Tuesday, June 14, 2011

Jun 13 CVE-2009-4324 PDF navy procurement.pdf from compromised w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE) number

CVE-2009-4324 Use-after-free vulnerability in the method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

  General File Information

File  navy procurement.pdf
File Size  222903
MD5  DF0DE9AD9E5BF00A60F8DE3D37683C5B
Distribution  Email attachment


The trojaned documents were sent via (, which appears to be a legitimate mail server of the University of Louisville surgery program, outsourced to/hosted at Nuvox / Windstream email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.


Original Message

------Original Message-----
From: Jessica Morrell []
Sent: Monday, June 13, 2011 11:58 AM
To: xxxxxx
Subject: House panel recommends Navy procurement cuts

House panel recommends Navy procurement cuts

House appropriators have recommended lopping $1.7 billion off the Navy's
2012 procurement request of $45 billion, according to budget documents obtained by Navy Times.

The mark-up, prepared by the House Appropriations Committee Subcommittee on Defense, would fund the Navy with $43.5 billion for procurement in fiscal 2012, a 3.7 percent drop from the Navy Department's request. These figures include the Marine Corps. The panel's proposed cuts to the Navy request were larger than those for the Army and Air Force combined.

While cuts were proposed across the board, the appropriator's red pen fell heavily on buying new airplanes, missiles and drones, and frequently cited growth in costs as the rationale for the cuts. The proposal will head to the full committee for a vote, one of a number of steps before passage.

The deepest cuts proposed were for naval aviation procurement. The panel recommended aviation procurement fall by $782 million, for a total of $17.8 billion. The Navy had requested $191 million for the Fire Scout drone program. That figure was more than halved by the subcommittee, who noted in the mark-up that the Navy's inventory of these unmanned helicopters was already "excess to requirement." The Navy had planned to procure 12 Fire Scouts in 2012. The committee recommended only $76 million for the program in 2012.

The carrier-based joint strike fighter saw a proposed drop of $55 million due to an engineering change carryover and growth in logistics support and ground support equipment.

The rest of the text is from (thanks to Lotta for the find)

Message Headers

Received: (qmail 23006 invoked from network); 13 Jun 2011 15:57:32 -0000
Received: from (HELO (
  byxxxxxxxxxxxxxx; 13 Jun 2011 15:57:32 -0000
Received: from UCSADC1 ([]) by with Microsoft SMTPSVC(6.0.3790.4675);
     Mon, 13 Jun 2011 11:57:31 -0400
Subject: House panel recommends Navy procurement cuts
Date: Mon, 13 Jun 2011 11:57:31 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
From: "Jessica Morrell"
To: xxxxxxxxxxxxxxxxxxxxxxxxxx
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-OriginalArrivalTime: 13 Jun 2011 15:57:31.0280 (UTC) FILETIME=[9A2BA100:01CC29E2]


IP numbers of host (1)
PTRs of IP numbers (1)
Host names sharing IP with A records (1)
A of PTR of A (1)


Automated Scans

File name: navy procurement.pdf
Submission date: 2011-06-14 03:49:42 (UTC)
Result: 6/42 (14.3%)
AVG 2011.06.13 JS/Obfuscated
ClamAV 2011.06.14 PUA.Script.PDF.EmbeddedJS-1
Commtouch 2011.06.14 PDF/Obfusc.J!Camelot
eTrust-Vet 36.1.8384 2011.06.13 PDF/Pidief!generic
Ikarus T3. 2011.06.14 Virus.JS.Obfuscated
Kaspersky 2011.06.14 Exploit.JS.Pdfka.dgd
MD5   : df0de9ad9e5bf00a60f8de3d37683c5b

Created files

This trojan is characterized by the traffic it generates:
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy is a 12 char, more or less constant string
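The URL shape above (5-letter script name, 6-char changing prefix, 12-char near-constant suffix) is regular enough to hunt for in proxy or IDS logs. The Python below is an added example written for this post, not a tool from the original analysis: it matches HTTP request lines against that shape, splits the id parameter into its changing and constant parts, and clusters hits by the constant 12-char suffix so that repeated beacons from one infected host group together. The sample request lines are the five quoted in this post plus two constructed benign requests; the regex and the assumption that the suffix identifies the victim follow from the description given here.

```python
import re
from collections import defaultdict

# Beacon shape described in the post: /bbbbb.php?id=xxxxxxyyyyyyyyyyyy
#   bbbbb        -> 5 lowercase letters (script name)
#   xxxxxx       -> 6 alphanumerics that change per request
#   yyyyyyyyyyyy -> 12 alphanumerics that stay (more or less) constant
TAIDOOR_URI = re.compile(
    r"^GET /(?P<script>[a-z]{5})\.php\?id="
    r"(?P<prefix>[0-9A-Za-z]{6})(?P<suffix>[0-9A-Za-z]{12}) HTTP/1\.[01]$"
)

# Sample request lines: the first five are the request lines quoted in the
# post; the last two are constructed benign requests added for contrast.
SAMPLE_REQUESTS = [
    "GET /rttlm.php?id=0125031911380616G0 HTTP/1.1",
    "GET /rttlm.php?id=0110531911380616G0 HTTP/1.1",
    "GET /fvlbk.php?id=012943191138FEBC54 HTTP/1.1",
    "GET /wmssk.php?id=016180191138FEBC54 HTTP/1.1",
    "GET /ldtxh.php?id=011340111D30541B71 HTTP/1.1",
    "GET /index.php?id=42 HTTP/1.1",                              # constructed, benign
    "GET /login.php?user=alice&id=0125031911380616G0 HTTP/1.1",   # constructed, wrong shape
]


def match_taidoor(request_line):
    """Return (script, prefix, suffix) if the line fits the beacon shape, else None."""
    m = TAIDOOR_URI.match(request_line.strip())
    if not m:
        return None
    return m.group("script"), m.group("prefix"), m.group("suffix")


def group_by_victim_id(request_lines):
    """Cluster matching requests by the 12-char constant suffix (assumed per-victim id)."""
    groups = defaultdict(list)
    for line in request_lines:
        hit = match_taidoor(line)
        if hit:
            script, prefix, suffix = hit
            groups[suffix].append((script, prefix))
    return dict(groups)


def hunting_summary(request_lines):
    """One human-readable line per suspected victim id, sorted for stable output."""
    summary = []
    for suffix, hits in sorted(group_by_victim_id(request_lines).items()):
        scripts = sorted({script for script, _ in hits})
        summary.append(f"victim id {suffix}: {len(hits)} beacon(s) via {', '.join(scripts)}")
    return summary


if __name__ == "__main__":
    for line in hunting_summary(SAMPLE_REQUESTS):
        print(line)
```

Feed it the request line column of a web proxy export and the clusters show which suffixes recur; a suffix seen across several script names (as with fvlbk and wmssk above) is the strongest signal, since legitimate sites rarely pass the same 18-character id to rotating 5-letter PHP scripts. Pair this with the fixed User-Agent string quoted further down the post for a second, independent filter.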

Local Settings\Netlogon.exe
File: Netlogon.exe
Size: 91136
MD5:  FD184057AB056595B3857CB5BF193094

The name of the dropped file can be different, for example
Local Settings\cisvc.exe
Size: 91136
MD5:  FD184057AB056595B3857CB5BF193094
Local Settings\Temp\8630950  - network recon file (created and deleted) - random digit name. If it was deleted, it probably means it was deleted after transferring the data to the attackers.
Local Settings\Temp\~dfds3.reg  - registry file to add to Run to ensure persistence in the system
Local Settings\Temp\ navy procurement.pdf  - clean decoy file
File: navy procurement.pdf
Size: 127126
MD5:  D376B24C74EEB19FCB18B5E5627DE7E0

navy procurement.pdf  - decoy clean file

~dfds3.reg is used to achieve persistence in the system upon reboot.
Contents of the file:
Windows Registry Editor Version 5.00

"Netlogon"="C:\\Documents and Settings\\mila\\Local Settings\\Netlogon.exe"
File: 8630950
Size: 1232
MD5:  E974CD8F1200D8C0A7ECECDD8D94A3D0
network recon
Netlogon.exe fd184057ab056595b3857cb5bf193094 
Submission date: 2011-06-14 05:56:20 (UTC)
Result: 12/42 (28.6%)
AntiVir 2011.06.14 TR/Hijacker.Gen
AVG 2011.06.13 Generic22.BYNK
BitDefender 7.2 2011.06.14 Gen:Trojan.Heur.TP.fq3@bW8edmab
Emsisoft 2011.06.14 Trojan.SuspectCRC!IK
GData 22 2011.06.14 Gen:Trojan.Heur.TP.fq3@bW8edmab
Ikarus T3. 2011.06.14 Trojan.SuspectCRC
Kaspersky 2011.06.14 Trojan.Win32.Inject.bdfx
Microsoft 1.6903 2011.06.13 VirTool:Win32/Injector.gen!BJ
NOD32 6205 2011.06.14 a variant of Win32/Injector.GUH
Norman 6.07.10 2011.06.13 W32/Obfuscated.JA
Panda 2011.06.13 Suspicious file
VBA32 2011.06.13 TrojanDownloader.Rubinurd.f
MD5   : fd184057ab056595b3857cb5bf193094

Strings excerpt

host.exe "
vices.exe "

Unicode Strings:
The language code of the file is displayed as English - United States (en-us, 1033), but the language ID is actually Chinese Simplified. (The language ID is a word integer value made up of a primary language and its sublanguage, as defined by Windows. If the resource item is "language neutral" then this value is zero.)


CnC server - same as in
SSL to / from  and
GET /rttlm.php?id=0125031911380616G0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cache-Control: no-cache

GET /rttlm.php?id=0110531911380616G0 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cache-Control: no-cache

Other examples from other posts

From threatexpert

Other examples from the previous post are

GET /fvlbk.php?id=012943191138FEBC54 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cache-Control: no-cache

GET /wmssk.php?id=016180191138FEBC54 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
Cache-Control: no-cache 

GET /ldtxh.php?id=011340111D30541B71 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive

 appears to be a compromised IIS server used as CnC, which belongs to Sun Country Medical Equipment -
Private Address
Plano, TX 75075 United States 
IPAdmin ATT Internet Services
IPAdmin ATT Internet Services

Created: 2008-08-27
Updated: 2011-03-19
Source:  - appears to be a compromised server used as CnC - web server hosted by , a hosting and small business outsourcing company
ISP:    Synergy Networks
Organization:    Synergy Networks
Proxy:    None detected
Type:    Corporate
Assignment:    Static IP
Geolocation Information
Country:    United States
State/Region:    Florida
City:    Naples,,,, and at least 63 other hosts point to

 From Threat expert report

  • Analysis of the file resources indicate the following possible country of origin:
  • There were registered attempts to establish connection with the remote hosts. The connection details are:
Remote Host    Port Number
  • The data identified by the following URLs was then requested from the remote web server:
There was an outbound traffic produced on port 443:
