Internet Anthropologist Think Tank: Chinese caught red handed HACKING

  • Search our BLOG

  • HOME
    Terrorist Names SEARCH:

    Sunday, June 01, 2008

    Chinese caught red handed HACKING

    Take an example of this PDF file we got a sample of via VirusTotal. The only information we have on this 130kB sample is that it was named f1be1cdea0bcc5a1574a10771cd4e8e8.pdf (after it's MD5 hash) and that it was submitted on the 23rd of May.

    When you open this document, this is what you'll see:

    Department of Homeland Security G-325A

    Looks like a Department of Homeland Security form G-325A.

    Look again.

    What's the filename?

    It's not f1be1cdea0bcc5a1574a10771cd4e8e8.pdf. It's 0521.pdf.

    This is not the document we opened.

    So what happens here?

    Apparently this PDF has been used in a targeted attack against an unknown target.

    When this PDF is opened in Acrobat Reader, it uses a known exploit to to drop files.

    Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf.

    Then it executes the EXE and launches the clean 0521.pdf file to Adobe Reader in order to fool the user that everything is all right.

    D50E.tmp.exe is a backdoor that creates lots of new files with innocent-sounding filenames, including:


    The SYS component is a rootkit that tries to hide all this activity on the infected machine.

    nbsstt.3322.orgThe backdoor tries to connect to port 80 of a host called Anybody operating this machine would have full access to the infected machine.

    Well, is one of the well-known Chinese DNS-bouncers that we see a lot in targeted attaks. Does nbsstt mean something? Beats me, but Google will find a user with this nickname posting to several Chinese military-related web forums, such as

    Where does point to?

    IP address is in Zhejiang, China.

    And it's live right now, answering requests at port 80.

    sHEESH I'm turning my computer off, cutting the cable and locking it in the attic..
    Lets see them attack it now.

    Call ahh umm somebody...yes somebody should take that PC down and the server.
    Burn them up.



    Labels: , , , , , , , ,


    Post a Comment

    Subscribe to Post Comments [Atom]

    << Home