Wednesday, March 30, 2011
Tuesday, March 29, 2011
Mar 29 CVE-2009-3129 XLS An Interview Request from a Columbia University Student
Common Vulnerabilities and Exposures (CVE)number
CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
Just a quick post without any analysis. Have fun.
General File Information
File Lybia.xls
MD5 7795F3C874677C8D95D070D7D40725ADFile size : 7e0e69aff159f8bb31c4e5c62228c952d3ae1fd2
Type: XLS
Distribution: Email attachment
Download
Original Message
From: Steve Perry [mailto:steve.e.perry@gmail.com]
Sent: Tuesday, March 29, 2011 3:52 AM
To:XXXXXXXXXXXXXXX
Subject: An Interview Request from a Columbia University Student
Dear Sir,
My name is Steve Perry, and I am a student at the Columbia University Graduate School of Journalism.I was assigned to focus on current conflict in Libya and was demanded to publish it in a variety of news media outlets, which is a demand for graduation.
I learn you from the following links.
XXXXXXXXXXXXXXXXXXXXXXXXX
You are a famous expert on Middle East problems, so I request to interview your. I would be honored if you receive my interview. I have made an excel diagram including questions. I hope that when you are free, you can fill in the diagram and send it back to me. Thanks very much!
Sincerely,
Steve Perry
Message Headers
Gmail :(Received: (qmail 32598 invoked from network); 29 Mar 2011 07:52:31 -0000
Received: from mail-ww0-f67.google.com (HELO mail-ww0-f67.google.com) (74.125.82.67)
by 29 Mar 2011 07:52:31 -0000
Received: by wwa36 with SMTP id 36so738671wwa.6
for
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:date:message-id:subject:from:to
:content-type;
bh=9+Kwinch+3AeawaoEuQ3RtWBovUsLb0jm49x9OgIWYo=;
b=SQdWqICrXhvehS3/U1o9etl84hC3Wq9SEcaiVOGJd40mTFWwunPj6aq4LocEmdRjGC
eZCsghb/5uT74cuVjf4yWI4IEhNIxDF4g46aAH2vzDk4u/DKqNmXuH/t4jYYAdsExmhO
G16W3iTR8jYQOeZqIu+XYXosOs/Mpv4VHxq+I=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=JxFV5kH+bjtpaW14GKTeoFxH4s5Pai3QJmQrQnUmP5RcMQmDTXFvzgA7sOOcPxtmlo
0HeKcEAqZqh+MboRce6YsfRrama3ZhVPzqQoqhDovYzWUqkK0TgzaE8LvebZxaYEMP0D
9KUb8Pt1uQEukmWxdtZabPIkKKBTkPNOjNQjw=
MIME-Version: 1.0
Received: by 10.216.68.85 with SMTP id k63mr2841503wed.35.1301385149026; Tue,
29 Mar 2011 00:52:29 -0700 (PDT)
Received: by 10.216.166.84 with HTTP; Tue, 29 Mar 2011 00:52:28 -0700 (PDT)
Date: Tue, 29 Mar 2011 15:52:28 +0800
Message-ID:
Subject: An Interview Request from a Columbia University Student
From: Steve Perry
To: xxxxxxxxxxxxxxxxx
Content-Type: multipart/mixed; boundary="000e0ce0b1ba86156e049f9a5758"
Automated Scans
File name:Libya.xlshttp://www.virustotal.com/file-scan/report.html?id=b7949a6ac1f2bdf0010423c77740680e396f6234658b1c7574c576e8e7211c79-1301435181
Submission date:2011-03-29 21:46:21 (UTC)
ClamAV 0.96.4.0 2011.03.29 BC.XLS.Exploit.CVE_2009_3129
Commtouch 5.2.11.5 2011.03.24 MSExcel/Dropper.B!Camelot
Jiangmin 13.0.900 2011.03.29 Heur:Exploit.CVE-2009-3129
McAfee 5.400.0.1158 2011.03.29 Exploit-MSExcel.u
McAfee-GW-Edition 2010.1C 2011.03.29 Heuristic.BehavesLike.Exploit.X97.CodeExec.FFOD
Microsoft 1.6702 2011.03.29 Exploit:Win32/CVE-2009-3129
Sophos 4.64.0 2011.03.29 Troj/DocDrop-S
TrendMicro 9.200.0.1012 2011.03.29 TROJ_EXLDROP.SM
TrendMicro-HouseCall 9.200.0.1012 2011.03.29 TROJ_EXLDROP.SM
MD5 : 7795f3c874677c8d95d070d7d40725ad
Monday, March 28, 2011
Mar 25-28 CVE-2009-3129 XLS LES Request or Lybia Crisis from bran343@yahoo.com
Common Vulnerabilities and Exposures (CVE)number
CVE-2009-3129 Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
Just a quick post without any analysis. Have fun.
General File Information
File CTF 2011 (MF).xls or BBC Monitoring report
MD5 b4c83c1bfa52e8606ddc306625938c21
File size : 65559 bytes
Type: XLS
Distribution: Email Attachment
Download
Original Message
From: Brandy R [mailto:bran343@yahoo.com]Sent: Friday, March 25, 2011 5:26 AM
Subject: Fw: LES Request
Good morning,
Please find attached the LES's you requested.
Thank you and have a good day,
Christina Donald
Contractor, MPSC Systems Analyst ARNG Financial Services Center NGB -ARC-F
ATTN: NGB-ARC-F (Column 118D)
Finance Support Team Indianapolis
1-877-ARNGPAY (1-877-276-4729)
FAX CML 317-510-7017
EMAIL 2 Libya crisis
From: Brandy R
[mailto:bran343@yahoo.com]
Sent: Monday, March 28, 2011 9:34 AM
Subject: Libya crisis
Sent: Monday, March 28, 2011 9:34 AM
Subject: Libya crisis
FYI.
Message Headers
EMAIL 1 Fw: LES RequestReceived: (qmail 5543 invoked from network); 25 Mar 2011 09:26:12 -0000
Received: from web120112.mail.ne1.yahoo.com (HELO web120112.mail.ne1.yahoo.com) (98.138.85.159)
by XXXXXXXXXXXXXXXXXXwith SMTP; 25 Mar 2011 09:26:12 -0000
Received: (qmail 27995 invoked by uid 60001); 25 Mar 2011 09:26:12 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301045172; bh=Q62Ncyt0FmiR48qzSD2tYeVDQS315MhWUx3E6d4ifJE=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=X2I4ntxH/Fnul07T0st7CxQxfEX5Z6WewIv4veR5FX6ZKDioiQCxxLmvlFR/nRcScQgUWImSHirG2jMFJDig3Lp3urcsL1nRW14a0uo6cLySG+0KGvUxErwQfOPanoimt6cFe3T4wb+/gZLHKp7rpdEp2FCupPEYs+Dy4QkIbLg=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=yEOAl0r6EEbTisJcFejV8CFR38jDRwyX/JEMmQCtD0C//+gadqMg1lSADpI8/KQieDqj5/U50GVuY26xGBA3XB0LstVa88F9ib1UiB53eLB9+7+5iye3vJa3TlZHOvw56KMsD93wp4OUnn9KWGQEyEvsXyzV5ilQK9KmjdCW0x0=;
Message-ID: <126300.8410.qm@web120112.mail.ne1.yahoo.com>
X-YMail-OSG: OFUzx_AVM1n91t0zEacsTpDPyCacKf2bDHKoqB6Vn3hPfTd
IqUqiUZjNAJvjU.tBh7Y08mchb1DO6XwlWqlesWY6RC1xTnjPd16nUJfGWwR
Tuc9T.IQ3FpvpU0JBRq_l6KbOgoSsEVKnJmkkbrAZiNnN2Rt.4Ly9h4H.ZWP
LLFpLCn_yKWiQmmaTUXHNS4JTcJ_rU3VnM5Df3CT1HA8Y_nrHrMhWI5m3F46
tFQJvqGN0cORcXWmMhaQf8Rpikw7BY1uTWAd5S8Akf..VeQyvCrFedOPa3iV
cdC9kTJYEuZj4.x_6wdAcgem9V0AD8K4pXrMprRdlC.cjzCoFPIXgJQyzTcQ
IDMF3DDktcbnLDERPCsU3RgeXtQJZWVwwcqzu3NOxiOmt3IBYaVSUsUKl
Received: from [117.88.250.185] by web120112.mail.ne1.yahoo.com via HTTP; Fri, 25 Mar 2011 02:26:11 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Fri, 25 Mar 2011 02:26:11 -0700
From: Brandy R
Subject: Fw: LES Request
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-422978493-1301045171=:8410"
EMAIL 2 Libya crisis
Received: (qmail 31482 invoked from network); 28 Mar 2011 13:33:54 -0000
Received: from web120109.mail.ne1.yahoo.com (HELO web120109.mail.ne1.yahoo.com) (98.138.85.156)
by XXXXXXXXXXXXXXXXXXXX with SMTP; 28 Mar 2011 13:33:54 -0000
Received: (qmail 21672 invoked by uid 60001); 28 Mar 2011 13:33:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301319233; bh=KYu2+ZnqxcpYMv5Jjh4esqvHpQ0m1JZbZASUr8Yt8y0=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=HLo1/STzZ10/E7dyLoxHfdvAdRbkLoNYvn9FMIltVGVjIK7vuskv65yQGO2fkGSnCIC7modL5Doxocc0bJEBKDgBAS0yZ/YBoM5w3GFZYdlboS+q5rr6lU0u14vSFAPGBXzoTtiAybhKeR7q5nUzu3926eCuSq0scs4BHN4JAP0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=zJnVrp3C96n4JIp+/JrjPKMe+6V/FIUqAkF9W/X6PLPvwkTY687N00JS3fUQQg1Xfv6QrROmVJYqZqzzYqd0nsy7LWnl08HsXxa1vuQezTH8Tw5c2X6l5u7GdHPMNX9d0k6ifYaypGcN8GuWzSaR83EourWpARC3nHtLFobwFZU=;
Message-ID: <392361.59989.qm@web120109.mail.ne1.yahoo.com>
X-YMail-OSG: _o26bK0VM1kBRio8SdKmAGN2J9.AjMCRjJwMgZz3m5sgukn
kIjR.Bkmhk7uNNOdN7FD2sCVdKC2zdHC.LaIDIPoHk.LUlvwjfcFa_HR4jEJ
ep7vem6mDGvEMfsZRizMV.QwJ9JBnHc3N4a.4h.5Z4oBnpmhYhJQ0yI6A.Rw
KXH6WzOHEYDg3nIjRjmbT1pieLwUAoBErZ9_ynJ97G1ZVK2uXmG7bA0bRGwc
D2X_Z335W_0gHNJm2IBsC34Wo5qeRvR.i4Bb6LUhkzGFadB7Y0pQObaqumW.
SI2jy2na7kgoidxSlAiVkSzk.vL4Mf2DfO.wTW6l_k9P9xjPBEJkEcd0mt5t
_KLaw5bxapbg-
Received: from [117.88.171.49] by web120109.mail.ne1.yahoo.com via HTTP; Mon, 28 Mar 2011 06:33:52 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Mon, 28 Mar 2011 06:33:52 -0700
From: Brandy R
Subject: Libya crisis
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-993720929-1301319232=:59989"
Received: from web120109.mail.ne1.yahoo.com (HELO web120109.mail.ne1.yahoo.com) (98.138.85.156)
by XXXXXXXXXXXXXXXXXXXX with SMTP; 28 Mar 2011 13:33:54 -0000
Received: (qmail 21672 invoked by uid 60001); 28 Mar 2011 13:33:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1301319233; bh=KYu2+ZnqxcpYMv5Jjh4esqvHpQ0m1JZbZASUr8Yt8y0=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=HLo1/STzZ10/E7dyLoxHfdvAdRbkLoNYvn9FMIltVGVjIK7vuskv65yQGO2fkGSnCIC7modL5Doxocc0bJEBKDgBAS0yZ/YBoM5w3GFZYdlboS+q5rr6lU0u14vSFAPGBXzoTtiAybhKeR7q5nUzu3926eCuSq0scs4BHN4JAP0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
b=zJnVrp3C96n4JIp+/JrjPKMe+6V/FIUqAkF9W/X6PLPvwkTY687N00JS3fUQQg1Xfv6QrROmVJYqZqzzYqd0nsy7LWnl08HsXxa1vuQezTH8Tw5c2X6l5u7GdHPMNX9d0k6ifYaypGcN8GuWzSaR83EourWpARC3nHtLFobwFZU=;
Message-ID: <392361.59989.qm@web120109.mail.ne1.yahoo.com>
X-YMail-OSG: _o26bK0VM1kBRio8SdKmAGN2J9.AjMCRjJwMgZz3m5sgukn
kIjR.Bkmhk7uNNOdN7FD2sCVdKC2zdHC.LaIDIPoHk.LUlvwjfcFa_HR4jEJ
ep7vem6mDGvEMfsZRizMV.QwJ9JBnHc3N4a.4h.5Z4oBnpmhYhJQ0yI6A.Rw
KXH6WzOHEYDg3nIjRjmbT1pieLwUAoBErZ9_ynJ97G1ZVK2uXmG7bA0bRGwc
D2X_Z335W_0gHNJm2IBsC34Wo5qeRvR.i4Bb6LUhkzGFadB7Y0pQObaqumW.
SI2jy2na7kgoidxSlAiVkSzk.vL4Mf2DfO.wTW6l_k9P9xjPBEJkEcd0mt5t
_KLaw5bxapbg-
Received: from [117.88.171.49] by web120109.mail.ne1.yahoo.com via HTTP; Mon, 28 Mar 2011 06:33:52 PDT
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.295617
Date: Mon, 28 Mar 2011 06:33:52 -0700
From: Brandy R
Subject: Libya crisis
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-993720929-1301319232=:59989"
Sender
Sender EMAIL 2 Fw: LES Request117.88.250.185Hostname: 185.250.88.117.broad.nj.js.dynamic.163data.com.cn
ISP: CHINANET jiangsu province network
Organization: CHINANET jiangsu province network
Country: China
State/Region: Jiangsu
Sender EMAIL 1 Libya crisis
117.88.171.49
Hostname: 49.171.88.117.broad.nj.js.dynamic.163data.com.cn
ISP: CHINANET jiangsu province network
Organization: CHINANET jiangsu province network
Country: China
State/Region: Jiangsu
City: Nanjing
ISP: CHINANET jiangsu province network
Organization: CHINANET jiangsu province network
Country: China
State/Region: Jiangsu
City: Nanjing
Automated Scans
File name:CTF 2011 (MF).xls
http://www.virustotal.com/file-scan/report.html?id=4e88204771da198cd0a8a77741d927e0662a415c52e83b1fd7b696b97ca21f3c-1301454466
Submission date:2011-03-30 03:07:46 (UTC)
6/ 41 (14.6%)
ClamAV 0.96.4.0 2011.03.30 BC.XLS.Exploit.CVE_2009_3129
Jiangmin 13.0.900 2011.03.29 Heur:Exploit.CVE-2009-3129
McAfee 5.400.0.1158 2011.03.30 Exploit-MSExcel.u
McAfee-GW-Edition 2010.1C 2011.03.29 Exploit-MSExcel.u
Microsoft 1.6702 2011.03.30 Exploit:Win32/CVE-2009-3129
Sophos 4.64.0 2011.03.30 Troj/DocDrop-S
MD5 : b4c83c1bfa52e8606ddc306625938c21
Submission date:2011-03-30 03:07:46 (UTC)
6/ 41 (14.6%)
ClamAV 0.96.4.0 2011.03.30 BC.XLS.Exploit.CVE_2009_3129
Jiangmin 13.0.900 2011.03.29 Heur:Exploit.CVE-2009-3129
McAfee 5.400.0.1158 2011.03.30 Exploit-MSExcel.u
McAfee-GW-Edition 2010.1C 2011.03.29 Exploit-MSExcel.u
Microsoft 1.6702 2011.03.30 Exploit:Win32/CVE-2009-3129
Sophos 4.64.0 2011.03.30 Troj/DocDrop-S
MD5 : b4c83c1bfa52e8606ddc306625938c21
SAME MD5 http://www.virustotal.com/file-scan/report.html?id=4e88204771da198cd0a8a77741d927e0662a415c52e83b1fd7b696b97ca21f3c-1301338109 File name:BBC Monitoring reports..xls Submission date:2011-03-28 18:48:29 (UTC) Result:6 /43 (14.0%) |
Monday, March 21, 2011
Request for samples
I don't usually post these but if you happen to have any of these samples, would you please share.
You can email them to me (milaparkour [at] gmail) or upload them here. I will make them available for download here too. Thank you!
Click to download those files that are already available. Many thanks for sharing!
All together here or separate below
0d711f2049a6004cffe447dab78cd7e5 PDF - Virustotal
fd81375f921e6723698f62477c2f9dd2 ZIP Virustotal
b79acae1e48280f1b4d52e68e8b257ba
f973c87234cfc6d29ea46580e8154a8a
6da2c0c57543836e9d65f829db4a02b6
78afb95181180b58baeb0259a9148500
76667db5b3c01946050020bb0c56b6df
de3464432bc58cc1e5c2ebf3e3182f41
af9af27bebd08ade63a380d33e16099f
43c2aad81665ddf0e585f50771a20582 PDF Virustotal Join the mass lobby on March 10Students for a Free Tibet.pdf
b7db936e928b774ace570805bd2f19fe HLP Virustotal G20_REPORT.hlp-1 --- An excellent analysis by Shpata Skenderbeut is here- Shpata0xFF
cee5b36d53f221227ed0336c76f3762a PDF - Virustotal The National Military Strategy of the United States of Am[...].pdf
cfd98da8e0ba3d06410341c8c8e84570
9476ed0a007ba332b7da0a657b1608bd DOC Virustotal National situation.doc --- An excellent analysis by Shpata Skenderbeut is here- Shpata0xFF
c77c55cc391ff4370b7b386b73f3ccc5 PDF Virustotal Cybercrime and Cyberwar.pdf
c8581fd341459639f4e93361a1bb88e2 XLS Virustotal celebration plan.xls
53d54ffe118642102fe626649f9ffdba DOC Virustotal Impasses, Elections, and the Future of the Tibetan Issue .doc
cc380bfd97164aff5878075e78570ada India-United States Naval Cooperation.DOC Virustotal file-1938795_doc An excellent analysis by Shpata Skenderbeut is here- Shpata0xFF
caba55d2efa02358b90cc9413db63b92
049675afd5c9505b9715872d499b9389 PDF Virustotal Semshook Toronto Poster.pdf << Clean, presumably. Posted at the request of the group asking for these samples.
28f5ed6f32f3d9b800cf41c663b6c7f4 CHM Virustotal Desperate Choices.chm
bd863aeebf90fc2b02b6bbf83060178e
fb2c262466eb364657f30f312d87f987
6484267e2e6460384e3f8698aab4a685
You can email them to me (milaparkour [at] gmail) or upload them here. I will make them available for download here too. Thank you!
Click to download those files that are already available. Many thanks for sharing!
All together here or separate below
0d711f2049a6004cffe447dab78cd7e5 PDF - Virustotal
fd81375f921e6723698f62477c2f9dd2 ZIP Virustotal
b79acae1e48280f1b4d52e68e8b257ba
f973c87234cfc6d29ea46580e8154a8a
6da2c0c57543836e9d65f829db4a02b6
78afb95181180b58baeb0259a9148500
76667db5b3c01946050020bb0c56b6df
de3464432bc58cc1e5c2ebf3e3182f41
af9af27bebd08ade63a380d33e16099f
43c2aad81665ddf0e585f50771a20582 PDF Virustotal Join the mass lobby on March 10Students for a Free Tibet.pdf
b7db936e928b774ace570805bd2f19fe HLP Virustotal G20_REPORT.hlp-1 --- An excellent analysis by Shpata Skenderbeut is here- Shpata0xFF
cee5b36d53f221227ed0336c76f3762a PDF - Virustotal The National Military Strategy of the United States of Am[...].pdf
cfd98da8e0ba3d06410341c8c8e84570
9476ed0a007ba332b7da0a657b1608bd DOC Virustotal National situation.doc --- An excellent analysis by Shpata Skenderbeut is here- Shpata0xFF
c77c55cc391ff4370b7b386b73f3ccc5 PDF Virustotal Cybercrime and Cyberwar.pdf
c8581fd341459639f4e93361a1bb88e2 XLS Virustotal celebration plan.xls
53d54ffe118642102fe626649f9ffdba DOC Virustotal Impasses, Elections, and the Future of the Tibetan Issue .doc
cc380bfd97164aff5878075e78570ada India-United States Naval Cooperation.DOC Virustotal file-1938795_doc An excellent analysis by Shpata Skenderbeut is here- Shpata0xFF
caba55d2efa02358b90cc9413db63b92
049675afd5c9505b9715872d499b9389 PDF Virustotal Semshook Toronto Poster.pdf << Clean, presumably. Posted at the request of the group asking for these samples.
28f5ed6f32f3d9b800cf41c663b6c7f4 CHM Virustotal Desperate Choices.chm
bd863aeebf90fc2b02b6bbf83060178e
fb2c262466eb364657f30f312d87f987
6484267e2e6460384e3f8698aab4a685
Tuesday, March 15, 2011
CVE-2011-0609 - Adobe Flash Player ZeroDay - Update
Common Vulnerabilities and Exposures (CVE)number
A critical
vulnerability exists in Adobe Flash Player 10.2.152.33 and earlier
versions (Adobe Flash Player 10.2.154.18 and earlier for Chrome users)
for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash
Player 10.1.106.16 and earlier versions for Android, and the
Authplay.dll component that ships with Adobe Reader and Acrobat X
(10.0.1) and earlier 10.x and 9.x versions of Reader and Acrobat for
Windows and Macintosh operating systems.
General File Information
SAMPLE1
File crsenvironscan.xls
MD5 4BB64C1DA2F73DA11F331A96D55D63E2
File size : 126,444 bytes
Type: XLS
Distribution: Email attachment
SAMPLE 2
File survey-questions_2011.xls
MD5 4031049FE402E8BA587583C08A25221A
File size : 108032 bytes
Type: XLS
Distribution: Email attachment
SAMPLE 3
File Tentative Agenda.xls
MD5 d8aefd8e3c96a56123cd5f07192b7369
File size : 123300 bytes
Type: XLS
Distribution: Email attachment
SAMPLE4
File Nuclear Radiation Exposure And Vulnerability Matrix.xls
MD5 7CA4AB177F480503653702B33366111F
File size : 279616 bytes
Type: XLS
Distribution: Email attachment
Download
Download CVE-2011-0609 as a password protected archive. (Email me if you need the password)
Files included
- CVE-2011-0609_XLS-SWF-2011-03-08_4BB64C1DA2F73DA11F331A96D55D63E2_crsenvironscan.xls
- CVE-2011-0609_XLS-SWF_2011-03-12_4031049FE402E8BA587583C08A25221A_survey-questions_2011.xls
- CVE-2011-0609_XLS-SWF_2010-03_d8aefd8e3c96a56123cd5f07192b7369_Tentative Agenda.xls
- CVE-2011-0609_XLS-SWF_2011-03-17_Nuclear Radiation Exposure And Vulnerability Matrix.xls
Analysis Links
1. March 15 Villy from BugiX - Security Research posted an interesting static analysis of the malicious sample.Please check it out at CVE-2011-0609 - Adobe Flash Player ZeroDay
2. March 16 CVE-2011-0609 payload a.exe analysis http://shpata0xff.wordpress.com/2011/03/16/cve-2011-0609-payload-a-exe-analysis/
3. March 16 Trojan.Linxder and the Flash 0-day (CVE-2011-0609) FireEye Malware Intelligence Lab
4. March 16 Adobe Flash 0-day, China CNE Operators LoVeZ ‘em Veiled Shadows
5. March 18 Busting the APT can Wide Open -Veiled Shadows Very detailed and interesting post regarding connection of http://twitter.com/yuange1975 with this zero day exploit. I agree that yuange1975 on twitter is the author of the exploit or connected to the author, but am not sure whether the real yuange1975 or 袁哥, who is known as Yuan Colombian "the hacker #1" is the author of tweets, his real English skills are much worse - check out his Full Disclosure posts. The last Sample 4 also carries Yuan.SWF (thanks to villys777 for pulling it out) , which is another link to our friend. Please note, we are talking about the author of the exploit, not the senders. The senders of the payload are those who bought 0day from "Yuange" and used it for the attack. Now, would be nice to know who they are too.
6. March 18 A Technical Analysis on the CVE-2011-0609 Adobe Flash Player Vulnerability Jeong Wook Oh & Marian Radu
7. March 19 Attack Using CVE-2011-0609 shellcode and flash analysis by Broderick(F-Secure)
Original Message, Sender and Headers
SAMPLE1
Subject: Environmental Scan Matrix of Risk and Security Organizations
Partial headers
Received: from [75.148.254.114] by web121120.mail.ne1.yahoo.com via HTTP; Tue, 08 Mar 2011 05:57:57 PST
X-Mailer: YahooMailRC/559 YahooMailWebService/0.8.109.292656
Date: Tue, 8 Mar 2011 05:57:57 -0800 (PST)
SAMPLE 4
Received: (qmail 2936 invoked from network); 17 Mar 2011 14:54:06 -0000
Received: from mail-iw0-f195.google.com (HELO mail-iw0-f195.google.com) (209.85.214.195)
by XXXXXXXXXXXXXXXXXXX 17 Mar 2011 14:54:06 -0000
Received: by iwn19 with SMTP id 19so678003iwn.6
for XXXXXXXXXXXXX; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:date:message-id:subject:from:to
:content-type;
bh=0xRgb5+/fvZxd0/qwfyRCbJDcn6ChfzZlNrsKyAv2wc=;
b=qGVeBRR/w/6570uTsq5FFwodcGrtx2AfEjO99oW5dvgXV3mfqxhCy5Z2tEJDNOyMUx
ptroBCJneuZvbzhbieQ+AszVNPj5iK/R74AhWrOX7Qi2bd8zYXlPquoRLsOPA/tjtiO0
whvjpmP9PZoa0/bqKEYNXoiWY8aCvIqdTr+O0=
DomainKey-Signature: a=rsa-sha1; c=nofws;
d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=ad7u5tW0S8k16ETcmnMIxdWUwZdK5ImqIlb1/DJkhSycWu99llJVQEhx1E9flh6IPc
ie6Ed9DNccVoWoKyHWby/9ZImkDKRvt3tx4gNB/0azF/PAh71ZNRdZbHGiKNiAjETmC0
FyijnpVHFkwVMerRhj03F7VyQCCQR/hLU0uec=
MIME-Version: 1.0
Received: by 10.43.49.10 with SMTP id uy10mr1977189icb.407.1300373646197; Thu,
17 Mar 2011 07:54:06 -0700 (PDT)
Received: by 10.231.166.139 with HTTP; Thu, 17 Mar 2011 07:54:06 -0700 (PDT)
Date: Thu, 17 Mar 2011 10:54:06 -0400
Message-ID:
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis
From: Merrie Sasaki
To: XXXXXXXXXXX
Content-Type: multipart/mixed; boundary="bcaec529952141c4e3049eaed56e"
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis
From: Merrie Sasaki
To: XXXXXXXXXXX
Content-Type: multipart/mixed; boundary="bcaec529952141c4e3049eaed56e"
Original Message
SAMPLE 4
From: Merrie Sasaki [mailto:merrie.sasaki@gmail.com]Sent: Thursday, March 17, 2011 10:54 AM
To: XXXXXXXXXXXXXXX
Subject: Japan Nuclear Radiation Leakage and Vulnerability Analysis
The team has poured in heart and full dedication into this.
Would be grateful if you appreciate it.
V/r,
Merrie
Dr. Merrie Sasaki
Team Leader, Nuclear Materials Operation
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
21 Church Street: C2-A07M
Washington, DC 20555
Automatic Scans
File name:crsenvironscan.xl_
Submission date:2011-03-16 10:21:16 (UTC)
Result:9 /43 (20.9%)
http://www.virustotal.com/file-scan/report.html?id=350943b8187458d880cd47ed881d0695e1373d44ed55a1ff963c631173bff06a-1300270876
AhnLab-V3 2011.03.16.04 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
Commtouch 5.2.11.5 2011.03.16 MSExcel/Dropper.B!Camelot
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
Emsisoft 5.1.0.2 2011.03.16 Exploit.CVE-2011-0609!IK
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Ikarus T3.1.1.97.0 2011.03.16 Exploit.CVE-2011-0609
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
TrendMicro-HouseCall 9.200.0.1012 2011.03.16 TROJ_ADOBFP.B
MD5 : 4bb64c1da2f73da11f331a96d55d63e2
File name:survey-questions_2011.xls
http://www.virustotal.com/file-scan/report.html?id=454f624958298bf76c5b7ffa1509159b827856095d41672707fcf6416a818ddb-1300269042
Submission date:2011-03-16 11:21:13 (UTC)
Current status:queued queued analysing finished
Result:13/ 43 (30.2%)
AhnLab-V3 2011.03.16.04 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
Emsisoft 5.1.0.2 2011.03.16 Win32.SuspectCrc!IK
eSafe 7.0.17.0 2011.03.15 Win32.Dropper
F-Secure 9.0.16440.0 2011.03.14 Exploit:W32/XcelDrop.F
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Ikarus T3.1.1.97.0 2011.03.16 Win32.SuspectCrc
Kaspersky 7.0.0.125 2011.03.16 Trojan-Dropper.MSExcel.SwfDrop.a
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
Symantec 20101.3.0.103 2011.03.16 Trojan.Dropper
TrendMicro 9.200.0.1012 2011.03.16 TROJ_ADOBFP.A
TrendMicro-HouseCall 9.200.0.1012 2011.03.16 TROJ_ADOBFP.A
MD5 : 4031049fe402e8ba587583c08a25221a
File name: Tentative Agenda.xls
http://www.virustotal.com/file-scan/report.html?id=db04002f898e2e8090a2cf1bb3af615d478d746f8986aef7a715e2e322abe42b-1300298219
Result: 8/ 43 (18.6%)
AhnLab-V3 2011.03.17.00 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
Commtouch 5.2.11.5 2011.03.16 MSExcel/Dropper.B!Camelot
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
Sophos 4.63.0 2011.03.16 Troj/XLSDrp-A
VIPRE 8722 2011.03.16 Exploit.SWF.CVE-2011-0609.a (v)
MD5 : d8aefd8e3c96a56123cd5f07192b7369
Nuclear Radiation Exposure And Vulnerability Matrix.xls
Submission date:2011-03-19 15:06:10 (UTC)
Result:8/ 43 (18.6%)
http://www.virustotal.com/file-scan/report.html?id=c4ad40b6b002039fb07bd6539f9003dffb0f46440822e85198a8502a3828d3a3-1300547170
AntiVir 7.11.5.1 2011.03.18 DR/OLE.HiddenEXE.Gen
AVG 10.0.0.1190 2011.03.19 Generic21.AVXW
BitDefender 7.2 2011.03.19 Exploit.D-Encrypted.Gen
Commtouch 5.2.11.5 2011.03.19 MSExcel/Dropper.B!Camelot
F-Secure 9.0.16440.0 2011.03.19 Exploit.D-Encrypted.Gen
GData 21 2011.03.19 Exploit.D-Encrypted.Gen
McAfee 5.400.0.1158 2011.03.19 Exploit-CVE2011-0609
Sophos 4.63.0 2011.03.19 Mal/PdfExDr-B
MD5 : 7ca4ab177f480503653702b33366111f
Submission date:2011-03-16 10:21:16 (UTC)
Result:9 /43 (20.9%)
http://www.virustotal.com/file-scan/report.html?id=350943b8187458d880cd47ed881d0695e1373d44ed55a1ff963c631173bff06a-1300270876
AhnLab-V3 2011.03.16.04 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
Commtouch 5.2.11.5 2011.03.16 MSExcel/Dropper.B!Camelot
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
Emsisoft 5.1.0.2 2011.03.16 Exploit.CVE-2011-0609!IK
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Ikarus T3.1.1.97.0 2011.03.16 Exploit.CVE-2011-0609
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
TrendMicro-HouseCall 9.200.0.1012 2011.03.16 TROJ_ADOBFP.B
MD5 : 4bb64c1da2f73da11f331a96d55d63e2
File name:survey-questions_2011.xls
http://www.virustotal.com/file-scan/report.html?id=454f624958298bf76c5b7ffa1509159b827856095d41672707fcf6416a818ddb-1300269042
Submission date:2011-03-16 11:21:13 (UTC)
Current status:queued queued analysing finished
Result:13/ 43 (30.2%)
AhnLab-V3 2011.03.16.04 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
Emsisoft 5.1.0.2 2011.03.16 Win32.SuspectCrc!IK
eSafe 7.0.17.0 2011.03.15 Win32.Dropper
F-Secure 9.0.16440.0 2011.03.14 Exploit:W32/XcelDrop.F
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Ikarus T3.1.1.97.0 2011.03.16 Win32.SuspectCrc
Kaspersky 7.0.0.125 2011.03.16 Trojan-Dropper.MSExcel.SwfDrop.a
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
Symantec 20101.3.0.103 2011.03.16 Trojan.Dropper
TrendMicro 9.200.0.1012 2011.03.16 TROJ_ADOBFP.A
TrendMicro-HouseCall 9.200.0.1012 2011.03.16 TROJ_ADOBFP.A
MD5 : 4031049fe402e8ba587583c08a25221a
File name: Tentative Agenda.xls
http://www.virustotal.com/file-scan/report.html?id=db04002f898e2e8090a2cf1bb3af615d478d746f8986aef7a715e2e322abe42b-1300298219
Result: 8/ 43 (18.6%)
AhnLab-V3 2011.03.17.00 2011.03.16 Dropper/Cve-2011-0609
BitDefender 7.2 2011.03.16 Exploit.CVE-2011-0609.A
Commtouch 5.2.11.5 2011.03.16 MSExcel/Dropper.B!Camelot
DrWeb 5.0.2.03300 2011.03.16 Exploit.SWF.169
GData 21 2011.03.16 Exploit.CVE-2011-0609.A
Microsoft 1.6603 2011.03.16 Trojan:Win32/Malfws.A
Sophos 4.63.0 2011.03.16 Troj/XLSDrp-A
VIPRE 8722 2011.03.16 Exploit.SWF.CVE-2011-0609.a (v)
MD5 : d8aefd8e3c96a56123cd5f07192b7369
Nuclear Radiation Exposure And Vulnerability Matrix.xls
Submission date:2011-03-19 15:06:10 (UTC)
Result:8/ 43 (18.6%)
http://www.virustotal.com/file-scan/report.html?id=c4ad40b6b002039fb07bd6539f9003dffb0f46440822e85198a8502a3828d3a3-1300547170
AntiVir 7.11.5.1 2011.03.18 DR/OLE.HiddenEXE.Gen
AVG 10.0.0.1190 2011.03.19 Generic21.AVXW
BitDefender 7.2 2011.03.19 Exploit.D-Encrypted.Gen
Commtouch 5.2.11.5 2011.03.19 MSExcel/Dropper.B!Camelot
F-Secure 9.0.16440.0 2011.03.19 Exploit.D-Encrypted.Gen
GData 21 2011.03.19 Exploit.D-Encrypted.Gen
McAfee 5.400.0.1158 2011.03.19 Exploit-CVE2011-0609
Sophos 4.63.0 2011.03.19 Mal/PdfExDr-B
MD5 : 7ca4ab177f480503653702b33366111f
Mar 14 CVE-2010-3333 Disaster in Japan: Watch Report from spoofed mail@response.stratfor.com
Common Vulnerabilities and Exposures (CVE)number
CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003
SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office
for Mac 2011, and Open XML File Format Converter for Mac allows remote
attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack
Buffer Overflow Vulnerability
Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087) 29 Dec 2010 12:10 PM
General File Information
File Disaster in Japan (Watch Report).doc
MD5 7b3208b1dc28b2d5f7641aa212e6aabf
SHA1 8a60a2183a044bbeae90f0354acdbf6f6f052925
File size : 62464 bytes
Type: DOC
Distribution: Email attachment
Download
Friday, March 11, 2011
ESET Nod32 false positive on Java
Update March 16, 2011.
Argh, once again, they detect java as malware. If you have a large enterprise and every user clicks "Clean", you have a lot of computers with damaged Java. Annoying.Anyway, it is fixed in update 5960. It will not fix the broken java or your nerves but will stop the nagging screens.
Tuesday, March 1, 2011
Feb 25 CVE-2010-3333 DOC China's Military Build-up from a compromised IBEW-NECA Joint Trust Funds account
Common Vulnerabilities and Exposures (CVE)number
CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003
SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office
for Mac 2011, and Open XML File Format Converter for Mac allows remote
attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack
Buffer Overflow Vulnerability
Please read a technical analysis of this vulnerability on the Microsoft Threat Research & Response Blog Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087) 29 Dec 2010 12:10 PM
General File Information
File China's Military Build-up in the Early Twenty-first Century
MD5 02B77C3941478A05F2EE6559E3B76FB6
SHA1 cd7a8327dc8917d90bdbe693a310fa75a43a1ae0
File size : 214503 bytes
Type: PDF
Distribution: Email attachment
Download
Sender: It appears that the message is not spoofed but was sent from a compromised account, which belongs to an existing employee of "The Local 26 IBEW-NECA Joint Trust Funds" located in Laurel, Maryland.
This mail server IP 69.85.28.235 is not shared by multiple customers and it was already featured by the Project Honeypot for sending phishing mail
It appears to be a hosted mail server. Please see more information about this in the Sender section below.
This mail server IP 69.85.28.235 is not shared by multiple customers and it was already featured by the Project Honeypot for sending phishing mail
It appears to be a hosted mail server. Please see more information about this in the Sender section below.
Attachment: The attachment is a malicious word (RTF) document (CVE-2010-3333), with the payload described below plus a clean word document - the paper named in the subject of the message "China’s military build-up in the early twenty-first century : from arms procurement to war-fighting capability" The paper itself in pdf format is available at the Nanyang Technological University website (Singapore)
Payload: The embedded binary (Trojan.CryptRedol.Gen.3) creates a copy of itself (same MD5 each time) with a new name in %userprofile%\Local Settings, connects to an IP in Thailand, creates a registry setting to run on startup, it runs under svchost.exe.
The names match standard Windows DLL and EXE files. There are
List of possible names:
Alerter.exe
AppMgmt.exe
CiSvc.exe
ClipSrv.exe
COMSysApp.exe
dmadmin.exe
Dot3svc.exe
EapHost.exe
HidServ.exe
hkmsvc.exe
ImapiService.exe
Messenger.exe
mnmsrvc.exe
MSDTC.exe
MSIServer.exe
napagent.exe
NetDDE.exe
NetDDEdsdm.exe
Netlogon.exe
NtLmSsp.exe
NtmsSvc.exe
ose.exe
RasAuto.exe
RDSessMgr.exe
RemoteAccess.exe
rpcapd.exe
RpcLocator.exe
RSVP.exe
SwPrv.exe
SysmonLog.exe
TlntSvr.exe
upnphost.exe
UPS.exe
VSS.exe
WmdmPmSN.exe
Wmi.exe
WmiApSrv.exe
wuauserv.exe
xmlprov.exe
Subscribe to:
Posts (Atom)