Common Vulnerabilities and Exposures (CVE)number
CVE-2010-3333 Stack-based buffer overflow in Microsoft Office XP SP3, Office 2003 SP3, Office 2007 SP2, Office 2010, Office 2004 and 2008 for Mac, Office for Mac 2011, and Open XML File Format Converter for Mac allows remote attackers to execute arbitrary code via crafted RTF data, aka "RTF Stack Buffer Overflow Vulnerability
General File Information
File President Obama's Speech.doc
File Size 73891 bytes
MD5 35C33BBD97D7F5629D64153A1B3E71F1
Distribution Email Attachment
The trojan within a word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.(I have other examples of phish mail sent via that server - pretty much everything is the same - note additional C2 ip in this post)
See others
File Size 73891 bytes
MD5 35C33BBD97D7F5629D64153A1B3E71F1
Distribution Email Attachment
The trojan within a word document was sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.(I have other examples of phish mail sent via that server - pretty much everything is the same - note additional C2 ip in this post)
See others
- Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor
- May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor
|
|
Download
Original Message
-----Original Message-----
From: Daily News [mailto:Everyday@mail.dailynews.com]
Sent: Tuesday, May 31, 2011 9:56 AM
To: XXXXXXXXXXX
Subject: President Obama's Speech
THE PRESIDENT: Thank you. Thank you. Thank you very much. Thank you.
Please, have a seat. Thank you very much. I want to begin by thanking Hillary Clinton, who has traveled so much these last six months that she is approaching a new landmark - one million frequent flyer miles. I count on Hillary every single day, and I believe that she will go down as one of the finest Secretaries of State in our nation's history.
The State Department is a fitting venue to mark a new chapter in American diplomacy. For six months, we have witnessed an extraordinary change taking place in the Middle East and North Africa. Square by square, town by town, country by country, the people have risen up to demand their basic human rights. Two leaders have stepped aside. More may follow. And though these countries may be a great distance from our shores, we know that our own future is bound to this region by the forces of economics and security, by history and by faith.
Today, I want to talk about this change - the forces that are driving it and how we can respond in a way that advances our values and strengthens our security.
etc... text of the speech follows..
Message Headers
Received: from mail.louisvilleheartsurgery.com (HELO ucsamd.com) (66.147.51.202)by xxxxxxxxxxxxxx
Received: from UCSADC1 ([192.168.20.2]) by ucsamd.com with Microsoft SMTPSVC(6.0.3790.4675);
Tue, 31 May 2011 09:56:41 -0400
Subject: Fw:President Obama's Speech
Date: Tue, 31 May 2011 09:56:41 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000C_01CC1F78.350AAB50"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
From: "Daily News"
xxxxxxxxxxx
X-Mailer: Microsoft Outlook, Build 10.0.2627
Return-Path: Everyday@mail.dailynews.com
Sender
66.147.51.202
The sender email address was used cbricks@gmail.com , which is a spoof of gmail
Automated Scans
File name: President Obama's Speech.docSubmission date: 2011-06-14 01:29:39 (UTC)
Result: 18/ 42 (42.9%)
http://www.virustotal.com/file-scan/report.html?id=7e9be305cdf932eadf9a7fa53c9f50ae951a27ee1c0b0c583c93c814bea4be8c-1308014979
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.06.14.00 2011.06.13 Dropper/Cve-2010-3333
AntiVir 7.11.9.168 2011.06.14 EXP/CVE-2010-3333
Antiy-AVL 2.0.3.7 2011.06.13 Exploit/MSWord.CVE-2010-3333
BitDefender 7.2 2011.06.14 Exploit.RTF.Gen
ClamAV 0.97.0.0 2011.06.14 PUA.RFT.EmbeddedOLE
Commtouch 5.3.2.6 2011.06.14 CVE-2010-3333!Camelot
DrWeb 5.0.2.03300 2011.06.14 Exploit.Rtf.based
F-Secure 9.0.16440.0 2011.06.14 Exploit.RTF.Gen
Fortinet 4.2.257.0 2011.06.13 Data/CVE20103333.A!exploit
GData 22 2011.06.14 Exploit.RTF.Gen
Ikarus T3.1.1.104.0 2011.06.14 Exploit.Win32.CVE-2010
Kaspersky 9.0.0.837 2011.06.13 Exploit.MSWord.CVE-2010-3333.p
Microsoft 1.6903 2011.06.13 Exploit:Win32/CVE-2010-3333
PCTools 7.0.3.5 2011.06.10 HeurEngine.MaliciousExploit
Symantec 20111.1.0.186 2011.06.14 Bloodhound.Exploit.366
TrendMicro 9.200.0.1012 2011.06.13 Possible_ARTIEF
TrendMicro-HouseCall 9.200.0.1012 2011.06.14 Possible_ARTIEF
VIPRE 9576 2011.06.14 Exploit.MSWord.CVE-2010-3333.c (v)
MD5 : 35c33bbd97d7f5629d64153a1b3e71f1
Created files
This trojan is characterized by the traffic it generates -http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy - 12 char more or less constant string
Local Settings\Temp\2.doc
Local Settings\UPS.exe 5EA58C5F12405A4E959234134123380D
(same file as %Temp%\~Svchost.exe 5EA58C5F12405A4E959234134123380D from May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor )
created and deleted
Local Settings\Temp\\~dfds3.reg
Text of the document is the Obama's speech in Chinese.
The document properties
FCAA-VA Meeting
Cstro3
Lura Harrison FCAA-VA Meeting, indicating that it was created by Fairfax County Government, however, the custom tab shows KSOProductBuildVer, which means it was created using Kingsoft Office
contents of the file:
created and deleted
Local Settings\Temp\\~dfds3.reg
2.doc - decoy clean file
Text of the document is the Obama's speech in Chinese.
The document properties
FCAA-VA Meeting
Cstro3
Lura Harrison FCAA-VA Meeting, indicating that it was created by Fairfax County Government, however, the custom tab shows KSOProductBuildVer, which means it was created using Kingsoft Office
Kingsoft Office, commonly known simply as KSO, developed by Zhuhai based Chinese software developer Kingsoft, is an alternative to Microsoft Office. The product has had a long history of development in China, where it is still sold as WPS Office. "Kingsoft Office" is the company's attempt to crack, primarily, the Western and Japanese markets. Since Kingsoft Office 2005, the user interface bears resemblance to the Microsoft Office products, and the suite reads and writes the files generated by Office in addition to its native documents. The personal edition is free for download.
~dfds3.reg
this is to achieve persistence in the system upon rebootcontents of the file:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UPS"="C:\\Documents and Settings\\mila\\Local Settings\\UPS.exe"
UPS.exe 5EA58C5F12405A4E959234134123380D
UPS.exe Submission date: 2011-06-13 21:48:47 (UTC)
Result: 22/ 42 (52.4%)
http://www.virustotal.com/file-scan/report.html?id=bb40b1e17e37e0fba0f40d42d2064e97d32cb20f1fc3ea49f33781c570182196-1308001727
AhnLab-V3 2011.06.14.00 2011.06.13 Win-Trojan/Injector.17925.E
AntiVir 7.11.9.167 2011.06.13 TR/Crypt.ZPACK.Gen
Avast 4.8.1351.0 2011.06.13 Win32:Malware-gen
Avast5 5.0.677.0 2011.06.13 Win32:Malware-gen
AVG 10.0.0.1190 2011.06.13 Generic22.BYWE
BitDefender 7.2 2011.06.13 Trojan.CryptRedol.Gen.3
DrWeb 5.0.2.03300 2011.06.13 Trojan.Taidoor
F-Secure 9.0.16440.0 2011.06.13 Trojan.CryptRedol.Gen.3
Fortinet 4.2.257.0 2011.06.13 W32/Sasfis.BKXQ!tr
GData 22 2011.06.13 Trojan.CryptRedol.Gen.3
Ikarus T3.1.1.104.0 2011.06.13 Trojan.SuspectCRC
Kaspersky 9.0.0.837 2011.06.13 Trojan.Win32.Sasfis.bkxq
Microsoft 1.6903 2011.06.13 VirTool:Win32/Injector.gen!BJ
NOD32 6204 2011.06.13 Win32/TrojanDownloader.Agent.PTT
Norman 6.07.10 2011.06.13 W32/Malware.TJAQ
nProtect 2011-06-13.02 2011.06.13 Trojan.CryptRedol.Gen.3
Panda 10.0.3.5 2011.06.13 Trj/CI.A
PCTools 7.0.3.5 2011.06.10 Trojan.Gen
Rising 23.62.00.03 2011.06.13 Suspicious
Sophos 4.66.0 2011.06.13 Troj/Mdrop-DMI
Symantec 20111.1.0.186 2011.06.13 Suspicious.Cloud.5
VBA32 3.12.16.1 2011.06.13 TrojanDownloader.Rubinurd.f
MD5 : 5ea58c5f12405a4e959234134123380d
Strings excerpt
Language code of the file is displayed as English - United States en-us 1033 but the language ID is actually Chinese Simplified (The language ID is a word integer value made up of a primary language and its sublanguage which is defined by Windows. If the resource item is “language neutral” then this value is zero.)
V/_z
>d/R(
ntdll.dll
NtUnmapViewOfSection
%s "%s"
exe.secivres
abcde
Unicode Strings:
---------------------------------------------------------------------------
VS_VERSION_INFO
StringFileInfo
040904b0
CompanyName
Adobe Systems, Inc.
FileDescription
Adobe? Flash? Player Installer/Uninstaller 10.1 r53
FileVersion
10,1,53,64
InternalName
Adobe? Flash? Player Installer/Uninstaller 10.1
LegalCopyright
Copyright ? 1996-2010 Adobe, Inc.
LegalTrademarks
Adobe? Flash? Player
OriginalFilename
FlashUtil.exe
ProductName
Flash? Player Installer/Uninstaller
ProductVersion
10,1,53,64
VarFileInfo
Traffic
CnC server - same as in- Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor
- May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor
SSL to / from 99.1.23.71:443 and 65.87.199.102:443
examples
GET /fvlbk.php?id=012943191138FEBC54 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache
From threatexpert
http://99.1.23.71:443/epzkq.php?id=018399121212121212
http://99.1.23.71:443/vkreb.php?id=017322121212121212
http://65.87.199.102:443/vkreb.php?id=020437121212121212
Other examples from the previous post are
GET /wmssk.php?id=016180191138FEBC54 HTTP/1.1
GET /fvlbk.php?id=012943191138FEBC54 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache
From threatexpert
http://99.1.23.71:443/epzkq.php?id=018399121212121212
http://99.1.23.71:443/vkreb.php?id=017322121212121212
http://65.87.199.102:443/vkreb.php?id=020437121212121212
Other examples from the previous post are
GET /wmssk.php?id=016180191138FEBC54 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache
GET /ldtxh.php?id=011340111D30541B71 HTTP/1.1
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache
GET /ldtxh.php?id=011340111D30541B71 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Host: 99.1.23.71
Connection: Keep-Alive
99.1.23.71 appears to be a compromised IIS server used as CnC , which belongs to Sun Country Medical Equipment
99.1.23.64 - 99.1.23.71
SUN COUNTRY MEDICAL EQUIPMENT-080827115120
Private Address
Plano, TX 75075 United States
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com
SBC-99-1-23-64-29-0808275145
Created: 2008-08-27
Updated: 2011-03-19
Source: whois.arin.net
65.87.199.102 - appears to be a compromised server used as CnC - hosting webserver from Gatortech.com, hosting and small business outsource company
vortex.gatortech.com
ISP: Synergy Networks
Organization: Synergy Networks
Proxy: None detected
Type: Corporate
Assignment: Static IP
Blacklist:
Geolocation Information
Country: United States us flag
State/Region: Florida
City: Naples
ISP: Synergy Networks
Organization: Synergy Networks
Proxy: None detected
Type: Corporate
Assignment: Static IP
Blacklist:
Geolocation Information
Country: United States us flag
State/Region: Florida
City: Naples
http://www.robtex.com/ip/65.87.199.102.html
65.87.199.102 Dudleycarson.com, sarasota-gulfcoast.com, yourhometownsweethearts.com, allstarrealtytony.com, rightwaysales.com and at least 63 other hosts point to 65.87.199.102.
From Threat expert report http://www.threatexpert.com/report.aspx?md5=5ea58c5f12405a4e959234134123380d
File System Modifications
The following file was created in the system:
File System Modifications
The following file was created in the system:
# | Filename(s) | File Size | File Hash |
1 | [file and pathname of the sample #1] | 17,925 bytes | MD5: 0x5EA58C5F12405A4E959234134123380D SHA-1: 0xB5C466CB36FEA327DA8B3DAF13E3CAE5EBB05DF6 |
China | |
- The data identified by the following URLs was then requested from the remote web server:
- http://99.1.23.71:443/iiohf.php?id=029590121212121212
- http://65.87.199.102:443/iiohf.php?id=024326121212121212
- http://99.1.23.71:443/figuq.php?id=025431121212121212
- http://65.87.199.102:443/figuq.php?id=017975121212121212
- http://99.1.23.71:443/heisp.php?id=014218121212121212
- http://65.87.199.102:443/heisp.php?id=013836121212121212
- http://99.1.23.71:443/qtcbv.php?id=022665121212121212
- http://65.87.199.102:443/qtcbv.php?id=003529121212121212
- http://99.1.23.71:443/hlobe.php?id=004518121212121212
- http://65.87.199.102:443/hlobe.php?id=009835121212121212
- http://99.1.23.71:443/epzkq.php?id=018399121212121212
- http://65.87.199.102:443/epzkq.php?id=012316121212121212
- http://99.1.23.71:443/tlhdt.php?id=015598121212121212
- http://65.87.199.102:443/tlhdt.php?id=026804121212121212
- http://99.1.23.71:443/vyqld.php?id=024007121212121212
- http://65.87.199.102:443/vyqld.php?id=008414121212121212
- http://99.1.23.71:443/ttlvm.php?id=013126121212121212
- http://65.87.199.102:443/ttlvm.php?id=022955121212121212
- http://99.1.23.71:443/vocpb.php?id=011307121212121212
- http://65.87.199.102:443/vocpb.php?id=006291121212121212
- http://99.1.23.71:443/ixoga.php?id=008375121212121212
- http://65.87.199.102:443/ixoga.php?id=019758121212121212
- http://99.1.23.71:443/mrhfu.php?id=029330121212121212
- http://65.87.199.102:443/mrhfu.php?id=010690121212121212
- http://99.1.23.71:443/uklxd.php?id=002815121212121212
- http://65.87.199.102:443/uklxd.php?id=008982121212121212
- http://99.1.23.71:443/mwmco.php?id=031260121212121212
- http://65.87.199.102:443/mwmco.php?id=028267121212121212
- http://99.1.23.71:443/mnopi.php?id=028612121212121212
- http://65.87.199.102:443/mnopi.php?id=023566121212121212
- http://99.1.23.71:443/janim.php?id=006088121212121212
- http://65.87.199.102:443/janim.php?id=030408121212121212
- http://99.1.23.71:443/vkreb.php?id=017322121212121212
- http://65.87.199.102:443/vkreb.php?id=020437121212121212
- http://99.1.23.71:443/ashlg.php?id=002182121212121212
- http://65.87.199.102:443/ashlg.php?id=016018121212121212
- http://99.1.23.71:443/ygzad.php?id=011976121212121212
- http://65.87.199.102:443/ygzad.php?id=020329121212121212
- http://99.1.23.71:443/bpomm.php?id=020982121212121212
- http://65.87.199.102:443/bpomm.php?id=002109121212121212
- http://99.1.23.71:443/rjjoe.php?id=008994121212121212
- http://65.87.199.102:443/rjjoe.php?id=015622121212121212
- http://99.1.23.71:443/cslvv.php?id=028657121212121212
- http://65.87.199.102:443/cslvv.php?id=009700121212121212
- http://99.1.23.71:443/vghtg.php?id=002106121212121212
- http://65.87.199.102:443/vghtg.php?id=018698121212121212
- http://99.1.23.71:443/kbyny.php?id=010796121212121212
- http://65.87.199.102:443/kbyny.php?id=032222121212121212
- http://99.1.23.71:443/ypanf.php?id=017108121212121212
- http://65.87.199.102:443/ypanf.php?id=024083121212121212
- http://99.1.23.71:443/gmvrl.php?id=018065121212121212
- http://65.87.199.102:443/gmvrl.php?id=003381121212121212
- http://99.1.23.71:443/xtjan.php?id=027263121212121212
- http://65.87.199.102:443/xtjan.php?id=010227121212121212
- http://99.1.23.71:443/ofypv.php?id=015393121212121212
- http://65.87.199.102:443/ofypv.php?id=023673121212121212
- http://99.1.23.71:443/luiae.php?id=005768121212121212
- http://65.87.199.102:443/luiae.php?id=022611121212121212
- http://99.1.23.71:443/ksycs.php?id=024451121212121212
- http://65.87.199.102:443/ksycs.php?id=023453121212121212
- http://99.1.23.71:443/ydtff.php?id=025174121212121212
- http://65.87.199.102:443/ydtff.php?id=010519121212121212
- http://99.1.23.71:443/vskti.php?id=003464121212121212
- http://65.87.199.102:443/vskti.php?id=030690121212121212
- http://99.1.23.71:443/tzdhx.php?id=011630121212121212
- http://65.87.199.102:443/tzdhx.php?id=028644121212121212
- http://99.1.23.71:443/qgzrs.php?id=026953121212121212
- http://65.87.199.102:443/qgzrs.php?id=002819121212121212
- http://99.1.23.71:443/gjyxf.php?id=015749121212121212
- http://65.87.199.102:443/gjyxf.php?id=012118121212121212
- http://99.1.23.71:443/nhfwt.php?id=010929121212121212
- http://65.87.199.102:443/nhfwt.php?id=003353121212121212
- http://99.1.23.71:443/uokpr.php?id=022892121212121212
- http://65.87.199.102:443/uokpr.php?id=016839121212121212
- http://99.1.23.71:443/tfbop.php?id=001928121212121212
- http://65.87.199.102:443/tfbop.php?id=019181121212121212
- http://99.1.23.71:443/mctvb.php?id=016834121212121212
- http://65.87.199.102:443/mctvb.php?id=020153121212121212
- http://99.1.23.71:443/qkyqc.php?id=017507121212121212
- http://65.87.199.102:443/qkyqc.php?id=022713121212121212
- http://99.1.23.71:443/balzi.php?id=010407121212121212
- http://65.87.199.102:443/balzi.php?id=001853121212121212
- http://99.1.23.71:443/nacey.php?id=017409121212121212
- http://65.87.199.102:443/nacey.php?id=007558121212121212
- http://99.1.23.71:443/udgnd.php?id=000997121212121212
- http://65.87.199.102:443/udgnd.php?id=030448121212121212
- http://99.1.23.71:443/lwcnf.php?id=019193121212121212
- http://65.87.199.102:443/lwcnf.php?id=013732121212121212
- http://99.1.23.71:443/zlkqq.php?id=023888121212121212
- http://65.87.199.102:443/zlkqq.php?id=024162121212121212
- http://99.1.23.71:443/goydj.php?id=029390121212121212
- http://65.87.199.102:443/goydj.php?id=006897121212121212
- http://99.1.23.71:443/adljt.php?id=011083121212121212
- http://65.87.199.102:443/adljt.php?id=022793121212121212
- http://99.1.23.71:443/bzymc.php?id=017084121212121212
- http://65.87.199.102:443/bzymc.php?id=004077121212121212
- http://99.1.23.71:443/otcvx.php?id=020400121212121212
- http://65.87.199.102:443/otcvx.php?id=021512121212121212
- http://99.1.23.71:443/yjzbo.php?id=026078121212121212
- http://65.87.199.102:443/yjzbo.php?id=018125121212121212
No comments:
Post a Comment