Adobe 0-day 추가 악성코드 샘플을 구했습니다.
그리고 지난번 글에서 다운로드되지 않았던 ab.exe 파일도 확보를 했습니다.
E:\04.analysis\binary\20091216_adobe reader\malware> md5sum *.*
686738eb5bb8027c524303751117e8a9 *ab.exe
8950bbedf4a7f1d518e859f9800f9347 *crazyphoto.pdf
955bade419a9ba9e5650ccb3dda88844 *merry_christmas.pdf
61baabd6fc12e01ff73ceacc07c84f9a *note200911.pdf
61baabd6fc12e01ff73ceacc07c84f9a *note_20091210.pdf
35e8eeee2b94cbe87e3d3f843ec857f6 *outline of interview.pdf
0ab2fd3b6c385049f9eb4a559dbdc8a6 *海基會協商代表團預備性磋商名單.pdf
E:\04.analysis\binary\20091216_adobe reader\malware> ssdeep *.*
ssdeep,1.0--blocksize:hash:hash,filename
6144:53Gcbn2gnsuwtasAlbkdIiXb8K/hYcZVnHIbNwJBBp5:JbwtasAV+xffZ5X5,"E:\04.analysis\binary\20091216_adobe reader\malware\ab.exe"
768:bsg8fN3eX7k3GHsF90azVWqaYXCqntyhovHhv/MVsMepOF:bTYN3z3UscazpXM25EZepG,"E:\04.analysis\binary\20091216_adobe reader\malware\crazyphoto.pdf"
24576:hX+rECBhOc3cZUJe3xcxzV78/g4b3PlD4A8C0u2IcwrjefQM8rkAC:hOrHOcaye3x+V8Y4zH8C1XaoMIc,"E:\04.analysis\binary\20091216_adobe reader\malware\merry_christmas.pdf"
1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8VE9sT6BpfneilR/8k,"E:\04.analysis\binary\20091216_adobe reader\malware\note200911.pdf"
1536:p0AAH2KthGBjcdBj8VETeePxsT65ZZ3pdx/ves/aQR/875+:prahGV6Bj8VE9sT6BpfneilR/8k,"E:\04.analysis\binary\20091216_adobe reader\malware\note_20091210.pdf"
3072:prahGV6Bj8VE9sT6BpfneiL0jbupQ1S8ZTW5RxSDeF87OiE53a0WYtjdMJokl:pYBj8V7yaRSQTWX8Deu36SmxMJ3,"E:\04.analysis\binary\20091216_adobe reader\malware\outline of interview.pdf"
3072:k36u5/nLzdqJdVmK6pM8qffaRlOxpKs3i1AE:iLzdqJdMfphqfCRlOxpK2i1D,"E:\04.analysis\binary\20091216_adobe reader\malware\???????????????.pdf"
Virustal 검사 결과는 아래를 참조하시기 바랍니다.
note200911.pdf - 11월 30일
http://www.virustotal.com/ko/analisis/27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa-1261453238
note_20091210.pdf - 12월 11일
http://www.virustotal.com/ko/analisis/27cced58a0fcbb0bbe3894f74d3014611039fefdf3bd2b0ba7ad85b18194cffa-1261453573
ab.exe - note_20091210.pdf를 통해 다운로드하는 파일(foruminspace.com)
http://www.virustotal.com/ko/analisis/d6afb2a2e7f2afe6ca150c1fade0ea87d9b18a8e77edd7784986df55a93db985-1261453471
outline of interview.pdf - 12월 13일
http://www.virustotal.com/ko/analisis/cd508c488bb3b0234ff480cc455761f8003ea584c4ddcc6901f2f5eea66cd25a-1261453917
merry_christmas.pdf - 12월 18일
http://www.virustotal.com/ko/analisis/8ccc882c18d927b57a33f8c6bae4d0eec3290ac7ab1d1157725918feab76ec01-1261453597
crazyphoto.pdf - 12월 18일
http://www.virustotal.com/ko/analisis/55227b229a113d8a93d823466ebdd7a94c77fa37126b330818b41d49bd9a73de-1261453598
海基會協商代表團預備性磋商名單.pdf - 12월 21일
http://www.virustotal.com/ko/analisis/0c148cfceccea8f0988021d266cfb0668b577bf77a9271bc47cfa7c93305ccc5-1261453673
국산 엔진들은 12월 18일 이후에 발견된 악성코드에 대해서 탐지를 못하고 있었습니다. 단, 21일 발견된 파일을 nProtect만 Exploit.PDF-JS.Gen.C02으로 탐지하고 있었습니다.
