Thursday, July 14, 2011

Jul 5 CVE-2010-2883 PDF invitation.pdf with Poison Ivy from

Update Jul 13: Since this PDF has very low detection, I decided to post some of the target domains here in case it helps those organizations prevent or identify infections.
The non-gmail domains included:,,,,
If you work at one of those places and must know the actual recipient, you can contact me. ~ Mila

The message, targeting experts on Japan, China and Taiwan / USA relations, was sent on July 5. The attached PDF exploits CVE-2010-2883 (2/43 on VirusTotal; the PDF is encrypted) and carries a Poison Ivy (keylogging) payload, connecting to This domain has been a Poison Ivy CnC for a while; see these posts:
Contagio | More flowers with some poison ivy - Feb. 10, 2010
F-Secure | Watch Out for - Feb. 10, 2010
ISC | Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324 - Jan 4, 2010

Other PI domains noted are: - 2011 - 2010 - 2009

File Information

File name: invtation.pdf
File size: 190514 bytes
MD5: 7c0eaf8906d631c77066e3ce17a82b73
SHA1: 94b3114dcc8a6dae15db0bef71f5e81d494171d9
Distribution: email attachment

Common Vulnerabilities and Exposures (CVE) number: CVE-2010-2883

Stack-based buffer overflow in CoolType.dll in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a PDF document with a long field in a Smart INdependent Glyphlets (SING) table in a TTF font, as exploited in the wild in September 2010. NOTE: some of these details are obtained from third party information.

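To turn the CVE description above into a concrete check, here is an added Python example (not code from the original post, from Adobe, or from any AV vendor) that pulls Flate-encoded streams out of a PDF, looks for an embedded TrueType font with a SING table, and flags a uniqueName field that has no NUL terminator inside its 28 bytes, which is the condition CoolType's strcat() copy mishandled. The sfnt/SING layout and the offsets are the documented ones; the fixture builders and the sample fonts are constructed for the test only.

```python
import re
import struct
import zlib

SING_NAME_OFF, SING_NAME_LEN = 16, 28   # uniqueName field inside the SING table
def sing_table(font: bytes):
    """Return the raw SING table from an sfnt (TrueType) blob, or None."""
    if len(font) < 12 or font[:4] not in (b"\x00\x01\x00\x00", b"true"):
        return None
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            break
        tag, _checksum, off, length = struct.unpack(">4sIII", rec)
        if tag == b"SING":
            return font[off: off + length]
    return None
def sing_is_suspicious(font: bytes) -> bool:
    """True when uniqueName has no NUL inside its 28-byte field: CoolType copied
    the field with strcat(), so an unterminated name overruns the stack buffer."""
    table = sing_table(font)
    if table is None:
        return False
    name = table[SING_NAME_OFF: SING_NAME_OFF + SING_NAME_LEN]
    return len(name) == SING_NAME_LEN and b"\x00" not in name
def scan_pdf(pdf: bytes) -> int:
    """Count PDF streams that decode to a font with a suspicious SING table."""
    hits = 0
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", pdf, re.S):
        data = m.group(1)
        try:   # decompressobj tolerates the newline left before 'endstream'
            data = zlib.decompressobj().decompress(data)
        except zlib.error:
            pass   # not Flate-encoded: test the raw bytes instead
        if sing_is_suspicious(data):
            hits += 1
    return hits
def build_font(unique_name: bytes) -> bytes:
    """Constructed minimal sfnt holding a single SING table (test fixture only)."""
    head = struct.pack(">HHHHHHhh", 1, 0, 0, 0, 0, 1000, 0, 0)  # 16-byte SING header
    table = head + unique_name.ljust(SING_NAME_LEN, b"\x00")
    offset_table = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"SING", 0, 28, len(table))
    return offset_table + record + table
def build_pdf(font: bytes) -> bytes:
    """Constructed PDF fragment with the font as a Flate-encoded FontFile2 stream."""
    return b"<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(font) + b"\nendstream\n"
```

Because the sample in this post is an encrypted PDF, its streams must be decrypted first (for example with a PDF parser that handles the standard security handler) before this check can see the font.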
Download the pdf and the dropped files + pcap as a password protected archive (email me if you need the password)

Automated scans

VirusTotal scan 2011-07-08 05:11:25 (UTC): 2/43 (4.7%)
ClamAV     2011.07.08     PUA.Script.PDF.EmbeddedJavaScript
Commtouch     2011.07.08     PDF/Obfusc.J!Camelot
MD5   : 7c0eaf8906d631c77066e3ce17a82b73

Original message

From: Muhamad Fakhruddin bin Fauzi []
Sent: Tuesday, July 05, 2011 3:16 AM
Subject: Invitation Letter

Dear Sir/Madam,
I'm greatly honored to invite you to the seminar about technology, which will be held on 28th, July. We would appreciate it if you would take your spare time to share the occasion with us. The detail information is in the attachment. Please confirm your participation at your earliest convenience. Looking forward to your reply. Thanks very much.

Best Regards,

Message headers

Received: (qmail 28436 invoked from network); 5 Jul 2011 07:16:31 -0000
Received: from (HELO (
  by xxxxxxxxxxxxxxx
Received: from [] by with NNFMP; 05 Jul 2011 07:16:30 -0000
Received: from [] by with NNFMP; 05 Jul 2011 07:16:30 -0000
Received: from [] by with NNFMP; 05 Jul 2011 07:16:30 -0000
X-Yahoo-Newman-Property: ymail-3
Received: (qmail 22207 invoked by uid 60001); 5 Jul 2011 07:16:29 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s1024; t=1309850189; bh=qpkMppxIcWPis1zYmHKjLK3vzcRE0UFTnnasOFfbkoY=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Subject:To:MIME-Version:Content-Type; b=fEUZOMnSPlt6w7mAzcRadAZn9133FwvOQa1TQVnaiRmRK9mWScOpG8P3T26P4FkFRwyahRAylVuBKj2T7gyv/i8EKKKRQEYSBztYMBu0dGgXNAoVyjEd3+8gXUFca4v4Qu6Cpy6qGKjdh/xzVqcM1dBBBVf1lm6BEi2APHDJ/9k=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
X-YMail-OSG: cWRGZYUVM1kGJ_efqS03n0uZHWDeW7F3ssL8PI8l6Dvqjd5
Received: from [] by via HTTP; Tue, 05 Jul 2011 00:16:29 PDT
X-Mailer: YahooMailClassic/14.0.3 YahooMailWebService/
Message-ID: <>
Date: Tue, 5 Jul 2011 00:16:29 -0700
From: Muhamad Fakhruddin bin Fauzi
Subject: Invitation Letter
To: xxxxxxxxxxxxxxxx
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1586270552-1309850189=:20843"
Host reachable, 558 ms. average -
Simcentric Solutions, Internet Service Provider
Hong Kong
Simcentric Solutions IP Administrator
15th Floor, CRE Building, Wan Chai
phone: +852 29976646



The malicious binary is injected into EXPLORER.EXE.

Dropped files:

    * %Temp%\Adobe.pdf - clean decoy PDF (a W-4 form)
    * %Temp%\Winword.exe (same MD5 as messanger.exe)
    * C:\WINDOWS\system32\messanger - keylog text
    * C:\WINDOWS\system32\messanger.exe
File: messanger.exe
Size: 8192 bytes
MD5: F0EE1F777D1C6A009C37CBCBF81F3A5A
Submission date:
23/43 (53.5%)
AhnLab-V3     2011.07.13.00     2011.07.12     Backdoor/Win32.Hupigon
AntiVir     2011.07.12     SPR/RAdmin.Poison.B
Avast     4.8.1351.0     2011.07.12     Win32:Malware-gen
Avast5     5.0.677.0     2011.07.12     Win32:Malware-gen
BitDefender     7.2     2011.07.13     Gen:Win32.ExplorerHijack.aiW@aq6YC6
CAT-QuickHeal     11.00     2011.07.11     Backdoor.Poison.a
ClamAV     2011.07.13     Trojan.PoisonIvy-1
Comodo     9364     2011.07.13     ApplicUnsaf.Win32.RemoteAdmin.Poisonivy.ui01
DrWeb     2011.07.13     Trojan.DownLoader.10622
Emsisoft     2011.07.13     Backdoor.Win32.Poison!IK
F-Secure     9.0.16440.0     2011.07.13     Gen:Win32.ExplorerHijack.aiW@aq6YC6
GData     22     2011.07.13     Gen:Win32.ExplorerHijack.aiW@aq6YC6
Ikarus     T3.     2011.07.13     Backdoor.Win32.Poison
Jiangmin     13.0.900     2011.07.12     Backdoor/Hupigon.xjq
Kaspersky     2011.07.13     HEUR:Trojan.Win32.Invader
McAfee-GW-Edition     2010.1D     2011.07.12     Heuristic.LooksLike.Win32.Poison.I
Microsoft     1.7000     2011.07.12     Backdoor:Win32/Poison.gen!A
NOD32     6289     2011.07.13     a variant of Win32/Poison.NEL
Norman     6.07.10     2011.07.12     W32/PoisonIvy.gen1
nProtect     2011-07-12.03     2011.07.12     Backdoor/W32.Hupigon.8192.I
Rising     2011.07.11     Backdoor.Poison.ixq

Some strings from messanger.exe (note the Active Setup\Installed Components registry path, a common persistence location):

SoftwARe\Microsoft\Active Setup\Installed ComPonents\


Download pcap file here

The CnC IP is the same as the sender IP (whois details above).
