Tuesday, June 22, 2010

Jun 21 CVE-2010-1297 PDF Adobe 0-Day About the recent US-Japan Economic Relations - with Poison Ivy

Adobe will fix this vulnerability on June 29

Download e3f5ef4fa17b4e08388ae4b0e2373728 100621.pdf as a password protected archive (contact me if you need the password)



-----Original Message-----
From: 大川 正人 [mailto:maseto.okawa@cas.go.jp]
Sent: Monday, June 21, 2010 12:29 AM
To: xxxxxxx
Subject: About the recent US-Japan Economic Relations
Importance: High
......
(Main line) 03-5453-2111 (ext.) 82657
(Direct line) 03-3581-4445
(FAX) 03-3581-5601
masato.okawa@cas.go.jp
=====================================
----- Original Message -----
From: Ookawa Masato [mailto: maseto.okawa @ cas.go.jp]
Sent: Monday, June 21, 2010 12:29 AM
To: xxxxxxx
Subject: About the recent US-Japan Economic Relations
Importance: High


 Headers
Received: from unknown (HELO cas.go.jp) (60.26.142.253)
Received: from SSSSSS-2F0F04F3[192.168.1.211] by cas.go.jp
  with SMTP id 4C7BCC96; Mon, 21 Jun 2010 12:28:56 +0800
From: =?ISO-2022-JP?B?GyRCQmdAbiEhQDU/TRsoQg==?=
Subject: =?ISO-2022-JP?B?GyRCOkc2YSRORnxKRjdQOlE0WDc4JEskRCQkJEYbKEI=?=
To: xxxxxxxxxxxxxxxxx
Content-Type: multipart/mixed;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="iso-2022-jp"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Reply-To: maseto.okawa@cas.go.jp
Date: Mon, 21 Jun 2010 12:29:29 +0800
X-Priority: 2
X-Mailer: Foxmail 4.1 [cn]

 60.26.142.253
ISP:    China Unicom Tianjin province network
Organization:    China Unicom Tianjin province network
Type:    Broadband
Assignment:    Static IP
Country:    China
State/Region:    Tianjin
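To check what the encoded From and Subject headers above actually say, and which host handed the mail over, here is an added Python helper (not part of the original post). It parses the header block quoted above, decodes the RFC 2047 encoded-words, and extracts the HELO name and connecting IP from the outermost Received line; function and variable names are my own.

```python
import email
import re
from email.header import decode_header, make_header

# Headers of the "About the recent US-Japan Economic Relations" lure, copied
# from the post above (the recipient was redacted there, so it stays xxxxxxx).
RAW_HEADERS = """\
Received: from unknown (HELO cas.go.jp) (60.26.142.253)
Received: from SSSSSS-2F0F04F3[192.168.1.211] by cas.go.jp
  with SMTP id 4C7BCC96; Mon, 21 Jun 2010 12:28:56 +0800
From: =?ISO-2022-JP?B?GyRCQmdAbiEhQDU/TRsoQg==?=
Subject: =?ISO-2022-JP?B?GyRCOkc2YSRORnxKRjdQOlE0WDc4JEskRCQkJEYbKEI=?=
To: xxxxxxxxxxxxxxxxx
Content-Type: multipart/mixed;
    boundary="=_NextPart_2rfkindysadvnqw3nerasdf"; charset="iso-2022-jp"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Reply-To: maseto.okawa@cas.go.jp
Date: Mon, 21 Jun 2010 12:29:29 +0800
X-Priority: 2
X-Mailer: Foxmail 4.1 [cn]

"""

# "(HELO <name>) (<ip>)" as written by the receiving MTA in the Received line.
HELO_RE = re.compile(r"\(HELO\s+([^\s)]+)\)\s*\((\d{1,3}(?:\.\d{1,3}){3})\)")


def decode_rfc2047(value):
    """Turn an RFC 2047 encoded-word header (=?charset?B?...?=) into text."""
    if value is None:
        return ""
    return str(make_header(decode_header(value)))


def summarize_headers(raw):
    """Pull out what an analyst checks first: who the mail claims to be from,
    which host really delivered it, and the mail client that produced it."""
    msg = email.message_from_string(raw)
    # Received lines are listed newest first, so the first one is the hop
    # recorded by the recipient's own server: its IP is the actual sender.
    helo, ip = "", ""
    for line in msg.get_all("Received") or []:
        m = HELO_RE.search(line)
        if m:
            helo, ip = m.group(1), m.group(2)
            break
    reply_to = msg.get("Reply-To", "")
    reply_domain = reply_to.rpartition("@")[2]
    return {
        "from": decode_rfc2047(msg.get("From")),
        "subject": decode_rfc2047(msg.get("Subject")),
        "reply_to": reply_to,
        "helo": helo,
        "source_ip": ip,
        "x_mailer": msg.get("X-Mailer", ""),
        # The HELO name repeats the claimed sender domain, but "from unknown"
        # means it did not reverse-resolve; the IP must be checked separately
        # (the post above resolves it to China Unicom, Tianjin).
        "helo_matches_reply_domain": bool(reply_domain) and helo.endswith(reply_domain),
    }


if __name__ == "__main__":
    for key, value in summarize_headers(RAW_HEADERS).items():
        print(f"{key:>26}: {value}")
```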


     File 100621.pdf received on 2010.06.22 00:33:39 (UTC)
http://www.virustotal.com/analisis/5e77d181d45156a17423a7a9d8be59635c3425003a35957f3ccf973bf4a1240b-1277166819
Result: 9/41 (21.95%)
a-squared     5.0.0.30     2010.06.21     Exploit.JS.Pdfka!IK
AntiVir     8.2.2.6     2010.06.21     HTML/Malicious.PDF.Gen
BitDefender     7.2     2010.06.22     Exploit.PDF-JS.Gen
GData     21     2010.06.22     Exploit.PDF-JS.Gen
Ikarus     T3.1.1.84.0     2010.06.21     Exploit.JS.Pdfka
Kaspersky     7.0.0.125     2010.06.21     Exploit.JS.Pdfka.clv
McAfee-GW-Edition     2010.1     2010.06.21     Heuristic.BehavesLike.PDF.Suspicious.O
Sophos     4.54.0     2010.06.21     Troj/PDFJs-KY
VirusBuster     5.0.27.0     2010.06.21     JS.Pdfka.Gen.11
Additional information
File size: 969411 bytes
MD5   : e3f5ef4fa17b4e08388ae4b0e2373728      


Many thanks to JM for sharing the following information
Dropped files
100621.PDF (95210e66bc040ee0f6b5601390658007 - benign decoy; notice the size difference, 105 kb)
SUCHOST.EXE (abf8e40d7c99e9b3f515ec0872fe099e - 45k) - appears to be Poison Ivy RAT

VT Result: 19/41 (46.34%)

SUCHOST.EXE
http://www.virustotal.com/analisis/8264a96a954c9a3f661bd21b9493377a710aaac1e96fe276d8d9095ea286c84a-1277147963
AhnLab-V3   2010.06.21.02     2010.06.21  Win-Trojan/Agent.45056.AMQ
Antiy-AVL   2.0.3.7     2010.06.18  Trojan/Win32.Agent.gen
Authentium  5.2.0.5     2010.06.21  W32/Trojan2.MIBZ
Avast 4.8.1351.0  2010.06.21  Win32:Malware-gen
Avast5      5.0.332.0   2010.06.21  Win32:Malware-gen
AVG   9.0.0.787   2010.06.21  Agent2.ALLE
BitDefender 7.2   2010.06.21  Trojan.Inject.XI
CAT-QuickHeal     10.00 2010.06.18  Trojan.Agent.dgqy
DrWeb 5.0.2.03300 2010.06.21  Trojan.Siggen1.43943
F-Prot      4.6.1.107   2010.06.20  W32/Trojan2.MIBZ
F-Secure    9.0.15370.0 2010.06.21  Trojan.Inject.XI
GData 21    2010.06.21  Trojan.Inject.XI
Jiangmin    13.0.900    2010.06.15  Trojan/Agent.cule
McAfee-GW-Edition 2010.1      2010.06.21  Heuristic.LooksLike.Trojan.Backdoor.Poison.I
Microsoft   1.5902      2010.06.21  Backdoor:Win32/Poison.AP
NOD32 5216  2010.06.21  a variant of Win32/Poison.NDQ
nProtect    2010-06-21.01     2010.06.21  Trojan/W32.Agent.45056.TM
Panda 10.0.2.7    2010.06.21  Suspicious file
ViRobot     2010.6.21.3896    2010.06.21  Trojan.Win32.Agent.45056.HO



Jun 20 CVE-2010-1297 PDF Adobe 0-Day Meeting agenda from alexis.mo88@gmail.com

Adobe will fix this vulnerability on June 29
 
 From: Alexis Moore [mailto:alexis.mo88@gmail.com]
Sent: Sunday, June 20, 2010 9:21 AM
To: xxxxxx
Subject: Meeting agenda

Hi everyone!
I hope everyone has been as busy as I have reviewing our set of reference documents!  With the meeting quickly approaching, we can maximize our productivity with everyone familiar with the various projects & activities related to our work effort.
Here is an agenda outline for the upcoming meeting. I look forward to seeing everyone there, and hope your travel is uneventful.
-Alexis


The PDF file is very similar to the one described in this Symantec blog post


VT
 File Agenda.PDF received on 2010.06.21 05:05:57 (UTC)
Result: 5/41 (12.20%)
AntiVir     8.2.2.6     2010.06.20     HTML/Malicious.PDF.Gen
Kaspersky     7.0.0.125     2010.06.21     Exploit.JS.Pdfka.clv
McAfee-GW-Edition     2010.1     2010.06.20     Heuristic.BehavesLike.PDF.Suspicious.O
Sophos     4.54.0     2010.06.21     Troj/PDFJs-KY
VirusBuster     5.0.27.0     2010.06.20     JS.Pdfka.Gen.11
Additional information
File size: 969401 bytes
MD5   : fb2523d17b3fa3b19a914bf23a61827c

Monday, June 21, 2010

Jun 21 CVE-2010-1297 PDF About the recent US-Japan Economic Relations


Download e3f5ef4fa17b4e08388ae4b0e2373728 100621.pdf as a password protected archive (contact me if you need the password)
 


 File 100621.pdf received on 2010.07.04 06:06:32 (UTC)
http://www.virustotal.com/analisis/5e77d181d45156a17423a7a9d8be59635c3425003a35957f3ccf973bf4a1240b-1278223592
Result: 18/41 (43.91%)
a-squared    5.0.0.31    2010.07.04    Exploit.JS.Pdfka!IK
AntiVir    8.2.4.2    2010.07.02    HTML/Malicious.PDF.Gen
Comodo    5309    2010.07.04    UnclassifiedMalware
eSafe    7.0.17.0    2010.06.30    Win32.Pidief.J
eTrust-Vet    36.1.7684    2010.07.03    PDF/Pidief.RU
Ikarus    T3.1.1.84.0    2010.07.04    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.07.04    Exploit.JS.Pdfka.clv
McAfee    5.400.0.1158    2010.07.04    Exploit-PDF.ca
McAfee-GW-Edition    2010.1    2010.07.02    Exploit-PDF.ca
Microsoft    1.5902    2010.07.03    Exploit:SWF/CVE-2010-1297.E
NOD32    5249    2010.07.04    JS/Exploit.Pdfka.CLV
Norman    6.05.10    2010.07.03    JS/Shellcode.IT
PCTools    7.0.3.5    2010.07.02    Trojan.Pidief
Sophos    4.54.0    2010.07.04    Troj/PDFJs-KY
Symantec    20101.1.0.89    2010.07.04    Trojan.Pidief.J
TrendMicro    9.120.0.1004    2010.07.04    TROJ_PIDIEF.WL
TrendMicro-HouseCall    9.120.0.1004    2010.07.04    TROJ_PIDIEF.WL
VirusBuster    5.0.27.0    2010.07.03    JS.Pdfka.Gen.11
File size: 969411 bytes
MD5...: e3f5ef4fa17b4e08388ae4b0e2373728


Sunday, June 20, 2010

Jun 20 CVE-2010-1297 PDF Meeting agenda from alexis.mo88@gmail.com


Download fb2523d17b3fa3b19a914bf23a61827c Agenda.PDF as a password protected archive (contact me if you need the password)


From: Alexis Moore [mailto:alexis.mo88@gmail.com]
Sent: Sunday, June 20, 2010 9:21 AM
To: XXXXXXXXXXXXXX
Subject: Meeting agenda

Hi everyone!
I hope everyone has been as busy as I have reviewing our set of reference documents!  With the meeting quickly approaching, we can maximize our productivity with everyone familiar with the various projects & activities related to our work effort.
Here is an agenda outline for the upcoming meeting. I look forward to seeing everyone there, and hope your travel is uneventful.
-Alexis

 File Agenda.PDF received on 2010.07.04 16:55:23 (UTC)
http://www.virustotal.com/analisis/5d312ec870b42302798324e88e49ff82ab607ca93bbf1300335d03c6bd71c7b3-1278262523
Result: 18/41 (43.91%)
a-squared    5.0.0.31    2010.07.04    Exploit.JS.Pdfka!IK
AhnLab-V3    2010.07.03.00    2010.07.03    PDF/Exploit
AntiVir    8.2.4.2    2010.07.02    HTML/Malicious.PDF.Gen
Authentium    5.2.0.5    2010.07.04    PDF/Pidief.BY
eSafe    7.0.17.0    2010.07.04    Win32.Pidief.J
Ikarus    T3.1.1.84.0    2010.07.04    Exploit.JS.Pdfka
Kaspersky    7.0.0.125    2010.07.04    Exploit.JS.Pdfka.clv
McAfee    5.400.0.1158    2010.07.04    Exploit-PDF.q.gen!stream
McAfee-GW-Edition    2010.1    2010.07.02    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.07.03    Exploit:SWF/CVE-2010-1297.E
NOD32    5250    2010.07.04    JS/Exploit.Pdfka.CLV
Norman    6.05.10    2010.07.04    JS/Shellcode.IT
PCTools    7.0.3.5    2010.07.02    Trojan.Pidief
Sophos    4.54.0    2010.07.04    Troj/PDFJs-KY
Symantec    20101.1.0.89    2010.07.04    Trojan.Pidief.J
TrendMicro    9.120.0.1004    2010.07.04    TROJ_PIDIEF.VX
TrendMicro-HouseCall    9.120.0.1004    2010.07.04    TROJ_PIDIEF.VX
VirusBuster    5.0.27.0    2010.07.04    JS.Pdfka.Gen.11
Additional information
File size: 969401 bytes
MD5...: fb2523d17b3fa3b19a914bf23a61827c

Monday, June 14, 2010

Jun 14 CVE-2010-1297 PDF Adobe 0-Day WEO from sacchetti.dana@gmail.com



Adobe will fix this vulnerability on June 29


Many thanks To Scott D, JM, AK1010, Villy  for their information, relevant discussions and ideas and Binjo for his shellcode analysis


Download 81f31e17d97342c8f3700fdd56019972 WEO.pdf + dropped files + shellcode (by Binjo)





Tested on Flash 10.1, Acrobat Reader 9.3.2, Windows XP SP3. It does not work on XP SP2, Vista or Windows 7.


Message:







 VT SCAN JUNE 21
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1277107857

  File WEO.pdf received on 2010.06.22 04:18:27 (UTC)
Result:13/41 (31.71%)
a-squared    5.0.0.30    2010.06.22    Exploit.SWF.Agent!IK
AntiVir    8.2.2.6    2010.06.21    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.06.18    Exploit/SWF.Agent
BitDefender    7.2    2010.06.22    Exploit.SWF.J
Comodo    5178    2010.06.22    UnclassifiedMalware
F-Prot    4.6.1.107    2010.06.21    JS/Pdfka.V
F-Secure    9.0.15370.0    2010.06.22    Exploit.SWF.J
GData    21    2010.06.22    Exploit.SWF.J
Ikarus    T3.1.1.84.0    2010.06.22    Exploit.SWF.Agent
Kaspersky    7.0.0.125    2010.06.22    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.22    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.22    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972


Javascript code snapshot


On Windows XP SP3 there is a slight delay/flicker before the PDF opens the clean decoy file shown below.

The dropped files are the following:
  • 9ED35F49FA4DAF6CAC55E09719C58823 a.pdf - clean decoy file (the one you see on the left)
  • D87246D9E33C121C7F2615AE9B64FC9C ProdMgr.exe
  • TEMXX.tmp (where XX is a random number), 380 kb, which is cmd.exe








  File naProdMgr.exe received on 2010.06.22 05:01:15 (UTC)
http://www.virustotal.com/analisis/e2252eda0fdee991ecf2448d35ef33555de06f25c48827beb46bbebc2bf96bb6-1277182875
Result: 19/41 (46.35%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.30    2010.06.22    Backdoor.Win32.Ixeshe!IK
AhnLab-V3    2010.06.22.00    2010.06.22    Backdoor/Win32.Small
AntiVir    8.2.2.6    2010.06.21    BDS/Small.jjf
Avast    4.8.1351.0    2010.06.21    Win32:Malware-gen
Avast5    5.0.332.0    2010.06.21    Win32:Malware-gen
AVG    9.0.0.787    2010.06.21    Small.CCX
BitDefender    7.2    2010.06.22    Trojan.Generic.4211739
Comodo    5178    2010.06.22    Backdoor.Win32.Small.jjf
eSafe    7.0.17.0    2010.06.20    Win32.Small.Nem
F-Secure    9.0.15370.0    2010.06.22    Trojan.Generic.4211739
GData    21    2010.06.22    Trojan.Generic.4211739
Ikarus    T3.1.1.84.0    2010.06.22    Backdoor.Win32.Ixeshe
Kaspersky    7.0.0.125    2010.06.22    Backdoor.Win32.Small.jjf
McAfee-GW-Edition    2010.1    2010.06.21    Heuristic.BehavesLike.Win32.PasswordStealer.H
NOD32    5216    2010.06.21    probably a variant of Win32/Small.NEM
nProtect    2010-06-21.01    2010.06.21    Trojan.Generic.4211739
Panda    10.0.2.7    2010.06.21    Suspicious file
Sunbelt    6483    2010.06.21    Trojan.Win32.Generic!BT
ViRobot    2010.6.21.3896    2010.06.22    Backdoor.Win32.S.Small.30720.E
VirusBuster    5.0.27.0    2010.06.21    -
Additional information
File size: 30720 bytes
MD5...: d87246d9e33c121c7f2615ae9b64fc9c

older scan


http://anubis.iseclab.org/?action=result&task_id=103e66936121161044dbaae530a892283&format=html

=============================================
Traffic information
DNS Queries
ftp.jlesher.xxuz.com       DNS_TYPE_A       21.216.185.67       YES       udp
www.jlesher.xxuz.com      DNS_TYPE_A      110.4.3.2      YES      udp
TCP Connections
216.185.67.21:443

Interesting traffic, really. Looks like they configured their Changeip.com domain name ftp.jlesher.xxuz.com to point to 21.216.185.67.
216.185.67.21, which you can see also being used by this malware, is very similar.
I think they just made a typo and directed it to DoD instead of their machine.
Or they temporarily set that domain to 21.216.185.67 (DoD traffic is not suspicious) and will turn it back to the real address when the time is right.

Unconfirmed theory here is that the malware receives the DNS replies 21.216.185.67 and 110.4.3.2 and transforms them into 216.185.67.21:443: the IP address is obtained by moving the leading 21 to the end, and the port by applying the following formula to 110.4.3.2: for a.b.c.d = 110.4.3.2, (a*b)+c = 443.
(Many thanks to Scott D. for clueing me in about such a possibility and Jack M for the relevant discussions and ideas).
I think the benefits of such an arrangement would be diversion for the admins (blocking 110.4.3.2 and 21.216.185.67 achieves nothing) and the ability to change the IP and port by just changing the IP address of their domain in Changeip.com.

Your thoughts or other theories are welcome. If we confirm anything, we will post the code or additional info.


 Traffic. Malware IPs are marked - see picture below

DNS query for ftp.jlesher.xxuz.com returns 21.216.185.67
 21.216.185.67 is http://www.dnsstuff.com/tools/whois/?tool_id=66&token=&toolhandler_redirect=0&ip=21.216.185.67

DoD Network Information Center is Department of Defense http://www.nic.mil/
DoD Network Information Center Mission Statement:To provide information and services that are mission critical to the operation of the worldwide IP router Defense Information Systems Network (DISN) and other DoD sponsored networks.
OrgName: DoD Network Information Center 
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 21.0.0.0 - 21.255.255.255
CIDR: 21.0.0.0/8
NetName: DNIC-SNET-021
NetHandle: NET-21-0-0-0-1
**********@nic.mil
OrgTechHandle: REGIS10-ARIN
OrgTechName: Registration
OrgTechPhone: +1-800-365-3642
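To test the theory above against the sandbox output, here is an added Python script (not from the original post): it parses the quoted DNS answers and TCP connection, applies the octet rotation and the (a*b)+c port formula, and checks whether the predicted endpoint matches what was actually observed, so the same check can be run on other samples' traffic. The function names are my own; the 21.0.0.0/8 range comes from the whois block above.

```python
import ipaddress
import re

# Sandbox output quoted in the post above: the two DNS answers and the one
# TCP connection. The lines are copied from the page; the parser is added here.
ANUBIS_TRAFFIC = """\
DNS Queries
ftp.jlesher.xxuz.com       DNS_TYPE_A       21.216.185.67       YES       udp
www.jlesher.xxuz.com      DNS_TYPE_A      110.4.3.2      YES      udp
TCP Connections
216.185.67.21:443
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DNS_RE = re.compile(rf"^(\S+)\s+DNS_TYPE_A\s+({IPV4})\s+YES", re.M)
TCP_RE = re.compile(rf"^({IPV4}):(\d+)\s*$", re.M)

# DoD Network Information Center range from the ARIN whois quoted above.
DNIC_BLOCK = ipaddress.ip_network("21.0.0.0/8")


def parse_traffic(text):
    """Return ({query name: A record}, {(ip, port), ...}) from the report text."""
    answers = {name: ip for name, ip in DNS_RE.findall(text)}
    conns = {(ip, int(port)) for ip, port in TCP_RE.findall(text)}
    return answers, conns


def rotate_octets(ip, shift=1):
    """Move the first `shift` octets to the end: 21.216.185.67 -> 216.185.67.21."""
    octets = ip.split(".")
    return ".".join(octets[shift:] + octets[:shift])


def port_from_ip(ip):
    """The post's hypothesised port formula for a.b.c.d: (a*b)+c, so 110.4.3.2 -> 443."""
    a, b, c, _d = (int(x) for x in ip.split("."))
    return a * b + c


def candidate_endpoint(host_answer, port_answer):
    """Combine the two DNS answers into the endpoint the theory predicts."""
    return rotate_octets(host_answer), port_from_ip(port_answer)


def in_dnic_block(ip):
    """True if a DNS answer falls in the DoD 21.0.0.0/8 block, i.e. it is
    almost certainly a carrier value rather than a real destination."""
    return ipaddress.ip_address(ip) in DNIC_BLOCK


def check_theory(text, host_name="ftp.jlesher.xxuz.com", port_name="www.jlesher.xxuz.com"):
    """Predict the endpoint from the DNS answers and report whether the sandbox
    actually saw a TCP connection to it."""
    answers, conns = parse_traffic(text)
    predicted = candidate_endpoint(answers[host_name], answers[port_name])
    return predicted, predicted in conns


if __name__ == "__main__":
    answers, conns = parse_traffic(ANUBIS_TRAFFIC)
    for name, ip in answers.items():
        print(f"{name} -> {ip}  (DNIC block: {in_dnic_block(ip)})")
    (ip, port), confirmed = check_theory(ANUBIS_TRAFFIC)
    print(f"predicted {ip}:{port}, observed in TCP connections: {confirmed}")
```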





 General IP Information
Hostname: 61.177.42.5
ISP: Data Communication Division
Organization: CHINANET jiangsu province network
Proxy: None detected
Type: Broadband
Assignment: Dynamic IP
Country: China 
State/Region: Beijing






OLDER SCANS

VT SCAN JUNE 17 (with minor improvement)
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276774425
 File WEO.pdf received on 2010.06.17 11:33:45 (UTC)
Result: 9/41 (21.96%)
a-squared    5.0.0.26    2010.06.17    Exploit.SWF.Agent!IK
AntiVir    8.2.2.6    2010.06.17    EXP/CVE-2010-1297
Antiy-AVL    2.0.3.7    2010.06.17    Exploit/SWF.Agent
F-Prot    4.6.0.103    2010.06.16    JS/Pdfka.V
Ikarus    T3.1.1.84.0    2010.06.17    Exploit.SWF.Agent
Kaspersky    7.0.0.125    2010.06.17    Exploit.SWF.Agent.dp
McAfee-GW-Edition    2010.1    2010.06.16    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.17    Exploit:SWF/CVE-2010-1297.A
Sophos    4.54.0    2010.06.17    Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5...: 81f31e17d97342c8f3700fdd56019972

VT SCAN  JUNE 16
http://www.virustotal.com/analisis/380c784d6d561cac16942d6b9933d9f7277eae05cee16cc9e30fdc73915d8447-1276571931
BitDefender     7.2     2010.06.15     Exploit.SWF.J
F-Prot     4.6.0.103     2010.06.14     JS/Pdfka.V
F-Secure     9.0.15370.0     2010.06.15     Exploit.SWF.J
GData     21     2010.06.15     Exploit.SWF.J
Kaspersky     7.0.0.125     2010.06.15     Exploit.SWF.Agent.dp
Microsoft     1.5802     2010.06.14     Exploit:SWF/CVE-2010-1297.A
Sophos     4.54.0     2010.06.15     Troj/SWFDlr-S
Additional information
File size: 121898 bytes
MD5   : 81f31e17d97342c8f3700fdd56019972




Wednesday, June 9, 2010

A Collection of Web Backdoors & Shells – from DK (http://michaeldaw.org) and ARTeam (http://www.accessroot.com)

"I have collected some WEB backdoors in the past to exploit vulnerable file upload facilities
and others. I think a library like this may be useful in a variety of situations.
Understanding how these backdoors work can help security administrators
implement firewalling and security policies to mitigate obvious attacks."   - DK
cmd-asp-5.1.asp      8baa99666bf3734cbdfdd10088e0cd9f
cmdasp.asp             57b51418a799d2d016be546f399c2e9b
cmdasp.aspx           5e83b6ed422399de04408b80f3e5470e
cmdjsp.jsp               815611cc39f17f05a73444d699341d4
jsp-reverse.jsp         8b0e6779f25a17f0ffb3df14122ba594
php-backdoor.php z0mbie 2b5cb105c4ea9b5ebc64705b4bd86bf7
simple-backdoor.php f091d1b9274c881f8e41b2f96e6b9936
perlcmd.cgi              97ae7222d7f13e908c6d7f563cb1e72b
cfexec.cfm              bd04f47283c53ca0ce6436a79ccd600f

Original Post  http://michaeldaw.org/projects/web-backdoor-compilation

Index of /ARTeam/webshell



Download link 1 http://michaeldaw.org/projects/wbc-v1b.tar.gz
Download link 2 Webshells from ARTeam http://xchg.info/ARTeam/webshell/

Many thanks to Michael and Gunther for sharing.



Tuesday, June 8, 2010

Jun 8 CVE-2009-4324 Korean Peninsula Situation from iirj@nccu.edu.tw


Nothing new or exciting here except that they used  a computer located at the National Chengchi University (Taiwan) and that many AV still fail at the detection of this particular CVE.


 
Download ATT77316.pdf 100cf902ac31766f7d8a521eeb6f8d68 as a password protected archive (let me know if you need the password)



-----Original Message-----
From: iirj [mailto:iirj@nccu.edu.tw]
Sent: Tuesday, June 08, 2010 10:05 PM
To: XXXXX
Subject: The new situation on the Korean Peninsula after the Cheonan incident

Hello,
Attached is "The new situation on the Korean Peninsula after the Cheonan incident".

Please refer to the attachment.
Institute of International Relations, National Chengchi University
蔡增家

Machine translation
----- Original Message -----
From: iirj [mailto: iirj@nccu.edu.tw]
Sent: Tuesday, June 08, 2010 10:05 PM
To: XXXXX
Subject: Tian ship the new situation after the Korean Peninsula
Hello
An enclosed vessel days after the new situation on the Korean Peninsula
Please refer to Appendix
University of International Relations and Political
Zheng-Jia Tsai

 File ATT77316.pdf received on 2010.06.28 02:04:43 (UTC)
http://www.virustotal.com/analisis/6b182f64a8b04b3f0c287e29ccb8bacf66cc59b8be5756cf7fb968455fc78d6f-1277690683
Result: 12/40 (30%)
Antivirus     Version     Last Update     Result
a-squared    5.0.0.30    2010.06.28    Exploit.JS.Mult!IK
Avast    4.8.1351.0    2010.06.27    JS:Pdfka-AEE
Avast5    5.0.332.0    2010.06.27    JS:Pdfka-AEE
BitDefender    7.2    2010.06.28    Exploit.PDF-JS.Gen
Comodo    5238    2010.06.27    UnclassifiedMalware
F-Prot    4.6.1.107    2010.06.27    JS/ShellCode.BF.gen
F-Secure    9.0.15370.0    2010.06.28    Exploit.PDF-JS.Gen
GData    21    2010.06.28    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.84.0    2010.06.28    Exploit.JS.Mult
McAfee-GW-Edition    2010.1    2010.06.27    Heuristic.BehavesLike.PDF.Suspicious.O
Microsoft    1.5902    2010.06.27    Exploit:JS/Mult.CV
nProtect    2010-06-27.02    2010.06.27    Exploit.PDF-JS.Gen
Additional information
File size: 221345 bytes
MD5...: 100cf902ac31766f7d8a521eeb6f8d68
 Headers

Received: from faculty.nccu.edu.tw (HELO faculty.nccu.edu.tw) (140.119.166.66)
  by xxxxxxxxx
Received: By OpenMail Mailer;Wed, 09 Jun 2010 10:04:41 +0800 (CST)
From: "iirj"
Reply-To: iirj@nccu.edu.tw
Subject: =?big5?B?pNGmd8Slq+GqurTCwkGlYq5xt3OnvbbV?=
Message-ID: <1276049080.14398.iirj@nccu.edu.tw>
To: xxxxx
Date: Wed, 9 Jun 2010 10:04:40 +0800
MIME-Version: 1.0
Return-Path: iirj@nccu.edu.tw
Content-Type: multipart/mixed; boundary="---DBgb4Rh?+gBMpNxwZd2aL(DYw/="

 140.119.166.66
General IP Information
Hostname:    faculty.nccu.edu.tw
ISP:    MOEC
Organization:    National Chengchi University
Proxy:    None detected
Type:    Broadband
Assignment:    Static IP
Country:    Taiwan
State/Region:    T'ai-pei

Jun 8 Adobe 0 Day CVE-2010-1297 Analysis

Jun 8 Adobe 0 Day CVE-2010-1297 POC by Joshua J. Drake.




 POC here (will crash your browser) http://qoop.org/security/poc/cve-2010-1297  

The POC is based on the same sample as here   Jun 7 Adobe 0 day CVE-2010-1297 11d2f8d754f3e52893c631f0.pdf


 Download  POC files (password infected)






Monday, June 7, 2010

Jun 7 Adobe 0 day CVE-2010-1297 11d2f8d754f3e52893c631f0.pdf




 Download  original_11d2f8d754f3e52893c631f0 plus other files from jsunpack (no password this time)


I hear it worked ok on Adobe 9.3.0 with Win XP SP3, creates C:\-.exe (thanks, TaPion)


File original_11d2f8d754f3e52893c631f0 received on 2010.06.07 20:55:29 (UTC)
Result: 23/41 (56.1%)
http://www.virustotal.com/analisis/bd2776e507cf0284a9cfb7deb9a241d6699243a221c125f9911fa753ca8f01d1-1275928154
Antivirus     Version     Last Update     Result
a-squared    5.0.0.26    2010.06.07    HTML.Malicious!IK
AntiVir    8.2.2.6    2010.06.07    HTML/Malicious.PDF.Gen
Authentium    5.2.0.5    2010.06.07    PDF/Expl.HW
Avast    4.8.1351.0    2010.06.07    JS:Pdfka-gen
Avast5    5.0.332.0    2010.06.07    JS:Pdfka-gen
AVG    9.0.0.787    2010.06.07    Exploit_c.GGK
BitDefender    7.2    2010.06.07    Exploit.SWF.J
ClamAV    0.96.0.3-git    2010.06.07    Exploit.PDF-28487
eTrust-Vet    36.1.7617    2010.06.07    PDF/Pidief.RP
F-Prot    4.6.0.103    2010.06.07    PDF/Expl.HW
F-Secure    9.0.15370.0    2010.06.07    Exploit:W32/Pidief.CPT
GData    21    2010.06.07    Exploit.SWF.J
Ikarus    T3.1.1.84.0    2010.06.07    HTML.Malicious
Kaspersky    7.0.0.125    2010.06.07    Exploit.JS.Pdfka.ckq
Microsoft    1.5802    2010.06.07    Exploit:Win32/Pdfjsc.gen!A
Norman    6.04.12    2010.06.07    JS/Shellcode.IK
nProtect    2010-06-07.01    2010.06.07    Trojan-Exploit/W32.Pidief.268333.EY
PCTools    7.0.3.5    2010.06.07    Trojan.Pidief
Sophos    4.53.0    2010.06.07    Troj/SWFDlr-S
Symantec    20101.1.0.89    2010.06.07    Trojan.Pidief.J
TrendMicro    9.120.0.1004    2010.06.07    TROJ_PIDIEF.WX
TrendMicro-HouseCall    9.120.0.1004    2010.06.07    TROJ_PIDIEF.WX
ViRobot    2010.6.7.2341    2010.06.07    JS.S.EX-Pdfka.268333

Additional information
File size: 268333 bytes
MD5...: 721601bdbec57cb103a9717eeef0bfca
SHA1..: 11d2f8d754f3e52893c631f0201b72c909d52cd8


References  - thanks to Ratsoul for the tip
(you can download it from there too)
http://jsunpack.jeek.org/dec/go?report=7fca0277b807433a437553113bf702160ccb365e 

Exploit that cannot be named - I don't have it, it is a Google glitch

Update Jun 8 - see later posts

If you came here looking for the recent Flash exploit you see on the picture below, I don't have it. Not yet.
I don't have any links or words on my site that would make Google send everyone here and I am not engaged in any SEO experiments :)  But if you came from the search, like many others, I thought I would save you time searching through the blog.
Please help yourself to any other samples, read other posts and come again - I will post that sample as soon as I have it.
Regards,
Mila

CVE-2010-0188 + CVE-2009-4324 PDF The information you want from tibetstudent@gmail.com



Download 46bd79357c01e68715adf4f63d6a0c6d address book.pdf and 1d539bba6ef0a7c02a40f6bd5a2d5590 data.pdf as a password protected archive (contact me if you need the password)



From: Mr.Wong [mailto:tibetstudent@gmail.com]
Sent: Monday, June 07, 2010 4:52 AM
To: XXXXXXXXXXXXXXXX
Subject: The information you want

Sorry after a long time to think of it. This is the analysis of last outstanding issues and their contacts that you want. Why your mailbox always bounce? Please check if the mailbox is full.

CVE-2009-4324
 File Address_Book.pdf received on 2010.06.28 04:29:57 (UTC)
http://www.virustotal.com/analisis/21ebe23b16213eb37575c90a9e07e35792d3707c007e7c8236a44b7723da9e60-1277699397
Result: 12/40 (30%)
a-squared    5.0.0.30    2010.06.28    Exploit.PDF-JS!IK
Avast    4.8.1351.0    2010.06.27    JS:Pdfka-gen
Avast5    5.0.332.0    2010.06.27    JS:Pdfka-gen
BitDefender    7.2    2010.06.28    Exploit.PDF-JS.Gen
eSafe    7.0.17.0    2010.06.27    Win32.Pidief.H
F-Secure    9.0.15370.0    2010.06.28    Exploit.PDF-JS.Gen
GData    21    2010.06.28    Exploit.PDF-JS.Gen
Ikarus    T3.1.1.84.0    2010.06.28    Exploit.PDF-JS
McAfee-GW-Edition    2010.1    2010.06.27    Heuristic.BehavesLike.Exploit.PDF.CodeExec.EBEO
nProtect    2010-06-27.02    2010.06.27    Exploit.PDF-JS.Gen
PCTools    7.0.3.5    2010.06.28    Trojan.Pidief
Symantec    20101.1.0.89    2010.06.28    Trojan.Pidief.H
Additional information
File size: 327857 bytes
MD5...: 46bd79357c01e68715adf4f63d6a0c6d

CVE-2010-0188 (PDF Exploit base64 shellcode in TIFF - generated with metasploit)
http://www.virustotal.com/analisis/88b6a2bb9d866f12ff5a5c56cacd2bd1add406f4aa01f40ccefb715e134e71ff-1277699645
File Data.pdf received on 2010.06.28 04:34:05 (UTC)
Result: 17/41 (41.47%)
a-squared    5.0.0.30    2010.06.28    Trojan.Script!IK
AhnLab-V3    2010.06.27.01    2010.06.27    PDF/Exploit
Antiy-AVL    2.0.3.7    2010.06.25    Exploit/Win32.Pidief
Authentium    5.2.0.5    2010.06.27    PDF/Expl.HS
Avast    4.8.1351.0    2010.06.27    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.06.27    PDF:CVE-2010-0188
BitDefender    7.2    2010.06.28    Trojan.Script.435196
eSafe    7.0.17.0    2010.06.27    Win32.Pidief.H
eTrust-Vet    36.1.7668    2010.06.25    PDF/Pidief.QS
F-Prot    4.6.1.107    2010.06.27    JS/Crypted.DT
F-Secure    9.0.15370.0    2010.06.28    Trojan.Script.435196
GData    21    2010.06.28    Trojan.Script.435196
Ikarus    T3.1.1.84.0    2010.06.28    Trojan.Script

PCTools    7.0.3.5    2010.06.28    Trojan.Pidief
Sophos    4.54.0    2010.06.28    Troj/PDFJs-JI
Symantec    20101.1.0.89    2010.06.28    Trojan.Pidief.H
VirusBuster    5.0.27.0    2010.06.27    Exploit.PDFDrop.A
Additional information
File size: 926302 bytes
MD5...: 1d539bba6ef0a7c02a40f6bd5a2d5590



Saturday, June 5, 2010

June 5 Twitter Bifrost spreader h1.ripway.com and some others

This is a very prolific Twitter malware spreader using approximately 70-100 Twitter accounts (as of 5pm June 5, 2010, and their number is growing fast) and one domain, h1.ripway.com. The malware appears to be Bifrost; the binaries have different MD5s, different detection rates and different callback IPs. The subjects and languages of the Twitter posts differ too.

Download 6 samples (some are listed below; all are versions of the same trojan) as a password protected archive (contact me if you need the password)



https://twitter.com/#search?q=ripway - twitter search

Other malware spreaders you may find interesting are listed below (I did not check every link for malware presence, so please correct me if any of the links/searches are false positives). They look bad to me though.

https://twitter.com/#search?q=shup.com
https://twitter.com/#search?q=localhostr.com 
https://twitter.com/#search?q=freewebtown.com
https://twitter.com/#search?q=su1%20exe
http://twitter.com/#search?q=upload2009
http://twitter.com/#search?q=up-00 
http://twitter.com/#search?q=arabsh 
http://twitter.com/#search?q=Download%20Accelerator%20Plus 
http://twitter.com/#search?q=fileave 
http://twitter.com/#search?q=anilaali.com 

Domain  h1.ripway.com

http://www.robtex.com/ip/64.62.181.46.html
64.62.128.0/18
Hurricane Electric 55 South Market St San Jose, CA AS6939
HURRICANE Electric


Malware (a few samples used )
 video.xnxx.comvideo61715petite_babe_big_faci.exe
http://virscan.org/report/d7615d0c0d4a6cc91245617662095b62.html    

a-squared 5.0.0.11 20100605043517 2010-06-05 Backdoor.Win32.Bifrose!IK 12.027
AVAST! 4.7.4 100605-0 2010-06-05 Win32:VB-OUL [Trj] 0.008
GData 21.297/21.98 20100605 2010-06-05 Win32:VB-OUL [Trj] [Engine:B] 15.672
Ikarus T3.1.01.84 2010.06.05.76004 2010-06-05 Backdoor.Win32.Bifrose 6.630
JiangMin 13.0.900 2010.06.05 2010-06-05 Trojan/Buzus.hlp 2.267
McAfee 5400.1158 6004 2010-06-05 BackDoor-CEP.gen.cb 17.766
Microsoft 1.5802 2010.06.05 2010-06-05 VirTool:Win32/VBInject.gen!CI 6.919
Norman 6.04.12 6.04.00 2010-06-04 W32/VBInject.AS 6.028
Panda 9.05.01 2010.06.05 2010-06-05 Bck/Bifrost.gen      5.889
Quick Heal 10.00 2010.06.05 2010-06-05 Suspicious - DNAScan 1.765


File Name :   video.exe
http://virscan.org/report/02e932f4725a22c9301b3db9e8e102c0.html
File Size :   193125 byte
File Type :   PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 :   2f4f4c151ed20283443e79f5c35f8d45
AntiVir 8.2.2.6 7.10.7.251 2010-06-04 TR/Spy.218394 0.257
McAfee 5400.1158 6004 2010-06-05 BackDoor-CEP.gen.cb 16.025
Panda 9.05.01 2010.06.05 2010-06-05 Bck/Bifrost.gen      1.708
Quick Heal 10.00 2010.06.05 2010-06-05 Suspicious - DNAScan 1.528
VirusBuster 4.5.11.10 10.126.67/2027645 2010-06-06


File Name :   mahaaa.exe
http://virscan.org/report/b3835cdc5c45685c1c9350fc1318ef11.html   mahaaa.exe 
File Size :   230604 byte
MD5 :   079b2752644e75609ef0ba8329fcabb9
SHA1 :   917139aab4bbc51af958a3e03c00dd19c57b7846
a-squared 5.0.0.11 20100605043517 2010-06-05 Backdoor.Win32.Bifrose!IK 0.888
AntiVir 8.2.2.6 7.10.7.251 2010-06-04 TR/Spy.205381.1 0.264
AVAST! 4.7.4 100605-0 2010-06-05 Win32:Spyware-gen [Spy] 0.014
BitDefender 7.90123.6157321 7.32048 2010-06-06 Gen:Trojan.Heur.om2@rT8DpFoaQ 3.957
GData 21.298/21.99 20100605 2010-06-05 Win32:Spyware-gen [Spy] [Engine:B] 7.262
Ikarus T3.1.01.84 2010.06.05.76004 2010-06-05 Backdoor.Win32.Bifrose 6.541
JiangMin 13.0.900 2010.06.05 2010-06-05 Trojan/Buzus.gvi 1.195
McAfee 5400.1158 6004 2010-06-05 BackDoor-CEP.gen.cb 15.966
Panda 9.05.01 2010.06.05 2010-06-05 Bck/Bifrost.gen      1.721
Quick Heal 10.00 2010.06.05 2010-06-05 Suspicious - DNAScan 1.624


Anubis Report 1  Captain.ex.exe
http://anubis.iseclab.org/?action=result&task_id=182f301d06a8b2c74ed26c9817f6a8c48&format=html
Malware TCP traffic to
 -    82.137.245.67
Syrian Arab Republic (none)  82.137.192.0/18
STE Public Data Network Backbone and LIR AS29386
STE-AS2 Syrian Telecommunications Establishment

 Anubis Report 2 viurgn.com.exe
http://anubis.iseclab.org/?action=result&task_id=1354dfeb3e9278c44a95390c4d036902d&format=html
Malware TCP Traffic to 94.98.220.37:963
http://www.robtex.com/ip/94.98.220.37.html#ip
Hostname:    94.98.220.37.dynamic.saudi.net.sa
ISP:    SaudiNet, Saudi Telecom Company
Organization:    SaudiNet, Saudi Telecom Company
Country:    Saudi Arabia
State/Region:    Ar Riyad


These are some of the accounts as of June 5 and examples of links/posts



xsyria
hxxp://h1.ripway.com/xboldx/Captain.zip Poems by Nizar Qabbani and the poet Emad El Sayed that you will not see anywhere but here
hxxp://h1.ripway.com/xboldx/Captain.exe The world-famous sex game is now free; try it, you will not lose, you will gain pleasure
hxxp://h1.ripway.com/xboldx/Captain.exe Game Captain now famous celebrity free Ejreboha will Tkhosro Stervhawwa pleasure, but the truth

w3elly

hxxp://h1.ripway.com/hamadh6200/NasSim_x721x .exe Tool speed up the work of Computer

xxhotgirlxx20
hxxp://h1.ripway.com/sexanal/I%20need%20a%20friend.rar

dofus159
hxxp://h1.ripway.com/ftp/video.xnxx.comvideo61715petite_babe_big_faci.exe

xxhotgirlxx20
hxxp://h1.ripway.com/sexanal/I%20need%20a%20friend.rar

ishq7man
hxxp://h1.ripway.com/ishq7man/Chat%20With%20Girls.exe This programm is easy to use you can chat with any one specially (Girls) With Cam

hamodhay
Be free ardoghan Gazah need you'r help .. setub ardoghan tollbar for help us hxxp://h1.ripway.com/hamodhay/ordo.exe
To liberate the peoples of Gaza and support Recep Erdogan, let us unite our slogan: Gaza and Erdogan.. Download the Erdogan support program .. hxxp://h1.ripway.com/hamodhay/ordo.rar

bda7
hxxp://h1.ripway.com/abda7/ghost_dz.exe Another version of the solution and the problems of windows XP Abe, Vista program ghost_dz

g0od_b0y
(hxxp://h1.ripway.com/fs0l/Difference.bat } The difference between men and women ...... scientifically

fucksoso
hi am sara and i love sex so much is u wanna know more about me come here hxxp://h1.ripway.com/reem0979/reeeeem.rar we will chatting

fsol_sam
{ hxxp://h1.ripway.com/fs0l/sexy.bat } Games +18

nasser1001
Hello guys Allehaa Turkkm with the download Tvdilo hxxp://h1.ripway.com/vxx9/y1g.com

xxhotgirlxx20
hxxp://h1.ripway.com/sexanal/I%20need%20a%20friend.rar hi
hxxp://h1.ripway.com/sexanal/I%20need%20a%20friend.rar 
hxxp://h1.ripway.com/ababneh11/flash%20pic%20for%20mee%20!!.pif