Jul 28 CVE-2009-4324 PDF 990729 Summary of Network Intelligence from ljw@gsn.gov.tw 210.69.115.235

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

 Download 738af108a6edd46536492b1782589a04 -990729.pdf as a password protected archive (contact me if you need the password)

From: ljw [mailto:ljw@gsn.gov.tw]
Sent: Wednesday, July 28, 2010 11:24 PM
To: agefr6nt@yahoo.com.tw
Subject: 990729網情彙編

 From: ljw [mailto: ljw@gsn.gov.tw]Sent: Wednesday, July 28, 2010 11:24 PMTo: agefr6nt@yahoo.com.twSubject: 990729  Summary of Network Intelligence

Headers

Received: from mail2000.tccg.gov.tw (HELO mail2000.tccg.gov.tw) (210.69.115.235)
  by XXXXXXXXXXXXX
Received: from 192.168.4.154
    by mail2000.tccg.gov.tw with Mail2000 ESMTP Server V4.00S(4662:0:AUTH_LOGIN)
    (envelope-from ); Thu, 29 Jul 2010 17:28:08 +0800 (CST)
Return-Path:
Message-ID: <1975e5623c$23fce32a$0ae1d8b4@nccu212af2ce2>
From: "ljw"
To: ,
BCC:XXXXXXXXXXX
Subject: =?big5?B?OTkwNzI5uvSxobdKvXM=?=
Date: Thu, 29 Jul 2010 11:24:22 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0033_01CB2F10.990CB480"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
 (210.69.115.235)
Hostname:    mail2000.tccg.gov.tw
ISP:    GSN, Taiwan Government Service Network.
Organization:    Taichung City Government
Country:    Taiwan

File name:
http://www.virustotal.com/file-scan/report.html?id=c1d9cd02799bbb45aa6a37a16f2da1dca86f55e474b0a33e0034232c176b5f99-1280460987
-990729.pdf
Submission date:
2010-07-30 05:36:27 (UTC)
12 /42 (28.6%)
Authentium     5.2.0.5     2010.07.30     JS/Pdfka.V
Avast     4.8.1351.0     2010.07.30     JS:Pdfka-gen
Avast5     5.0.332.0     2010.07.30     JS:Pdfka-gen
AVG     9.0.0.851     2010.07.29     Exploit.PDF
BitDefender     7.2     2010.07.30     Exploit.PDF-JS.Gen
eTrust-Vet     36.1.7750     2010.07.30     PDF/CVE-2010-1297.B!exploit  - NOT
F-Prot     4.6.1.107     2010.07.30     JS/Pdfka.V
F-Secure     9.0.15370.0     2010.07.30     Exploit.PDF-JS.Gen
GData     21     2010.07.30     Exploit.PDF-JS.Gen
McAfee-GW-Edition     2010.1     2010.07.29     Heuristic.BehavesLike.PDF.Suspicious.O
Norman     6.05.11     2010.07.29     JS/Shellcode.IZ
nProtect     2010-07-30.01     2010.07.30     Exploit.PDF-JS.Gen
Additional information
Show all
MD5   : 738af108a6edd46536492b1782589a04

==============================================================

Windows XP SP2 Adobe Reader 9.1

Files created

%tmp%\jqc.exe

%tmp%\1,pdf 

1.pdf
http://www.virustotal.com/file-scan/report.html?id=26a0711f9cb1dc0d53e524ed9b90f3356c8e5c4c4b6da942d8371662e800fcd5-1282796454

jqc.exe

http://www.virustotal.com/file-scan/report.html?id=7224943665fb630f371aeef1f8d6402ce4e53150c1fd8ff044977c659b514fdd-1282796115
AntiVir 8.2.4.38 2010.08.25 BDS/Ixeshe.A.20
Authentium 5.2.0.5 2010.08.26 W32/Heuristic-245!Eldorado
Avast 4.8.1351.0 2010.08.25 Win32:Rootkit-gen
Avast5 5.0.594.0 2010.08.25 Win32:Rootkit-gen
BitDefender 7.2 2010.08.26 Trojan.Generic.4549982
CAT-QuickHeal 11.00 2010.08.24 Backdoor.Ixeshe.a
ClamAV 0.96.2.0-git 2010.08.26 PUA.Packed.ASPack
Emsisoft 5.0.0.37 2010.08.26 Backdoor.Win32.Ixeshe!IK
F-Prot 4.6.1.107 2010.08.26 W32/Heuristic-245!Eldorado
F-Secure 9.0.15370.0 2010.08.26 Trojan.Generic.4549982
Fortinet 4.1.143.0 2010.08.25 W32/PdfExDr.B!tr
GData 21 2010.08.26 Trojan.Generic.4549982
Ikarus T3.1.1.88.0 2010.08.26 Backdoor.Win32.Ixeshe
Microsoft 1.6103 2010.08.25 Backdoor:Win32/Ixeshe.A
NOD32 5397 2010.08.25 probably a variant of Win32/Ixeshe.A
nProtect 2010-08-25.02 2010.08.25 Trojan.Generic.4549982
Panda 10.0.2.7 2010.08.25 Trj/CI.A
PCTools 7.0.3.5 2010.08.26 Trojan.Gen
Sophos 4.56.0 2010.08.26 Mal/PdfExDr-B
Sunbelt 6795 2010.08.26 Trojan.Win32.Generic!BT
Symantec 20101.1.1.7 2010.08.26 Trojan.Gen
TrendMicro 9.120.0.1004 2010.08.26 TSPY_AGENT.AVEP
TrendMicro-HouseCall 9.120.0.1004 2010.08.26 TSPY_AGENT.AVEP
VBA32 3.12.14.0 2010.08.25 Trojan-Downloader.Dreamtouch.xb
VirusBuster 5.0.27.0 2010.08.25 Trojan.Ixeshe.Z
Additional informationShow all 
MD5   : d27e5643f1e5422be6cba2d98506ebbf

• CWanalysis http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=69268965&cs=EAFC7E20EB976E4A740E9C95F733A8C2
• Threatexpert report http://www.threatexpert.com/report.aspx?md5=d27e5643f1e5422be6cba2d98506ebbf

120.126.54.189
Hostname:    ymu054-189.ym.edu.tw
ISP:    Ministry of Education Computer Center
Organization:    Ministry of Education Computer Center
Country:    Taiwan

• Outgoing Connections






• HTTP Data






• Method: GET
• Url: 120.126.54.189/AWS7838.jsp?2al314Le1g0315QgjaZ/I5Rojs9Khs9fI/xoIOmM=k+ojnhT
• HTTP Version: HTTP/1.1




• Header Data





• x_bigfix_client_string: 2al314Le1g0315QgjaZ/qDAA
• User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
• Host: oltnsck.dnsrd.com
• Connection: Keep-Alive

 http://www.robtex.com/dns/oltnsck.dnsrd.com.html

oltnsck.dnsrd.com

Incoming mail for oltnsck.dnsrd.com is handled by one mail server at dnsrd.com. Oltnsck.dnsrd.com has one IP number (120.126.34.94) , but the reverse is ymu034-094.ym.edu.tw.

Ymu034-094.ym.edu.tw point to the same IP. Oltnsck.dnsrd.com use this as a mail server.

dnsrd.com

Dnsrd.com is a domain controlled by three name servers at changeip.org. Two of them are on the same IP network. The primary name server is ns3.changeip.org. Incoming mail for dnsrd.com is handled by one mail server at changeip.com. Dnsrd.com has one IP number (204.16.173.30).

More information

oltnsck.dnsrd.com is hosted on a server in Taiwan

Transport Protocol: TCP
Remote Address: 140.112.155.252
Remote Port: 80
Protocol: HTTP
Connection Established: 0
Socket: 2020


Hostname:    140.112.155.252
ISP:    National Taiwan University

Organization:    National Taiwan University
Country:    Taiwan