Lets look at CVE-2010-2883 Adobe 0-Day David Leadbetter's One Point Lesson pdf file from Mila.
One of the files that was dropped was hcp.dll signed with certificate.
File Header
File compiled with visual studio 6.0 at 30/08/2010 23:49:52.
and it was captured by Mila on 07/09/2010. Looks like it was undetected and unknown 0-day only for one week.
In resource system lang
Child Type: VarFileInfo
Translation: 1042/1200
VarFileInfo
Language is Korean Unicode.
File Write on C++ with MFC.
Exported functions are:
and from shellcode called function StartUp.
Decompiled hcp.dll
http://pastebin.com/vEzKptHN
An my opinion :
1. The file loader hcp.dll and the exploit were written by different people because of the difference in the quality of programming. Loader hcp.dll was written by a programmer with much lower skills, 'cos its writen on C++ with MFC and does not use any Firewall bypass Technique.
2. Looks like hcp.dll had digital signature only to bypass AV.
3. If the loader file made on a system with default Korean language (Korean Windows), then it was not from China but from Korea.
Friday, September 17, 2010
Subscribe to:
Post Comments (Atom)
Nice analysis =)
ReplyDelete