Adobe will fix this vulnerability on June 29
Many thanks to Scott D, JM, AK1010 and Villy for their information, relevant discussions and ideas, and to Binjo for his shellcode analysis.
Download 81f31e17d97342c8f3700fdd56019972 WEO.pdf + dropped files + shellcode (by Binjo)
Tested on Flash 10.1, Acrobat Reader 9.3.2, Windows XP SP3. It does not work on XP SP2, Vista or Windows 7.
Message:
VT SCAN JUNE 21
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1277107857
File WEO.pdf received on 2010.06.22 04:18:27 (UTC)
Result: 13/41 (31.71%)
Antivirus Version Last Update Result
a-squared 5.0.0.30 2010.06.22 Exploit.SWF.Agent!IK
AntiVir 8.2.2.6 2010.06.21 EXP/CVE-2010-1297
Antiy-AVL 2.0.3.7 2010.06.18 Exploit/SWF.Agent
BitDefender 7.2 2010.06.22 Exploit.SWF.J
Comodo 5178 2010.06.22 UnclassifiedMalware
F-Prot 4.6.1.107 2010.06.21 JS/Pdfka.V
F-Secure 9.0.15370.0 2010.06.22 Exploit.SWF.J
GData 21 2010.06.22 Exploit.SWF.J
Ikarus T3.1.1.84.0 2010.06.22 Exploit.SWF.Agent
Kaspersky 7.0.0.125 2010.06.22 Exploit.SWF.Agent.dp
McAfee-GW-Edition 2010.1 2010.06.21 Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft 1.5902 2010.06.22 Exploit:SWF/CVE-2010-1297.A
Sophos 4.54.0 2010.06.22 Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972
Javascript code snapshot
On Windows XP SP3 there is a slight delay/flicker before the PDF opens the clean decoy file shown below.
The dropped files are the following:
- 9ED35F49FA4DAF6CAC55E09719C58823 a.pdf - clean decoy file you see on the left
- D87246D9E33C121C7F2615AE9B64FC9C ProdMgr.exe
- TEMXX.tmp (Where XX is a random number) 380 kb, which is cmd.exe
File ProdMgr.exe received on 2010.06.22 05:01:15 (UTC)
http://www.virustotal.com/analisis/e2252eda0fdee991ecf2448d35ef33555de06f25c48827beb46bbebc2bf96bb6-1277182875
Result: 19/41 (46.35%)
Antivirus Version Last Update Result
a-squared 5.0.0.30 2010.06.22 Backdoor.Win32.Ixeshe!IK
AhnLab-V3 2010.06.22.00 2010.06.22 Backdoor/Win32.Small
AntiVir 8.2.2.6 2010.06.21 BDS/Small.jjf
Avast 4.8.1351.0 2010.06.21 Win32:Malware-gen
Avast5 5.0.332.0 2010.06.21 Win32:Malware-gen
AVG 9.0.0.787 2010.06.21 Small.CCX
BitDefender 7.2 2010.06.22 Trojan.Generic.4211739
Comodo 5178 2010.06.22 Backdoor.Win32.Small.jjf
eSafe 7.0.17.0 2010.06.20 Win32.Small.Nem
F-Secure 9.0.15370.0 2010.06.22 Trojan.Generic.4211739
GData 21 2010.06.22 Trojan.Generic.4211739
Ikarus T3.1.1.84.0 2010.06.22 Backdoor.Win32.Ixeshe
Kaspersky 7.0.0.125 2010.06.22 Backdoor.Win32.Small.jjf
McAfee-GW-Edition 2010.1 2010.06.21 Heuristic.BehavesLike.Win32.PasswordStealer.H
NOD32 5216 2010.06.21 probably a variant of Win32/Small.NEM
nProtect 2010-06-21.01 2010.06.21 Trojan.Generic.4211739
Panda 10.0.2.7 2010.06.21 Suspicious file
Sunbelt 6483 2010.06.21 Trojan.Win32.Generic!BT
ViRobot 2010.6.21.3896 2010.06.22 Backdoor.Win32.S.Small.30720.E
VirusBuster 5.0.27.0 2010.06.21 -
Additional information
File size: 30720 bytes
MD5...: d87246d9e33c121c7f2615ae9b64fc9c
older scan
http://anubis.iseclab.org/?action=result&task_id=103e66936121161044dbaae530a892283&format=html
=============================================
Traffic information
DNS Queries
ftp.jlesher.xxuz.com DNS_TYPE_A 21.216.185.67 YES udp
www.jlesher.xxuz.com DNS_TYPE_A 110.4.3.2 YES udp
TCP Connections
216.185.67.21:443
Interesting traffic, really. Looks like they configured their Changeip.com domain name ftp.jlesher.xxuz.com to point to 21.216.185.67.
216.185.67.21, which you can see also being used by this malware, is very similar.
I think they just made a typo and directed it to DoD instead of their machine.
Or they temporarily set that domain to 21.216.185.67 (DoD traffic is not suspicious) and will turn it back to the real address when the time is right.
Unconfirmed theory here is that the malware receives the DNS replies 21.216.185.67 and 110.4.3.2 and transforms them into 216.185.67.21:443: the leading octet 21 of the first address is moved to the end to give the IP address, and the second address, written as a.b.c.d = 110.4.3.2, is turned into the port number with the formula (a*b)+c = 110*4+3 = 443.
(Many thanks To Scott D. for clueing me in about such possibility and Jack M for the relevant discussions and ideas).
I think the benefits of such an arrangement would be diversion for the admins (blocking 110.4.3.2 and 21.216.185.67 achieves nothing) and the ability to change IP ports by just changing the IP address on their domain in Changeip.com.
Your thoughts or other theories are welcome. If we confirm anything, we will post the code or additional info.
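To make the theory above concrete, here is an added example (my own code, not code from the post or from the sample) that derives the endpoint from the two A-record answers and checks it against the TCP connections a sandbox reported, the way an analyst would correlate DNS and connection logs before deciding what to block. The log lines are constructed from the addresses quoted above, and the function names are my own.

```python
import ipaddress

# Constructed sample records, modelled on the DNS query and TCP connection
# lines quoted in the post (not a capture from the sample's sandbox run).
DNS_LOG = [
    "ftp.jlesher.xxuz.com DNS_TYPE_A 21.216.185.67 YES udp",
    "www.jlesher.xxuz.com DNS_TYPE_A 110.4.3.2 YES udp",
]
TCP_LOG = [
    "216.185.67.21:443",  # the connection the sandbox reported
    "110.4.3.2:80",       # constructed decoy: contacting a resolved address directly
]


def octets(ip):
    """Validate a dotted-quad IPv4 string and return its four octets as ints."""
    return tuple(int(x) for x in ipaddress.IPv4Address(ip).exploded.split("."))


def rotate_octets(ip):
    """Move the leading octet to the end: 21.216.185.67 -> 216.185.67.21."""
    a, b, c, d = octets(ip)
    return f"{b}.{c}.{d}.{a}"


def derive_port(ip):
    """Port = a*b + c over the octets a.b.c.d: 110.4.3.2 -> 110*4 + 3 = 443."""
    a, b, c, _ = octets(ip)
    port = a * b + c
    if not 1 <= port <= 65535:
        raise ValueError(f"derived port {port} is not a valid TCP port")
    return port


def parse_dns_log(lines):
    """Map each queried name to its A-record answer (other record types ignored)."""
    answers = {}
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "DNS_TYPE_A":
            answers[parts[0]] = parts[2]
    return answers


def parse_tcp_log(lines):
    """Turn 'host:port' lines into (host, port) tuples."""
    connections = []
    for line in lines:
        host, _, port = line.strip().rpartition(":")
        connections.append((host, int(port)))
    return connections


def derive_endpoint(answers, ip_name, port_name):
    """Build the (host, port) endpoint the theory predicts from two answers."""
    return rotate_octets(answers[ip_name]), derive_port(answers[port_name])


def find_matches(dns_lines, tcp_lines, ip_name, port_name):
    """Return observed connections equal to the predicted endpoint.

    A non-empty result means the traffic is consistent with the theory; it
    does not prove it, since the same endpoint could simply be hard-coded.
    """
    answers = parse_dns_log(dns_lines)
    predicted = derive_endpoint(answers, ip_name, port_name)
    return [conn for conn in parse_tcp_log(tcp_lines) if conn == predicted]


if __name__ == "__main__":
    hits = find_matches(DNS_LOG, TCP_LOG,
                        "ftp.jlesher.xxuz.com", "www.jlesher.xxuz.com")
    for host, port in hits:
        print(f"observed {host}:{port} matches the endpoint derived from DNS")
```

If the theory holds, the two resolved addresses are never contacted, so a block on them changes nothing; the useful indicators are the domain names being queried and the derived endpoint, and the derived port should be sanity-checked because an attacker-controlled answer can produce a value outside the valid range.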
Traffic. Malware IPs are marked - see picture below
DNS query for ftp.jlesher.xxuz.com returns 21.216.185.67
21.216.185.67 is:
http://www.dnsstuff.com/tools/whois/?tool_id=66&token=&toolhandler_redirect=0&ip=21.216.185.67
DoD Network Information Center Mission Statement: To provide information and services that are mission critical to the operation of the worldwide IP router Defense Information Systems Network (DISN) and other DoD sponsored networks.
OrgName:
DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 21.0.0.0 - 21.255.255.255
CIDR: 21.0.0.0/8
NetName: DNIC-SNET-021
NetHandle: NET-21-0-0-0-1
**********@nic.mil
OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642
General IP Information
Hostname: 61.177.42.5
ISP: Data Communication Division
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Broadband
Assignment: Dynamic IP
Country: China
State/Region: Beijing
OLDER SCANS
VT SCAN JUNE 17 (with minor improvement)
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276774425
File WEO.pdf received on 2010.06.17 11:33:45 (UTC)
Result: 9/41 (21.96%)
Antivirus Version Last Update Result
a-squared 5.0.0.26 2010.06.17 Exploit.SWF.Agent!IK
AntiVir 8.2.2.6 2010.06.17 EXP/CVE-2010-1297
Antiy-AVL 2.0.3.7 2010.06.17 Exploit/SWF.Agent
F-Prot 4.6.0.103 2010.06.16 JS/Pdfka.V
Ikarus T3.1.1.84.0 2010.06.17 Exploit.SWF.Agent
Kaspersky 7.0.0.125 2010.06.17 Exploit.SWF.Agent.dp
McAfee-GW-Edition 2010.1 2010.06.16 Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft 1.5902 2010.06.17 Exploit:SWF/CVE-2010-1297.A
Sophos 4.54.0 2010.06.17 Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972
VT SCAN JUNE 16
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276571931
Antivirus Version Last Update Result
BitDefender 7.2 2010.06.15 Exploit.SWF.J
F-Prot 4.6.0.103 2010.06.14 JS/Pdfka.V
F-Secure 9.0.15370.0 2010.06.15 Exploit.SWF.J
GData 21 2010.06.15 Exploit.SWF.J
Kaspersky 7.0.0.125 2010.06.15 Exploit.SWF.Agent.dp
Microsoft 1.5802 2010.06.14 Exploit:SWF/CVE-2010-1297.A
Sophos 4.54.0 2010.06.15 Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972