Saturday, December 19, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas from (for) Taiwan ? :)

Again from contagiodump (the "merry christmas" PDF): the following screenshot shows the obfuscated JavaScript code extracted from one of the stream objects within the PDF (955bade419a9ba9e5650ccb3dda88844).
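To show how such JavaScript can be pulled out of PDF stream objects for triage, here is an added example (not code from the original post, and not run against the contagiodump sample): it builds a constructed minimal PDF in memory with a FlateDecode-compressed stream holding a harmless stand-in for the obfuscated code, then walks the objects and inflates streams so JS hidden behind compression becomes visible.

```python
"""Triage helper: locate JavaScript carried inside PDF stream objects."""
import re
import zlib
from typing import Optional

# Constructed sample PDF (not the real sample): a harmless JS string
# stands in for the obfuscated payload, wrapped in a FlateDecode stream.
SAMPLE_JS = b"var a=unescape('%41%42');app.alert(a);"
_STREAM = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
    b"3 0 obj << /Length " + str(len(_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _STREAM + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# Markers typical of JS actions and of obfuscated scripts (unescape/eval).
JS_MARKERS = (b"/JavaScript", b"/JS", b"app.alert", b"unescape(", b"eval(")

def extract_objects(pdf: bytes) -> dict:
    """Map object number -> raw object body (dictionary plus any stream)."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}

def inflate_stream(body: bytes) -> Optional[bytes]:
    """Return decompressed stream data, or None if the object has no stream."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    if b"/FlateDecode" in body:
        try:
            return zlib.decompress(data)
        except zlib.error:  # corrupt or truncated stream: hand back raw bytes
            return data
    return data

def find_javascript(pdf: bytes) -> dict:
    """Return {obj_num: content} for objects that reference or hold JS."""
    hits = {}
    for num, body in extract_objects(pdf).items():
        payload = inflate_stream(body)
        text = body if payload is None else payload
        if any(marker in text for marker in JS_MARKERS):
            hits[num] = text
    return hits

if __name__ == "__main__":
    for num, content in find_javascript(SAMPLE_PDF).items():
        print(f"object {num}: {content[:80]!r}")
```

On a real sample the inflated content of the flagged objects is what goes into a JS deobfuscation pass; objects with other filters (ASCIIHex, LZW) would need their own decoders.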



When the exploit triggers successfully, the PDF (955bade419a9ba9e5650ccb3dda88844) drops a binary written as an .exe file named "temp.exe" under "C:\Documents and Settings\Admin\Local Settings".
The following link is the Anubis report for the exe:
http://anubis.iseclab.org/?action=result&task_id=18d9ed8740a9d94b469c492638799bb60&format=html

As shown in the Anubis analysis, the dropper creates another binary named "msupdater.exe" located in
"C:\Documents and Settings\Admin\Local Settings\Application Data". The Anubis report for "msupdater.exe":
http://anubis.iseclab.org/?action=result&task_id=194fa0dfd87d1f9742d334f13b27666d3&format=html

Once msupdater.exe executes, it generates the following (really strange) traffic:



As shown in the screenshot above (sorry for the copy in the labs folder :) ), the IP of interest (used for strange HTTP "ping" traffic as well as a sort of port knocking) seems to be 140.112.40.7. From Robtex the following graph was obtained:




Whois 140.112.40.7:

inetnum: 140.112.0.0 - 140.112.255.255
netname: TANET
descr: Taiwan Academic Network
descr: Ministry of Education computer Center
descr: 12F, No 106, Sec. 2, Heping E. Rd., Taipei
country: TW
admin-c: TA61-AP
tech-c: TA61-AP
mnt-by: MAINT-TW-TWNIC
changed: hostmaster@twnic.net.tw 20030908
changed: hm-changed@apnic.net 20040926
status: ALLOCATED PORTABLE
source: APNIC

Another interesting IP (observed during the launch of msupdater.exe) shown in the Wireshark capture above is
209.85.227.104, which resolves to:
wy-in-f104.1e100.net


AS15169 belongs to google.com

so 209.85.227.104 is Google :)


Anyway, yet another reverse engineering analysis of this issue can be found at
http://whsbehind.blogspot.com
