Pages

Thursday, December 23, 2010

Dec 23 Zeus/Zbot driven espionage using Merry Christmas card from spoofed jeff.jones@whitehouse.gov

  General File Information

#1 File: card.exe
Size: 177152
MD5:  A486EDD5D966FD167F9D8FA94087913E
SHA1 6cc60b1efb8d82b827634e7e42f2c3c981b1aff6
File Type:  exe
Distribution: Link in email message - download in zip archive
from http://iphonedevelopersdk.com/wp-admin/includes/card.zip (still active as of Jan 2, 2011)



#2 File: card.exe
Size: 179712 bytes
MD5: D51F45E1985DC69CC6BC2B3AE1DA48F1
SHA1 b3b6e3cf9d9e268d2c5d3e692721ed0cdd9e323d
File Type:  exe
Distribution: Link in email message - download in zip archive
from http://quimeras.com.mx/images/card.zip (not active) as seen at
http://jsunpack.jeek.org/dec/go?report=908cfa23d23391577a6a5834bf6377d327c7053b

Read more

Tuesday, December 21, 2010

Dec 21 CVE-2009-0556 (corrected CVE) Christmas Messages.pps with stolen cert from Syniverse from nicholas.bennett53@hotmail.com

Common Vulnerabilities and Exposures (CVE)number

CVE-2009-0556 Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac, allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an an invalid index value that triggers memory corruption, as exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen, aka "Memory Corruption Vulnerability."

CVE-2010-2572  Buffer overflow in Microsoft PowerPoint 2002 SP3 and 2003 SP3 allows remote attackers to execute arbitrary code via a crafted PowerPoint 95 document, aka "PowerPoint Parsing Buffer Overflow Vulnerability."

Update

I would like to have a more technical analysis and identification of CVE in addition to this preliminary testing, so if you do it, please send over, I will add :) thank you

Comments: Shih-hao Weng (thank you) noted that he thinks it is CVE-2009-0556.  I tested, indeed - the patch for CVE-2009-0556 (MS09-017 KB957784 May 12 2009) fixes it.

The only patch from Microsoft Updates that is automatically available and fixes it these days is MS10-088, which is for CVE-2010-2572. However MS10-088 replaced earlier patches, including MS09-017 ( CVE-2009-0556 ). CVE-2009-0556 was used a in a lot in malicious attachments in the past 

  You cannot automatically install MS09-017 via Microsoft Updates - see below but if you find it and install manually (for Sp3 MS09-017 KB957784 May 12 2009)MS10-004 KB976881 Feb 4, 2010 would also fix it.

Everything in the post stays the same - except the CVE number changes to CVE-2009-0556 and the patches that will keep you safe are 

For Office 2003 SP3

MS10-088, which is for CVE-2010-2572 OR MS09-017 KB957784  OR MS10-004 KB976881 Feb 4, 2010


  General File Information

File      Christmas Messages.pps 

MD5   51d3e2bd306495de50bfd0f2f4e19ae9

 SHA1  7edd6beff619f86fae7f94a60ac4bcdb04473dfb 

Size :    838144 bytes

Type:    PPS
Distribution: Email attachment
                                       

Download

Wednesday, December 15, 2010

Dec 15 CVE-2010-3333 DOC, CVE-2010-0188 PDF Health Tips Collection from jackey870@yahoo.com.tw

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability." .

CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.  (LibTIFF exploit)

  General File Information

CVE-2010-3333

File      ATT78214.doc
MD5   C31341DF029E6DC2804BA2F97DB7BAF7
SHA1  518ca81280f5bcf7ce98a6a262ac7d74ca261faf
File size :  1066411 bytes
Type:  DOC
Distribution: Email attachment 

CVE-2010-3333

File      ATT27390.doc
MD5   b4e256982947b3c68aaa84545b61c9b1
SHA1  8a6aacaf1a3a741a4c0cf707dcc70ffaa9442fee
File size :  1066411 bytes
Type:  DOC
Distribution: Email attachment 

CVE-2010-0188

File ....pdf
MD5   92db03a6d1db9a9012ccc7bd9b45ed7a
SHA1  b92dd18baf2dc041062b1e862db05a4d097a2411

File size :  232743 bytes
Type:  PDF
Distribution: Email attachment


Friday, November 26, 2010

CVE-2009-4324 CVE-2009-0927 CVE-2008-2992 regional security in east asia.pdf


Common Vulnerabilities and Exposures (CVE)number

This post is to be continued..

CVE-2009-4324

CVE-2009-0927

CVE-2008-2992

  General File Information

File regional security in east asia.pdf
MD5  80e5432f7806564c5fc50738741abf7
SHA1  dc4f71609171e93bb1ad66fb52e8bb330f362a76
File size 37238 bytes
Type:  PDF
Distribution: Email attachment

Download

Monday, November 22, 2010

APT IPs

These 200+ IP addresses and IP ranges were used for targeted attacks, APT malware C&Cs and targeted malware distributions (many thanks to Anon and CJ for their additions).
Please note that the dates are AS registration dates for the blocks, not the attacks. Attacks are mostly from 2010 and some from 2009

4134 | 114.221.79.181 | 114.221.0.0/16 | CN | apnic | 6/24/2008 | CHINANET-BACKBONE No.31,Jin-rong Street






38661 | 115.92.107.178 | 115.92.104.0/22 | KR | apnic | 7/24/2008 | HCLC-AS-KR HCLC
4134 | 116.21.179.130 | 116.21.128.0/17 | CN | apnic | 3/7/2007 | CHINANET-BACKBONE No.31,Jin-rong Street
4837 | 117.11.158.98 | 117.8.0.0/13 | CN | apnic | 5/25/2007 | CHINA169-BACKBONE CNCGROUP China169 Backbone
4134 | 117.88.248.10 | 117.88.128.0/17 | CN | apnic | 7/4/2007 | CHINANET-BACKBONE No.31,Jin-rong Street
4134 | 117.89.37.193 | 117.89.0.0/16 | CN | apnic | 7/4/2007 | CHINANET-BACKBONE No.31,Jin-rong Street
38186 | 119.47.80.0 | 119.47.80.0/24 | HK | apnic | 1/14/2008 | FTG-AS-AP Forewin Telecom Group Limited, ISP at HK
17858 | 119.68.7.79 | 119.68.0.0/14 | KR | apnic | 1/15/2008 | KRNIC-ASBLOCK-AP KRNIC
13938 | 12.33.114.0 | 12.33.114.0/24 | US | arin | 8/23/1983 | SSNC-AS - SS&C Technologies, Inc.
27440 | 12.33.114.0 | 12.33.114.0/24 | US | arin | 8/23/1983 | SSNC-CHI - SS&C Technologies, Inc.
9931 | 122.155.7.194 | 122.155.0.0/20 | TH | apnic | 1/8/2007 | CAT-AP The Communication Authoity of Thailand, CAT
9981 | 122.199.123.8 | 122.199.120.0/21 | KR | apnic | 6/7/2006 | SAERONET-AS-KR Saero Network Service LTD
4808 | 123.125.156.137 | 123.125.128.0/18 | CN | apnic | 1/29/2007 | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
4808 | 123.125.156.138 | 123.125.128.0/18 | CN | apnic | 1/29/2007 | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
4808 | 123.125.156.151 | 123.125.128.0/18 | CN | apnic | 1/29/2007 | CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network

Sunday, November 21, 2010

Hello World

Due to technical issues (currently have no access to any VMs and tools), there will be no new posts for a few days.
Cheers,
-Mila


Tuesday, November 16, 2010

Links and resources for malware samples

Malware links.
 Here are good resources, links, download locations for malware. Use caution.

This link is from Lenny Zeltser's Malware Sample Sources for Researchers. The original post is here

In addtion, there is a full list collected and published at kernelmode.info (many thanks to Evilcry, Jaxryley, markusg, EP_X0FF, Meriadoc, CloneRanger, Brookit and gigaz)  The original list is here

Monday, November 15, 2010

Nov 14 Java/Boonana-A Facebook OSX Trojan

Malware Type

Secure Mac: Trojan horse [.] that affects Mac OS X, including Snow Leopard (OS X 10.6), the latest version of OS X. The trojan horse, trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. The trojan is currently appearing as a link in messages on social networking sites with the subject "Is this you in this video?"

  General File Information

File jnana.tsa (v 11.7) and jnana.jar (v 11.8)

MD5  7a04e9185daf9551edd90e7bff2daa8e and 2533F62C321117C46D6DF6122C3009BD (unpacked)
File size : 171980 bytesType:  PDF
Distribution: Facebook
Source: kernelmode.info (many thanks to xhandsome) and www.kaldata.com
(many thanks to Васил)                       

Read about versions here Malware Diaries: Jnana, Boonana: as many names as variants?   Image from Malware Diaries


Wednesday, November 10, 2010

CVE-2010-3654 Adobe Reader 0 day + CVE-2010-2883 Flash 10.1.102.64 + Reader 9.4.0.195 PDF Federal Benefits

Common Vulnerabilities and Exposures (CVE)number

CVE-2010-3654 Adobe Flash Player 10.1.85.3 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.95.2 and earlier on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.

CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information. 

Post Updates

Update 6, Nov 16  2010-------------------------------------------------------------------------------------------
After yesterday tweets (snowfl0w and sempersecurus), GoDaddy took notice and suspended mysundayparty.com domain
here is the email
---------- Forwarded message ----------
From: GoDaddy Abuse Department
Date: Tue, Nov 16, 2010 at 11:16 AM
Subject: RE: reminder - mysundayparty.com complaint
To: Mila

Dear Mila Parkour,

Thank you for bringing this situation to our attention. We have gone
ahead and suspended the domain name in question.
Please let us know if you find any other domain names connected to C&C
servers or other malware distribution.
Regards,
Joe
GoDaddy.com
Spam and Abuse Department
24/7 Abuse Department Hotline: 480-624-2505
ARID1003
 Here is current Whois
Registrant:
debby ryan
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MYSUNDAYPARTY.COM
Created on: 15-Sep-10
Expires on: 15-Sep-11
Last Updated on: 15-Sep-10

Administrative Contact:
ryan, debby g.debbei_@yahoo.com
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
+86.9801455 Fax --

Technical Contact:
ryan, debby g.debbei_@yahoo.com
411 N. 6th Street, Emery, SD
Emery, SD
sd, shen zhen 90002
China
+86.9801455 Fax --

Domain servers in listed order:
NS1.SUSPENDED-FOR.SPAM-AND-ABUSE.COM
NS2.SUSPENDED-FOR.SPAM-AND-ABUSE.COM

Update 5, Nov 15 2010-------------------------------------------------------------------------------------------
mysundayparty.com domain is still active. resent the message below to abuse@godaddy.com
24.248.182.214  
Hostname:    wsip-24-248-182-214.ph.ph.cox.net  - Is it C&C or someone's sinkhole? Anybody?


Update 4, Nov 13 2010-------------------------------------------------------------------------------------------
mysundayparty.com domain is still active
The message that was sent to GoDaddy abuse department on Nov 10, 2010 read
Dear GoDaddy Abuse Department,
mysundayparty.com has been C&C for 0-days malware  

and used in targeted attacks described above.
Please take action asap
Thanks

Monday, November 8, 2010

Nov 3 CVE-2010-4091 Adobe 0 Day "printSeps()" xpl.pdf PoC From scup () hushmail com


Common Vulnerabilities and Exposures (CVE)number. Vendor Advisories

CVE-2010-4091 The EScript.api plugin in Adobe Acrobat Reader 9.4.0, 8.1.7, and probably other versions allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PDF document that triggers memory corruption, involving the printSeps function. NOTE: some of these details are obtained from third party information.

November 8, 2010 Update:
We plan to resolve this issue in the update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions scheduled for release during the week of November 15, 2010, mentioned in Security Advisory APSA10-05. We have assigned CVE-2010-4091 to this issue. As of today, Adobe is not aware of any exploits in the wild or public exploit code for this issue.

--------------------------------

November 4, 2010 Adobe is aware of a potential issue in Adobe Reader posted publicly today on the Full Disclosure list. A proof-of-concept file demonstrating a Denial of Service was published. Arbitrary code execution has not been demonstrated, but may be possible. We are currently investigating this issue. In the meantime, users of Adobe Reader 9.2 or later and 8.1.7 or later can utilize the JavaScript Blacklist Framework to prevent the issue by following the instructions below. Note that Adobe Acrobat is not affected by this issue.

Vupen Adobe Acrobat and Reader "printSeps()" Heap Corruption Vulnerability

 General File Information

MD5  d000e74163e34fc65914676674776284
SHA1  94358cebc08f6677df9b28e5b893dce71003081a
File Name: xpl_pdf.pdf
File size : 1928 bytes
Type:  PDF
Source:
Wed, 03 Nov 2010 [0dayz] Acrobat Reader Memory Corruption Remote Arbitrary Code Execution Full Disclosure


CVE-2010-2883 PDF An invitation to the Nobel Prize ceremony of Liu Xiaobo

Common Vulnerabilities and Exposures (CVE)number

  CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information

  General File Information

File invitation.pdf
MD5   : 29db2fba7975a16dbc4f3c9606432ab2
SHA1  : 5d65e6984e521936707b32219b39388efb4296fa

File size :
344218 bytes
Type:  PDF
Distribution: Email attachment 

Post Updates

More about similar attacks

Sunday, October 24, 2010

Oct 24 CVE-2010-2883 PDF Vision Poll Center from ynnchang@gmail.com

CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.3.4 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information



Download 20101024S01AL01PR1R.pdf as a password protected archive (contact me if you need the password)


From: 遠見民調中心 張雅琳 [mailto:ynnchang@gmail.com]
Sent: Sunday, October 24, 2010 11:51 PM
To: ynnchang@gmail.com
Subject: 遠見民調中心_台灣民心指數調查結果

    遠見民調中心 設計與執行
    台灣民心指數( Taiwan Public Mood Index, TPMI )
    2010年10月調查結果
         --------------------------------------------------------
                 遠見民調中心  張雅琳
           Global Views Survey Research Center
              104 台北市松江路93巷1號
               行動:0916-828-482
               電話:02-2517-3688分機638
               專線:02-2517-8537
               傳真:02-2517-6275

Chinese to English translation

From: Vision polling centers Zhang Yalin [mailto: ynnchang@gmail.com]Sent: Sunday, October 24, 2010 11:51 PMTo: ynnchang@gmail.comSubject: Vision polling center _ the findings of the Taiwan people index

    
Survey Center design and implementation of the vision
    
Taiwan Public Mood Index (Taiwan Public Mood Index, TPMI)
    
October 2010 survey results
         
-------------------------------------------------- ------
                 
Vision polls Center Zhang Yalin
           
Global Views Survey Research Center
              
Lane 93, Sung Chiang Road, Taipei 104, No. 1
               
Action :0916 -828-482
               
Tel :02 -2517-3688 ext 638
               
Line :02 -2517-8537
               
Fax :02 -2517-6275
 


File name:20101024S01AL01PR1R.pdf
http://www.virustotal.com/file-scan/report.html?id=0a45313368c6437fa419d034e0bdb6ca5eb6ca4359c607d90d1027ec7a6bfda8-1288175111
Submission date:2010-10-27 10:25:11 (UTC)
15/ 41 (36.6%)
AntiVir    7.10.13.47    2010.10.27    HTML/Malicious.PDF.Gen
Avast    4.8.1351.0    2010.10.27    PDF:CVE-2010-2883
Avast5    5.0.594.0    2010.10.27    PDF:CVE-2010-2883
AVG    9.0.0.851    2010.10.27    Exploit_c.KGX
BitDefender    7.2    2010.10.27    Exploit.PDF-TTF.Gen
Comodo    6526    2010.10.27    UnclassifiedMalware
DrWeb    5.0.2.03300    2010.10.27    Exploit.PDF.1641
F-Secure    9.0.16160.0    2010.10.27    Exploit.PDF-TTF.Gen
Fortinet    4.2.249.0    2010.10.27    PDF/CoolType!exploit.CVE20102883
GData    21    2010.10.27    Exploit.PDF-TTF.Gen
Ikarus    T3.1.1.90.0    2010.10.27    Exploit.Win32.CVE-2010-2883
Microsoft    1.6301    2010.10.27    Exploit:Win32/CVE-2010-2883.A
PCTools    7.0.3.5    2010.10.27    HeurEngine.MaliciousExploit
Sophos    4.58.0    2010.10.27    Troj/PDFJs-NA
Symantec    20101.2.0.161    2010.10.27    Bloodhound.Exploit.357
Additional information
Show all
MD5   : 1618d09ff580014b251794222bb0f0f9