The message is signed with a certificate issued by "COMODO Client Authentication and Secure Email CA", and that certificate is revoked.
The sender address is a spoofed Gmail address of SEF News, sef1941@gmail.com, but the message was sent from a HINET server in Taiwan, not from Gmail. The exploit used is CVE-2011-0611, with the same malicious SWF as described in the previous post Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Taidoor.
The payload is the same too: Trojan Taidoor / Rubinurd (see more on Taidoor here), with C&C server 213.42.74.85 (Dubai, UAE).
Update June 29
As screenshots of the certificate show, it was not expired. The Comodo
Certificate Revocation List showed that the certificate was revoked less
than 12 hours before it was sent, which means it was stolen and ready
to be used while it was still valid. Perhaps it was used while still
valid for a while before I got it.
Digitally signed messages are used to gain the trust of the recipient. Contagio has examples of stolen valid and invalid certificates used to sign malicious binaries in order to bypass application white-listing and other filters. Speaking of CRLs, here are two articles related to web certificates.
Revocation doesn't work (18 Mar 2011) Imperial Violet
Detecting Certificate Authority compromises and web browser collusion (22 Mar 2011) Tor Blog by ioerror
Common Vulnerabilities and Exposures (CVE) number
CVE-2011-0611
Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.
General File Information
File Name: ____________.pdf
MD5: 8E3D7FCFA89307C0D3B7951BD36B3513
File Size: 249913 bytes
Distribution: Email attachment
File Download
Download the original document as a password protected archive (contact me if you need the password)
Original Message
From: SEF News [mailto:sef1941@gmail.com]
Sent: Wednesday, June 22, 2011 4:15 AM
To: leticia@trade.gov.tw
Subject: 與全民分享經濟成長的果實
與全民分享經濟成長的果實 (Google translate: All the people sharing the fruits of economic growth)
Invalid Comodo certificate: Certificate Issued by COMODO Client Authentication and Secure Email CA
Error:
The message contents may have been altered.
The certificate used to create this signature is on a valid Certificate Revocation List.
Signed by sef1941@gmail.com using RSA/SHA1 at 4:15:25 AM 6/22/2011.
CN = COMODO Client Authentication and Secure Email CA
O = COMODO CA Limited
L = Salford
S = Greater Manchester
C = GB
KeyID=7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b
RFC822 Name=sef1941@gmail.com
Update June 29
Wed, 22 Jun 2011 16:15:25 +0800 - Message sent
Tue, 21 Jun 2011 20:55:16 - Certificate revoked (I assume it is UTC +0000)
Here is all the info about the certificate (on Windows, download the Server 2003 Admin Pack and run certutil.exe to dump all the info, including the Certificate Revocation List URL).
The current list is at http://crl.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crl
or you can download it from here, as it will change later.
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
X509 Certificate:
Version: 3
Serial Number: 23df4e20dc85b984c58a6bde280db1ac
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Issuer:
CN=COMODO Client Authentication and Secure Email CA
O=COMODO CA Limited
L=Salford
S=Greater Manchester
C=GB
NotBefore: 6/21/2011 8:00 PM
NotAfter: 6/21/2012 7:59 PM
Subject:
E=sef1941@gmail.com
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 2048 bits
Public Key: UnusedBits = 0
0000 30 82 01 0a 02 82 01 01 00 c9 06 5f 5a ee 49 39
0010 0a c9 87 12 31 1c 7e 97 ae 01 38 36 48 9f fa 7d
0020 e1 6d 3e 2f 88 aa af d7 5b 61 51 b2 69 21 a0 b4
0030 31 55 07 cb a9 c7 cc 82 ca 32 7b af 44 98 be a4
0040 20 3b 3f bc de 41 b7 c1 3b dd fd 03 2f 26 9d f3
0050 e3 a7 3c d8 f9 68 0c 08 4e c2 ea 36 fe b4 96 c5
0060 22 ce 2a d9 8f f5 d0 6f f8 f6 68 f0 b7 74 d2 87
0070 41 54 9a cf 58 2c 16 91 8f 14 84 e5 c0 0a 74 1a
0080 d2 28 c2 95 69 db 0d 63 ea 3c d1 35 01 01 29 8e
0090 d0 59 40 fc fb c5 b0 4d 4d 81 28 b9 f6 07 4c cd
00a0 74 13 7d 3d dd 58 b6 df 71 af 14 19 57 7a 94 ae
00b0 07 69 48 81 87 ea 8c 45 ea 8b 63 81 ed b9 46 e9
00c0 10 e6 12 0b fc 42 13 ea b5 1f c1 5e 17 fd 42 eb
00d0 4d 6a 8b 8a b9 3f 9e 5e 7c 43 93 d5 70 d4 5a d9
00e0 8a ed af 3c 78 53 eb 23 93 78 ac 94 e1 bb 1a 00
00f0 53 64 9c eb 1b 9c 0d 00 0a f0 ee 74 59 f4 d1 c6
0100 e2 35 be 84 2d ed ca 98 41 02 03 01 00 01
Certificate Extensions: 10
2.5.29.35: Flags = 0, Length = 18
Authority Key Identifier
KeyID=7a 13 4e 00 74 5b c6 78 63 64 27 c1 2f e2 a0 5b bc 79 c5 7b
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
33 88 c6 12 dc 39 35 0b 37 b7 56 c2 0e 16 26 42 80 dd 81 c5
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Key Encipherment (a0)
2.5.29.19: Flags = 1(Critical), Length = 2
Basic Constraints
Subject Type=End Entity
Path Length Constraint=None
2.5.29.37: Flags = 0, Length = 19
Enhanced Key Usage
Secure Email (1.3.6.1.5.5.7.3.4)
Unknown Key Usage (1.3.6.1.4.1.6449.1.3.5.2)
2.16.840.1.113730.1.1: Flags = 0, Length = 4
Netscape Cert Type
SMIME (20)
2.5.29.32: Flags = 0, Length = 3f
Certificate Policies
[1]Certificate Policy:
Policy Identifier=1.3.6.1.4.1.6449.1.2.1.1.1
[1,1]Policy Qualifier Info:
Policy Qualifier Id=CPS
Qualifier:
https://secure.comodo.net/CPS
2.5.29.31: Flags = 0, Length = 50
CRL Distribution Points
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=http://crl.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crl
1.3.6.1.5.5.7.1.1: Flags = 0, Length = 7c
Authority Information Access
[1]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=http://crt.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crt
[2]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=http://ocsp.comodoca.com
2.5.29.17: Flags = 0, Length = 15
Subject Alternative Name
RFC822 Name=sef1941@gmail.com
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 b5 fe 79 a5 df 8b 3f 51 0d 0a 19 af 6b 76 c5 87
0010 6a b9 ce 2d e0 df c9 05 09 ec 8b e7 f6 f1 12 0f
0020 6e 98 b8 31 69 b8 d0 e2 ac 56 24 d2 a3 b0 90 b8
0030 06 18 4d d1 66 2f 4c 7e 60 27 ae c4 22 a9 a1 f0
0040 94 bb ce ee 2a bd 5b 76 85 96 0b de 79 e9 4e f1
0050 32 f6 34 32 05 1e e8 47 1e cf 0c a0 5d d3 e4 93
0060 1f 69 56 44 a5 44 9d 0e 0d 7b 87 b5 72 20 01 be
0070 a5 ec 22 de 6b 66 d8 f4 66 00 72 3d d7 a7 07 98
0080 19 c3 5a 6e aa df c3 44 bb bb 30 a3 ca d0 09 45
0090 47 97 a5 e7 90 b2 41 19 be 1f 3f 74 c4 b4 80 b9
00a0 aa 81 6c b9 4f a0 7c 59 df f8 b3 35 02 51 2b df
00b0 fc 35 bf 0b 79 d8 9a 77 fb 9f 56 2b 7c b6 b8 96
00c0 14 20 89 0d f7 b2 b6 9c 01 d8 cd d8 7d 49 d8 02
00d0 18 d9 ee d4 e1 c9 6c 0a cb e1 3e 81 69 3d 2f d4
00e0 eb e8 5c e9 7b e2 19 d8 0b cc fd a4 af c4 55 fc
00f0 80 68 d7 79 c1 6a 7d 63 42 95 bf 9f a2 23 04 36
Non-root Certificate
Key Id Hash(sha1): 03 f7 f2 3b 11 92 32 e2 8b 05 55 6d 33 ed f1 0d 8a 91 8d e2
Subject Key Id (precomputed): 33 88 c6 12 dc 39 35 0b 37 b7 56 c2 0e 16 26 42 80 dd 81 c5
Cert Hash(md5): c8 a7 aa 7f 6e 5f fd be 40 36 45 4c fe f3 3a f0
Cert Hash(sha1): 42 2d e1 6d 46 b0 d6 e8 9c 62 7d e8 a2 28 4f de 2a 89 15 e1
CertUtil: -dump command completed successfully.
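The timeline in the update above (certificate revoked, then the signed message sent a few hours later) is the kind of check worth scripting once you have the certutil dump. The following Python script is an added example, not code from the post: it parses the fields that matter out of a certutil -dump listing (serial, validity window, CRL distribution point, OCSP and issuer URLs, e-mail names) and compares the message's Date header with the validity window and the CRL revocation time quoted in the update. It assumes that certutil's NotBefore/NotAfter, which are printed in the analyst's local time with no zone marker, are UTC, and, like the post, treats the CRL timestamp as UTC; the embedded dump is a subset of the listing above.

```python
"""Added example: pull the useful fields out of a certutil -dump listing and
check an S/MIME signing time against the certificate's validity window and a
CRL revocation timestamp."""
import re
from datetime import datetime, timedelta, timezone

# Excerpt of the certutil listing shown in the post (a subset of its lines,
# same layout as certutil.exe -dump prints them).
CERTUTIL_DUMP = """\
X509 Certificate:
Version: 3
Serial Number: 23df4e20dc85b984c58a6bde280db1ac
Issuer:
    CN=COMODO Client Authentication and Secure Email CA
NotBefore: 6/21/2011 8:00 PM
NotAfter: 6/21/2012 7:59 PM
Subject:
    E=sef1941@gmail.com
Certificate Extensions: 10
    2.5.29.31: Flags = 0, Length = 50
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=http://crl.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crl
    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 7c
    Authority Information Access
        [1]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=http://crt.comodoca.com/COMODOClientAuthenticationandSecureEmailCA.crt
        [2]Authority Info Access
             Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
             Alternative Name:
                  URL=http://ocsp.comodoca.com
    2.5.29.17: Flags = 0, Length = 15
    Subject Alternative Name
        RFC822 Name=sef1941@gmail.com
"""

CERTUTIL_TIME = "%m/%d/%Y %I:%M %p"  # certutil prints US-style local time, no zone


def parse_certutil_dump(text, local_tz=timezone.utc):
    """Return serial, validity window, CRL/OCSP/issuer URLs and e-mail names.

    certutil shows NotBefore/NotAfter in the analyst's local time without a
    zone marker; local_tz is the zone assumed for them (UTC by default, which
    is an assumption of this example, not something the listing states).
    """
    info = {"crl_urls": [], "ocsp_urls": [], "issuer_urls": [], "emails": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Serial Number:\s*([0-9a-fA-F]+)$", line)
        if m:
            info["serial"] = m.group(1).lower()
            continue
        m = re.match(r"(NotBefore|NotAfter):\s*(.+)$", line)
        if m:
            stamp = datetime.strptime(m.group(2), CERTUTIL_TIME)
            info[m.group(1)] = stamp.replace(tzinfo=local_tz)
            continue
        if re.match(r"[\d.]+: Flags = ", line):
            section = None  # a new extension header ends the previous section
            continue
        if line in ("CRL Distribution Points", "Authority Information Access",
                    "Subject Alternative Name"):
            section = line
            continue
        m = re.match(r"URL=(\S+)$", line)
        if m and section == "CRL Distribution Points":
            info["crl_urls"].append(m.group(1))
        elif m and section == "Authority Information Access":
            key = "ocsp_urls" if "ocsp" in m.group(1).lower() else "issuer_urls"
            info[key].append(m.group(1))
        m = re.match(r"(?:RFC822 Name|E)=(\S+@\S+)$", line)
        if m and m.group(1) not in info["emails"]:
            info["emails"].append(m.group(1))
    return info


def signing_time_checks(cert, signed_at, revoked_at):
    """Was the signature made inside the validity window, and how long after
    the CRL says the certificate was revoked?"""
    signed_utc = signed_at.astimezone(timezone.utc)
    revoked_utc = revoked_at.astimezone(timezone.utc)
    hours = (signed_utc - revoked_utc).total_seconds() / 3600
    return {
        "within_validity": cert["NotBefore"] <= signed_utc <= cert["NotAfter"],
        "revoked_before_signing": revoked_utc < signed_utc,
        "hours_since_revocation": round(hours, 2),
    }


# Timestamps quoted in the post: the message Date header (+0800) and the CRL
# entry, which the post (and this example) assume to be UTC.
MESSAGE_SENT = datetime(2011, 6, 22, 16, 15, 25, tzinfo=timezone(timedelta(hours=8)))
CERT_REVOKED = datetime(2011, 6, 21, 20, 55, 16, tzinfo=timezone.utc)

if __name__ == "__main__":
    cert = parse_certutil_dump(CERTUTIL_DUMP)
    for key in ("serial", "NotBefore", "NotAfter", "crl_urls", "ocsp_urls", "emails"):
        print(f"{key}: {cert[key]}")
    print(signing_time_checks(cert, MESSAGE_SENT, CERT_REVOKED))
```

For a live check you would fetch the URL in crl_urls and look the serial up in the CRL's revokedCertificates list; as the Imperial Violet article linked above argues, that result is only as fresh as the client's CRL copy, which is exactly the window a freshly revoked certificate exploits.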
Headers
Received: (qmail 1844 invoked from network); 22 Jun 2011 08:15:30 -0000
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
by XXXXXXXXXXXXX with SMTP; 22 Jun 2011 08:15:30 -0000
Received: from FuckYouMan (61-221-34-242.HINET-IP.hinet.net [61.221.34.242])
by msr6.hinet.net (8.14.2/8.14.2) with SMTP id p5M8F0St022693; Wed, 22 Jun 2011 16:15:01 +0800 (CST)
Message-ID: <010601cc30b4$90aaa210$5c00a8c0@FuckYouMan>
From: "SEF News"
To: xxxxxxxxxxxxxxxxxxxxx
Subject: =?big5?B?u1Cl/qXBpMCoybhnwNmmqKr4qrqqR7nq?=
Date: Wed, 22 Jun 2011 16:15:25 +0800
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=SHA1; boundary="----=_NextPart_000_00FF_01CC30F7.9854C750"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
Sender
61.221.34.242
61-221-34-242.hinet-ip.hinet.net
Host reachable, 283 ms. average
61.221.34.240 - 61.221.34.247
O Lien Co., Ltd.
Taipei Taiwan
TW
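The Headers and Sender sections above carry the two spoofing indicators a triage script should pull out automatically: the first hop is a HINET customer address whose reverse DNS has nothing to do with the Gmail sender, and the HELO name is a bare Windows computer name. The following Python script is an added example, not code from the post: it walks the Received chain bottom-up with only the standard library, decodes the Big5 RFC 2047 Subject, and reports those findings. The embedded header block is copied from the post, with the From address taken from the "Original Message" block (the header listing redacts it) and the receiving relay left redacted as the post shows it.

```python
"""Added example: walk the Received chain of the headers shown above, decode
the RFC 2047 Subject, and flag the gap between the claimed sender domain and
the host that actually injected the message."""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Headers as quoted in the post. The From address comes from the post's
# "Original Message" block (the header listing redacts it); the receiving
# relay stays redacted as the post shows it.
RAW_HEADERS = """\
Received: (qmail 1844 invoked from network); 22 Jun 2011 08:15:30 -0000
Received: from msr6.hinet.net (HELO msr6.hinet.net) (168.95.4.106)
  by XXXXXXXXXXXXX with SMTP; 22 Jun 2011 08:15:30 -0000
Received: from FuckYouMan (61-221-34-242.HINET-IP.hinet.net [61.221.34.242])
  by msr6.hinet.net (8.14.2/8.14.2) with SMTP id p5M8F0St022693; Wed, 22 Jun 2011 16:15:01 +0800 (CST)
Message-ID: <010601cc30b4$90aaa210$5c00a8c0@FuckYouMan>
From: "SEF News" <sef1941@gmail.com>
Subject: =?big5?B?u1Cl/qXBpMCoybhnwNmmqKr4qrqqR7nq?=
Date: Wed, 22 Jun 2011 16:15:25 +0800
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

"""

IPV4 = r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])"


def parse_hop(received):
    """Extract HELO name, reverse-DNS name and IP from one Received header."""
    text = " ".join(received.split())  # unfold the header onto one line
    helo = re.match(r"from\s+(\S+)", text)
    rdns = re.search(r"\(([\w.-]+)\s+\[" + IPV4 + r"\]\)", text)
    if rdns:
        ip = rdns.group(2)
    else:
        m = re.search(IPV4, text)
        ip = m.group(1) if m else None
    return {
        "helo": helo.group(1) if helo else None,
        "rdns": rdns.group(1) if rdns else None,
        "ip": ip,
    }


def originating_hop(msg):
    """Each relay prepends its own Received header, so the last one is the
    first hop: the machine that handed the message to the mail system."""
    hops = [parse_hop(r) for r in msg.get_all("Received", [])]
    return hops[-1] if hops else None


def registered_domain(name):
    # Last two labels: enough for hinet.net vs gmail.com, no public-suffix lookup.
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spoof_indicators(raw_headers):
    """Compare the From domain with the origin host and collect findings."""
    msg = message_from_string(raw_headers)
    _, from_addr = parseaddr(msg["From"])
    claimed_domain = from_addr.rpartition("@")[2].lower()
    origin = originating_hop(msg)
    findings = []
    if origin["rdns"] and registered_domain(origin["rdns"]) != claimed_domain:
        findings.append(f"origin host {origin['rdns']} [{origin['ip']}] "
                        f"is outside the claimed domain {claimed_domain}")
    if origin["helo"] and "." not in origin["helo"]:
        findings.append(f"HELO name {origin['helo']!r} is a bare hostname, "
                        "not a fully qualified one")
    subject = str(make_header(decode_header(msg["Subject"])))
    return {"claimed_domain": claimed_domain, "origin": origin,
            "subject": subject, "findings": findings}


if __name__ == "__main__":
    result = spoof_indicators(RAW_HEADERS)
    print("Subject:", result["subject"])
    print("Origin:", result["origin"])
    for finding in result["findings"]:
        print("-", finding)
```

The registered-domain comparison is deliberately crude (last two labels, no public suffix list); for real triage you would also check the origin IP against the claimed domain's SPF record, which Gmail publishes and which a HINET customer address would fail.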
PDF Information
The exploit used is CVE-2011-0611. The malicious SWF ActionScript is identical to the one found in the previous message I posted. See the analysis here: Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Taidoor
Just like the file discussed in the post above, this file checks the Reader version and offers to upgrade if it is below version 9.
Payload and Traffic
As expected, the payload is also identical to that of the message described above; see more details here:
- Jun 27 PDF - SWF CVE-2011-0611 Two Views On The South China Sea from compromised Pikes Peak BOCES account w Taidoor
- May-June 2011 Trojan Taidoor "Louisvilleheartsurgery.com" phishing campaign
- Feb 25 CVE-2010-3333 DOC China's Military Build-up from a compromised IBEW-NECA Joint Trust Funds account