Dec 23 Zeus/Zbot driven espionage using Merry Christmas card from spoofed jeff.jones@whitehouse.gov

  General File Information

#1 File: card.exe
Size: 177152
MD5:  A486EDD5D966FD167F9D8FA94087913E
SHA1 6cc60b1efb8d82b827634e7e42f2c3c981b1aff6
File Type:  exe
Distribution: Link in email message - download in zip archive
from http://iphonedevelopersdk.com/wp-admin/includes/card.zip (still active as of Jan 2, 2011)

#2 File: card.exe
Size: 179712 bytes
MD5: D51F45E1985DC69CC6BC2B3AE1DA48F1
SHA1 b3b6e3cf9d9e268d2c5d3e692721ed0cdd9e323d
File Type:  exe
Distribution: Link in email message - download in zip archive
from http://quimeras.com.mx/images/card.zip (not active) as seen at http://jsunpack.jeek.org/dec/go?report=908cfa23d23391577a6a5834bf6377d327c7053b

Read more

Dec 21 CVE-2009-0556 (corrected CVE) Christmas Messages.pps with stolen cert from Syniverse from nicholas.bennett53@hotmail.com

Common Vulnerabilities and Exposures (CVE)number

CVE-2009-0556 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an an invalid index value that triggers memory corruption, as exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen, aka "Memory Corruption Vulnerability."

CVE-2010-2572  Buffer overflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint 95 document, aka "PowerPoint Parsing Buffer Overflow Vulnerability."

Update

I would like to have a more technical analysis and identification of CVE in addition to this preliminary testing, so if you do it, please send over, I will add :) thank you

Comments: Shih-hao Weng (thank you) noted that he thinks it is CVE-2009-0556.  I tested, indeed - the patch for CVE-2009-0556 (MS09-017 KB957784 May 12 2009) fixes it.

The only patch from Microsoft Updates that is automatically available and fixes it these days is MS10-088, which is for CVE-2010-2572. However MS10-088 replaced earlier patches, including MS09-017 ( CVE-2009-0556 ). CVE-2009-0556 was used a in a lot in malicious attachments in the past 

  You cannot automatically install MS09-017 via Microsoft Updates - see below but if you find it and install manually (for Sp3 MS09-017 KB957784 May 12 2009) .  MS10-004 KB976881 Feb 4, 2010 would also fix it.

Everything in the post stays the same - except the CVE number changes to CVE-2009-0556 and the patches that will keep you safe are 

For Office 2003 SP3

MS10-088, which is for CVE-2010-2572 OR MS09-017 KB957784  OR MS10-004 KB976881 Feb 4, 2010

  General File Information

File      Christmas Messages.pps 

MD5   51d3e2bd306495de50bfd0f2f4e19ae9

 SHA1  7edd6beff619f86fae7f94a60ac4bcdb04473dfb 

Size :    838144 bytes

Type:    PPS
Distribution: Email attachment                                       

Download

 

• Download -Christmas Messages.pps and dropped+downloaded files as a password protected archive (contact me if you need the password)
• Pcap file download --
• Decrypted file download  (with MANY thanks to Giuseppe Bonfa -evilcry- for his script)(same pass as on the main file)

Dec 15 CVE-2010-3333 DOC, CVE-2010-0188 PDF Health Tips Collection from jackey870@yahoo.com.tw

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability." .

CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.  (LibTIFF exploit)

  General File Information

CVE-2010-3333

File      ATT78214.doc
MD5   C31341DF029E6DC2804BA2F97DB7BAF7
SHA1  518ca81280f5bcf7ce98a6a262ac7d74ca261faf
File size :  1066411 bytes
Type:  DOC
Distribution: Email attachment 

CVE-2010-3333

File      ATT27390.doc
MD5   b4e256982947b3c68aaa84545b61c9b1
SHA1  8a6aacaf1a3a741a4c0cf707dcc70ffaa9442fee
File size :  1066411 bytes
Type:  DOC
Distribution: Email attachment 

CVE-2010-0188

File ....pdf
MD5   92db03a6d1db9a9012ccc7bd9b45ed7a
SHA1  b92dd18baf2dc041062b1e862db05a4d097a2411
File size :  232743 bytes
Type:  PDF
Distribution: Email attachment

Read more...

Nov 19 CVE-2010-2883 with Flash JIT Spray (PDF in PDF) Event Invitation from The Heritage Foundation from spoofed Heritage address

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.

  General File Information

File  Event Invitation from Heritage.pdf
MD5   529AE8C6AC75E555402AA05F7960EB0D
SHA1   d793f0c3e051bc03b0cd5e2c2f87f3be33612d49
File size : 358996
Type:  PDF
Distribution: Email attachment

Read more...