Tuesday, May 3, 2011

May 3 CVE-2010-3333 DOC Courier who led U.S. to Osama bin Laden's hideout identified

Common Vulnerabilities and Exposures (CVE) number


Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability."

  General File Information

File   Laden's Death.doc
MD5   dad4f2a0f79db83f8976809a88d260c5
SHA256  4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
File size : 163065 bytes
Type:  DOC
Distribution: Email attachment
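The attachment carries a .doc name, but the CVE text above describes crafted RTF data and the F-Secure write-up calls it an RTF exploit. The triage helper below is added here as an example; it is not code from the original post or from any of the analysts credited on it. It hashes a candidate file, compares the result against the indicators listed above (MD5, SHA1, SHA256, size), and flags RTF content hiding behind a .doc extension together with the pFragments shape property whose parser holds the CVE-2010-3333 overflow (MS10-087). The RTF skeleton at the bottom is constructed for the demonstration and is not the real attachment; all function and constant names are the example's own.

```python
"""
Triage for a suspected CVE-2010-3333 attachment: hash the file, match it
against the indicators published for "Laden's Death.doc", and flag RTF
content that hides behind a .doc name (what this sample did), plus the
pFragments shape property whose parser holds the overflow.
"""
import hashlib
import re
from typing import Optional

# Indicators copied from this page (attachment hashes and size).
KNOWN_IOCS = {
    "md5": {"dad4f2a0f79db83f8976809a88d260c5": "Laden's Death.doc"},
    "sha1": {"d563029a2dfe3cfcddc7326b1b486213095e58e5": "Laden's Death.doc"},
    "sha256": {"4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342": "Laden's Death.doc"},
    "size": {163065: "Laden's Death.doc"},
}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # genuine binary .doc (OLE compound file)
RTF_MAGIC = b"{\\rtf"                             # RTF text, whatever the extension says

# CVE-2010-3333 (MS10-087) is the stack overflow in Word's handling of the
# pFragments shape property. Its presence alone is not proof of an exploit,
# but it is the control word to look for first in a suspect RTF.
PFRAGMENTS_RE = re.compile(rb"\\sn\s*pFragments", re.IGNORECASE)


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 and size, keyed the same way KNOWN_IOCS is."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def lookup_ioc(**digests) -> Optional[str]:
    """Return the indicator label for the first matching hash or size, else None."""
    for kind, value in digests.items():
        hit = KNOWN_IOCS.get(kind, {}).get(value)
        if hit:
            return hit
    return None


def triage(data: bytes, filename: str) -> dict:
    """Hashes, IOC match, container type, and the two RTF red flags for one file."""
    h = hashes(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    is_rtf = data.lstrip().startswith(RTF_MAGIC)
    is_ole = data.startswith(OLE_MAGIC)
    return {
        **h,
        "known_ioc": lookup_ioc(**h),
        "is_rtf": is_rtf,
        "is_ole": is_ole,
        "rtf_in_doc": is_rtf and ext == "doc",
        "has_pfragments": bool(is_rtf and PFRAGMENTS_RE.search(data)),
    }


# Constructed sample: an RTF skeleton with a pFragments property, NOT the real
# attachment. Saved under the phish's file name to show the extension mismatch.
CONSTRUCTED_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}"
    b"{\\shp{\\*\\shpinst{\\sp{\\sn pFragments}{\\sv 1;4;AAAAAAAA}}}}"
    b"\\par }"
)

if __name__ == "__main__":
    for key, value in triage(CONSTRUCTED_RTF, "Laden's Death.doc").items():
        print(f"{key:15} {value}")
```

Run it against a real file with `triage(open(path, "rb").read(), path)`; a hit in `known_ioc` is this exact sample, while `rtf_in_doc` and `has_pfragments` catch re-weaponised variants that no hash will match.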

Post Updates

May 6   Updated analysis by Hermes Bojaxhi from CyberESI 

May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit

May 4, 2011 Kate Milton sent the extracted binary (decoded and not) and the decoy clean file. Many thanks.

It was sent to many targets in the US Government today.

Also see the same payload in the following messages



Tue, 03 May 2011 11:34:06 -0400 (EDT)
Message-ID: <000c01cc0998$15c8ec70$>
Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
Date: Tue, 3 May 2011 21:43:28 +0800
X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2929
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168

This is a multi-part message in MIME format.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

To whom it may concern.


Content-Type: application/octet-stream;
        name="Laden's Death.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Laden's Death.doc"

Sender (there are other IPs from that company used as well)

Lotus Notes mail server, apparently compromised

ISP:    New Century InfoComm Tech. Co., Ltd.
Assignment:    Static IP
Country:    Taiwan

Automated Scans

File name: Laden's Death.doc
Submission date: 2011-05-03 15:34:52 (UTC)
Result: 1/41 (2.4%)
Commtouch    2011.05.03    CVE-2010-3333!Camelot
Show all
MD5   : dad4f2a0f79db83f8976809a88d260c5
SHA1  : d563029a2dfe3cfcddc7326b1b486213095e58e5
SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
ssdeep: 1536:njNRRUfwR/JvinctjMA+2cg1WoQ98k//qL+fV7UswHOv6fNtcrm2XDt/:nBJRvinBADAOk
File size : 163065 bytes
First seen: 2011-05-03 15:34:52
Last seen : 2011-05-03 15:34:52


May 5, 2011 F-Secure Analysis  Analysis of an Osama bin Laden RTF Exploit

Extracted binary (thanks to Kate Milton for the binary and the clean decoy file submission)

File name: exe_decoded.bin
Submission date: 2011-05-05 03:45:58 (UTC)
Result: 17/40 (42.5%)

AntiVir     2011.05.04     BDS/
BitDefender     7.2     2011.05.05     Trojan.Generic.KDV.211541
Commtouch     2011.05.05     W32/Virut.AI!Generic
DrWeb     2011.05.05     BackDoor.Diho.163
eTrust-Vet     36.1.8307     2011.05.04     -
F-Prot     2011.05.04     W32/Virut.AI!Generic
GData     22     2011.05.05     Trojan.Generic.KDV.211541
Ikarus     T3.     2011.05.05     Backdoor.Win32.Protux
Kaspersky     2011.05.05
McAfee     5.400.0.1158     2011.05.05     Artemis!30C8C4C99430
McAfee-GW-Edition     2010.1D     2011.05.05     Artemis!30C8C4C99430
NOD32     6095     2011.05.05     Win32/Protux.NAK
Panda     2011.05.04     Suspicious file
PCTools     2011.05.04     Trojan.Generic
SUPERAntiSpyware     2011.05.05     -
Symantec     20101.3.2.89     2011.05.05     Trojan Horse
TrendMicro     2011.05.04     PAK_Generic.001
TrendMicro-HouseCall     2011.05.05     BKDR_PROTUX.GE
VBA32     2011.05.04     Backdoor.Protux.ta
Additional information
Show all
MD5   : 30c8c4c9943044287cf06996863c2261
SHA1  : e7addde85f18c6ce22f7a1abc1ed78e662ce90f2

See the payload analysis here

Hermes Bojaxhi from CyberESI provided the following details about the payload

File Name:  dhcpsrv.dll
File Size:  44504 bytes
MD5:        06ddf39bc4b5c7a8950f1e8d11c44446
SHA1:       b8c11c68f3e92b60cc4b208bd5905c0365f28978
PE Time:    0x4D9C2616 [Wed Apr 06 08:36:38 2011 UTC]
Sections (4):
 Name      Entropy  MD5
 .text     6.14     5c8b018d10792fdb74b5f289f97c5d06
 .rdata    4.73     88003ece00266ee44c21ac6242a7eafd
 .data     4.99     1d745a13a1f55e75b2f68adee97c6f59
 .reloc    5.7      e437cc92e10504181d7b712478db6af3
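Per-section entropy figures like those in the table above are a quick packed-or-not signal, and the PE timestamp is the first thing to compare against the campaign date. The script below is added here as an example; it is not CyberESI's tooling or code from the original post. It walks a PE section table with the standard library alone, reports Shannon entropy per section, and renders the header TimeDateStamp as UTC the way the PE Time line above does. The stub PE it builds at the bottom is constructed purely to exercise the parser and is not dhcpsrv.dll; all function names are the example's own.

```python
"""
Per-section Shannon entropy and header timestamp for a PE file, using only
the standard library so it runs offline. The stub PE built at the bottom is
constructed to exercise the parser; it is not dhcpsrv.dll.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import List, Tuple

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
SECTION_HEADER_SIZE = 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    n = len(data)
    entropy = 0.0
    for count in Counter(data).values():
        p = count / n
        entropy -= p * math.log2(p)
    return entropy


def _nt_header_offset(pe: bytes) -> int:
    if pe[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    return e_lfanew


def pe_timestamp(pe: bytes) -> Tuple[int, str]:
    """TimeDateStamp from IMAGE_FILE_HEADER, raw and rendered as UTC."""
    coff = _nt_header_offset(pe) + 4
    ts = struct.unpack_from(COFF_HEADER_FMT, pe, coff)[2]
    rendered = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return ts, rendered


def section_entropies(pe: bytes) -> List[Tuple[str, float, int]]:
    """[(name, entropy rounded to 2 places, raw size)] for every section."""
    coff = _nt_header_offset(pe) + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, pe, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    out = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        # IMAGE_SECTION_HEADER starts: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        body = pe[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), round(shannon_entropy(body), 2), raw_size))
    return out


def build_stub_pe(sections: List[Tuple[bytes, bytes]], timestamp: int) -> bytes:
    """Constructed minimal PE: DOS header, COFF header with no optional header, then sections."""
    e_lfanew = 0x40
    table = e_lfanew + 4 + 20              # SizeOfOptionalHeader is 0 in the stub
    data_off = table + SECTION_HEADER_SIZE * len(sections)
    headers, bodies = b"", b""
    for name, body in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(body), 0x1000,
                               len(body), data_off + len(bodies), 0, 0, 0, 0, 0)
        bodies += body
    dos = IMAGE_DOS_SIGNATURE.ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), timestamp, 0, 0, 0, 0x2102)
    return dos + IMAGE_NT_SIGNATURE + coff + headers + bodies


# Constructed sample sections: one uniform (packed-looking), one constant, one two-symbol.
STUB_PE = build_stub_pe(
    [(b".text", bytes(range(256)) * 4), (b".data", b"\0" * 512), (b".rdata", b"ab" * 256)],
    timestamp=0x4D9C2616,   # the PE Time reported above for dhcpsrv.dll
)

if __name__ == "__main__":
    print("PE Time: 0x%08X [%s]" % pe_timestamp(STUB_PE))
    for name, ent, size in section_entropies(STUB_PE):
        print(f"{name:8} {ent:5.2f} {size:6d}")
```

Point `section_entropies` at a real DLL with `section_entropies(open(path, "rb").read())`; a .text near 8.0 suggests packing or an embedded encrypted blob, while the mid-6 value reported above for dhcpsrv.dll is ordinary compiled code.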

Beacons to these domains:
C2 domain info - Hostname: Digital United Inc. Taiwan - ChinaNet Shanghai Province Network China - Probe Networks Germany - Hostname: Digital United Inc. Taiwan

IP address hosting history

Event Date Action Pre-Action IP Post-Action IP
2010-08-10 New -none-
2010-08-13 Change
2010-08-23 Change
2010-09-03 Change
2010-09-24 Change
2010-10-25 Change
2010-11-28 Change
2010-12-09 Change
2010-12-31 Change
2011-02-24 Change
2011-04-10 New -none-  - is not a malicious domain

1 comment:

  1. Looks like that malware was also used about 2 years ago to target some foreign correspondents in China: