A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16530  by kalptarunet
 Fri Nov 09, 2012 11:18 pm
I got this one today morning from one of my infected host and none of AV able to detect and clean it.

https://www.virustotal.com/file/5b22fff ... /analysis/

SHA256: 5b22fff48905b8d30aa0d15e398c451876802c6ccbb76df9e3d516f46e07349e
SHA1: 50df283751254151faa1fcaa7306b7a1bc60e1b3
MD5: c9e0cf1bcdb9271790d5a1e443e27557
File size: 13.3 KB ( 13621 bytes )
File name: 25532-1.pdf
Attachments
Pass: infected
(7.32 KiB) Downloaded 74 times
 #16532  by EP_X0FF
 Sat Nov 10, 2012 2:41 am
kalptarunet wrote:I got this one today morning from one of my infected host and none of AV able to detect and clean it.

https://www.virustotal.com/file/5b22fff ... /analysis/

SHA256: 5b22fff48905b8d30aa0d15e398c451876802c6ccbb76df9e3d516f46e07349e
SHA1: 50df283751254151faa1fcaa7306b7a1bc60e1b3
MD5: c9e0cf1bcdb9271790d5a1e443e27557
File size: 13.3 KB ( 13621 bytes )
File name: 25532-1.pdf
Check stuff before doing post.
This is CVE-2010-0188. What OP ask is new exploit for Adobe Reader X/XI presumable - use-after-free bug in main <--> sandboxed processes communication of adobe reader.
 #16624  by rinn
 Thu Nov 15, 2012 10:09 am
Hi.
I think you have mixed everything. This proof of concept created by Kris Kaspersky who is working in USA Group-IB. Issue with Acrobat Reader X was reported in early October.

https://twitter.com/kris_kaspersky/stat ... 5050357760

Released with Metasploit 'download-n-execute' payload running calc.exe in November.

https://twitter.com/kris_kaspersky/stat ... 2900064256

It is doubtful that something like that suddenly appeared in the BHE. Pretty obvious that Kris will not share the PoC with BHE developers. Additionally according to kaspersky this PoC only works on XP with FF/Opera/IE and not Chrome. Media-hyped overall.

-rin