Common Vulnerabilities and Exposures (CVE) number
CVE-2010-3654 Adobe Flash Player 10.1.85.3 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.95.2 and earlier on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.
CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
CVE-2009-0927 Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
CVE-2008-0655 Buffer overflow via specially crafted arguments to Collab.collectEmailInfo
General File Information
File JAN 2011.pdf
MD5 F928C39F0BFEBAAF3A5FB149557DDF66
SHA1 87c17dc9282792906ef41670011c2473c87c9b9b
File size: 384271
Type: PDF
Distribution: Email attachment
The sender is not spoofed, and we see the same operators/actors behind this attack as in the post Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.
This conclusion is based on the embedded trojan (userinit.exe), which is the same as in the aforementioned post and connects to the same C&C server in China. It appears that the attacker logged in to the compromised Thai police mailbox at mail.police.go.th (Zimbra Webmail) from 114.248.93.2 in China and sent the malicious message from there. This is not a spoofed message.
114.248.93.2 -- compare with 114.248.83.92, the malware destination IP in Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.
Userinit.exe connects to 114.248.85.92 (compare with 114.248.83.92 in the previous post).
Original Message
-----Original Message-----
From: Pol.Lt.Col.MaXXXX SwXXXX [mailto:maXXXX@police.go.th]
Sent: Wednesday, January 12, 2011 10:12 AM
Subject: Fw: JANUARY 2011
The spillover effects of Sidi Bouzid: a survivability test to the Tunisian regime
Diogo Noivo
JANUARY 2011
Full Text Below.
If you wish to update your account:
http://www.ipris.org/?menu=24
If the IPRIS Viewpoints has been forwarded to you by another subscriber and you wish to join our email list:
http://www.ipris.org/?page=50
If you have questions or need assistance, please contact:
ipris@ipris.org
Email subscription of the IPRIS Viewpoints is free of charge.
Kind regards,
Sponsors
--
This message has been scanned for viruses and dangerous content by SRAN AntiSpam, and is believed to be clean.
This message has been scanned for viruses and dangerous content by SRAN AntiSpam, and is believed to be clean.
Message Headers
Received: (qmail 23556 invoked from network); 12 Jan 2011 15:11:55 -0000
Received: from 58-97-43-170.static.asianet.co.th (HELO mailfilter.police.go.th) (58.97.43.170)
by XXXXXXXXXXXXX with SMTP; 12 Jan 2011 15:11:55 -0000
Received: from mail.police.go.th (mail.police.go.th [192.168.1.8])
by mailfilter.police.go.th (Postfix) with ESMTP id 7BD0B4E00C0;
Wed, 12 Jan 2011 22:11:45 +0700 (ICT)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.police.go.th (Postfix) with ESMTP id 9C94B900005;
Wed, 12 Jan 2011 22:12:06 +0700 (ICT)
X-Virus-Scanned: amavisd-new at mail.police.go.th
Received: from mail.police.go.th ([127.0.0.1])
by localhost (mail.police.go.th [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id FCWsfmc9xfBB; Wed, 12 Jan 2011 22:12:02 +0700 (ICT)
Received: from mail.police.go.th (mail1.police.go.th [192.168.1.8])
by mail.police.go.th (Postfix) with ESMTP id CE843900002;
Wed, 12 Jan 2011 22:12:00 +0700 (ICT)
Date: Wed, 12 Jan 2011 22:12:00 +0700
From: "Pol.Lt.Col.MaXXXXXX SwXXXXX"
Message-ID: <1273131486.60.1294845120486.JavaMail.root@mail.police.go.th>
Subject: Fw: JANUARY 2011
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_59_986980525.1294845120473"
X-Originating-IP: [114.248.93.2]
X-Mailer: Zimbra 6.0.8_GA_2661 (zclient/6.0.8_GA_2661)
To: undisclosed-recipients:;
X-Police-Thai-MailScanner-ID: 7BD0B4E00C0.A47CC
X-Police-Thai-MailScanner: Found to be clean
X-Police-Thai-MailScanner-From: maXXXX@police.go.th
X-Spam-Check: NO
Sender
It appears that the attacker logged in to the compromised Thai police mailbox at mail.police.go.th (Zimbra mail system) from 114.248.93.2 in China and sent the malicious message from there. This is not a spoofed message.
114.248.93.2 (see 114.248.83.92 as the malware network traffic destination IP in the post Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce)
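The header reading above can be automated: the Received chain only shows the organisation's own hops (so the message genuinely is not spoofed), while Zimbra's X-Originating-IP header records the address the webmail client logged in from. The following is an added example, not tooling from the original post; the header text is taken from the block shown above (trimmed), and the list of expected login networks is a hypothetical placeholder, since the real police.go.th ranges are not on the page.

```python
import ipaddress
from email import message_from_string

# Constructed from the header block shown in the post, trimmed to what the check uses.
HEADERS = """\
Received: from 58-97-43-170.static.asianet.co.th (HELO mailfilter.police.go.th) (58.97.43.170)
 by XXXXXXXXXXXXX with SMTP; 12 Jan 2011 15:11:55 -0000
Received: from mail.police.go.th (mail.police.go.th [192.168.1.8])
 by mailfilter.police.go.th (Postfix) with ESMTP id 7BD0B4E00C0;
 Wed, 12 Jan 2011 22:11:45 +0700 (ICT)
Received: from mail.police.go.th (mail1.police.go.th [192.168.1.8])
 by mail.police.go.th (Postfix) with ESMTP id CE843900002;
 Wed, 12 Jan 2011 22:12:00 +0700 (ICT)
From: "Pol.Lt.Col.MaXXXXXX SwXXXXX"
Subject: Fw: JANUARY 2011
X-Originating-IP: [114.248.93.2]
X-Mailer: Zimbra 6.0.8_GA_2661 (zclient/6.0.8_GA_2661)
To: undisclosed-recipients:;

"""

# Hypothetical networks the mailbox owner is expected to log in from; the real
# police.go.th ranges are not on the page and would come from the mail admins.
EXPECTED_LOGIN_NETS = [ipaddress.ip_network("58.97.43.0/24"),
                       ipaddress.ip_network("192.168.0.0/16")]


def webmail_origin(raw_headers, expected_nets=EXPECTED_LOGIN_NETS):
    """Report where a webmail-submitted message was really sent from.

    The Received chain shows only the organisation's own hops, so the message is
    not spoofed. Zimbra stamps the logged-in client's address into
    X-Originating-IP, and that is what to compare against the expected networks.
    """
    msg = message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    first_hop = " ".join(received[-1].split()) if received else ""  # earliest hop is last
    ip_text = msg.get("X-Originating-IP", "").strip("[] ")
    mailer = msg.get("X-Mailer", "")
    if not ip_text:  # not a webmail submission, nothing to compare
        return {"originating_ip": None, "mailer": mailer,
                "first_hop": first_hop, "outside_expected": False}
    ip = ipaddress.ip_address(ip_text)
    return {"originating_ip": str(ip), "mailer": mailer, "first_hop": first_hop,
            "outside_expected": not any(ip in net for net in expected_nets)}


if __name__ == "__main__":
    print(webmail_origin(HEADERS))
```

For this message the check reports 114.248.93.2 as outside every expected network, which is the same conclusion the post draws by hand.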
person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC
person: sun ying
address: fu xing men nei da jie 97, Xicheng District
address: Beijing 100800
country: CN
phone: +86-10-66030657
fax-no: +86-10-66078815
nic-hdl: SY21-AP
mnt-by: MAINT-CNCGROUP-BJ
changed: 19980824
changed: 20060717
changed: 20090630
source: APNIC
Thai police mail server
CNET 58.97.43
58.97.0.0/17 PACNET (proxy-registered route object) AS7470 (not announced)
58.97.0.0/18 Proxy-registered route object AS7470

| Name | Record | IP | Reverse | Route | AS |
|---|---|---|---|---|---|
| 58-97-43-170.static.asianet.co.th | a | 58.97.43.170 (Thailand) | | 58.97.0.0/18 (proxy-registered route object) | AS7470 AsiaNet Asia Infonet Co.,Ltd. |
| mailfilter.police.go.th | a | 58.97.43.170 (Thailand) | 58-97-43-170.static.asianet.co.th | | |
| mailfilter.royalthaipolice.go.th | a | 58.97.43.170 (Thailand) | 58-97-43-170.static.asianet.co.th | | |
Automated Scans
JAN 2011.pdf
http://www.virustotal.com/file-scan/report.html?id=8e5cd7cb93d63d1c67f61b37f142f8726328161483d571acde97b1de8abe65cc-1295352340
Submission date: 2011-01-18 12:05:40 (UTC)
Result: 15/43 (34.9%)
AhnLab-V3 2011.01.18.00 2011.01.17 SWF/Cve-2010-3654
AntiVir 7.11.1.169 2011.01.18 EXP/CVE-2010-3654.A
Antiy-AVL 2.0.3.7 2011.01.18 Exploit/Win32.CVE-2010-3654
Avast 4.8.1351.0 2011.01.18 JS:Pdfka-gen
Avast5 5.0.677.0 2011.01.18 JS:Pdfka-gen
Comodo 7429 2011.01.18 UnclassifiedMalware
Emsisoft 5.1.0.1 2011.01.18 Exploit.Win32.CVE-2010-3654!IK
GData 21 2011.01.18 JS:Pdfka-gen
Ikarus T3.1.1.97.0 2011.01.18 Exploit.Win32.CVE-2010-3654
Kaspersky 7.0.0.125 2011.01.18 Exploit.Win32.CVE-2010-3654.a
PCTools 7.0.3.5 2011.01.18 Trojan.Pidief
Sophos 4.61.0 2011.01.18 Troj/PDFJs-PO
Symantec 20101.3.0.103 2011.01.18 Trojan.Pidief
TrendMicro 9.120.0.1004 2011.01.18 SWF_DLOADR.SMZ
TrendMicro-HouseCall 9.120.0.1004 2011.01.18 SWF_DLOADR.SMZ
MD5 : f928c39f0bfebaaf3a5fb149557ddf66
SHA1 : 87c17dc9282792906ef41670011c2473c87c9b9b
Analysis
Exploit choice depends on the Adobe Reader version; the malicious PDF is designed for versions 6 through 9.4. Exploits used (please correct me if there are any mistakes or if I missed any):
CVE-2010-3654
Flash 1 - jit-spray.swf (it is not JIT spray, just the name of the loading SWF file)
Flash 2 - 2.swf
CVE-2009-0927
CVE-2008-0655
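A static triage check for the indicators this exploit list implies, as an added example rather than the post's own tooling: it inflates FlateDecode streams and reports which of the Collab/JavaScript API names tied to the listed CVEs appear, whether the script is gated on app.viewerVersion (the version-dependent exploit choice described above), and how many embedded streams start with an SWF header. The PDF bytes are a constructed, hypothetical sample, not the JAN 2011.pdf file; the CVE-to-API mapping follows the CVE descriptions at the top of the page.

```python
import re
import zlib

# JavaScript API names the listed exploits rely on, per the CVE descriptions on
# the page (CVE-2009-4324 is listed there too); CVE-2010-3654 arrives as an SWF.
JS_INDICATORS = {
    "CVE-2009-0927": [rb"Collab\.getIcon"],
    "CVE-2008-0655": [rb"Collab\.collectEmailInfo"],
    "CVE-2009-4324": [rb"media\.newPlayer"],
}
VERSION_GATE = rb"app\.viewerVersion"   # how a PDF picks an exploit per Reader version
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def triage_pdf(data):
    """Return which indicators appear in the raw file and its inflated streams."""
    blobs = [data]
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            blobs.append(zlib.decompress(m.group(1)))  # /FlateDecode hides the script
        except zlib.error:
            blobs.append(m.group(1))                  # not compressed, keep as-is
    found, swf_streams, version_gated = set(), 0, False
    for blob in blobs:
        swf_streams += blob[:3] in SWF_MAGIC
        version_gated |= re.search(VERSION_GATE, blob) is not None
        for cve, patterns in JS_INDICATORS.items():
            if any(re.search(p, blob) for p in patterns):
                found.add(cve)
    return {"cves": sorted(found), "swf_streams": swf_streams,
            "version_gated": version_gated}


def _stream_obj(num, dictionary, payload):
    """Build one PDF stream object (helper for the constructed sample)."""
    return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (num, dictionary, len(payload))
            + payload + b"\nendstream\nendobj\n")


# Constructed, hypothetical sample: a version-gated script in a FlateDecode stream
# plus an embedded-file stream starting with the compressed-SWF magic.
_JS = (b"var v = app.viewerVersion;\n"
       b"if (v < 8.2) { Collab.collectEmailInfo({msg: s}); }\n"
       b"else if (v < 9.1) { Collab.getIcon(s); }\n")
SAMPLE_PDF = (b"%PDF-1.6\n"
              + _stream_obj(1, b"/Filter /FlateDecode", zlib.compress(_JS))
              + _stream_obj(2, b"/Type /EmbeddedFile", b"CWS\x0a" + b"\x00" * 16)
              + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Run `triage_pdf(SAMPLE_PDF)` to see the two Collab CVEs, the version gate and one SWF stream reported; the same function works on a real file read in binary mode.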
Files Created
Local Settings\Application Data\Windows
File: userinit.exe
Size: 49664
MD5: F9E35028BD5E25164044FBFBE93EBAC2
File name: userinit.exe
Submission date: 2011-01-18 10:08:46 (UTC)
Result: 27/43 (62.8%)
http://www.virustotal.com/file-scan/report.html?id=3be9fc978b5354b09af2c1910420eee48d106a8e29e45bda595197289eee68a8-1295345326
Antivirus Version Last Update Result
AhnLab-V3 2011.01.18.00 2011.01.17 Downloader/Win32.Generic
AntiVir 7.11.1.164 2011.01.18 TR/Dynamer.dtc.2237
Avast 4.8.1351.0 2011.01.18 Win32:Malware-gen
Avast5 5.0.677.0 2011.01.17 Win32:Malware-gen
AVG 10.0.0.1190 2011.01.18 BackDoor.Agent.AJQG
CAT-QuickHeal 11.00 2011.01.18 TrojanDownloader.Agent.nd
Comodo 7429 2011.01.18 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.2.03300 2011.01.18 Trojan.MulDrop1.47445
Emsisoft 5.1.0.1 2011.01.18 Gen.Trojan.Heur!IK
eSafe 7.0.17.0 2011.01.17 Win32.GenHeur.LP.Cu@
F-Secure 9.0.16160.0 2011.01.18 Gen:Trojan.Heur.LP.cu5@a8zokfo
GData 21 2011.01.17 Win32:Malware-gen
Ikarus T3.1.1.97.0 2011.01.18 Gen.Trojan.Heur
Jiangmin 13.0.900 2011.01.18 Trojan/Genome.epw
K7AntiVirus 9.77.3570 2011.01.18 Riskware
McAfee 5.400.0.1158 2011.01.18 Generic.dx!vne
McAfee-GW-Edition 2010.1C 2011.01.18 Generic.dx!vne
Microsoft 1.6402 2011.01.18 Trojan:Win32/Dynamer!dtc
NOD32 5796 2011.01.18 Win32/Agent.RMB
Panda 10.0.2.7 2011.01.17 Suspicious file
PCTools 7.0.3.5 2011.01.18 Downloader.Generic
Rising 22.83.01.03 2011.01.18 Trojan.Win32.Generic.525ACF21
Sophos 4.61.0 2011.01.18 Troj/Dynamer-A
SUPERAntiSpyware 4.40.0.1006 2011.01.18 -
Symantec 20101.3.0.103 2011.01.18 Downloader
TrendMicro 9.120.0.1004 2011.01.18 TROJ_GEN.R47C2AF
TrendMicro-HouseCall 9.120.0.1004 2011.01.18 TROJ_GEN.R47C2AF
VIPRE 8108 2011.01.18 Trojan.Win32.Generic!BT
MD5 : f9e35028bd5e25164044fbfbe93ebac2
File: userinit.dll
Size: 40960
MD5: 7A4AC523C9AA6C14B8090C97CA87F7C3
Virustotal http://www.virustotal.com/file-scan/report.html?id=a6ce3be7a9c4423979463c318b83f5054efdbbfb834be2550c804d2d7a7f8303-1295345397
Network activity
Read more about this traffic analysis in the post Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce.
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
DNS Queries:
Name: [ toolsbar.dns0755.net ], Query Type: [ DNS_TYPE_A ],
Query Result: [ 114.248.85.192 ], Successful: [ 1 ], Protocol: [ udp ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
HTTP Conversations:
to 114.248.85.192:80