Here is one more for the collection: same malware and sender as in the previous post. This message, targeting experts on Japan, China and Taiwan/USA relations, was sent on July 13, 2011. The attached PDF exploits CVE-2010-2883 (2/43 on VirusTotal, encrypted) and drops a Poison Ivy (keylogging) payload that connects to www.adv138mail.com. The domains serving Poison Ivy listed below were registered through DNS.com.cn, a registrar with a poor reputation. These domains and this IP have been Poison Ivy CnC for a while; see the posts below.
Other PI domains noted are:
web.adv138mail.com - 2011
dns.adv138mail.com - 2011 (thank you, John)
www.adv138mail.com - 2011 - 112.121.171.94
pu.flower-show.org - 2011 - 112.121.171.94
cecon.flower-show.org - 2010
posere.flower-show.org - 2009
Nov.adv138mail.com, ftp.adv138mail.com and asm.adv138mail.com also point to 112.121.171.94.
- Contagio | Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org
- Contagio | More flowers with some poison ivy - Feb. 10, 2010
- F-Secure | Watch Out for flower-show.org - Feb. 10, 2010
- ISC | Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324 - Jan 4, 2010
File Information
File name: Meeting Agenda.pdf
File size : 162094 bytes
MD5 : 8c09494be2a65d2c0e0b6ced44643bac
SHA1 : 27ec442992bd61990d8bb2011db9673cccd17639
Distribution: email attachment
Common Vulnerabilities and Exposures (CVE) number: CVE-2010-2883
Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.
Download
Download the pdf password protected archive (email me if you need the password)
Automated scans
http://www.virustotal.com/file-scan/report.html?id=5bcf85637da07c1e08e2386f5bed676cb05f7fd9e2951ba020bc14f65369b5f4-1310652274
Meeting Agenda.pdf
2011-07-08 05:11:25 (UTC): 2/43 (4.7%)
Submission date: 2011-07-14 14:04:34 (UTC): 2/43 (4.7%)
ClamAV 0.97.0.0 2011.07.14 PUA.Script.PDF.EmbeddedJavaScript
Commtouch 5.3.2.6 2011.07.14 PDF/Obfusc.J!Camelot
MD5 : 8c09494be2a65d2c0e0b6ced44643bac
Original message
-----Original Message-----
From: XXXXXXXXXX [mailto:spfpr.spf@gmail.com]
Sent: Wednesday, July 13, 2011 3:27 AM
To: XXXXXXXXXXXXX
Subject: From XXXXXXXXXX
Dear XXXXXXXXXX,
The Sasakawa Peace Foundation would like to extend to you an
invitation to be our guest speaker at the America's Strategic
Restraint and its Implications for the U.S.-Japan Alliance.
As you know, the Sasakawa Peace Foundation is interested in the
U.S.-Japan Alliance. Since you are familiar with the field, we know
your views will be extremely interesting to us.
Please find enclosed further details, we would appreciate having your
acceptance soon so we may complete our agenda.
Best wishes,
XXXXXXXX
Message headers
Received: (qmail 25096 invoked from network); 13 Jul 2011 07:26:34 -0000
Received: from mail-wy0-f175.google.com (HELO mail-wy0-f175.google.com) (74.125.82.175)
by XXXXXXXXXXXX
Received: by wyg30 with SMTP id 30so370967wyg.6
for XXXXXXXXXXX; Wed, 13 Jul 2011 00:26:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=gamma;
h=mime-version:in-reply-to:references:date:message-id:subject:from:to
:content-type;
bh=jJjTkxXQpsQpQyJfsD5LDMatM16g5mwLUckjGSnFj+k=;
b=bpP+HEKy2PSJGCfsHvKr5VAYyPsUF/zWXfBnTcXTR61XKcWz8tlX/Di5Doh6/KCwLL
eJv1Vt5gQiT1g8r0+uIe8W/nu3OlnfA+hMfqrMFucO852UCgYKuAuTZXWdxUUx10/gxR
ocwhRnVYEHiH3U6XSFjDKN8Jt2ljqM5Zb+AXo=
MIME-Version: 1.0
Received: by 10.216.185.19 with SMTP id t19mr707454wem.8.1310541992794; Wed,
13 Jul 2011 00:26:32 -0700 (PDT)
Received: by 10.216.19.145 with HTTP; Wed, 13 Jul 2011 00:26:32 -0700 (PDT)
In-Reply-To:
References:
Date: Wed, 13 Jul 2011 16:26:32 +0900
Message-ID:
Subject: XXXXXXXX
From: XXXXXXX
To: XXXXXXXXX
Content-Type: multipart/mixed; boundary="0016e6498444f19a5d04a7ee556d"
Payload
Same malware as in Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org. The malicious binary is injected into EXPLORER.EXE.
The clean decoy PDF has the title HDCKiemtralaiSinhhoc10_20102011.doc and is a school test paper in Vietnamese; its opening lines translate as:
"DEPARTMENT OF EDUCATION AND TRAINING
HO CHI MINH CITY
__________________
To test if ACADEMIC YEAR 2010 - 2011
LIST OF BIOLOGY - GRADE 10
Time: 45 minutes
(Excluding the period of development issues)
Question 1: (2.5 points)"
Dropped files:
%Temp%\Adobe.pdf
Deleted files:
%Temp%\Winword.exe (same MD5 as messanger.exe)
* C:\WINDOWS\system32\messanger (key log; text example)
* File: messanger.exe
Size: 8192
MD5: FE20E5BB2CF5108C19209B03FB08F259
Path: C:\WINDOWS\system32\messanger.exe
http://www.virustotal.com/file-scan/report.html?id=f30562afb6f887111f5546d754443c512ca9c9b7ef8ae8b3b2b8d672e730d578-1310656719
messanger.exe
Submission date: 2011-07-14 15:18:39 (UTC)
Result: 23/42 (54.8%)
AhnLab-V3 2011.07.14.06 2011.07.14 Backdoor/Win32.Hupigon
AntiVir 7.11.11.133 2011.07.14 SPR/RAdmin.Poison.B
Avast 4.8.1351.0 2011.07.14 Win32:Malware-gen
Avast5 5.0.677.0 2011.07.14 Win32:Malware-gen
AVG 10.0.0.1190 2011.07.14 BackDoor.Generic14.IFK
BitDefender 7.2 2011.07.14 Gen:Win32.ExplorerHijack.aiW@aq6YC6
CAT-QuickHeal 11.00 2011.07.13 Backdoor.Poison.a
ClamAV 0.97.0.0 2011.07.14 Trojan.PoisonIvy-1
Comodo 9379 2011.07.14 ApplicUnsaf.Win32.RemoteAdmin.Poisonivy.ui01
DrWeb 5.0.2.03300 2011.07.14 Trojan.DownLoader.10622
Emsisoft 5.1.0.8 2011.07.14 Backdoor.Win32.Poison!IK
F-Secure 9.0.16440.0 2011.07.14 Gen:Win32.ExplorerHijack.aiW@aq6YC6
GData 22 2011.07.14 Gen:Win32.ExplorerHijack.aiW@aq6YC6
Ikarus T3.1.1.104.0 2011.07.14 Backdoor.Win32.Poison
Jiangmin 13.0.900 2011.07.14 Backdoor/Hupigon.xjq
Kaspersky 9.0.0.837 2011.07.14 HEUR:Trojan.Win32.Invader
McAfee-GW-Edition 2010.1D 2011.07.14 Heuristic.LooksLike.Win32.Poison.I
Microsoft 1.7000 2011.07.14 Backdoor:Win32/Poison.gen!A
NOD32 6293 2011.07.14 a variant of Win32/Poison.NEL
Rising 23.66.03.03 2011.07.14 Backdoor.Poison.ixq
VIPRE 9855 2011.07.14 BehavesLike.Win32.Malware.bsm (vs)
MD5 : fe20e5bb2cf5108c19209b03fb08f259
SHA1 : 5ebd867d339dccf68b564013d0cddcf602259e72
Some strings from messanger.exe:
5\4@
h_"@
=\4@
messanger.exe
synnia
{019DF9EB-D773-AD5D-0603-080608050105}
www.adv138mail.com
ws2_32
rdgSxQc12
nZi1cM,Aw
stubPath
SOFTWARE\Classes\http\shell\open\command
SoftwARe\Microsoft\Active Setup\Installed ComPonents\
Progman
ntdll
advpaCK
advapi32
user32
ExitProcess
kernel32.dll
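The strings stubPath, SOFTWARE\Microsoft\Active Setup\Installed Components\ and the GUID-shaped name above are Poison Ivy's persistence: a StubPath under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{GUID} is run for each user at logon. The hunt below is an added example, not code from the original post. It parses the text of a reg export of that key and reports every StubPath whose GUID is not in a baseline allowlist; the .reg text and the allowlist are constructed for the example (the allowlist is a placeholder to be rebuilt from a clean machine of the same Windows build), while the flagged GUID and path are the ones listed on this page.

```python
"""Hunt for Active Setup StubPath persistence in a Windows .reg export.

Added example for this write-up (not code from the original post).  The sample
export text and allowlist below are constructed; a real baseline should come
from `reg export "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components"`
on a known-clean host (reg.exe writes UTF-16, so decode the file before parsing).
"""
ACTIVE_SETUP = r"\Microsoft\Active Setup\Installed Components"


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} from reg.exe export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            # String data is quoted and backslash-escaped in .reg files.
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys


def command_executable(cmd: str) -> str:
    """Executable path from a command line: a quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def suspicious_stubpaths(reg_text: str, allowed_guids: set) -> list:
    """(GUID, executable) for each Active Setup StubPath outside the allowlist."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if ACTIVE_SETUP.lower() not in key.lower():
            continue
        guid = key.rsplit("\\", 1)[-1].upper()
        # Value names are case-insensitive in the registry; the implant writes "stubPath".
        stub = next((v for n, v in values.items() if n.lower() == "stubpath"), None)
        if stub and guid not in allowed_guids:
            hits.append((guid, command_executable(stub)))
    return hits


# Constructed sample export: one baseline-looking entry plus the PI entry from this post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="C:\\WINDOWS\\system32\\regsvr32.exe /s /n /i:U shell32.dll"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{019DF9EB-D773-AD5D-0603-080608050105}]
"stubPath"="C:\\WINDOWS\\system32\\messanger.exe"
'''

# Placeholder allowlist (upper-case GUIDs): build it from a clean baseline, not from memory.
BASELINE_GUIDS = {"{89820200-ECBD-11CF-8B85-00AA005B4340}"}

if __name__ == "__main__":
    for guid, exe in suspicious_stubpaths(SAMPLE_REG, BASELINE_GUIDS):
        print(guid, "->", exe)
```

Run it against exports from a fleet and diff against the baseline rather than eyeballing: a GUID that looks like a CLSID but is unknown to the baseline, pointing at an executable in system32 with a misspelled system-like name, is exactly the pattern recorded for messanger.exe here.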
Traffic
Domain Name.......... adv138mail.com
Registrar............ BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN
Creation Date........ 2008-07-18 18:30:41
Registration Date.... 2008-07-18 18:30:41
Expiry Date.......... 2011-07-18 18:30:41
Organisation Name.... nihao
Organisation Address. paris
Organisation Address.
Organisation Address. Foreignness
Organisation Address. 450123
Organisation Address. WG
Organisation Address. US
Admin Name........... Hai he
Admin Address........ paris
Admin Address........
Admin Address........ Foreignness
Admin Address........ 450123
Admin Address........ WG
Admin Address........ US
Admin Email.......... mrskaren49@yahoo.com
Admin Phone.......... +0.00-000
Admin Fax............ +0.00
------------------------------------------
Domain ID:D144764639-LROR
Domain Name:FLOWER-SHOW.ORG (see Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org)
Created On:28-Apr-2007 09:14:34 UTC
Last Updated On:26-Apr-2011 01:04:30 UTC
Expiration Date:28-Apr-2012 09:14:34 UTC
Sponsoring Registrar:BEIJING INNOVATIVE LINKAGE TECHNOLOGY LTD. DBA DNS.COM.CN (R1292-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:CTXLM4DV2WNJ8J0
Registrant Name:lin li
Registrant Organization:linli
Registrant Street1:Hongkongroad
Registrant Street2:
Registrant Street3:
Registrant City:Hongkong
Registrant State/Province:HK
Registrant Postal Code:632563
Registrant Country:CN
Registrant Phone:+852.53569636
Registrant Phone Ext.:2563
Registrant FAX:+852.56326324
Registrant FAX Ext.:
Registrant Email:edcf15@yahoo.com.tw
Admin ID:CT3RDQQIWR0RK51
Admin Name:lin li
Admin Organization:linli
Admin Street1:Hongkongroad
Admin Street2:
Admin Street3:
Admin City:Hongkong
Admin State/Province:HK
Admin Postal Code:632563
Admin Country:CN
Admin Phone:+852.53569636
Admin Phone Ext.:2563
Admin FAX:+852.56326324
Admin FAX Ext.:
Admin Email:@yahoo.com.tw
-------------------------------------------------------------------------
Domain: www.adv138mail.com
CnC: 112.121.171.94 - same as in Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from 112.121.171.94 | pu.flower-show.org
Host reachable, 558 ms average
112.121.160.0 - 112.121.191.255
Simcentric Solutions, Internet Service Provider
Hong Kong
Simcentric Solutions IP Administrator
15th Floor, CRE Building, Wan Chai
phone: +852 29976646
ipadmin@simcentric.com