Jun 13 CVE-2009-4324 PDF navy procurement.pdf from compromised louisvilleheartsurgery.com w Trojan Taidoor

Common Vulnerabilities and Exposures (CVE)number

CVE-2009-4324 Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.

  General File Information

File  navy procurement.pdf
File Size  222903
MD5  DF0DE9AD9E5BF00A60F8DE3D37683C5B
Distribution  Email attachment

CLICK HERE SEE ALL OTHER PHISHING MESSAGES SENT VIA THAT SERVER


 The trojaned documents were sent via mail.louisvilleheartsurgery.com (66.147.51.202), which appears to be a legitimate mail server of University of Louisville surgery program, which is outsourced to/hosted at Nuvox / Windstream Email hosting. The server must be misconfigured or compromised and is being actively used as a relay for phishing.

Download

Download the original document, all the dropped files and pcap as a password protected archive (contact me if you need the password)

Original Message

------Original Message-----
From: Jessica Morrell [mailto:jmatyascik@gmail.com]
Sent: Monday, June 13, 2011 11:58 AM
To: xxxxxx
Subject: House panel recommends Navy procurement cuts

House panel recommends Navy procurement cuts

House appropriators have recommended lopping $1.7 billion off the Navy's
2012 procurement request of $45 billion, according to budget documents obtained by Navy Times.

The mark-up, prepared by the House Appropriations Committee Subcommittee on Defense, would fund the Navy with $43.5 billion for procurement in fiscal 2012, a 3.7 percent drop from the Navy Department's request. These figures include the Marine Corps. The panel's proposed cuts to the Navy request were larger than those for the Army and Air Force combined.

While cuts were proposed across the board, the appropriator's red pen fell heavily on buying new airplanes, missiles and drones, and frequently cited growth in costs as the rationale for the cuts. The proposal will head to the full committee for a vote, one of a number of steps before passage.

The deepest cuts proposed were for naval aviation procurement. The panel recommended aviation procurement fall by $782 million, for a total of $17.8 billion. The Navy had requested $191 million for the Fire Scout drone program. That figure was more than halved by the subcommittee, who noted in the mark-up that the Navy's inventory of these unmanned helicopters was already "excess to requirement." The Navy had planned to procure 12 Fire Scouts in 2012. The committee recommended only $76 million for the program in 2012.

The carrier-based joint strike fighter saw a proposed drop of $55 million due to an engineering change carryover and growth in logistics support and ground support equipment.

The rest of the text is from http://www.navytimes.com/news/2011/06/navy-house-defense-appropriations-subcommittee-budget-061011w/ (thanks to Lotta for the find)

Message Headers

Received: (qmail 23006 invoked from network); 13 Jun 2011 15:57:32 -0000
Received: from mail.louisvilleheartsurgery.com (HELO ucsamd.com) (66.147.51.202)
  byxxxxxxxxxxxxxx; 13 Jun 2011 15:57:32 -0000
Received: from UCSADC1 ([192.168.20.2]) by ucsamd.com with Microsoft SMTPSVC(6.0.3790.4675);
     Mon, 13 Jun 2011 11:57:31 -0400
Subject: House panel recommends Navy procurement cuts
Date: Mon, 13 Jun 2011 11:57:31 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0009_01CC29BA.37C5FD80"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4721
From: "Jessica Morrell"
To: xxxxxxxxxxxxxxxxxxxxxxxxxx
X-Mailer: Microsoft Outlook, Build 10.0.2627
Return-Path: jmatyascik@gmail.com
Message-ID:
X-OriginalArrivalTime: 13 Jun 2011 15:57:31.0280 (UTC) FILETIME=[9A2BA100:01CC29E2]

Sender

IP numbers of host (1) 66.147.51.202

PTRs of IP numbers (1) mail.louisvilleheartsurgery.com

Host names sharing IP with A records (1) mail.louisvilleheartsurgery.com

A of PTR of A (1) 66.147.51.202

  

Automated Scans

File name: navy procurement.pdf
Submission date: 2011-06-14 03:49:42 (UTC)
http://www.virustotal.com/file-scan/report.html?id=d930a86412a5e41a74d3914e87328452dae5b765ffcde9e4845eebcf348899ca-1308023382
Result: 6 /42 (14.3%)
AVG 10.0.0.1190 2011.06.13 JS/Obfuscated
ClamAV 0.97.0.0 2011.06.14 PUA.Script.PDF.EmbeddedJS-1
Commtouch 5.3.2.6 2011.06.14 PDF/Obfusc.J!Camelot
eTrust-Vet 36.1.8384 2011.06.13 PDF/Pidief!generic
Ikarus T3.1.1.104.0 2011.06.14 Virus.JS.Obfuscated
Kaspersky 9.0.0.837 2011.06.14 Exploit.JS.Pdfka.dgd
MD5   : df0de9ad9e5bf00a60f8de3d37683c5b

Created files

 This trojan is characterized by the traffic it generates  -


http://99.1.23.71/qfgkt.php?id=030696111D308D0E8D
http://aaaaa/bbbbb.php?id=xxxxxxyyyyyyyyyyyy where
aaaaa is a host or domain
bbbbb is a 5 char string
xxxxxx is a 6 char changing string
yyyyyyyyyyyy - 12 char more or less constant string

Local Settings\Netlogon.exe

File: Netlogon.exe
Size: 91136
MD5:  FD184057AB056595B3857CB5BF193094

The name of the dropped file can be different, for example
Local Settings\cisvc.exe
Size: 91136
MD5:  FD184057AB056595B3857CB5BF193094

 
Local Settings\Temp\8630950  - network recon file (created and deleted) - random digit name. If it was 

deleted, it probably means it was deleted after transferring the data to the attackers.
Local Settings\Temp\~dfds3.reg  - registry file to add to Run to ensure persistence in the system

Local Settings\Temp\ navy procurement.pdf  - clean decoy file

File: navy procurement.pdf
Size: 127126
MD5:  D376B24C74EEB19FCB18B5E5627DE7E0

navy procurement.pdf  - decoy clean file

~dfds3.reg

this is to achieve persistence in the system upon reboot
contents of the file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Netlogon"="C:\\Documents and Settings\\mila\\Local Settings\\Netlogon.exe"

8630950

   

File: 8630950
Size: 1232
MD5:  E974CD8F1200D8C0A7ECECDD8D94A3D0

network recon

  

Netlogon.exe fd184057ab056595b3857cb5bf193094 

Netlogon.exe
Submission date: 2011-06-14 05:56:20 (UTC)
Result: 12/ 42 (28.6%)
http://www.virustotal.com/file-scan/report.html?id=5bfad00d3eebd693d51d77cac3c2007dbc110100c2731a76a3f869db68077b66-1308030980
AntiVir 7.11.9.170 2011.06.14 TR/Hijacker.Gen
AVG 10.0.0.1190 2011.06.13 Generic22.BYNK
BitDefender 7.2 2011.06.14 Gen:Trojan.Heur.TP.fq3@bW8edmab
Emsisoft 5.1.0.8 2011.06.14 Trojan.SuspectCRC!IK
GData 22 2011.06.14 Gen:Trojan.Heur.TP.fq3@bW8edmab
Ikarus T3.1.1.104.0 2011.06.14 Trojan.SuspectCRC
Kaspersky 9.0.0.837 2011.06.14 Trojan.Win32.Inject.bdfx
Microsoft 1.6903 2011.06.13 VirTool:Win32/Injector.gen!BJ
NOD32 6205 2011.06.14 a variant of Win32/Injector.GUH
Norman 6.07.10 2011.06.13 W32/Obfuscated.JA
Panda 10.0.3.5 2011.06.13 Suspicious file
VBA32 3.12.16.1 2011.06.13 TrojanDownloader.Rubinurd.f
MD5   : fd184057ab056595b3857cb5bf193094


Strings excerpt

?T
 f4V
/ntdll.dll
NtUnmapViewOfSection
host.exe "
vices.exe "
%ProgramFiles%\Mcafee
abcde

Unicode Strings:
----------------------------------------

Language code of the file is displayed as English - United States en-us 1033 but the language ID is actually Chinese Simplified     (The language ID is a word integer value made up of a primary language and its sublanguage which is defined by Windows. If the resource item is “language neutral” then this value is zero.)

Traffic

CnC server  -  same  as in

• Jun 1 CVE-2010-3333 DOC 2011 Insider's Guide to Military Benefits from compromised louisvilleheartsurgery.com w Trojan Taidoor  
• May 31 CVE-2010-3333 DOC Q and A.doc compromised louisvilleheartsurgery.com w Trojan Taidoor 
• May 31 CVE-2010-3333 DOC President Obama's Speech.doc from compromised louisvilleheartsurgery.com w Trojan Taidoor 
• Jun 1 CVE-2010-3333 DOC You are my King from compromised louisvilleheartsurgery.com w Trojan Taidoor

CLICK HERE SEE ALL OTHERS SENT VIA THAT SERVER

SSL to / from 99.1.23.71:443  and 65.87.199.102:443

examples 
GET /rttlm.php?id=0125031911380616G0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 65.87.199.102
Connection: Keep-Alive
Cache-Control: no-cache

GET /rttlm.php?id=0110531911380616G0 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache



Other examples from other posts

From threatexpert

http://99.1.23.71:443/epzkq.php?id=018399121212121212
http://99.1.23.71:443/vkreb.php?id=017322121212121212
http://65.87.199.102:443/vkreb.php?id=020437121212121212

Other examples from the previous post are

GET /fvlbk.php?id=012943191138FEBC54 HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache


GET /wmssk.php?id=016180191138FEBC54 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71
Connection: Keep-Alive
Cache-Control: no-cache 

GET /ldtxh.php?id=011340111D30541B71 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 99.1.23.71

Connection: Keep-Alive

   
99.1.23.71 appears to be a compromised IIS server used as CnC , which belongs to  Sun Country Medical Equipment

99.1.23.64 - 99.1.23.71
SUN COUNTRY MEDICAL EQUIPMENT-080827115120
Private Address
Plano, TX 75075 United States 

IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com
IPAdmin ATT Internet Services
+1-800-648-1626
ipadmin@att.com

SBC-99-1-23-64-29-0808275145
Created: 2008-08-27
Updated: 2011-03-19
Source: whois.arin.net

65.87.199.102  - appears to be a compromised server used as CnC  - hosting webserver from Gatortech.com, hosting and small business outsource company

vortex.gatortech.com
ISP:    Synergy Networks
Organization:    Synergy Networks
Proxy:    None detected
Type:    Corporate
Assignment:    Static IP
Blacklist:   
Geolocation Information
Country:    United States us flag
State/Region:    Florida
City:    Naples

 http://www.robtex.com/ip/65.87.199.102.html

65.87.199.102 Dudleycarson.com, sarasota-gulfcoast.com, yourhometownsweethearts.com, allstarrealtytony.com, rightwaysales.com and at least 63 other hosts point to 65.87.199.102.

 From Threat expert report

• Analysis of the file resources indicate the following possible country of origin:

	China

• There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
65.87.199.102	443
99.1.23.71	443

• The data identified by the following URLs was then requested from the remote web server:
• http://65.87.199.102/nlmhi.php?id=023293111D308D0E8D
• http://99.1.23.71/nlmhi.php?id=015948111D308D0E8D
• http://99.1.23.71/nlmhi.php?id=000083111D308D0E8D
• http://99.1.23.71/nlmhi.php?id=000041111D308D0E8D

There was an outbound traffic produced on port 443:

00000000 | 4193 7170 A528 1497 5037 E980 7EDE AEF7 | A.qp.(..P7..~... 00000010 | AFC1 B229 D55E 016F 7990 7849 F589 4B36 | ...).^.oy.xI..K6 00000020 | 0397 3479 2D6E 71D3 D10F E866 FE9B AB3E | ..4y-nq....f...> 00000030 | 4F5A 307D 3778 25CE 36F6 6A19 18F6 B11B | OZ0}7x%.6.j..... 00000040 | 35B5 46A1 6257 2485 9C54 0092 66E4 95E2 | 5.F.bW$..T..f... 00000050 | AEB4 AEA5 154A A454 1CCD 2C1C E72E 35F8 | .....J.T..,...5. 00000060 | 861D 37E5 F983 5635 76DE C932 73BE C405 | ..7...V5v..2s... 00000070 | EDB0 D0E8 1BF2 56A3 59E7 3DB9 5972 1778 | ......V.Y.=.Yr.x 00000080 | 017C 1041 DB18 725A 1B27 B7AB 1C09 29B7 | .|.A..rZ.'....). 00000090 | 312B 6EE6 13AB 37BE 8132 D8B5 64CD 0A2D | 1+n...7..2..d..- 000000A0 | 5CB7 BBDF 35A3 BB5F B85D 951D 6835 7083 | \...5.._.]..h5p. 000000B0 | 8F1D 523D 029C C1DD AF10 B830 1E05 2616 | ..R=.......0..&. 000000C0 | 5423 1C89 67B2 5C43 125D 8570 FD31 8EDF | T#..g.\C.].p.1.. 000000D0 | 6B42 2B40 A1BF B40B 3C1C B8A0 F9D9 209B | kB+@....<..... . 000000E0 | 2DDC 4D7C 6F44 3314 D6E8 DCFD 050E A5E3 | -.M|oD3......... 000000F0 | B4D1 7679 0F11 7049 10A7 5F94 6DD2 4FB5 | ..vy..pI.._.m.O. 00000100 | CEA8 0EA8 C4B7 1A00 0A94 1239 B6E5 2920 | ...........9..) 00000110 | 3EA1 43CE 826B D3D8 089F BAF5 95EC 63D0 | >.C..k........c. 00000120 | 85F2 7FD7 B520 4F6E 38D5 1821 C7F0 2144 | ..... On8..!..!D 00000130 | C257 01AB 0574 9595 E780 2224 11E1 48A6 | .W...t...."$..H. 00000140 | 7CA1 AF53 3A59 C0E2 99A6 8CCD 3BBC 50EB | |..S:Y......;.P. 00000150 | C182 8EDF D7CE 4DD2 634C B60B A6FE D060 | ......M.cL.....` 00000160 | 173B 20E3 BEAD 37DF 3FA0 8A8D CDD2 6588 | .; ...7.?.....e. 00000170 | DE6F 4713 3C0F 9546 A463 5BA9 6EAE 5454 | .oG.<..F.c[.n.TT 00000180 | D0CA 4E71 9E62 AE73 D492 E8A4 D836 5DF9 | ..Nq.b.s.....6]. 00000190 | 4643 3AE1 51F2 146B A1D4 A5FF 4E3D 7EB1 | FC:.Q..k....N=~. 000001A0 | 79A9 C32F 93B8 0B70 E9F9 25DA B083 0522 | y../...p..%...." 000001B0 | B651 B760 4EBB 886D B38D 2183 EF63 8766 | .Q.`N..m..!..c.f 000001C0 | CD01 8B18 C267 FCB8 B9BD A9B1 3476 A969 | .....g......4v.i 000001D0 | CFE0 AF59 7496 CA52 8B6E 05AE CAAB 263D | ...Yt..R.n....&= 000001E0 | 6316 8569 8929 3128 3156 3680 2A2C 8E3E | c..i.)1(1V6.*,.> 000001F0 | 5745 903D CE9B 9FB6 8A9F ECD2 A13D D7D8 | WE.=.........=.. 00000200 | E254 773B D27F 825E E828 5D2C 2D03 5F4A | .Tw;...^.(],-._J 00000210 | AA22 6F88 EA7C EC1B 7A1B 86CB 5DF2 D00C | ."o..|..z...]... 00000220 | 3A4D A3C2 43C5 B8F4 BB2B ADF7 8989 79D5 | :M..C....+....y. 00000230 | DFC1 81D1 7869 C8A2 AA50 A75B 7E14 A288 | ....xi...P.[~... 00000240 | E36F C6DE D6B0 7A71 5B9B 497B F8A7 EB9B | .o....zq[.I{.... 00000250 | 49B5 DEFC 7E5F 528B A6D7 C6EA B967 1EF6 | I...~_R......g.. 00000260 | B245 D1D7 F36D DFB1 CF72 C493 1EDF 79A4 | .E...m...r....y. 00000270 | D5C1 A778 0A77 3826 1330 66FF 0199 CF94 | ...x.w8&.0f..... 00000280 | 73F3 02D0 0F89 3DF5 A758 5129 751D AFBF | s.....=..XQ)u... 00000290 | 8BFE 4577 CB18 8E9A 6BD1 21C9 B163 5AF2 | ..Ew....k.!..cZ. 000002A0 | 893F 8BB5 EA62 A777 6576 85DF 9E14 5F7E | .?...b.wev...._~ 000002B0 | F198 A397 E66A 06E6 B2C0 7DA1 A788 67B7 | .....j....}...g. 000002C0 | 47BB 233D 8C92 956F 5415 A8CA 2DF0 5E5C | G.#=...oT...-.^\ 000002D0 | FB99 8045 9D86 27B5 B533 5771 41D9 6A8B | ...E..'..3WqA.j. 000002E0 | 1A77 5166 F30F FE9D 7275 C84F 02F0 20A9 | .wQf....ru.O.. . 000002F0 | FDF1 C069 0EB6 6519 7024 789F 6625 31B2 | ...i..e.p$x.f%1. 00000300 | 10B6 8873 C5B7 1CED D92E 8ED1 BB2C 4911 | ...s.........,I. 00000310 | 9792 8BC9 99CD 6B7F 320A 2671 853F B3E7 | ......k.2.&q.?.. 00000320 | DC22 6E45 F6A5 1168 2634 BD45 697F 5E17 | ."nE...h&4.Ei.^. 00000330 | A912 9167 ADD8 37F4 B810 3B48 7495 4819 | ...g..7...;Ht.H. 00000340 | F766 A04B AFD4 49D5 7D18 3DC1 D20B F953 | .f.K..I.}.=....S 00000350 | E9C1 96E2 DFD5 013B 1016 1304 2292 3568 | .......;....".5h 00000360 | 5F67 8834 E991 5B65 18E1 C345 7649 CF6F | _g.4..[e...EvI.o 00000370 | 2699 2A28 0B1B BCFC 355D C916 5EED 4A52 | &.*(....5]..^.JR 00000380 | 21BE A937 D553 A1DF D27E 60A7 9088 FD6F | !..7.S...~`....o 00000390 | AD93 75F8 1AA7 DC8F D9FD 2757 F0DF EC22 | ..u.......'W..." 000003A0 | 87F7 43D4 4402 444D 8944 B8B2 392D 04A7 | ..C.D.DM.D..9-.. 000003B0 | 445F 7E99 DC04 8F27 3587 1844 33AD 0A44 | D_~....'5..D3..D 000003C0 | C592 A4DB B3FD A85E EB1A B25C C85C F683 | .......^...\.\.. 000003D0 | 8271 2A8A 80A0 87D5 4E9A 0F2E E5D7 1BD1 | .q*.....N....... 000003E0 | 5A9B 99A2 5825 FB46 21EC DF97 11DC 0387 | Z...X%.F!....... 000003F0 | 50E4 441F E94D 14BC AB15 B873 3F00 C580 | P.D..M.....s?... 00000400 | DB7A F64E 1185 207D F680 2A07 35E5 188D | .z.N.. }..*.5... 00000410 | 4F50 734A 8B5E C47A 9C48 F84D 6911 F667 | OPsJ.^.z.H.Mi..g 00000420 | D40E D9B3 144E 913A 6E09 CAA7 F26B E54A | .....N.:n....k.J 00000430 | 782E 18B8 1C0D B8DC D6B8 1476 D594 F868 | x..........v...h 00000440 | 81C2 F8EC AE12 8CB0 AFEB 167D 0690 5D60 | ...........}..]` 00000450 | C930 1CCE CE08 4A24 8FA7 CEBF C857 5544 | .0....J$.....WUD 00000460 | D312 348C E77F 474E AC42 8F56 5321 1F7E | ..4...GN.B.VS!.~ 00000470 | C67C E15A 3083 BF9C 90C8 C587 8B55 9F4E | .|.Z0........U.N 00000480 | 1103 949B D546 3890 AF91 AA71 D307 72D9 | .....F8....q..r. 00000490 | 67FE 9039 1574 A28D FC5E CE52 5E95 0416 | g..9.t...^.R^... 000004A0 | 7C7B AE40 A485 A54C 3EE9 D028 78F1 5274 | |{.@...L>..(x.Rt 000004B0 | 7486 59CB 7C2D D261 B836 1424 BF41 5D8C | t.Y.|-.a.6.$.A]. 000004C0 | E4F0 B617 | ....