4.2   2010.07.02   EXP/CVE-2010-1297
Antiy-AVL   2.0.3.7   2010.07.02   Exploit/SWF.CVE-2010-1297
Avast   4.8.1351.0   2010.07.03   JS:Pdfka-AIX
Avast5   5.0.332.0   2010.07.03   JS:Pdfka-AIX
BitDefender   7.2   2010.07.04   Exploit.PDF-Name.Gen
eTrust-Vet   36.1.7684   2010.07.03   SWF/CVE-2010-1297.A!exploit
F-Secure   9.0.15370.0   2010.07.03   Exploit.PDF-Name.Gen
GData   21   2010.07.04   Exploit.PDF-Name.Gen
Ikarus   T3.1.1.84.0   2010.07.03   Exploit.SWF.CVE-2010-1297
Kaspersky   7.0.0.125   2010.07.04   Exploit.SWF.CVE-2010-1297.a
McAfee-GW-Edition   2010.1   2010.07.02   Heuristic.BehavesLike.PDF.Suspicious.O
nProtect   2010-07-03.02   2010.07.03   Exploit.PDF-Name.Gen
Sophos   4.54.0   2010.07.03   Mal/PDFEx-D
TrendMicro   9.120.0.1004   2010.07.03   TROJ_PDFSWF.C
TrendMicro-HouseCall   9.120.0.1004   2010.07.04   TROJ_PDFSWF.C
Additional information
File size: 492149 bytes
MD5...: 6932d141916cd95e3acaa3952c7596e4

Headers
Received: from mail.crisisweb.org (HELO mail.crisisweb.org) (217.64.242.146)
by XXXXXXXXXXXXXXXXXXXXXXXXXXX
Received: from apaitpdc.apaitonline.org ([12.11.239.25]) by mail.crisisweb.org with Microsoft SMTPSVC(6.0.3790.4675);
    Mon, 28 Jun 2010 18:49:32 +0200
Received: from 127.0.0.1 ([127.0.0.1]) by apaitpdc.apaitonline.org with Microsoft SMTPSVC(6.0.3790.4675);
    Mon, 28 Jun 2010 09:49:13 -0700
To: ""
From: "Daniel Pinkston"
Subject: Global Economic Policies and Prospects
X-Mailer: Ghost Mail 5.1 http://ay.home.ml.org/
X-Priority: 3 (Normal)
Return-Path: XXXXXXXXXXXXXXXXXXXXXXXXX
Message-ID:
X-OriginalArrivalTime: 28 Jun 2010 16:49:13.0640 (UTC) FILETIME=[D6BDB280:01CB16E1]
Date: Mon, 28 Jun 2010 09:49:13 -0700
X-TM-AS-Product-Ver: SMEX-8.6.0.1168-6.000.1038-17472.004
X-TM-AS-Result: No--11.273500-5.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
MIME-Version: 1.0
X-ConvertedToMime: 1

12.11.239.25

Hostname:    apaitpdc.apaitonline.org

ISP:    AT&T WorldNet Services

Organization:    ACC-ASIAN PACIFIC AIDS INTERVENT

Proxy:    None detected

Type:    Corporate

Assignment:    Static IP

Services:    Web Server (1 or more domains)

Geolocation Information

State/Region:    California

City:    Los Angeles

Sunday, June 27, 2010

Malware Analysis and Forensics tools links

Beginner Malware Analysis and Reverse Engineering

Informational slides about malware

Malware: Rootkits and Viruses by Vitaly Shmatikov

How-To Forensics and RE links

Decoding Data Exfiltration – Reversing XOR Encryption - Crucial Security Harris
Prefetch Files at Face Value - Crucial Security Harris
Resurrecting “Dead” Images for Live Analysis ( Virtual Forensic Computing (VFC)) - Crucial Security Harris
ZeroAccess / Max++ / Smiscer Crimeware Rootkit sample for Step-by-Step Reverse Engineering by Giuseppe Bonfa
ReVeRsInG by Lena151
Facebook Forensics Valkyrie-X Security Research Group (VXRL)
IDA video tutorials TiGA
IDA documents
CodeProject Code Injection methods

Malware Analysis and Forensics tools

List of Malware Analysis Tools (Paul Melson's Blog)
Free Computer Forensic Tools (forensiccontrol.com)
http://cracklab.ru/ - Is Russian, wonderful resource
Collaborative RCE Tool Library
Malzilla: Malware hunting tool
Wireshark
PaiMei
OllyDbg
COFEE - Computer forensics tool
Rex Swain's HTTP Viewer
ackack Steve Ocepek
A program to monitor network traffic and detect unauthorized sessions. Provides the ability to send alerts based on source and/or duration of each session, which aids in the detection of malware such as botnets and bind shells.
Fireshark by Stephan Chenette
Fireshark is a tool, made up of a Firefox plugin and a set of postprocessing scripts that allows you to capture web traffic from the core of your web browser, enabling you to log events and download content to disk for post-process analysis.
PDF Stream Dumper
Analyzing Malware Through MS-Office Documents Ethical-Hacker.net blog
Andre M. DiMino Sempersecurus Malware Sandbox Services and Software
Maltego Community Edition
Netwitness Investigator Freeware

Scan websites for malware

http://www.urlvoid.com/

AV Scanners

vicheck.ca - for document analysis

ReCon2010 Slides (many many thanks to ARTeam)

DigitalNinjitsu.com - A (great) resource for security professionals to perform research.

Malware Analysis -- Links and resources for malware samples

Jun 27 CVE-2009-0927 PDF Discussion on cross-strait maritime cooperation

CVE-2009-0927 Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.

Download 6e14c7a424c2eef7f37810ff65650837 ATT27173.pdf as a password protected archive (contact me if you need the password)

File ATT27173.pdf received on 2010.07.04 05:42:18 (UTC)
http://www.virustotal.com/analisis/6ed5186f31852eb5533670ae0d08737940148fe8587bdc44c5474426d92362c7-1278222138
Result: 11/41 (26.83%)
Antivirus     Version     Last Update     Result
Avast    4.8.1351.0    2010.07.03    JS:Pdfka-AIX
Avast5    5.0.332.0    2010.07.03    JS:Pdfka-AIX
BitDefender    7.2    2010.07.04    Exploit.PDF-JS.Gen
eSafe    7.0.17.0    2010.06.30    Win32.Pidief.D
F-Secure    9.0.15370.0    2010.07.03    Exploit.PDF-JS.Gen
GData    21    2010.07.04    Exploit.PDF-JS.Gen
Kaspersky    7.0.0.125    2010.07.04    Exploit.JS.Pdfka.cnj
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.JS.BufferOverflow.D
nProtect    2010-07-04.01    2010.07.04    Exploit.PDF-JS.Gen
PCTools    7.0.3.5    2010.07.02    Trojan.Pidief
Symantec    20101.1.0.89    2010.07.04    Trojan.Pidief.D
Additional information
File size: 132181 bytes
MD5...: 6e14c7a424c2eef7f37810ff65650837

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=6e14c7a424c2eef7f37810ff65650837&type=js

Adobe getIcon

Stack-based buffer overflow in Adobe Reader and Acrobat via the getIcon method of a Collab object

CVE-2009-0927

From: ³Å¼¢©t [mailto:guanpen@gio.gov.tw]
Sent: Sunday, June 27, 2010 9:23 PM
To: achengster@gmail.com
Subject: 兩岸海上合作芻議

釐清當前兩岸合作的理由、方式、目的、地點與自我檢討。
-----------------------------------------------------------------
中華孫子兵法研究學會
會長傅慰孤

Terrible machine translation :)

From: ³ Å ¼ ¢ © t
[mailto: guanpen@gio.gov.tw]
Sent: Sunday,June 27, 2010 9:23 PM
To: achengster@gmail.com
Subject: Discussion on cross-strait maritime cooperation

Clarify the reasons for the current cross-strait cooperation, methods, purpose, location and self-examination.
-------------------------------------------------- ---------------Research Institute of Chinese Art of WarFu Wei-ku, president of

Saturday, June 26, 2010

Ru-Eng-Eng Glossary. Russian (human computer slang) -> English (Google machine) -> English (human computer slang)

Many of us use machine Google and other machine translation services to read sites and forums in other languages. As you know, the main problem with any machine translation is that it needs additional human translation afterwords because it cannot recognize many colloquial, misspelled, technical, transliterated, or slang words.

Not everyone knows about Google Translator Toolkit allowing you to upload your documents or to select an URL and save the results for future reference (see Google video below) You can also add your own glossaries to enhance and customize the translation results. I find that they do not work as you would expect (do not get automatically used sort of like your personal dictionaries in MS Office) but they are still semi useful for creating custom vocabulary lists to assist you in translation of "Google machine English" into human English.

I made a quick draft of a custom Ru-GoogleEng-Eng glossary with less than 100 words and you can see a few screenshots below. The English words in bold in the first column are the words offered by Google Translate - these are wrong words and in no way reflect the correct Russian and English versions that you can see in the other two columns.

There are a couple of ways of using Google Translate kit site - download the csv to your computer and use a plain search for words through the file or to use Google translate toolkit (if you have Gmail, just go to http://translate.google.com/toolkit to see it for searching through the uploaded custom glossary. Other languages can be added too.

Download csv Glossary importable to Google translate kit (unicode UTF-8)
Download a HTML page - glossary

screenshot 1
(1st column shows WRONG translation consistently offered by Google translate ,
2nd column - part of speech and case,
3rd column - correct English and Russian pairs.
(Let me know if you have any corrections or comments)

Thursday, June 24, 2010

Jun 17 Win XP (SP2, SP3) 0-Day - CVE-2010-1885 Samples and analysis links

CVE-2010-1885 The MPC::HexToNum function in helpctr.exe in Microsoft Windows Help and Support Center in Windows XP and Windows Server 2003 does not properly handle malformed escape sequences, which allows remote attackers to bypass the trusted documents whitelist (fromHCP option) and execute arbitrary commands via a crafted hcp:// URL.

Zero Day Vulnerability in Windows Help Center CVE-2010-1885.
Exploit for the “Windows Help Center” of Windows XP ServicePack 2 and ServicePack 3.

Full Disclosure post by Tavis Ormandy
Microsoft Security Advisory (2219475) Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
Microsoft Fix-It solution
See a good description of this particular malware on CVE 2010-1885 exploited in the wild by Donato Ferrante - Sophos Labs
Microsoft Help Center XSS and Command Execution Metasploit
Microsoft Help Center Zero-Day Exploits Loose by Carolyn Guevarra (Trendlabs malware blog)
Video and exploit sequence explanation by Hardez
CVE-2010-1885 Analysis:
Exploit methods and files involved are well described in Microsoft Help Center Zero-Day Exploits Loose by Carolyn Guevarra (Trendlabs malware blog) You can download all the files described (except o.exe) from the download link below

Image from Trendlabs malware blog

Download CVE-2010-1885 files listed below as a password protected archive (contact me if you need the password)

File 62f4daf19da62595609d6a0c0089fcac received on 2010.06.24 04:16:26 (UTC)
Current status: finished
Result: 28/41 (68.29%)
a-squared     5.0.0.30     2010.06.24     Exploit.Win32.CVE-2010-1885!IK
AhnLab-V3     2010.06.24.00     2010.06.24     Exploit/Cve-2010-1885
AntiVir     8.2.4.2     2010.06.23     EXP/CVE-2010-1885
Avast     4.8.1351.0     2010.06.23     HTML:CVE-2010-1885-A
Avast5     5.0.332.0     2010.06.23     HTML:CVE-2010-1885-A
AVG     9.0.0.836     2010.06.23     Generic2_c.AMOL
BitDefender     7.2     2010.06.24     Exploit.CVE-2010-1885.A
CAT-QuickHeal     10.00     2010.06.23     HCP/CVE-2010-1885
Comodo     5198     2010.06.23     UnclassifiedMalware
DrWeb     5.0.2.03300     2010.06.24     Exploit.Hcp
eSafe     7.0.17.0     2010.06.23     Win32.Exploit.HelpOv
eTrust-Vet     36.1.7663     2010.06.24     HTML/HCP.A
F-Secure     9.0.15370.0     2010.06.24     Exploit.CVE-2010-1885.A
GData     21     2010.06.24     Exploit.CVE-2010-1885.A
Ikarus     T3.1.1.84.0     2010.06.24     Exploit.Win32.CVE-2010-1885
Kaspersky     7.0.0.125     2010.06.24     Exploit.HTML.CVE-2010-1885.a
McAfee     5.400.0.1158     2010.06.24     Exploit-HelpOverflow
McAfee-GW-Edition     2010.1     2010.06.23     Exploit-HelpOverflow
Microsoft     1.5902     2010.06.23     Exploit:Win32/CVE-2010-1885.A
NOD32     5223     2010.06.23     HTML/Exploit.CVE-2010-1885
nProtect     2010-06-23.02     2010.06.23     Exploit.CVE-2010-1885.A
PCTools     7.0.3.5     2010.06.24     Exploit.CVE_2010_1885
Sophos     4.54.0     2010.06.24     Mal/HcpExpl-A
Sunbelt     6498     2010.06.24     Exploit.HTML.HCP.a (v)
Symantec     20101.1.0.89     2010.06.24     Bloodhound.Exploit.337
TrendMicro     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
TrendMicro-HouseCall     9.120.0.1004     2010.06.24     TROJ_HCPEXP.A
ViRobot     2010.6.21.3896     2010.06.24     JS.S.Exploit.1938
Additional information
File size: 1938 bytes
MD5   : 62f4daf19da62595609d6a0c0089fcac

Tuesday, June 22, 2010

Jun 21 CVE-2010-1297 PDF Adobe 0-Day About the recent US-Japan Economic Relations - with Poison Ivy

Adobe will fix this vulnerability on June 29

Security Risks in Asynchronous Patch Release Schedules by by Haifei Li Fortinet

Download e3f5ef4fa17b4e08388ae4b0e2373728 100621.pdf as a password protected archive (contact me if you need the password)

-----Original Message-----
From: 大川　正人 [mailto:maseto.okawa@cas.go.jp]
Sent: Monday, June 21, 2010 12:29 AM
To: xxxxxxx
Subject: 最近の日米経済関係について
Importance: High
......
�i‘ã•\�j03-5453-2111�i“à�ü�j82657
�i’¼’Ê�j03-3581-4445
�iFAX�j03-3581-5601
masato.okawa@cas.go.jp
=====================================
----- Original Message -----From: Ookawa Masato [mailto: maseto.okawa @ cas.go.jp]Sent: Monday, June 21, 2010 12:29 AM
To: xxxxxxxSubject: About the recent US-Japan Economic RelationsImportance: High

 Headers

Received: from unknown (HELO cas.go.jp) (60.26.142.253) 

Received: from SSSSSS-2F0F04F3[192.168.1.211] by cas.go.jp
with SMTP id 4C7BCC96; Mon, 21 Jun 2010 12:28:56 +0800
From: =?ISO-2022-JP?B?GyRCQmdAbiEhQDU/TRsoQg==?=
Subject: =?ISO-2022-JP?B?GyRCOkc2YSRORnxKRjdQOlE0WDc4JEskRCQkJEYbKEI=?=
To: xxxxxxxxxxxxxxxxx
Content-Type: multipart/mixed;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="iso-2022-jp"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Reply-To: maseto.okawa@cas.go.jp
Date: Mon, 21 Jun 2010 12:29:29 +0800
X-Priority: 2
X-Mailer: Foxmail 4.1 [cn]

60.26.142.253
ISP:    China Unicom Tianjin province network
Organization:    China Unicom Tianjin province network
Type:    Broadband
Assignment:    Static IP
Country:    China cn flag
State/Region:    Tianjin

File 100621.pdf received on 2010.06.22 00:33:39 (UTC)

http://www.virustotal.com/analisis/5e77d181d45156a17423a7a9d8be59635c3425003a35957f3ccf973bf4a1240b-1277166819
Result: 9/41 (21.95%)
a-squared    5.0.0.30    2010.06.21    Exploit.JS.Pdfka!IK
AntiVir    8.2.2.6    2010.06.21    HTML/Malicious.PDF.Gen
BitDefender    7.2    2010.06.22    Exploit.PDF-JS.Gen
GData    21    2010.06.22    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.84.0    2010.06.21    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.06.21    Exploit.JS.Pdfka.clv
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.PDF.Suspicious.O
Sophos    4.54.0    2010.06.21    Troj/PDFJs-KY
VirusBuster    5.0.27.0    2010.06.21    JS.Pdfka.Gen.11
Additional information
File size: 969411 bytes
MD5   : e3f5ef4fa17b4e08388ae4b0e2373728

Many thanks to JM for sharing the following information
Dropped files
100621.PDF (95210e66bc040ee0f6b5601390658007 – benign decoy, notice the size difference 105 kb
SUCHOST.EXE (abf8e40d7c99e9b3f515ec0872fe099e – 45k) - appears to be Poison Ivy RAT

VT Result: 19/41 (46.34%)
SUCHOST.EXE
http://www.virustotal.com/analisis/8264a96a954c9a3f661bd21b9493377a710aaac1e96fe276d8d9095ea286c84a-1277147963
AhnLab-V3   2010.06.21.02     2010.06.21 Win-Trojan/Agent.45056.AMQ
Antiy-AVL   2.0.3.7     2010.06.18 Trojan/Win32.Agent.gen
Authentium 5.2.0.5     2010.06.21 W32/Trojan2.MIBZ
Avast 4.8.1351.0 2010.06.21 Win32:Malware-gen
Avast5      5.0.332.0   2010.06.21 Win32:Malware-gen
AVG   9.0.0.787   2010.06.21 Agent2.ALLE
BitDefender 7.2   2010.06.21 Trojan.Inject.XI
CAT-QuickHeal     10.00 2010.06.18 Trojan.Agent.dgqy
DrWeb 5.0.2.03300 2010.06.21 Trojan.Siggen1.43943
F-Prot      4.6.1.107   2010.06.20 W32/Trojan2.MIBZ
F-Secure    9.0.15370.0 2010.06.21 Trojan.Inject.XI
GData 21    2010.06.21 Trojan.Inject.XI
Jiangmin    13.0.900    2010.06.15 Trojan/Agent.cule
McAfee-GW-Edition 2010.1      2010.06.21 Heuristic.LooksLike.Trojan.Backdoor.Poison.I
Microsoft   1.5902      2010.06.21 Backdoor:Win32/Poison.AP
NOD32 5216 2010.06.21 a variant of Win32/Poison.NDQ
nProtect    2010-06-21.01     2010.06.21 Trojan/W32.Agent.45056.TM
Panda 10.0.2.7    2010.06.21 Suspicious file
ViRobot     2010.6.21.3896    2010.06.21 Trojan.Win32.Agent.45056.HO

Jun 20 CVE-2010-1297 PDF Adobe 0-Day Meeting agenda from alexis.mo88@gmail.com

Adobe will fix this vulnerability on June 29

Security Risks in Asynchronous Patch Release Schedules by by Haifei Li Fortinet

Download fb2523d17b3fa3b19a914bf23a61827c Agenda.pdf as a password protected archive (contact me if you need the password)

From: Alexis Moore [mailto:alexis.mo88@gmail.com]
Sent: Sunday, June 20, 2010 9:21 AM
To: xxxxxx
Subject: Meeting agenda

Hi everyone!
I hope everyone has been as busy as I have reviewing our set of reference documents! With the meeting quickly approaching, we can maximize our productivity with everyone familiar with the various projects & activities related to our work effort.
here is an agenda outline for the upcoming meeting. I look forward to seeing everyone there, and hope your travel is uneventful.
-Alexis

The PDF file is very similar to the one described in this Symantec blog post

http://www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader

http://www.virustotal.com/analisis/5d312ec870b42302798324e88e49ff82ab607ca93bbf1300335d03c6bd71c7b3-1277184081

File Agenda.PDF received on 2010.06.21 05:05:57 (UTC)
Result: 5/41 (12.20%)
AntiVir     8.2.2.6     2010.06.20     HTML/Malicious.PDF.Gen
Kaspersky     7.0.0.125     2010.06.21     Exploit.JS.Pdfka.clv
McAfee-GW-Edition     2010.1     2010.06.20     Heuristic.BehavesLike.PDF.Suspicious.O
Sophos     4.54.0     2010.06.21     Troj/PDFJs-KY
VirusBuster     5.0.27.0     2010.06.20     JS.Pdfka.Gen.11
Additional information
File size: 969401 bytes
MD5   : fb2523d17b3fa3b19a914bf23a61827c

Monday, June 21, 2010

Jun 21 CVE-2010-1297 PDF About the recent US-Japan Economic Relations

Download e3f5ef4fa17b4e08388ae4b0e2373728 100621.pdf as a password protected archive (contact me if you need the password)

File 100621.pdf received on 2010.07.04 06:06:32 (UTC)
http://www.virustotal.com/analisis/5e77d181d45156a17423a7a9d8be59635c3425003a35957f3ccf973bf4a1240b-1278223592
Result: 18/41 (43.91%)
a-squared   5.0.0.31   2010.07.04   Exploit.JS.Pdfka!IK
AntiVir   8.2.4.2   2010.07.02   HTML/Malicious.PDF.Gen
Comodo   5309   2010.07.04   UnclassifiedMalware
eSafe   7.0.17.0   2010.06.30   Win32.Pidief.J
eTrust-Vet   36.1.7684   2010.07.03   PDF/Pidief.RU
Ikarus   T3.1.1.84.0   2010.07.04   Exploit.JS.Pdfka
Kaspersky   7.0.0.125   2010.07.04   Exploit.JS.Pdfka.clv
McAfee   5.400.0.1158   2010.07.04   Exploit-PDF.ca
McAfee-GW-Edition   2010.1   2010.07.02   Exploit-PDF.ca
Microsoft   1.5902   2010.07.03   Exploit:SWF/CVE-2010-1297.E
NOD32   5249   2010.07.04   JS/Exploit.Pdfka.CLV
Norman   6.05.10   2010.07.03   JS/Shellcode.IT
PCTools   7.0.3.5   2010.07.02   Trojan.Pidief
Sophos   4.54.0   2010.07.04   Troj/PDFJs-KY
Symantec   20101.1.0.89   2010.07.04   Trojan.Pidief.J
TrendMicro   9.120.0.1004   2010.07.04   TROJ_PIDIEF.WL
TrendMicro-HouseCall   9.120.0.1004   2010.07.04   TROJ_PIDIEF.WL
VirusBuster   5.0.27.0   2010.07.03   JS.Pdfka.Gen.11
File size: 969411 bytes
MD5...: e3f5ef4fa17b4e08388ae4b0e2373728

Sunday, June 20, 2010

Jun 20 CVE-2010-1297 PDF Meeting agenda from alexis.mo88@gmail.com

Download fb2523d17b3fa3b19a914bf23a61827c Agenda.PDF as a password protected archive (contact me if you need the password)

From: Alexis Moore [mailto:alexis.mo88@gmail.com]
Sent: Sunday, June 20, 2010 9:21 AM
To: XXXXXXXXXXXXXX
Subject: Meeting agenda

Hi everyone!
I hope everyone has been as busy as I have reviewing our set of reference documents! With the meeting quickly approaching, we can maximize our productivity with everyone familiar with the various projects & activities related to our work effort.
here is an agenda outline for the upcoming meeting. I look forward to seeing everyone there, and hope your travel is uneventful.
-Alexis

File Agenda.PDF received on 2010.07.04 16:55:23 (UTC)
http://www.virustotal.com/analisis/5d312ec870b42302798324e88e49ff82ab607ca93bbf1300335d03c6bd71c7b3-1278262523
Result: 18/41 (43.91%)
a-squared    5.0.0.31    2010.07.04    Exploit.JS.Pdfka!IK
AhnLab-V3    2010.07.03.00    2010.07.03    PDF/Exploit
AntiVir    8.2.4.2    2010.07.02    HTML/Malicious.PDF.Gen
Authentium    5.2.0.5    2010.07.04    PDF/Pidief.BY
eSafe    7.0.17.0    2010.07.04    Win32.Pidief.J
Ikarus    T3.1.1.84.0    2010.07.04    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.07.04    Exploit.JS.Pdfka.clv
McAfee    5.400.0.1158    2010.07.04    Exploit-PDF.q.gen!stream
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.07.03    Exploit:SWF/CVE-2010-1297.E
NOD32    5250    2010.07.04    JS/Exploit.Pdfka.CLV
Norman    6.05.10    2010.07.04    JS/Shellcode.IT
PCTools    7.0.3.5    2010.07.02    Trojan.Pidief
Sophos    4.54.0    2010.07.04    Troj/PDFJs-KY
Symantec    20101.1.0.89    2010.07.04    Trojan.Pidief.J
TrendMicro    9.120.0.1004    2010.07.04    TROJ_PIDIEF.VX
TrendMicro-HouseCall    9.120.0.1004    2010.07.04    TROJ_PIDIEF.VX
VirusBuster    5.0.27.0    2010.07.04    JS.Pdfka.Gen.11
Additional information
File size: 969401 bytes
MD5...: fb2523d17b3fa3b19a914bf23a61827c

Monday, June 14, 2010

Jun 14 CVE-2010-1297 PDF Adobe 0-Day WEO from sacchetti.dana@gmail.com

CVE-2010-1297. The vulnerability (CVE-2010-1297 ) causes the application to crash and could be used to run arbitrary code. This means that the malicious files could be downloaded or dropped on the affected system.

Adobe will fix this vulnerability on June 29

Security Risks in Asynchronous Patch Release Schedules by by Haifei Li Fortinet

Many thanks To Scott D, JM, AK1010, Villy for their information, relevant discussions and ideas and Binjo for his shellcode analysis

Download 81f31e17d97342c8f3700fdd56019972 WEO.pdf + dropped files + shellcode (by Binjo)

Tested on Flash 10.1, Acrobat Reader 9.3.2, Windows XP sp3. It does not work on SP SP2 and Vista, Windows 7.

Message:

VT SCAN JUNE 21
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1277107857

File WEO.pdf received on 2010.06.22 04:18:27 (UTC)
Result:13/41 (31.71%)
a-squared    5.0.0.30    2010.06.22    Exploit.SWF.Agent!IK
AntiVir    8.2.2.6    2010.06.21    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.06.18    Exploit/SWF.Agent
BitDefender    7.2    2010.06.22    Exploit.SWF.J
Comodo    5178    2010.06.22    UnclassifiedMalware
F-Prot    4.6.1.107    2010.06.21    JS/Pdfka.V
F-Secure    9.0.15370.0    2010.06.22    Exploit.SWF.J
GData    21    2010.06.22    Exploit.SWF.J
Ikarus    T3.1.1.84.0    2010.06.22    Exploit.SWF.Agent
Kaspersky    7.0.0.125    2010.06.22    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.22    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.22    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972

Javascript code snapshot

On Windows XP SP3 there is a slight delay/flicker before the PDF opens the clean decoy file shown below.

The dropped files are the following:

9ED35F49FA4DAF6CAC55E09719C58823 a.pdf - clean decoy file you see on the left

D87246D9E33C121C7F2615AE9B64FC9C ProdMgr.exe
TEMXX.tmp (Where XX is a random number) 380 kb, which is cmd.exe

File naProdMgr.exe received on 2010.06.22 05:01:15 (UTC)
http://www.virustotal.com/analisis/e2252eda0fdee991ecf2448d35ef33555de06f25c48827beb46bbebc2bf96bb6-1277182875
Result: 19/41 (46.35%)
Antivirus    Version    Last Update    Result
a-squared   5.0.0.30   2010.06.22   Backdoor.Win32.Ixeshe!IK
AhnLab-V3   2010.06.22.00   2010.06.22   Backdoor/Win32.Small
AntiVir   8.2.2.6   2010.06.21   BDS/Small.jjf
Avast   4.8.1351.0   2010.06.21   Win32:Malware-gen
Avast5   5.0.332.0   2010.06.21   Win32:Malware-gen
AVG   9.0.0.787   2010.06.21   Small.CCX
BitDefender   7.2   2010.06.22   Trojan.Generic.4211739
Comodo   5178   2010.06.22   Backdoor.Win32.Small.jjf
eSafe   7.0.17.0   2010.06.20   Win32.Small.Nem
F-Secure   9.0.15370.0   2010.06.22   Trojan.Generic.4211739
GData   21   2010.06.22   Trojan.Generic.4211739
Ikarus   T3.1.1.84.0   2010.06.22   Backdoor.Win32.Ixeshe
Kaspersky   7.0.0.125   2010.06.22   Backdoor.Win32.Small.jjf
McAfee-GW-Edition   2010.1   2010.06.21   Heuristic.BehavesLike.Win32.PasswordStealer.H
NOD32   5216   2010.06.21   probably a variant of Win32/Small.NEM
nProtect   2010-06-21.01   2010.06.21   Trojan.Generic.4211739
Panda   10.0.2.7   2010.06.21   Suspicious file
Sunbelt   6483   2010.06.21   Trojan.Win32.Generic!BT
ViRobot   2010.6.21.3896   2010.06.22   Backdoor.Win32.S.Small.30720.E
VirusBuster   5.0.27.0   2010.06.21   -
Additional information
File size: 30720 bytes
MD5...: d87246d9e33c121c7f2615ae9b64fc9c

older scan

http://www.virustotal.com/analisis/e2252eda0fdee991ecf2448d35ef33555de06f25c48827beb46bbebc2bf96bb6-1276575253

http://anubis.iseclab.org/?action=result&task_id=103e66936121161044dbaae530a892283&format=html

=============================================

Traffic information

DNS Queries
ftp.jlesher.xxuz.com DNS_TYPE_A 21.216.185.67 YES udp
www.jlesher.xxuz.com DNS_TYPE_A 110.4.3.2 YES udp
TCP Connections
216.185.67.21:443

Intersesting traffic, really. Looks like they configured their Changeip.com domain name ftp.jlesher.xxuz.com to point to 21.216.185.67.
216.185.67.21, which you can see also being used by this malware is very similar.
~~I think they just made a typo and directed it to DoD instead of their machine.~~
~~Or they temporarily set that domain to 21.216.185.67 (DoD traffic is not suspicious) and will turn it back to the real address when time is right)..~~

Unconfirmed theory here is that malware receives DNS replies 21.216.185.67 and 110.4.3.2 and transforms them into 216.185.67.21:443 by transposing 21 for the IP address and by using the following forumula to turn 110.4.3.2 into the port number a.b.c.d - 110.4.3.2, (a*b)+c =443
(Many thanks To Scott D. for clueing me in about such possibility and Jack M for the relevant discussions and ideas).
I think the the benefits of such arrangement would be diversion for the admins (blocking 110.4.3.2 and 21.216.185.67 achieves nothing) and ability to change IP ports by just changing IP address on their domain in Changeip.com.

Your thoughts or othes theories are welcome. If we confirm anything, we will post the code or additional info.

Traffic. Malware IPs are marked - see picture below

DNS query for ftp.jlesher.xxuz.com returns 21.216.185.67
21.216.185.67 is http://www.dnsstuff.com/tools/whois/?tool_id=66&token=&toolhandler_redirect=0&ip=21.216.185.67

DoD Network Information Center is Department of Defense http://www.nic.mil/

DoD Network Information Center Mission Statement:To provide information and services that are mission critical to the operation of the worldwide IP router Defense Information Systems Network (DISN) and other DoD sponsored networks.

OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 21.0.0.0 - 21.255.255.255
CIDR: 21.0.0.0/8
NetName: DNIC-SNET-021
NetHandle: NET-21-0-0-0-1
**********@nic.milOrgTechHandle: REGIS10-ARINOrgTechName: Registration OrgTechPhone: +1-800-365-3642

General IP Information
Hostname: 61.177.42.5
ISP: Data Communication Division
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Broadband
Assignment: Dynamic IP
Country: China
State/Region: Beijing

OLDER SCANS

VT SCAN JUNE 17 (with minor improvement)
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276774425
File WEO.pdf received on 2010.06.17 11:33:45 (UTC)
Result: 9/41 (21.96%)
a-squared    5.0.0.26    2010.06.17    Exploit.SWF.Agent!IK
AntiVir    8.2.2.6    2010.06.17    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.06.17    Exploit/SWF.Agent
F-Prot    4.6.0.103    2010.06.16    JS/Pdfka.V
Ikarus    T3.1.1.84.0    2010.06.17    Exploit.SWF.Agent
Kaspersky    7.0.0.125    2010.06.17    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.16    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.17    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.17    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972

VT SCAN JUNE 16
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276571931
BitDefender    7.2    2010.06.15    Exploit.SWF.J
F-Prot    4.6.0.103    2010.06.14    JS/Pdfka.V
F-Secure    9.0.15370.0    2010.06.15    Exploit.SWF.J
GData    21    2010.06.15    Exploit.SWF.J
Kaspersky    7.0.0.125    2010.06.15    Exploit.SWF.Agent.dp
Microsoft    1.5802    2010.06.14    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.15    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5   : 81f31e17d97342c8f3700fdd56019972

Pages

Wednesday, June 30, 2010

Monday, June 28, 2010

Sunday, June 27, 2010

Saturday, June 26, 2010

Thursday, June 24, 2010

Tuesday, June 22, 2010

Monday, June 21, 2010

Sunday, June 20, 2010

Monday, June 14, 2010