Need a PoC to Test Your Security Setup?

Discussion in 'other security issues & news' started by CloneRanger, Sep 7, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I haven't tried it, but I don't expect it to work on my comp ;)

     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Thanks for the tip. It worked only with admin rights, so UAC protection in place did not allow it.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    So, it's what I like to call PoF, if perfect conditions are met. In this case, UAC. :)
     
  4. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Besides the fact that to even get to the download, Avira blocks all attempts, when you disable Avira and get the zip file (full of trojan demos which I have no intention of trying :)), there's an interesting bpmtk.pdf document describing process manipulations.

    Something is fishy with the document itself. I use Foxit v4.3.1 - all internet functions are disabled. No Ask toolbar, no internet searching, no JavaScript, no updates, nothing. Yet my firewall (Sunbelt) had to block outgoing connections to China. Remote address was 218.240.24.199 http port. There's just one hyperlink in the document. I tried the link in Opera just to see where it would go, but Opera blocked it on certificates.

    No other .pdf files have ever caused this kind of thing for me in Foxit.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I searched that IP and this is what I got.

    https://secure.dshield.org/ipinfo.html?ip=218.240.24.199

    http://www.ipvoid.com/scan/218.240.24.199

    From the IPVoid report (all green) I clicked WOT's result. I pasted the Chinese stuff below the image in translate.google.com and this is what I got:

    Then, I checked Robtex:

    http://www.robtex.com/ip/218.240.24.199.html
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    DomainTools:
    IP Location: China Beijing Beijing Neteon Tech Co Ltd
    ASN: AS23724
    IP Address: 218.240.24.199
    Reverse IP: 1 website uses this address. (example: fuxinsoftware.com.cn)
    inetnum: 218.240.0.0 - 218.240.63.255
    netname: NETEON
    descr: Beijing Neteon Tech Co, Ltd.
    descr: Room203-204,No.1,#737,CaoXi Road North,Shanghai,China
    country: CN
    admin-c: MX436-AP
    tech-c: MX436-AP
    status: ALLOCATED PORTABLE
    mnt-by: MAINT-CNNIC-AP
    mnt-lower: MAINT-CNNIC-AP
    mnt-routes: MAINT-CNNIC-AP
    changed: 20100330
    source: APNIC

    DNSstuff:
    IP Information - 218.240.24.199
    IP address: 218.240.24.199
    Reverse DNS: [No reverse DNS entry per win-aluor99sxx7.]
    Reverse DNS authenticity: [Unknown]
    ASN: 23724
    ASN Name: CHINANET-IDC-BJ-AP (IDC, China Telecommunications Corporation)
    IP range connectivity: 8
    Registrar (per ASN): APNIC
    Country (per IP registrar): CN [China]
    Country Currency: CNY [China Yuan Renminbi]
    Country IP Range: 218.240.0.0 to 218.247.255.255
    Country fraud profile: Normal
    City (per outside source): Unknown
    Country (per outside source): -- []
    Private (internal) IP? No
    IP address registrar: whois.apnic.net
    Known Proxy? No
    Link for WHOIS: 218.240.24.199

    Oh, well, I'm not going to lose any sleep over this so long as packet filters do their job. Besides, it's kind of off topic here anyway.
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Re - the Chinese IP/www

    f1.gif

    English version

    f2.gif

    I expect Didier Stevens must have included the www for a reason ;)
     
  8. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    Thanks for the screen shots. Interesting.
    If so, it must be well hidden, and I doubt it. DS has a good reputation!
    Perhaps my Foxit got hijacked :(
    There is no reason for it to go to the internet at all. I don't even use Foxit plugins and anyway I was opening the file from Explorer, not from the browser.
     
  9. Didier Stevens

    Didier Stevens Security Researcher

    Joined:
    Nov 19, 2010
    Posts:
    66
    There's nothing special in bpmtk.pdf, I produced it with OpenOffice.

    Did you know Foxit Reader is developed in China? I've been in touch before with the developers.

    When I take a look at an older copy of Foxit Reader.exe with the strings command, I find several URLs.
    One of them is http://www.fuxinsoftware.com.cn. This is the Chinese Foxit company. According to network-tools.com, www.fuxinsoftware.com.cn resolves to 218.240.24.199, which is exactly the IP address you noticed. From this, I conclude that it is Foxit Reader itself that is contacting this IP address, but I don't know why.
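
The triage described in the post above (pull strings out of the reader's executable, resolve the hostnames in any embedded URLs, compare with the address the firewall logged), as an added example that is not part of the original post or of Didier Stevens' tooling. The byte blob, `update.example.test` and the lookup table standing in for DNS are constructed; only the `www.fuxinsoftware.com.cn` to 218.240.24.199 mapping comes from the thread.

```python
import re
from urllib.parse import urlsplit

MIN_LEN = 6  # minimum run length, same idea as `strings -n 6`
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows binaries also store text as UTF-16LE: printable byte followed by NUL.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?[^\s\"'<>]*")

def extract_strings(blob):
    """Return printable ASCII and UTF-16LE runs found in a binary blob."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return found

def embedded_hosts(blob):
    """Map each hostname seen in an embedded URL to the URLs that mention it."""
    hosts = {}
    for s in extract_strings(blob):
        for url in URL.findall(s):
            host = urlsplit(url).hostname
            if host:
                hosts.setdefault(host.lower(), set()).add(url)
    return hosts

def explain_connection(blob, observed_ip, resolve):
    """Return embedded hosts whose address matches the firewall log entry."""
    return sorted(h for h in embedded_hosts(blob) if observed_ip in resolve(h))

# Constructed stand-in for an executable: binary noise, one ASCII URL,
# one UTF-16LE URL and an import name.
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"\x00\x01\xff" * 4
          + b"http://www.fuxinsoftware.com.cn\x00\x13\x37"
          + "http://update.example.test/check".encode("utf-16-le") + b"\x00\x00"
          + b"\xfe\xfdGetProcAddress\x00")

# Offline stand-in for DNS. The first mapping is the one reported in the
# thread; the second is constructed.
LOOKUP = {"www.fuxinsoftware.com.cn": {"218.240.24.199"},
          "update.example.test": {"192.0.2.10"}}

def resolve(host):
    return LOOKUP.get(host, set())

if __name__ == "__main__":
    print(explain_connection(SAMPLE, "218.240.24.199", resolve))
```

On a live system, `resolve` would wrap a real lookup, and a match only shows that the binary contains a URL for that host, not why the connection was made.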
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Interesting, thanks. I got permission denied after whitelisting from SRP, as expected. Comodo auto-sandboxed it.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ act8192

    Looks like DS has pointed to the "probable" cause!

    @ Didier Stevens

    Thanks for the info :thumb: I didn't know that Foxit was coded in China, but I do now ;)
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I didn't know either, but the Robtex report I linked to gave some hints about it. :D At least, that they were related, somehow.
     