Common Vulnerabilities and Exposures (CVE)number
CVE-2010-3333
Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability
General File Information
File Laden's Death.doc
MD5 dad4f2a0f79db83f8976809a88d260c5
SHA1 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
File size : 163065 bytes
Type: DOC
Distribution: Email attachment
Post Updates
May 6 Updated analysis by Hermes Bojaxhi from CyberESI
May 5, 2011 F-Secure Analysis Analysis of an Osama bin Laden RTF Exploit
May 4, 2011 Kate Milton sent the extracted binary (decoded and not) and the decoy clean file. Many thanks.
It was sent to many targets in the US Government today.
Also see the same payload in the following messages
http://contagiodump.blogspot.http://contagiodump.blogspot.
Download
Download -- as a password protected archive (contact me if you need the password)Download binary and the decoy file here
Message
Tue, 03 May 2011 11:34:06 -0400 (EDT)
Source-IP: 220.228.120.62
Message-ID: <000c01cc0998$15c8ec70$0201a8c0@protech.com.tw>
From: XXXXXXXXXXXXXXXXXXX
To: XXXXXXXXXXXXXXXXXXX
Subject: FW: Courier who led U.S. to Osama bin Laden's hideout identified
Date: Tue, 3 May 2011 21:43:28 +0800
X-ASG-Orig-Subj: FW: Courier who led U.S. to Osama bin Laden's hideout identified
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0009_01CC09DB.23A97E20"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.2929
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168
This is a multi-part message in MIME format.
------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: text/plain;
format=flowed;
charset="big5";
reply-type=original
Content-Transfer-Encoding: 7bit
To whom it may concern.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXX Signature spoofed XXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
------=_NextPart_000_0009_01CC09DB.23A97E20
Content-Type: application/octet-stream;
name="Laden's Death.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Laden's Death.doc"
Sender
220.228.120.62 (there are other IPs from that company used as well)Lotus Notes mail server, apparently compromised
ISP: New Centry InfoComm Tech. Co., Ltd.
Organization: PROTECHSYSTEMSCO.,LTD.
Assignment: Static IP
Country: Taiwan
Automated Scans
File name: Laden's Death.docSubmission date:2011-05-03 15:34:52 (UTC)
http://www.virustotal.com/file-scan/report.html?id=4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342-1304436892#
1/ 41 (2.4%)
Commtouch 5.3.2.6 2011.05.03 CVE-2010-3333!Camelot
Show all
MD5 : dad4f2a0f79db83f8976809a88d260c5
SHA1 : d563029a2dfe3cfcddc7326b1b486213095e58e5
SHA256: 4cec9ef7f39d43c7a137d0422c8e6568a2d9e18320d1b376086bcc7327ea1342
ssdeep: 1536:njNRRUfwR/JvinctjMA+2cg1WoQ98k//qL+fV7UswHOv6fNtcrm2XDt/:nBJRvinBADAOk
661UswH/fNGy2XB
File size : 163065 bytes
First seen: 2011-05-03 15:34:52
Last seen : 2011-05-03 15:34:52
Analysis
May 5, 2011 F-Secure Analysis Analysis of an Osama bin Laden RTF Exploit
Clean file (thanks to Kate Milton for the binary and the clean decoy file submission)
The binary - Trojan Protux (read more about it here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/Protux.A!dll#techdetails_link)
File name:exe_decoded.bin
http://www.virustotal.com/file-scan/report.html?id=a40b5cf0689aebaaf2352b61e8a9f4544ec69ef8ea3dc558f53646964a85755b-1304567158
Submission date:2011-05-05 03:45:58 (UTC)
Result:17 /40 (42.5%)
AntiVir 7.11.7.150 2011.05.04 BDS/Protux.tg
BitDefender 7.2 2011.05.05 Trojan.Generic.KDV.211541
Commtouch 5.3.2.6 2011.05.05 W32/Virut.AI!Generic
rWeb 5.0.2.03300 2011.05.05 BackDoor.Diho.163
eTrust-Vet 36.1.8307 2011.05.04 -
F-Prot 4.6.2.117 2011.05.04 W32/Virut.AI!Generic
GData 22 2011.05.05 Trojan.Generic.KDV.211541
Ikarus T3.1.1.103.0 2011.05.05 Backdoor.Win32.Protux
Kaspersky 9.0.0.837 2011.05.05 Backdoor.Win32.Protux.tg
McAfee 5.400.0.1158 2011.05.05 Artemis!30C8C4C99430
McAfee-GW-Edition 2010.1D 2011.05.05 Artemis!30C8C4C99430
NOD32 6095 2011.05.05 Win32/Protux.NAK
Panda 10.0.3.5 2011.05.04 Suspicious file
PCTools 7.0.3.5 2011.05.04 Trojan.Generic
SUPERAntiSpyware 4.40.0.1006 2011.05.05 -
Symantec 20101.3.2.89 2011.05.05 Trojan Horse
TrendMicro 9.200.0.1012 2011.05.04 PAK_Generic.001
TrendMicro-HouseCall 9.200.0.1012 2011.05.05 BKDR_PROTUX.GE
VBA32 3.12.16.0 2011.05.04 Backdoor.Protux.ta
Additional information
Show all
MD5 : 30c8c4c9943044287cf06996863c2261
SHA1 : e7addde85f18c6ce22f7a1abc1ed78e662ce90f2
Submission date:2011-05-05 03:45:58 (UTC)
Result:17 /40 (42.5%)
AntiVir 7.11.7.150 2011.05.04 BDS/Protux.tg
BitDefender 7.2 2011.05.05 Trojan.Generic.KDV.211541
Commtouch 5.3.2.6 2011.05.05 W32/Virut.AI!Generic
rWeb 5.0.2.03300 2011.05.05 BackDoor.Diho.163
eTrust-Vet 36.1.8307 2011.05.04 -
F-Prot 4.6.2.117 2011.05.04 W32/Virut.AI!Generic
GData 22 2011.05.05 Trojan.Generic.KDV.211541
Ikarus T3.1.1.103.0 2011.05.05 Backdoor.Win32.Protux
Kaspersky 9.0.0.837 2011.05.05 Backdoor.Win32.Protux.tg
McAfee 5.400.0.1158 2011.05.05 Artemis!30C8C4C99430
McAfee-GW-Edition 2010.1D 2011.05.05 Artemis!30C8C4C99430
NOD32 6095 2011.05.05 Win32/Protux.NAK
Panda 10.0.3.5 2011.05.04 Suspicious file
PCTools 7.0.3.5 2011.05.04 Trojan.Generic
SUPERAntiSpyware 4.40.0.1006 2011.05.05 -
Symantec 20101.3.2.89 2011.05.05 Trojan Horse
TrendMicro 9.200.0.1012 2011.05.04 PAK_Generic.001
TrendMicro-HouseCall 9.200.0.1012 2011.05.05 BKDR_PROTUX.GE
VBA32 3.12.16.0 2011.05.04 Backdoor.Protux.ta
Additional information
Show all
MD5 : 30c8c4c9943044287cf06996863c2261
SHA1 : e7addde85f18c6ce22f7a1abc1ed78e662ce90f2
----------------------------------------------------------------------------------------------------------
See the payload analysis here http://www.cyberesi.com/2011/05/03/ladens-death-doc-cve-2010-3333/
Hermes Bojaxhi from CyberESI http://www.cyberesi.com provided the following details about the payload
File Name: dhcpsrv.dll==============
File Size: 44504 bytes
MD5: 06ddf39bc4b5c7a8950f1e8d11c44446
SHA1: b8c11c68f3e92b60cc4b208bd5905c0365f28978
PE Time: 0x4D9C2616 [Wed Apr 06 08:36:38 2011 UTC]
Sections (4):
Name Entropy MD5
.text 6.14 5c8b018d10792fdb74b5f289f97c5d06
.rdata 4.73 88003ece00266ee44c21ac6242a7eafd
.data 4.99 1d745a13a1f55e75b2f68adee97c6f59
.reloc 5.7 e437cc92e10504181d7b712478db6af3
beacons to these domains:
checkerror.ucparlnet.com
ssi.ucparlnet.com
www.dnswatch.info
picture.ucparlnet.com
C2 domain info
checkerror.ucparlnet.com - 203.67.127.165 Hostname: protech.com.tw Digital United Inc. Taiwan
ssi.ucparlnet.com - 58.34.152.233 ChinaNet Shanghai Province Network China
www.dnswatch.info - 82.96.118.210 Probe Networks Planet-Hosting.cz Germany
picture.ucparlnet.com - 203.67.127.165 Hostname: protech.com.tw Digital United Inc. Taiwan
ucparlnet.com IP Address hosting history
| Event Date | Action | Pre-Action IP | Post-Action IP | ||
| 2010-08-10 | New | -none- | 58.34.152.162 | ||
| 2010-08-13 | Change | 58.34.152.162 | 58.37.54.66 | ||
| 2010-08-23 | Change | 58.37.54.66 | 58.34.148.241 | ||
| 2010-09-03 | Change | 58.34.148.241 | 220.246.76.125 | ||
| 2010-09-24 | Change | 220.246.76.125 | 127.0.0.1 | ||
| 2010-10-25 | Change | 127.0.0.1 | 58.37.182.29 | ||
| 2010-11-28 | Change | 58.37.182.29 | 58.34.149.104 | ||
| 2010-12-09 | Change | 58.34.149.104 | 58.34.152.202 | ||
| 2010-12-31 | Change | 58.34.152.202 | 127.0.0.1 | ||
| 2011-02-24 | Change | 127.0.0.1 | 125.141.233.16 | ||
| 2011-04-10 | New | -none- | 125.141.233.16 |
dnswatch.info - is not a malicious domain
Looks like that malware was also used about 2 years ago to target some foreign correspondants in China: http://www.infowar-monitor.net/2009/09/targeted-malware-attack-on-foreign-correspondents-based-in-china/
ReplyDelete