Tuesday, December 29, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.5 – yet another Elenore pack

From the following URL (thanks to malwaredomainlist):

hxxxxp://macaples.in/my_usa/pdf.php 

A PDF was downloaded that looks similar to those analyzed in the previous post. Again the JavaScript code inflated from the PDF streams is spread across 4 files. One of them allows the clear JavaScript code to be recovered: in this case the search is for “lka1”, replaced with “%”.

[screenshot shot001]

The obfuscated exploit code appears as in the following screenshots:

[screenshot shot002]

Decoding it yields the following code:

[screenshots s1, s2, s3, s4]

As shown, the following issues are exploited:

CVE-2009-4324 by function printd()
CVE-2008-2992 by function util_printf()
CVE-2007-5659 by function collab_email()
CVE-2009-0927 by function collab_geticon()
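As an added worked example (not code from the original post, and not the exploit pack's own code), the script below reproduces on constructed input the two analysis steps described above: inflate a FlateDecode stream from a minimal PDF built inside the script, undo the “lka1” for “%” substitution and the percent-encoding, and then report which of the four wrapper functions (and so which CVEs from the list above) the decoded script calls. The sample PDF, the clear script and the obfuscation routine are all constructed here; the function-to-CVE mapping is the one listed in the post, and treating the encoding as JavaScript-style %XX / %uXXXX escapes is an assumption.

```python
import re
import zlib

# Constructed clear script: it only calls the pack's wrapper function names
# from the post; the function bodies are hypothetical and not included.
CLEAR_JS = (
    "var v = app.viewerVersion;\n"
    "if (v >= 9) { printd(); } else { util_printf(); }\n"
    "collab_email();\n"
)

# Wrapper function name -> CVE, exactly as listed in the post.
FUNCTION_TO_CVE = {
    "printd": "CVE-2009-4324",
    "util_printf": "CVE-2008-2992",
    "collab_email": "CVE-2007-5659",
    "collab_geticon": "CVE-2009-0927",
}

TOKEN = "lka1"  # the string that stands in for '%' in the obfuscated layer


def obfuscate_for_demo(js: str, token: str = TOKEN) -> str:
    """Constructed obfuscation layer for the demo: percent-encode every
    character (JavaScript escape() style) and swap '%' for the token."""
    encoded = "".join(
        f"%u{ord(c):04x}" if ord(c) > 0xFF else f"%{ord(c):02x}" for c in js
    )
    return encoded.replace("%", token)


def build_sample_pdf(js_layer: str) -> bytes:
    """Constructed minimal PDF-like blob with one FlateDecode stream."""
    data = zlib.compress(js_layer.encode("latin-1"))
    return (
        b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(data)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + data
        + b"\nendstream\nendobj\n%%EOF\n"
    )


# Non-greedy stream/endstream matcher; good enough for a demo, a real
# parser would honour /Length instead of searching for the keyword.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf: bytes) -> list:
    """Return every stream body that zlib can inflate; skip the rest."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return out


def js_unescape(s: str) -> str:
    """Decode %XX and %uXXXX escapes the way JavaScript's unescape() does."""
    def repl(m):
        hexdigits = m.group(1) or m.group(2)
        return chr(int(hexdigits, 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def deobfuscate_layer(layer: str, token: str = TOKEN) -> str:
    """Undo the substitution described in the post: token -> '%', then unescape."""
    return js_unescape(layer.replace(token, "%"))


def identify_exploits(js: str) -> list:
    """CVEs whose wrapper function is called in the decoded script,
    in the order of FUNCTION_TO_CVE."""
    found = []
    for name, cve in FUNCTION_TO_CVE.items():
        if re.search(rf"\b{name}\s*\(", js):
            found.append(cve)
    return found


def analyze(pdf: bytes) -> list:
    """Full pipeline: inflate streams, decode each layer, collect CVEs."""
    cves = []
    for blob in inflate_streams(pdf):
        js = deobfuscate_layer(blob.decode("latin-1"))
        cves.extend(c for c in identify_exploits(js) if c not in cves)
    return cves


if __name__ == "__main__":
    sample = build_sample_pdf(obfuscate_for_demo(CLEAR_JS))
    print(analyze(sample))  # ['CVE-2009-4324', 'CVE-2008-2992', 'CVE-2007-5659']
```

The decoder ignores any stream that zlib cannot inflate, so it can be pointed at a real file without first separating the deflated objects; the wrapper-name check is only a triage heuristic, since a different pack would rename the functions.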

The shellcode, once executed, contacts the following URL:

[screenshot shot003]

hxxxxxxxxxxxp://macaples.in/my_usa/load.php?spl=pdf_pack

to drop and execute the following binary:

md5 bbaf68dc0071e0c7ff1f5fc6aa711279

As reported by ThreatExpert, there is network traffic to IP 115.100.250.114.

[screenshot s5]

More info about this domain from Robtex: http://www.robtex.com/dns/sport-lab.cn.html#shared
