Monday, August 16, 2010

Aug 16 CVE-2009-4324 PDF Communist China remove missiles from (

Update 3  See here more about CVE-2009-4324, it is a classic case. 

Update2. It certainly does NOT have CVE-2010-1297. Thanks to Tyler McLeod ( and Giuseppe Bonfa (evilcry ) for checking and confirmation.The presence of j_exp function made it similar to other files exploiting CVE-2010-1297 but this one has just this piece of code without apparent reason (malware writer mistake?) It is also not clear why it is checking versions.

Update. Ok, exploitation of CVE-2010-1297 is debatable. But what is it? 

Download :ATT72558.pdf 6227e1594775773a182e1b631db5f6bb as a password protected archive (contact me if you need the password)




tel: 02-2343-3405
fax: 02-2343-3512
Chinese to English translation 
From: YiLing [mailto:]
Sent: Monday, August 16, 2010 4:09 AM
Subject: Communist China remove missiles across the Strait of Research and Analysis

Members teachers:

Modify the attached file for the new CPC remove missiles across the Straits Research and Analysis
Please check.

Sincerely, Yi Ling
National Policy Foundation
National security, an assistant researcher
Hangzhou South Road, Taipei 10052 4th Floor, No. 16
tel: 02-2343-3405
fax: 02-2343-3512

X-MailGates: (mail_type:PASS,2)(compute_score:DELIVER,40,3)
Received: from
    by with MailGates ESMTP Server V2.9(27464:1:AUTH_RELAY)
    (envelope-from ); Tue, 17 Aug 2010 09:59:54 +0800 (CST)
Received: from
    by with Mail2000 ESMTP Server V4.00M(792:0:AUTH_RELAY)
    (envelope-from ); Tue, 17 Aug 2010 09:59:53 +0800 (CST)
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@nccu212af2ce2>
From: "YiLing"
To: ,
Subject: =?big5?B?pKSmQLpNsKOu/K5sue+ppK24vHWquqzjqlI=?=
Date: Mon, 16 Aug 2010 16:08:59 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579

Organization:    National Chengchi University
Assignment:    Static IP
Country:    Taiwan

File name:ATT72558.pdf
Submission date:2010-08-18 02:34:55 (UTC)
Result:16/ 42 (38.1%)
Authentium    2010.08.18    JS/Pdfka.V
Avast    4.8.1351.0    2010.08.17    JS:Pdfka-gen
Avast5    5.0.332.0    2010.08.17    JS:Pdfka-gen
AVG    2010.08.17    Exploit.PDF
BitDefender    7.2    2010.08.18    Exploit.PDF-JS.Gen
DrWeb    2010.08.18    Exploit.PDF.1301
Emsisoft    2010.08.18    Exploit.JS.Pdfka!IK
eTrust-Vet    36.1.7797    2010.08.17    PDF/CVE-2010-1297.B!exploit  - No, it is not
F-Prot    2010.08.18    JS/Pdfka.V
F-Secure    9.0.15370.0    2010.08.18    Exploit.PDF-JS.Gen
GData    21    2010.08.18    Exploit.PDF-JS.Gen
Ikarus    T3.    2010.08.18    Exploit.JS.Pdfka
Kaspersky    2010.08.18    Exploit.JS.Pdfka.cqx
McAfee-GW-Edition    2010.1B    2010.08.18    Heuristic.BehavesLike.PDF.Suspicious.O
Norman    6.05.11    2010.08.17    JS/Shellcode.IZ
nProtect    2010-08-17.01    2010.08.18    Exploit.PDF-JS.Gen
Additional information
MD5   : 6227e1594775773a182e1b631db5f6bb
Exploit call to media.newPlayer CVE-2009-4324 (pdfexploit/full)

 CVE-2009-4324 and CVE-2010-1297   

Created files

Adobe 8.1

Adobe 9.1
1.pdf (0/42 VT)

Submission date:2010-08-18 03:46:42 (UTC)
8 /41 (19.5%)
Authentium     2010.08.18     W32/Heuristic-245!Eldorado
ClamAV     2010.08.18     PUA.Packed.ASPack
F-Prot     2010.08.18     W32/Heuristic-245!Eldorado
McAfee     5.400.0.1158     2010.08.18     Suspect-D!36EE61663FC4
Microsoft     1.6004     2010.08.18     Backdoor:Win32/Ixeshe.A
Panda     2010.08.17     Suspicious file
Sophos     4.56.0     2010.08.18     Mal/PdfExDr-B
TrendMicro     2010.08.17     PAK_Generic.001
MD5   : 36ee61663fc41496642850c4293fed01
Threatexpert report of hpqimzone.exe
File System Modifications

    * The following file was created in the system:

#    Filename(s)    File Size    File Hash    Alias
1     [file and pathname of the sample #1]     16,384 bytes     MD5: 0x36EE61663FC41496642850C4293FED01

SHA-1: 0xE6119E18B54EDB0B87466D2EF3129285EE8925C0     Mal/PdfExDr-B [Sophos]
packed with ASPack [Kaspersky Lab]

    Memory Modifications

    * There was a new process created in the system:

Process Name    Process Filename    Main Module Size
[filename of the sample #1]    [file and pathname of the sample #1]    45,056 bytes

    Registry Modifications

    * The newly created Registry Value is:
          o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
                + SP = "[file and pathname of the sample #1]"

            so that [file and pathname of the sample #1] runs every time Windows starts

    * The following ports were open in the system:
Port    Protocol    Process
1054    TCP    [file and pathname of the sample #1]
1055    TCP    [file and pathname of the sample #1]

Remote Host    Port Number    80

    * The data identified by the following URL was then requested from the remote web server:
ISP:    Ministry of Education Computer Center
Organization:    Ministry of Education Computer Center
Proxy:    None detected
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan
State/Region:    T'ai-pei

Appears to be a compromised machine at the university

No comments:

Post a Comment