Pages

Friday, April 29, 2011

Hwp.exe in Apr. 8 CVE-2011-0611 Flash Player Zero day - SWF in DOC/ XLS - Disentangling Industrial Policy..


According to Cédric Gilbert (SkyRecon R&D), the shellcode’s last command include a “taskkill /im hwp.exe”. This hwp.exe file could be related to a South-Korean Word Processor Software :
“Hangul Word Processor or HWP”. According to Wikipedia :
It is used extensively in South Korea, especially by the government.
According to Hangul’s website, this word processor handle Microsoft .DOC & .DOCX documents.
So the questions are
  1. Is the infected doc with zero-day also ‘compatible’ with it ?
  2. Was it used on targets in Korea or targets who use this processor?
  3. Was it made in Korea?

Your comments and thoughts are welcome.
thanks,

Tuesday, April 26, 2011

Please welcome "Targeted Email Attacks http://targetedemailattacks.tumblr.com"


Targeted Email Attacks
http://targetedemailattacks.tumblr.com/  

these are targeted attacks received by the US-Taiwan Business Council. We are not related but somehow share the same set of overseas "friends" - I recognize many messages posted there and even received targeted messages designed to look like they came from that organization.
The author does not post samples but provides links to Virustotal  so it gives a good idea of what it is.
 

Monday, April 25, 2011

Contagio data - targeted email senders by country / source

 It is what it is.  Analysis of email headers from emails sent to one targeted domain (Nov, 2009 - April 2011). Headers were analyzed to find IP addresses of the sending mail servers. Some of them are compromised, some belong to/leased by attackers. Only Gmail does not allow tracing the senders IP. It is shame, I wish they listed the sender IP addresses.

I can post more detailed statistics, if you are interested, drop me a line.
My dataset is small and not great for industry averages but I still think it is a good representative of the of the situation.

Please note this is based on Contagio data only, which includes targeted messages with malicious attachments meant to compromise networks, steal data (so called APT stuff) and does not include regular spam, banking trojans, and mass mailed malware.

Friday, April 22, 2011

Apr 22 CVE-2011-0611 PDF-SWF Marshall Plan for the North Africa.pdf with Win32/Ixeshe.E

Common Vulnerabilities and Exposures (CVE)number

CVE-2011-0611 -- Adobe Flash Player 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; 10.2.154.25 and earlier for Chrome; and 10.2.156.12 and earlier for Android; Adobe AIR 2.6.19120 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.3 and 10.x through 10.0.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, related to a size inconsistency in a "group of included constants," object type confusion, and Date objects, as demonstrated by a .swf file embedded in a Microsoft Word document, and as exploited in the wild in April 2011.

  General File Information

File  Marshall Plan for the North Africa.pdf
MD5: 6d5fb801b890bfa7cc737c018e87e456
SHA1: 441cfe9d31d271262ff693e83daa1b4fefa0e2c4
SHA256: afe8d2abf6807bb1b83affc20b8fcb424d75cb7ce340c900b59daeb9b3edc628
File size: 464485 bytes
Type:  PDF
Distribution: Email attachment

Read more...

Download

Original Message

From: Christy Serrato [mailto:serrato.christy@gmail.com]
Sent: Friday, April 22, 2011 10:32 AM
To: XXXXXXXX
Subject: Marshall Plan for the North Africa

I reach out to you for advice about an initiative we are considering launching for North Africa.The Nicole Berggruen Institute is an action oriented think tank that seeks implement effective systems of governance through projects at various levels across the globe. One such project is the development of a Marshall Plan for the North Africa.
   
How I am hoping you can help is to provide insight and advice on what is currently happening within the region.
    
Thank you in advance for anytime you can give me. I look forward to your reply soon.

Serrato Christy
Senior Program Manager
Middle East and North Africa
NICOLAS BERGGRUEN INSTITUTE

Message Headers


Gmail :(
Received: by wwb39 with SMTP id 39so636530wwb.6        for ;
 Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=4CUY8j8jGJeAnrD/Qo6HSZGR94sdW5P0d67wOrEK55A=;
        b=YADFFJft8LGJmZQoFG+R7nLFlREhueyUJDUULLTy5rbU5ahHOmH/B3VDiHLKxJRDWa
         MFT0VjRiQenP/RjOBKG6uxZPRAkwztUUKD1mPmN7RMOO1lmOuQS2CTtFwGvtxuSPZsG1
         LE0nZf4nZi3CkI7LUx9Ficawc/KRajrJ1StdQ=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:date:message-id:subject:from:to:content-type;
        b=Om90qyH/txeauhB/b9dr5k/r+FrEABSYzih46JA2QyeA9RDErNdPZnbJpeA4jWMgg0
         /JongciwiC7zE+TVEZDQorGv9qNswKt2dVO7lBgYBkC5ohabgwHqBlK/uBGuSBikkMF0
         8ikYcIMZ33QM7846FCG1HH4k07OWOKz8MGqRo=
MIME-Version: 1.0
Received: by 10.227.165.194 with SMTP id j2mr1203487wby.178.1303482722563;
 Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
Received: by 10.227.157.66 with HTTP; Fri, 22 Apr 2011 07:32:02 -0700 (PDT)
Date: Fri, 22 Apr 2011 22:32:02 +0800
Message-ID: BANLkTikPU6AS48Gyr9BhwKQvN1jmkZ70Sw@mail.gmail.com
Subject: Marshall Plan for the North Africa
From: Christy Serrato
To: XXXXXXXXXXX
Content-Type: multipart/mixed; boundary="90e6ba4768d9a63a6a04a182b841"
Return-Path: serrato.christy@gmail.com


Automated Scans

 Marshall Plan for the North Africa.pdf 
Antivirus Version Last update Result
Avast5 5.0.677.0 2011.04.25 SWF:Agent-K
Commtouch 5.3.2.6 2011.04.25 JS/Pdfka.V
DrWeb 5.0.2.03300 2011.04.25 Exploit.PDF.2177
eTrust-Vet 36.1.8289 2011.04.25 PDF/CVE-2010-1297.B!exploit
Microsoft 1.6802 2011.04.25 Exploit:SWF/CVE-2011-0611.I
TrendMicro 9.200.0.1012 2011.04.25 TROJ_PIDIEF.SMDX
TrendMicro-HouseCall 9.200.0.1012 2011.04.25 TROJ_PIDIEF.SMDX
MD5: 6d5fb801b890bfa7cc737c018e87e456
SHA1: 441cfe9d31d271262ff693e83daa1b4fefa0e2c4
SHA256: afe8d2abf6807bb1b83affc20b8fcb424d75cb7ce340c900b59daeb9b3edc628
File size: 464485 bytes
Scan date: 2011-04-25 15:29:18 (UTC)



Analysis Details

-Flash embedded in the file

Extracted flash

AntivirusVersionLast updateResult
Avast4.8.1351.02011.04.25SWF:Agent-K
Avast55.0.677.02011.04.25SWF:Agent-K
GData222011.04.25SWF:Agent-K
Symantec20101.3.2.892011.04.25Trojan.Dropper
MD5: c56dd87772312ba032fc6ac8928d480f
SHA1: 1fe3478d65ba9508b1fdc31d6b3e67b336b06b95
SHA256: fff09d52d2fedc1a85fa04f75fe9a8295a57ddc39d4888ce65662e7a7b9671c0
File size: 7461 bytes
Scan date: 2011-04-25 17:32:54 (UTC)

Action script 


Files Created

%TEMP%

Marshall Plan for the North Africa.pdf  - clean dropped file

MD5: 93b600d4d641321dae860d179d8a35cf

AcroRd32.exe
The file runs as an exe and can be seen in the Windows Task Manager. It installs a link to itself in the Windows Startup folder %Programs%\Startup\Adobe Reader Speed Launcher.lnk
 
MD5: 39822adc9bc7747dadd212e0338948cb


http://www.virustotal.com/file-scan/report.html?id=b32482d120f24d88f06edb974e92b301e4bd9be99e5ee7f10e9e6dce1a557192-1303748025#
Antivirus Version Last update Result
NOD32 6069 2011.04.25 a variant of Win32/Ixeshe.E
Panda 10.0.3.5 2011.04.25 Suspicious file
MD5: 39822adc9bc7747dadd212e0338948cb
SHA1: 00d9650584489914016941fbe28cd1c02306a34b
SHA256: b32482d120f24d88f06edb974e92b301e4bd9be99e5ee7f10e9e6dce1a557192
File size: 430080 bytes
Scan date: 2011-04-25 16:13:45 (UTC)

From ThreatExpert 
Filename(s)File SizeFile Hash
1%Programs%\Startup\Adobe Reader Speed Launcher.lnk1,464 bytesMD5: 0x6A4CD2DA75F64AF7C402BE5BFBC516BD
SHA-1: 0x6F02199A721848449AB4992307220D1F732DA24C
2[file and pathname of the sample #1]430,080 bytesMD5: 0x39822ADC9BC7747DADD212E0338948CB
SHA-1: 0x00D9650584489914016941FBE28CD1C02306A34B

Network activity

----
  • There was registered attempt to establish connection with the remote host. The connection details are:

Remote HostPort Number
68.16.99.165443
  • The following GET request was made:
    • /AWS7446.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
  • The data identified by the following URLs was then requested from the remote web server:
    • http://68.16.99.165/AWS7394.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
    • http://68.16.99.165/AWS7414.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
    • http://68.16.99.165/AWS7437.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
    • http://68.16.99.165/AWS7463.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA
    • http://68.16.99.165/AWS7473.jsp?2rlfgi5C/Sn0TRDqQj5c/Sn0TRDqQvDwTsnJgrl8UaZSxRVYPsUcGjF2GjZoPr/qgspwPrVFPaZN/SnrxRpqGjZFTrK7=MH32b5wPI27=hTL=aYdQ4vV=M9Bph7k=h29Qhvo0aLKQjpJPbYA

Host names sharing IP with A records (4)  - from Robtex

Hostname:    adsl-068-016-099-165.sip.asm.bellsouth.net
ISP:    BellSouth.net
Organization:    BellSouth.net
State/Region:    Georgia
  USA
City:    Norcross

adsl-068-016-099-165.sip.asm.bellsouth.net
mail.the-joy-of-travel.com
the-joy-of-travel.com
www.the-joy-of-travel.com




China



Thursday, April 21, 2011

Apr 20 CVE-2011-0611 PDF - SWF China's Charm diplomacy + more from 69.169.145.80 / 124.160.110.242

Common Vulnerabilities and Exposures (CVE)number

CVE-2011-0611 -- Adobe Flash Player 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; 10.2.154.25 and earlier for Chrome; and 10.2.156.12 and earlier for Android; Adobe AIR 2.6.19120 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.3 and 10.x through 10.0.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, related to a size inconsistency in a "group of included constants," object type confusion, and Date objects, as demonstrated by a .swf file embedded in a Microsoft Word document, and as exploited in the wild in April 2011.

  General File Information

File China's Charm diplomacy in BRICS Summit.pdf
MD5: ae39b747e4fe72dce6e5cdc6d0314c02
SHA1: 18306c34c5769f66573b725dce70a353ff549857
SHA256: f4e861eec510a0d38ae8fa54b630fdda40011891d12925e0e74da39d9280ddd8
File size: 411558 bytes

Type:  PDF
Distribution: Email attachment

 

File The Obama Administration and the Middle East.pdf
MD5: 2368a8f55ee78d844896f05f94866b07
SHA1: f636e24d394e2d6084af877271ef488153b63181
SHA256: 6d05bb31f4ae3f1a2e03879396c301e8bd7f5f53c368e16b006baa459d61c040
File size: 411562 bytes

Type:  PDF
Distribution: Email attachment

 

File  Russia's profit from general NATO disunity.pdf
MD5: 4065b98fdcb17a081759061306239c8b
SHA1: bc50074e7b672a59b961f281708b652323a7acc3
SHA256: 3701a5da3f1836d48e10e09b4245d9a53b0ba685732cac69cea0b672cf7b3afb
File size: 411562 bytes

Type:  PDF
Distribution: Email attachment

Post updates

 More attacks with the same payload from the same sender. See analysis here http://contagiodump.blogspot.com/2011/04/apr-22-cve-2011-0611-pdf-swf-marshall.html

Download

Adobe Reader 9.4.4 released today, April 21, 2011 will resolve this issue.Adobe Reader 9.4.3 (even with the lastest Flash Player) and below is vulnerable. 


Apr 21 CVE-2011-0611 PDF - SWF Data requirements.pdf from williams.jennifer16@yahoo.com 65.49.2.181

Common Vulnerabilities and Exposures (CVE)number

CVE-2011-0611 -- Adobe Flash Player 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; 10.2.154.25 and earlier for Chrome; and 10.2.156.12 and earlier for Android; Adobe AIR 2.6.19120 and earlier; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader and Acrobat 9.x through 9.4.3 and 10.x through 10.0.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content, related to a size inconsistency in a "group of included constants," object type confusion, and Date objects, as demonstrated by a .swf file embedded in a Microsoft Word document, and as exploited in the wild in April 2011.

  General File Information

File Name Data requirements.pdf
MD5: 0d3584985627fa1c7b39c8cc8a870e58
SHA1: 3a29e57930bbfe4467b037c12e1f11a032e43420
SHA256: 773afdbd5a52aa2685857ccece94c2920e3bd9b74b2a2cfed86befc61b3b9dec
File size: 44073 bytes
File Type: PDF
Distribution: Email attachment

Download


Original Message



 From: Jennifer Williams [mailto:williams.jennifer16@yahoo.com]
Sent: Thursday, April 21, 2011 10:05 AM
To: XXXXXX
Subject: Initialization

The attachment is only an initialization,some amendment should be made. Please give us some advice.