Monday, June 14, 2010

Jun 14 CVE-2010-1297 PDF Adobe 0-Day WEO from

Adobe will fix this vulnerability on June 29

Many thanks to Scott D, JM, AK1010, and Villy for their information, relevant discussions and ideas, and to Binjo for his shellcode analysis.

Download 81f31e17d97342c8f3700fdd56019972 WEO.pdf + dropped files + shellcode (by Binjo)

Tested on Flash 10.1, Acrobat Reader 9.3.2, Windows XP SP3. It does not work on XP SP2, Vista, or Windows 7.



File WEO.pdf received on 2010.06.22 04:18:27 (UTC)
Result: 13/41 (31.71%)
Antivirus    Version    Last Update    Result
a-squared    2010.06.22    Exploit.SWF.Agent!IK
AntiVir    2010.06.21    EXP/CVE-2010-1297
Antiy-AVL    2010.06.18    Exploit/SWF.Agent
BitDefender    7.2    2010.06.22    Exploit.SWF.J
Comodo    5178    2010.06.22    UnclassifiedMalware
F-Prot    2010.06.21    JS/Pdfka.V
F-Secure    9.0.15370.0    2010.06.22    Exploit.SWF.J
GData    21    2010.06.22    Exploit.SWF.J
Ikarus    T3.    2010.06.22    Exploit.SWF.Agent
Kaspersky    2010.06.22    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.22    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.22    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972

Javascript code snapshot

On Windows XP SP3 there is a slight delay/flicker before the PDF opens the clean decoy file shown below.

The dropped files are the following:
  • 9ED35F49FA4DAF6CAC55E09719C58823 a.pdf - clean decoy file you see on the left
  • D87246D9E33C121C7F2615AE9B64FC9C ProdMgr.exe
  • TEMXX.tmp (where XX is a random number), 380 kb, which is cmd.exe

File ProdMgr.exe received on 2010.06.22 05:01:15 (UTC)
Result: 19/41 (46.35%)
Antivirus     Version     Last Update     Result
a-squared    2010.06.22    Backdoor.Win32.Ixeshe!IK
AhnLab-V3    2010.06.22.00    2010.06.22    Backdoor/Win32.Small
AntiVir    2010.06.21    BDS/Small.jjf
Avast    4.8.1351.0    2010.06.21    Win32:Malware-gen
Avast5    5.0.332.0    2010.06.21    Win32:Malware-gen
AVG    2010.06.21    Small.CCX
BitDefender    7.2    2010.06.22    Trojan.Generic.4211739
Comodo    5178    2010.06.22    Backdoor.Win32.Small.jjf
eSafe    2010.06.20    Win32.Small.Nem
F-Secure    9.0.15370.0    2010.06.22    Trojan.Generic.4211739
GData    21    2010.06.22    Trojan.Generic.4211739
Ikarus    T3.    2010.06.22    Backdoor.Win32.Ixeshe
Kaspersky    2010.06.22    Backdoor.Win32.Small.jjf
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.Win32.PasswordStealer.H
NOD32    5216    2010.06.21    probably a variant of Win32/Small.NEM
nProtect    2010-06-21.01    2010.06.21    Trojan.Generic.4211739
Panda    2010.06.21    Suspicious file
Sunbelt    6483    2010.06.21    Trojan.Win32.Generic!BT
ViRobot    2010.6.21.3896    2010.06.22    Backdoor.Win32.S.Small.30720.E
VirusBuster    2010.06.21    -
Additional information
File size: 30720 bytes
MD5...: d87246d9e33c121c7f2615ae9b64fc9c

older scan

Traffic information
DNS Queries       DNS_TYPE_A       YES       udp      DNS_TYPE_A      YES      udp
TCP Connections

Interesting traffic, really. It looks like they configured their domain name to point to , which you can also see being used by this malware, and is very similar.
I think they just made a typo and directed it to DoD instead of their machine.
Or they temporarily set that domain to (DoD traffic is not suspicious) and will turn it back to the real address when the time is right.

An unconfirmed theory here is that the malware receives DNS replies and transforms them into by transposing 21 for the IP address, and by using the following formula to turn into the port number: a.b.c.d -> (a*b)+c = 443.
(Many thanks to Scott D. for clueing me in about such a possibility and to Jack M for the relevant discussions and ideas.)
I think the benefits of such an arrangement would be a diversion for the admins (blocking and achieves nothing) and the ability to change IP ports by just changing the IP address on their domain in
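As an added illustration of the port theory above (example code, not part of the original post or the malware): a small Python checker that parses a DNS A-record response and applies the (a*b)+c rule to each returned address, flagging answers that would yield the port 443 seen on the wire. The DNS packet, the query name and the addresses are constructed test input; the "transposing 21" address-rewrite step is left out because the post does not spell it out.

```python
import struct

def skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a DNS name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def a_records(pkt: bytes) -> list[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                # skip the question section
        off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return ips

def derived_port(ip: str) -> int:
    """The post's hypothesized mapping: a.b.c.d -> (a*b)+c."""
    a, b, c, _d = (int(x) for x in ip.split("."))
    return a * b + c

def suspicious_replies(pkt: bytes, expected_port: int = 443) -> list[tuple[str, int]]:
    """Flag answers whose derived port equals the port observed in the traffic."""
    return [(ip, derived_port(ip)) for ip in a_records(pkt)
            if derived_port(ip) == expected_port]

def build_response(qname: str, ips: list[str]) -> bytes:
    """Build a minimal DNS response. Constructed test input, not captured traffic."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = name + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        rdata = bytes(int(x) for x in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return hdr + question + answers
```

For instance, a constructed answer of 21.21.2.5 satisfies 21*21+2 = 443 and is flagged, while 21.0.0.1 yields 0 and is not.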

Your thoughts or other theories are welcome. If we confirm anything, we will post the code or additional info.

Traffic. Malware IPs are marked - see picture below

DNS query for returns is

DoD Network Information Center is Department of Defense
DoD Network Information Center Mission Statement:To provide information and services that are mission critical to the operation of the worldwide IP router Defense Information Systems Network (DISN) and other DoD sponsored networks.
OrgName: DoD Network Information Center 
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: -
NetName: DNIC-SNET-021
NetHandle: NET-21-0-0-0-1
**********@nic.mil
OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642

 General IP Information
ISP: Data Communication Division
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Broadband
Assignment: Dynamic IP
Country: China 
State/Region: Beijing


VT SCAN JUNE 17 (with minor improvement)
File WEO.pdf received on 2010.06.17 11:33:45 (UTC)
Result: 9/41 (21.96%)
Antivirus    Version    Last Update    Result
a-squared    2010.06.17    Exploit.SWF.Agent!IK
AntiVir    2010.06.17    EXP/CVE-2010-1297
Antiy-AVL    2010.06.17    Exploit/SWF.Agent
F-Prot    2010.06.16    JS/Pdfka.V
Ikarus    T3.    2010.06.17    Exploit.SWF.Agent
Kaspersky    2010.06.17    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.16    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.17    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.17    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972

BitDefender     7.2     2010.06.15     Exploit.SWF.J
F-Prot     2010.06.14     JS/Pdfka.V
F-Secure     9.0.15370.0     2010.06.15     Exploit.SWF.J
GData     21     2010.06.15     Exploit.SWF.J
Kaspersky     2010.06.15     Exploit.SWF.Agent.dp
Microsoft     1.5802     2010.06.14     Exploit:SWF/CVE-2010-1297.A
Sophos     4.54.0     2010.06.15     Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972
