Need a PoC to Test Your Security Setup?

I havn't tried it, but i don't expect it to work on my comp

 

Thanks for the tip. It worked only with admin rights, so UAC protection in place did not allow it.

 

So, it's what I like to call PoF, if perfect conditions are met. In this case, UAC.

 

Besides the fact that to even get to the download, Avira blocks all attempts, when you disable Avira and get the zip file (full of trojan demos which I have no intention of trying ), there's an interesting bpmtk.pdf document describing process manipulations.

Something is fishy with the document itself. I use Foxit v4.3.1 - all internet functions are disabled. No ask toolbar, no internet searching, no java script, no updates, nothing. Yet my firewall (Sunbelt) had to block outgoing connections to China. Remote address was 218.240.24.199 http port. There's just one hyperlink in the document. I tried the link in Opera just to see where it would go, but Opera blocked it on certificates.

No other .pdf files have ever caused this kind of thing for me in Foxit.

 

I searched that IP and this is what I got.

https://secure.dshield.org/ipinfo.html?ip=218.240.24.199

http://www.ipvoid.com/scan/218.240.24.199

From the IPVoid report (all green) I clicked WOT's result. I pasted the chinese stuff below the image in translate.google.com and this is what I got:

Then, I checked Robtex:

http://www.robtex.com/ip/218.240.24.199.html

 

DomainTools:
IP Location: China Beijing Beijing Neteon Tech Co Ltd
ASN: AS23724
IP Address: 218.240.24.199
Reverse IP: 1 website uses this address. (example: fuxinsoftware.com.cn)
inetnum: 218.240.0.0 - 218.240.63.255
netname: NETEON
descr: Beijing Neteon Tech Co, Ltd.
descr: Room203-204,No.1,#737,CaoXi Road North,Shanghai,China
country: CN
admin-c: MX436-AP
tech-c: MX436-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: 20100330
source: APNIC

DNSstuff:
IP Information - 218.240.24.199
IP address: 218.240.24.199
Reverse DNS: [No reverse DNS entry per win-aluor99sxx7.]
Reverse DNS authenticity: [Unknown]
ASN: 23724
ASN Name: CHINANET-IDC-BJ-AP (IDC, China Telecommunications Corporation)
IP range connectivity: 8
Registrar (per ASN): APNIC
Country (per IP registrar): CN [China]
Country Currency: CNY [China Yuan Renminbi]
Country IP Range: 218.240.0.0 to 218.247.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): -- []
Private (internal) IP? No
IP address registrar: whois.apnic.net
Known Proxy? No
Link for WHOIS: 218.240.24.199

WHOIS
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 218.240.0.0 - 218.240.63.255
netname: NETEON
descr: Beijing Neteon Tech Co, Ltd.
descr: Room203-204,No.1,#737,CaoXi Road North,Shanghai,China
country: CN
admin-c: MX436-AP
tech-c: MX436-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: ****@cnnic.cn 20100330
source: APNIC
person: Miao Xin
address: lixiang building, No.111 zhichun road,haidian district,beijing
country: CN
phone: +86-010-5199450
fax-no: +86-010-5199450
e-mail: ****@163.com
nic-hdl: MX436-AP
mnt-by: MAINT-CNNIC-AP
changed: ****@cnnic.net.cn 20100330
source: APNIC

Oh, well, I'm not going to loose any sleep over this so long as packet filters do their job. Besides, it's kind of off topic here anyway.

 

Re - the Chinese IP/www



English version



I expect Didier Stevens must have included the www for a reason

 

Thanks for the screen shots. Interesting.

If so, it must be well hidden, and I doubt it. DS has good reputation!
Perhaps my Foxit got hijacked
There is no reason for it to go internet at all. I don't even use foxit plugins and anyway I was opening the file from explorer not from the browser.

 

There's nothing special in bpmtk.pdf, I produced it with OpenOffice.

Did you know Foxit Reader is developed in China? I've been in touch before with the developers.

When I take a look at an older copy of Foxit Reader.exe with the strings command, I find several URLs.
One of them is http://www.fuxinsoftware.com.cn. This is the Chinese Foxit company. According to network-tools.com, www.fuxinsoftware.com.cn resolves to 218.240.24.199, which is exactly the IP address you noticed. From this, I conclude that it is Foxit Reader itself that is contacting this IP address, but I don't know why.

 

Interesting, thanks. I got permission denied after whitelisting from SRP, as expected. Comodo auto-sandboxed it.

 

@ act8192

Looks like DS has pointed to the "probable" cause !

@ Didier Stevens

Thanks for the info I didn't know that Foxit was coded in China, but i do now

 

I didn't know either, but the Robtex report I linked to gave some hints about it. At least, that they were related, somehow.