Monday, December 28, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.4 - yourenter.com

 
The following URL has been reported by malwaredomainlist.com as a PDF exploiter:
 
hxxxxxxp://yourenter.com/pdf.php  (replace hxxxxxxp with http at your own risk).

Submitted to Wepawet, the PDF is classified as "benign" (http://bit.ly/7IZ9SH), so a minimal manual analysis was started. Following the usual steps with pdf_inflater, the following cleartext JavaScript was obtained:

1.tmp:

2.tmp:

3.tmp:

4.tmp:

In other words, the pieces of code above perform a "search and replace" of the string "kru pop 32" with "%". This step produces JavaScript encoded in the form "%<value>", which was decoded with Malzilla to obtain this code:

As shown above, the result is a PDF exploiter that tries to trigger the following issues:

CVE-2009-4324 by function printd() - line 10
CVE-2008-2992 by function util_printf() - line 32
CVE-2007-5659 by function collab_email() - line 58
CVE-2009-0927 by function collab_geticon() - line 84
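As an added example (not the post's own code), the following Python re-implements the first decoding stage described above, swapping the "kru pop 32" separator for "%" and applying a JavaScript-style unescape, then checks the decoded script for the Acrobat JavaScript API names publicly associated with the four CVEs listed. The API-to-CVE mapping and the sample blob are assumptions of this example, not material taken from the post.

```python
import re

# Separator the sample's loader replaces with "%" before calling unescape()
SEPARATOR = "kru pop 32"

# Acrobat JavaScript APIs tied to the CVEs the post lists (mapping taken from
# the public advisories; the post names the sample's wrapper functions instead)
MARKERS = {
    "util.printf": "CVE-2008-2992",
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "Collab.getIcon": "CVE-2009-0927",
    "media.newPlayer": "CVE-2009-4324",
}


def js_unescape(s):
    """Decode JavaScript unescape() syntax: %uXXXX and %XX sequences."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def deobfuscate(blob, separator=SEPARATOR):
    """Stage 1 of the sample: replace the separator with '%' and unescape."""
    return js_unescape(blob.replace(separator, "%"))


def find_markers(js):
    """Return the CVEs whose trigger API name appears in the decoded script."""
    return sorted({cve for api, cve in MARKERS.items() if api in js})


def obfuscate(js, separator=SEPARATOR):
    """Encode ASCII text the same way, used here only to build a test input."""
    return "".join(separator + format(ord(c), "02x") for c in js)


# Constructed sample input (assumption): not the real payload from the site
SAMPLE = obfuscate('var p = app.media.newPlayer(null); Collab.getIcon("x");')

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE)
    print(decoded)
    print(find_markers(decoded))  # ['CVE-2009-0927', 'CVE-2009-4324']
```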
 
The shellcode is the same for each function (lines 12, 34, 60 and 89 in the code above). Decoding it with Malzilla gives the following result:



So, once one of the issues is successfully triggered, the shellcode tries to download and execute the binary from:
hxxxxxxp://yourenter.com//load.php?spl=pdf_pack  (as already reported by malwaredomainlist.com)
 
The ThreatExpert analysis can be found at: http://www.threatexpert.com/report.aspx?md5=1f5bf5bf2eb28ad8d5808e814f12ce02

Some network information related to the starting URL:
 
Whois:
inetnum: 217.23.10.0 - 217.23.10.255
netname: WORLDSTREAM
descr: WorldStream IPv4.17
country: NL
admin-c: WS1670-RIPE
tech-c: WS1670-RIPE
status: ASSIGNED PA
mnt-by: MNT-WORLDSTREAM
source: RIPE # Filtered
