Pages

Thursday, September 16, 2010

Sep14 CVE-2010-2883 Adobe 0-Day Fwd: China-U.S. Trade Issues from sara.ml.davis@gmail.com



Download  RL33536.pdf and dropped files  as a password protected archive (contact me if you need the password)



1. Adobe PSIRT team confirmed that the attached exploit pdf is indeed for CVE-2010-2883 vulnerability and that their next update on October 4 will protect from a pdf like this one.

2. The message is from a gmail account but it is crafted to appear like a forwarded message by a CRS researcher. The real report with the researcher's name is published online and this is where they probably got the information.
(thanks to @xanda for sending the link to the report)

3. The pdf appears to be generated with Metasploit. (thanks to villy for the clue)

From: Davis L.M. [mailto:sara.ml.davis@gmail.com]
Sent: Tuesday, September 14, 2010 10:11 AM
To: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Subject: Fwd: China-U.S. Trade Issues

---------- Forwarded message ----------
From: Wayne M. Morrison
Date: 2010/9/14
Subject: China-U.S. Trade Issues
To: sara.ml.davis@gmail.com


FYI.

Wayne M. Morrison
Congressional Research Service
Specialist in Asian Trade and Finance




 File name:
RL33536.pdf
http://www.virustotal.com/file-scan/report.html?id=3b3f0813353fbd0fa056875e66b1319feb4cbe692b6b31b6cad3f4d33d94874e-1284551305
14 /43 (32.6%)
AntiVir     8.2.4.52     2010.09.15     HEUR/HTML.Malware
Avast     4.8.1351.0     2010.09.15     JS:Pdfka-gen
Avast5     5.0.594.0     2010.09.15     JS:Pdfka-gen
BitDefender     7.2     2010.09.15     Exploit.PDF-JS.Gen
F-Secure     9.0.15370.0     2010.09.15     Exploit.PDF-JS.Gen
GData     21     2010.09.15     Exploit.PDF-JS.Gen
Kaspersky     7.0.0.125     2010.09.15     Exploit.Win32.CVE-2010-2883.a
McAfee-GW-Edition     2010.1B     2010.09.15     Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft     1.6103     2010.09.15     Exploit:Win32/Pdfjsc.HX
NOD32     5452     2010.09.15     PDF/Exploit.Gen
Norman     6.06.06     2010.09.14     PDF/Suspicious.D
nProtect     2010-09-15.01     2010.09.15     Exploit.PDF-Name.Gen
Panda     10.0.2.7     2010.09.14     Exploit/PDF.Exploit
Sophos     4.57.0     2010.09.15     Mal/JSShell-B
Show all
MD5   : eed8e7000326b8a3c3f234db361c862a
SHA1  : 02f3add91309c1735807336271b5c4c38ddd9a74
SHA256: 3b3f0813353fbd0fa056875e66b1319feb4cbe692b6b31b6cad3f4d33d94874e

Headers are from Gmail, not very useful here
Received: by 10.224.28.77 with SMTP id l13mr8958qac.375.1284473462500; Tue, 14
 Sep 2010 07:11:02 -0700 (PDT)
Received: by 10.229.62.197 with HTTP; Tue, 14 Sep 2010 07:11:02 -0700 (PDT)
In-Reply-To: <4c8f76b1.0b3e8e0a.14f7.ffff93dbSMTPIN_ADDED@mx.google.com>
References: <4c8f76b1.0b3e8e0a.14f7.ffff93dbSMTPIN_ADDED@mx.google.com>
Date: Tue, 14 Sep 2010 22:11:02 +0800
Message-ID:
Subject: Fwd: China-U.S. Trade Issues
From: "Davis L.M."
To: XXXXXXXXXXXXXXXXXXX
Content-Type: multipart/mixed; boundary="0015175caa2474b688049038c879"

Tested on Windows XP sp2 Adobe Reader 9.3.4
Created files
http://anubis.iseclab.org/?action=result&task_id=14b8b6613d6a722a4114cd33bfd1e4cb9&format=html
 File: AcroRd32.exe Size: 52992 MD5:  5EED0E486855A8C69A9D3FA2F0832537
http://www.virustotal.com/file-scan/report.html?id=b26edc4d89e01db3cfea446ed8f8a86a23c1aab07b5bd70b6136f3b5b74442ea-1284615332
AcroRd32.exe
12/ 43 (27.9%)
AhnLab-V3    2010.09.16.00    2010.09.15    Win-Trojan/Agent.52992
AntiVir    8.2.4.52    2010.09.15    BDS/Delf.ukq.5
Antiy-AVL    2.0.3.7    2010.09.16    Backdoor/Win32.Delf
DrWeb    5.0.2.03300    2010.09.16    BackDoor.Siggen.26402
Ikarus    T3.1.1.88.0    2010.09.16    Trojan-Dropper.Delf
Jiangmin    13.0.900    2010.09.15    Backdoor/Delf.wee
Kaspersky    7.0.0.125    2010.09.16    Backdoor.Win32.Delf.ukq
McAfee    5.400.0.1158    2010.09.16    Artemis!5EED0E486855
McAfee-GW-Edition    2010.1C    2010.09.15    Artemis!5EED0E486855
nProtect    2010-09-16.01    2010.09.16    Backdoor/W32.Agent.52992.B
TheHacker    6.7.0.0.020    2010.09.16    Backdoor/Delf.ukq
VBA32    3.12.14.0    2010.09.15    Backdoor.Win32.Delf.ukq
Additional information
Show all
MD5   : 5eed0e486855a8c69a9d3fa2f0832537
Additional information
Show all
MD5   : 5eed0e486855a8c69a9d3fa2f0832537


AcroRd32.exe installs a backdoor service and self-deletes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
Error Reporting Service
Allows error reporting for services and applictions running in non-standard environments.

 Service is stopped after it gets installed and starts after a reboot.
  

File name: udsrdi.dll
http://www.virustotal.com/file-scan/report.html?id=ee44670a9ad4d33ee20ca3a78f4e3ce5c9a40dbe4364929c1d85848c4fd52b8f-1284609622
AhnLab-V3 2010.09.16.00 2010.09.15 Win-Trojan/Agent.29184.AIN
Avast 4.8.1351.0 2010.09.15 Win32:Malware-gen
Avast5 5.0.594.0 2010.09.15 Win32:Malware-gen
AVG 9.0.0.851 2010.09.15 Small.CDB
BitDefender 7.2 2010.09.16 Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
Comodo 6093 2010.09.16 TrojWare.Win32.PSW.Kates.ABC
F-Secure 9.0.15370.0 2010.09.16 Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
GData 21 2010.09.16 Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
Norman 6.06.06 2010.09.15 W32/Suspicious_Gen2.BIWYN
nProtect 2010-09-15.01 2010.09.15 Gen:Backdoor.Heur.Hupigon.by4@de3Kfrm
TheHacker 6.7.0.0.019 2010.09.16 Backdoor/Delf.wkg
MD5   : ca1eaf384d1596b8e8d8c8ef2496f01e

The interesting part is the link between this  udsrdi.dll and vcmdbg.dll from the last (non-0day) post Sep 09 CVE-2009-4324 + CVE-2010-1297 + CVE-2009-0927 PDF U.S. economy slips from spoofed henryAron@brookings.org 210.64.253.96
the link is the strings - see

File: udsrdi.dll
MD5:  ca1eaf384d1596b8e8d8c8ef2496f01e
Size: 29184

Ascii Strings:
---------------------------------------------------------------------------
This program must be run under Win32
CODE
`DATA
.idata
.edata
P.reloc
ZYYd
ZYYd
SYSTEM\CurrentControlSet\Services\
HARDWARE\DESCRIPTION\System\CentralProcessor\0
LinksName
LinksFile
POST / HTTP/1.1
Host: ILoveYou
Content-Length: 2047483648
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 2047483648
Pragma: no-cache


vcmdbg.dll from Sep 09 CVE-2009-4324 + CVE-2010-1297 + CVE-2009-0927 PDF U.S. economy slips from spoofed henryAron@brookings.org 210.64.253.96
 File: vcmdbg.dll
MD5:  2185845c8489e637d963217d4f35842e
Size: 29184
Ascii Strings:
---------------------------------------------------------------------------
This program must be run under Win32
CODE
`DATA
.idata
.edata
P.reloc
ZYYd
ZYYd
SYSTEM\CurrentControlSet\Services\
HARDWARE\DESCRIPTION\System\CentralProcessor\0
LinksName
LinksFile
POST / HTTP/1.1
Host: ILoveYou
Content-Length: 2047483648
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 2047483648
Pragma: no-cache  


initial traffic information
 85.221.23.10 NEWS.UCPARLNET.COM (compare to 202.67.231.251 CHECKERROR.UCPARLNET.COM --screenshot--  from
Sep 09 CVE-2009-4324 + CVE-2010-1297 + CVE-2009-0927 PDF U.S. economy slips from spoofed henryAron@brookings.org 210.64.253.96

Hostname:    nsm3.direkte.no
ISP:    Ventelo Norge AS
Organization:    Direkte Nettlosninger
Assignment:    Static IP
Country:    Norway
State/Region:    Sor-Trondelag
City:    Ă…len




No comments:

Post a Comment