Saturday, December 19, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas from (for) Taiwan ? :)

Again from contagiodump (the "merry christmas" PDF): the following screenshot shows the obfuscated JavaScript code extracted from one of the stream objects within the PDF (hash 955bade419a9ba9e5650ccb3dda88844).
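Pulling the script out of the PDF's stream objects is the first triage step described above; the following is an added example (not from the original post) that inflates each FlateDecode stream and flags JavaScript actions and the media.newPlayer call tied to CVE-2009-4324. The PDF it scans is a small stand-in constructed inline, not the sample discussed here.

```python
import re
import zlib

# Constructed stand-in for the malicious PDF: one /JavaScript OpenAction whose
# code lives in a FlateDecode stream object, like the sample discussed above.
SAMPLE_JS = b"var sled = unescape('%u9090%u9090'); this.media.newPlayer(null);"

def build_sample_pdf():
    compressed = zlib.compress(SAMPLE_JS)
    header = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n")
    stream_obj = b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
    return header + stream_obj + compressed + b"\nendstream\nendobj\n%%EOF\n"

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

# Markers checked against each object's dictionary and decoded stream. media.newPlayer
# is the API misused by CVE-2009-4324; the rest are generic signs of auto-running script.
SUSPICIOUS = [
    ("javascript-action", rb"/JavaScript"),
    ("js-key", rb"/JS\b"),
    ("openaction", rb"/OpenAction"),
    ("unescape", rb"unescape\s*\("),
    ("unicode-escape", rb"%u[0-9a-fA-F]{4}"),
    ("newplayer", rb"media\.newPlayer"),
]

def split_object(obj_body):
    """Return (dictionary bytes, decoded stream bytes) for one object body."""
    m = STREAM_RE.search(obj_body)
    if not m:
        return obj_body, b""
    dictionary, data = obj_body[:m.start()], m.group(1)
    if b"/FlateDecode" in dictionary:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # keep raw bytes so a broken filter still gets scanned
    return dictionary, data

def scan_pdf(pdf):
    """Return [(object number, [marker names])] for every object with a hit."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        dictionary, data = split_object(m.group(2))
        text = dictionary + b"\n" + data
        hits = [name for name, pat in SUSPICIOUS if re.search(pat, text)]
        if hits:
            findings.append((int(m.group(1)), hits))
    return findings
```

Run `scan_pdf(open(path, "rb").read())` against a real file; the stream-only scan keeps compressed bytes from producing false hits, and objects whose filter fails to inflate are still scanned raw.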

The PDF (955bade419a9ba9e5650ccb3dda88844) generates, if the exploit triggers successfully, a binary that is written as an .exe file named "temp.exe" in the path "C:\Documents and Settings\Admin\Local Settings".
The following link is the Anubis report for the exe:

As shown in the Anubis analysis, the dropper creates another binary named "msupdater.exe" located in
"C:\Documents and Settings\Admin\Local Settings\Application Data". The Anubis report for "msupdater.exe":

Once msupdater.exe executes, it generates the following (really strange) traffic:

As shown in the screenshot above (sorry for the copy in the labs folder :) ), the IP of interest (used for the strange HTTP "ping" traffic as well as a sort of port knocking) seems to be the following: From Robtex the following graph was obtained:


inetnum: -
netname: TANET
descr: Taiwan Academic Network
descr: Ministry of Education computer Center
descr: 12F, No 106, Sec. 2, Heping E. Rd., Taipei
country: TW
admin-c: TA61-AP
tech-c: TA61-AP
changed: 20030908
changed: 20040926
source: APNIC

Another interesting IP (observed during the launch of msupdater.exe) shown in the Wireshark capture above is: which stands for:

AS15169 stands for

so it's Google :)

Anyway, yet another reverse engineering analysis of this issue can be found at
