CVE-2010-2883 Security Advisory for Adobe Reader and Acrobat
A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
Download RL33536.pdf and dropped files as a password protected archive (contact me if you need the password)
1. The Adobe PSIRT team confirmed that the attached exploit PDF is indeed for the CVE-2010-2883 vulnerability and that their next update on October 4 will protect from a PDF like this one.
2. The message is from a Gmail account, but it is crafted to appear like a forwarded message from a CRS researcher. The real report with the researcher's name is published online, and this is probably where they got the information.
(thanks to @xanda for sending the link to the report)
3. The pdf appears to be generated with Metasploit. (thanks to villy for the clue)
From: Davis L.M. [mailto:sara.ml.davis@gmail.com]
Sent: Tuesday, September 14, 2010 10:11 AM
To: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Subject: Fwd: China-U.S. Trade Issues
---------- Forwarded message ----------
From: Wayne M. Morrison
Date: 2010/9/14
Subject: China-U.S. Trade Issues
To: sara.ml.davis@gmail.com
FYI.
Wayne M. Morrison
Congressional Research Service
Specialist in Asian Trade and Finance
File name:
RL33536.pdf
http://www.virustotal.com/file-scan/report.html?id=3b3f0813353fbd0fa056875e66b1319feb4cbe692b6b31b6cad3f4d33d94874e-1284551305
14 /43 (32.6%)
AntiVir 8.2.4.52 2010.09.15 HEUR/HTML.Malware
Avast 4.8.1351.0 2010.09.15 JS:Pdfka-gen
Avast5 5.0.594.0 2010.09.15 JS:Pdfka-gen
BitDefender 7.2 2010.09.15 Exploit.PDF-JS.Gen
F-Secure 9.0.15370.0 2010.09.15 Exploit.PDF-JS.Gen
GData 21 2010.09.15 Exploit.PDF-JS.Gen
Kaspersky 7.0.0.125 2010.09.15 Exploit.Win32.CVE-2010-2883.a
McAfee-GW-Edition 2010.1B 2010.09.15 Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft 1.6103 2010.09.15 Exploit:Win32/Pdfjsc.HX
NOD32 5452 2010.09.15 PDF/Exploit.Gen
Norman 6.06.06 2010.09.14 PDF/Suspicious.D
nProtect 2010-09-15.01 2010.09.15 Exploit.PDF-Name.Gen
Panda 10.0.2.7 2010.09.14 Exploit/PDF.Exploit
Sophos 4.57.0 2010.09.15 Mal/JSShell-B
MD5 : eed8e7000326b8a3c3f234db361c862a
SHA1 : 02f3add91309c1735807336271b5c4c38ddd9a74
SHA256: 3b3f0813353fbd0fa056875e66b1319feb4cbe692b6b31b6cad3f4d33d94874e
Headers are from Gmail, not very useful here
Received: by 10.224.28.77 with SMTP id l13mr8958qac.375.1284473462500; Tue, 14
Sep 2010 07:11:02 -0700 (PDT)
Received: by 10.229.62.197 with HTTP; Tue, 14 Sep 2010 07:11:02 -0700 (PDT)
In-Reply-To: <4c8f76b1.0b3e8e0a.14f7.ffff93dbSMTPIN_ADDED@mx.google.com>
References: <4c8f76b1.0b3e8e0a.14f7.ffff93dbSMTPIN_ADDED@mx.google.com>
Date: Tue, 14 Sep 2010 22:11:02 +0800
Message-ID:
Subject: Fwd: China-U.S. Trade Issues
From: "Davis L.M."
To: XXXXXXXXXXXXXXXXXXX
Content-Type: multipart/mixed; boundary="0015175caa2474b688049038c879"
Tested on Windows XP SP2, Adobe Reader 9.3.4
Created files
http://anubis.iseclab.org/?action=result&task_id=14b8b6613d6a722a4114cd33bfd1e4cb9&format=html
File: AcroRd32.exe Size: 52992 MD5: 5EED0E486855A8C69A9D3FA2F0832537
http://www.virustotal.com/file-scan/report.html?id=b26edc4d89e01db3cfea446ed8f8a86a23c1aab07b5bd70b6136f3b5b74442ea-1284615332
AcroRd32.exe
12/ 43 (27.9%)
AhnLab-V3 2010.09.16.00 2010.09.15 Win-Trojan/Agent.52992
AntiVir 8.2.4.52 2010.09.15 BDS/Delf.ukq.5
Antiy-AVL 2.0.3.7 2010.09.16 Backdoor/Win32.Delf
DrWeb 5.0.2.03300 2010.09.16 BackDoor.Siggen.26402
Ikarus T3.1.1.88.0 2010.09.16 Trojan-Dropper.Delf
Jiangmin 13.0.900 2010.09.15 Backdoor/Delf.wee
Kaspersky 7.0.0.125 2010.09.16 Backdoor.Win32.Delf.ukq
McAfee 5.400.0.1158 2010.09.16 Artemis!5EED0E486855
McAfee-GW-Edition 2010.1C 2010.09.15 Artemis!5EED0E486855
nProtect 2010-09-16.01 2010.09.16 Backdoor/W32.Agent.52992.B
TheHacker 6.7.0.0.020 2010.09.16 Backdoor/Delf.ukq
VBA32 3.12.14.0 2010.09.15 Backdoor.Win32.Delf.ukq
MD5 : 5eed0e486855a8c69a9d3fa2f0832537
AcroRd32.exe installs a backdoor service and self-deletes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
Error Reporting Service
Allows error reporting for services and applictions running in non-standard environments.
Service is stopped after it gets installed and starts after a reboot.
http://www.virustotal.com/file-scan/report.html?id=ee44670a9ad4d33ee20ca3a78f4e3ce5c9a40dbe4364929c1d85848c4fd52b8f-1284609622
AhnLab-V3 2010.09.16.00 2010.09.15 Win-Trojan/Agent.29184.AIN
Avast 4.8.1351.0 2010.09.15 Win32:Malware-gen
Avast5 5.0.594.0 2010.09.15 Win32:Malware-gen
AVG 9.0.0.851 2010.09.15 Small.CDB
BitDefender 7.2 2010.09.16 Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
Comodo 6093 2010.09.16 TrojWare.Win32.PSW.Kates.ABC
F-Secure 9.0.15370.0 2010.09.16 Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
GData 21 2010.09.16 Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
Norman 6.06.06 2010.09.15 W32/Suspicious_Gen2.BIWYN
nProtect 2010-09-15.01 2010.09.15 Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
TheHacker 6.7.0.0.019 2010.09.16 Backdoor/Delf.wkg
MD5 : ca1eaf384d1596b8e8d8c8ef2496f01e
The interesting part is the link between this udsrdi.dll and vcmdbg.dll from the previous (non-0day) post, "Sep 09 CVE-2009-4324 + CVE-2010-1297 + CVE-2009-0927 PDF U.S. economy slips from spoofed henryAron@brookings.org 210.64.253.96". The link is the strings; compare the two dumps below.
File: udsrdi.dll
MD5: ca1eaf384d1596b8e8d8c8ef2496f01e
Size: 29184
Ascii Strings:
---------------------------------------------------------------------------
This program must be run under Win32
CODE
`DATA
.idata
.edata
P.reloc
ZYYd
ZYYd
SYSTEM\CurrentControlSet\Services\
HARDWARE\DESCRIPTION\System\CentralProcessor\0
LinksName
LinksFile
POST / HTTP/1.1
Host: ILoveYou
Content-Length: 2047483648
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 2047483648
Pragma: no-cache
vcmdbg.dll from Sep 09 CVE-2009-4324 + CVE-2010-1297 + CVE-2009-0927 PDF U.S. economy slips from spoofed henryAron@brookings.org 210.64.253.96
File: vcmdbg.dll
MD5: 2185845c8489e637d963217d4f35842e
Size: 29184
Ascii Strings:
---------------------------------------------------------------------------
This program must be run under Win32
CODE
`DATA
.idata
.edata
P.reloc
ZYYd
ZYYd
SYSTEM\CurrentControlSet\Services\
HARDWARE\DESCRIPTION\System\CentralProcessor\0
LinksName
LinksFile
POST / HTTP/1.1
Host: ILoveYou
Content-Length: 2047483648
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 2047483648
Pragma: no-cache
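Both DLLs carry the same hard-coded beacon: a POST / with Host: ILoveYou and an absurd Content-Length of 2047483648. As an added detection example (not code from the original post), the Python below parses raw HTTP requests and flags that beacon shape; the two sample requests and the plausibility threshold are constructed here, not taken from a capture.

```python
"""Flag the fake-HTTP beacon shape seen in the udsrdi.dll / vcmdbg.dll strings."""
from typing import Dict, List

# Constructed sample traffic (assumption, not a capture from the post):
# one request shaped like the DLL strings, one ordinary browser request.
SAMPLE_REQUESTS = [
    b"POST / HTTP/1.1\r\nHost: ILoveYou\r\nContent-Length: 2047483648\r\n"
    b"Cache-Control: no-cache\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",
]

# Host values lifted from the strings dumps above.
SUSPICIOUS_HOSTS = {"iloveyou"}
# A client declaring more than 1 GiB of body on a bare POST / is implausible
# (threshold is an assumption for this example).
MAX_PLAUSIBLE_CONTENT_LENGTH = 1 << 30


def parse_request(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.1 request head into request-line fields and headers.
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    fields = {"method": method, "target": target, "version": version}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields


def beacon_indicators(raw: bytes) -> List[str]:
    """Return a list of reasons this request looks like the DLL beacon
    (empty list means nothing matched)."""
    req = parse_request(raw)
    hits = []
    host = req.get("host", "")
    if host.lower() in SUSPICIOUS_HOSTS:
        hits.append(f"Host header {host!r} matches the hard-coded beacon string")
    length = req.get("content-length", "")
    if length.isdigit() and int(length) > MAX_PLAUSIBLE_CONTENT_LENGTH:
        hits.append(f"implausible Content-Length {length} on {req['method']} {req['target']}")
    if req["method"] == "POST" and req["target"] == "/" and "user-agent" not in req:
        hits.append("bare POST / with no User-Agent header")
    return hits


if __name__ == "__main__":
    for sample in SAMPLE_REQUESTS:
        print(sample.split(b"\r\n", 1)[0].decode(), "->", beacon_indicators(sample))
```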
Initial traffic information
85.221.23.10 NEWS.UCPARLNET.COM (compare to 202.67.231.251 CHECKERROR.UCPARLNET.COM (screenshot) from the Sep 09 post "CVE-2009-4324 + CVE-2010-1297 + CVE-2009-0927 PDF U.S. economy slips from spoofed henryAron@brookings.org 210.64.253.96")
Hostname: nsm3.direkte.no
ISP: Ventelo Norge AS
Organization: Direkte Nettlosninger
Assignment: Static IP
Country: Norway
State/Region: Sor-Trondelag
City: Ålen