Update 3 See here http://extraexploit.blogspot.com/search/label/CVE-2009-4324 more about CVE-2009-4324, it is a classic case.
Update2. It certainly does NOT have CVE-2010-1297. Thanks to Tyler McLeod (Vicheck.ca) and Giuseppe Bonfa (evilcry ) for checking and confirmation.
Update. Ok, exploitation of CVE-2010-1297 is debatable. But what is it?
各位師長:
附檔為新修改之中共撤除海峽對岸飛彈的研析
,請查收。
奕伶敬上
--
劉奕伶
國家政策研究基金會
國安組助理研究員
10052台北市杭州南路一段16號4樓
tel: 02-2343-3405
fax: 02-2343-3512
Chinese to English translation 附檔為新修改之中共撤除海峽對岸飛彈的研析
,請查收。
奕伶敬上
--
劉奕伶
國家政策研究基金會
國安組助理研究員
10052台北市杭州南路一段16號4樓
tel: 02-2343-3405
fax: 02-2343-3512
From: YiLing [mailto: Qiying526@ntu.edu.tw]
Sent: Monday, August 16, 2010 4:09 AM
To: adamma0606@mail.faps.org.tw
Subject: Communist China remove missiles across the Strait of Research and Analysis
Members teachers:
Modify the attached file for the new CPC remove missiles across the Straits Research and Analysis
Please check.
Sincerely, Yi Ling
-
Yi-Ling
National Policy Foundation
National security, an assistant researcher
Hangzhou South Road, Taipei 10052 4th Floor, No. 16
tel: 02-2343-3405
fax: 02-2343-3512
Headers
X-MailGates: (mail_type:PASS,2)(compute_score:DELIVER,40,3)Received: from 140.119.166.2
by mg.nccu.edu.tw with MailGates ESMTP Server V2.9(27464:1:AUTH_RELAY)
(envelope-from
Return-Path:
Received: from 140.119.170.173
by nccu.edu.tw with Mail2000 ESMTP Server V4.00M(792:0:AUTH_RELAY)
(envelope-from
Return-Path:
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@nccu212af2ce2>
From: "YiLing"
To:
BCC: XXXXXXXXXXXXXXX
Subject: =?big5?B?pKSmQLpNsKOu/K5sue+ppK24vHWquqzjqlI=?=
Date: Mon, 16 Aug 2010 16:08:59 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000D_01CB3D5D.56D84CE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
Hostname: 140.119.170.173
ISP: MOEC
Organization: National Chengchi University
Assignment: Static IP
Country: Taiwan
File name:ATT72558.pdfhttp://www.virustotal.com/file-scan/report.html?id=cdb9fd9ddbd9cbd8496747a70ae6708d1805a3e684857d5008da46f49cb83170-1282098895
Submission date:2010-08-18 02:34:55 (UTC)
Result:16/ 42 (38.1%)
Authentium 5.2.0.5 2010.08.18 JS/Pdfka.V
Avast 4.8.1351.0 2010.08.17 JS:Pdfka-gen
Avast5 5.0.332.0 2010.08.17 JS:Pdfka-gen
AVG 9.0.0.851 2010.08.17 Exploit.PDF
BitDefender 7.2 2010.08.18 Exploit.PDF-JS.Gen
DrWeb 5.0.2.03300 2010.08.18 Exploit.PDF.1301
Emsisoft 5.0.0.39 2010.08.18 Exploit.JS.Pdfka!IK
eTrust-Vet 36.1.7797 2010.08.17 PDF/CVE-2010-1297.B!exploit - No, it is not
F-Prot 4.6.1.107 2010.08.18 JS/Pdfka.VF-Secure 9.0.15370.0 2010.08.18 Exploit.PDF-JS.Gen
GData 21 2010.08.18 Exploit.PDF-JS.Gen
Ikarus T3.1.1.88.0 2010.08.18 Exploit.JS.Pdfka
Kaspersky 7.0.0.125 2010.08.18 Exploit.JS.Pdfka.cqx
McAfee-GW-Edition 2010.1B 2010.08.18 Heuristic.BehavesLike.PDF.Suspicious.O
Norman 6.05.11 2010.08.17 JS/Shellcode.IZ
nProtect 2010-08-17.01 2010.08.18 Exploit.PDF-JS.Gen
Additional information
MD5 : 6227e1594775773a182e1b631db5f6bb
Vicheck.ca
Exploit call to media.newPlayer CVE-2009-4324 (pdfexploit/full)
REPORT: https://www.vicheck.ca/
=========
Created files
%Tmp%\1.pdf
%Tmp%\hpqimzone.exe
Adobe 8.1
1.pdf (0/42 VT)
hpqimzone.exe
http://www.virustotal.com/file-scan/report.html?id=7f0e5d608fa54e139cf7f7e699b68877f281337b751743c15d08c4359cad6f9a-1282103202
Submission date:2010-08-18 03:46:42 (UTC)
8 /41 (19.5%)
Authentium 5.2.0.5 2010.08.18 W32/Heuristic-245!Eldorado
ClamAV 0.96.2.0-git 2010.08.18 PUA.Packed.ASPack
F-Prot 4.6.1.107 2010.08.18 W32/Heuristic-245!Eldorado
McAfee 5.400.0.1158 2010.08.18 Suspect-D!36EE61663FC4
Microsoft 1.6004 2010.08.18 Backdoor:Win32/Ixeshe.A
Panda 10.0.2.7 2010.08.17 Suspicious file
Sophos 4.56.0 2010.08.18 Mal/PdfExDr-B
TrendMicro 9.120.0.1004 2010.08.17 PAK_Generic.001
MD5 : 36ee61663fc41496642850c4293fed01
Threatexpert report of hpqimzone.exe
http://www.threatexpert.com/report.aspx?md5=36ee61663fc41496642850c4293fed01
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash Alias
1 [file and pathname of the sample #1] 16,384 bytes MD5: 0x36EE61663FC41496642850C4293FED01
SHA-1: 0xE6119E18B54EDB0B87466D2EF3129285EE8925C0 Mal/PdfExDr-B [Sophos]
packed with ASPack [Kaspersky Lab]
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] 45,056 bytes
Registry Modifications
* The newly created Registry Value is:
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ SP = "[file and pathname of the sample #1]"
so that [file and pathname of the sample #1] runs every time Windows starts
* The following ports were open in the system:
Port Protocol Process
1054 TCP [file and pathname of the sample #1]
1055 TCP [file and pathname of the sample #1]
Remote Host Port Number
120.126.34.94 80
* The data identified by the following URL was then requested from the remote web server:
o http://oltnsck.dnsrd.com/AWS96.jsp?8Bl3SGQJ1pvY0=LPI5RVjs9Kh/Dwjs9Kj/DMI5DmIZMmY5+fp8AA
120.126.34.94
Hostname: ymu034-094.ym.edu.tw
ISP: Ministry of Education Computer Center
Organization: Ministry of Education Computer Center
Proxy: None detected
Type: Broadband
Assignment: Static IP
Country: Taiwan
State/Region: T'ai-pei
Appears to be a compromised machine at the university
No comments:
Post a Comment