Tuesday, December 15, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0

A quick analysis (this post is being updated):


Something more from other sites:

A detailed CVE-2009-4324 analysis
(many thanks to the vrt-sourcefire team :) ):
VRT-Sourcefire
http://vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html

Other interesting analyses of this from contagiodump.blogspot.com (many thanks contagio :)):
http://contagiodump.blogspot.com/2009/12/adobe-cve-2009-4324-posts-with-infected.html
http://contagiodump.blogspot.com/2009/12/zero-day-pdf-attack-of-day-2-interview.html

Malwaredomainlist
http://www.malwaredomainlist.com/forums/

Bad news about CVE-2009-4324:
New exploit in the wild capitalizes on flaw in JavaScript function, patch to come January 12 (Darkreading)
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=222002143

F-Secure analysis
(probably published after this initial post :) ) of the binary mentioned below (sorry, below, not above :), with some info about the HTTP C&C:
http://www.f-secure.com/weblog/archives/00001836.html

Adobe PSIRT Blog
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html


Metasploit module:
http://downloads.securityfocus.com/vulnerabilities/exploits/adobe_media_newplayer.rb


My not so linear analysis:

The malicious PDF is spread via email attachments. The following URL seems related to this issue (used by Trojan.Pidief.h as a dropper; low AV detection rate at the first VirusTotal submission):
hzzzzzp://foruminspace.com/documents/dprk/ab.exe (replace hzzzzzp with http at your risk)
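A detection-side helper, added here as an example and not part of the original post or of any of the linked analyses: it inflates the FlateDecode streams of a PDF and flags a JavaScript action together with the media.newPlayer call that the VRT write-up and the Metasploit module linked above refer to. The stream parsing is a deliberately simplified regex pass (no object streams, no other filters), and the minimal PDF it builds is constructed for the demo, not one of the in-the-wild samples.

```python
import re
import zlib

# Signatures for triaging CVE-2009-4324 samples: the JavaScript action keys and the
# media.newPlayer call named by the VRT analysis and the Metasploit module above.
SIGNATURES = {
    "javascript-action": re.compile(rb"/(JavaScript|JS)\b"),
    "media.newPlayer": re.compile(rb"media\s*\.\s*newPlayer", re.I),
}

# Simplified stream locator: the dictionary immediately before "stream", then the body.
STREAM_RE = re.compile(rb"(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def decoded_streams(pdf):
    """Yield each stream body, inflating FlateDecode ones (assumption: no other filters)."""
    for dictionary, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dictionary:
            # decompressobj() returns what it could inflate even when the stream is
            # truncated or lacks its trailer, which malicious PDFs frequently are.
            body = zlib.decompressobj().decompress(body)
        yield body


def scan_pdf(pdf):
    """Return the sorted signature names found in the raw bytes or any decoded stream."""
    hits = set()
    for body in [pdf, *decoded_streams(pdf)]:
        for name, pattern in SIGNATURES.items():
            if pattern.search(body):
                hits.add(name)
    return sorted(hits)


def build_sample(js):
    """Constructed minimal PDF: an OpenAction JavaScript kept in a Flate-compressed stream."""
    body = zlib.compress(js)
    header = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    )
    return header + body + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    # Constructed JS string for the scanner to find; it is a signature match, not an exploit.
    print(scan_pdf(build_sample(b"var p = this.media.newPlayer(null);")))
```

Searching only the raw file misses the call whenever the JavaScript sits in a compressed stream, which is why the decoded streams are scanned as well.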

VirusTotal analysis:
https://www.virustotal.com/analisis/d6afb2a2e7f2afe6ca150c1fade0ea87d9b18a8e77edd7784986df55a93db985-1260858538

ThreatExpert analysis:
http://www.threatexpert.com/report.aspx?md5=686738eb5bb8027c524303751117e8a9


Robtex response for the malicious domain above (foruminspace.com):

A bit more:



Whois 124.217.238.101


inetnum: 124.217.224.0 - 124.217.255.255

netname: PIRADIUS-NET
descr: PIRADIUS NET
country: MY
admin-c: PA124-AP
tech-c: PA124-AP
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-PIRADIUS
changed: hm-changed@apnic.net 20071217
source: APNIC

person: PIRADIUS NET Administrator
nic-hdl: PA124-AP
e-mail: abuse@piradius.net
address: PIRADIUS NET
address: Unit 21-3A, Level 21
address: Plaza DNP 59, Jalan Abdullah Tahir
address: Taman Century Garden
address: 80300 Johor Bahru, Johor
address: Malaysia
phone: +607 334 8605
fax-no: +607 334 8605
country: MY
changed: admin@piradius.net 20071003
mnt-by: MAINT-MY-PIRADIUS
source: APNIC


Some pieces of reversing related to "ab.exe":

The list of "unfriendly" processes searched for in memory:



An anti-debugging technique discovered in the dropper (thanks to 0xff for support), and other pieces of the checking stage, in the name of a "good local malware ecosystem":



An HTTP command from the infected host to the HTTP-based C&C:




The command that was sent from the "infected" host:




The commands are sent to two hostnames: dailysummary.net and somus.net





A note of interest is the MX record that points at the C&C hostname. The following pictures (again generated by robtex) show the impressive number of domains assigned to the IP 124.217.238.192 (dailysummary.net)


(generated from http://www.robtex.com/ip/124.217.238.192.html#graph)

and to the IP 124.217.238.100 (somus.net)

(generated from http://www.robtex.com/ip/124.217.238.100.html#graph)


