AlienVault Labs - Tag Archive

New year, new Java zeroday!

January 10th, 2013 | Posted by jaime.blasco in Advisory | Attacks | Exploits - (Comments Off)

Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain we reproduced the exploit in a fully patched new installation of Java. As you can see below we tricked the malicious Java applet to execute the calc.exe in our lab.

The Java file is highly obfuscated but based on the quick analysis we did the exploit is probably bypassing certain security checks tricking the permissions of certain Java classes as we saw in CVE-2012-4681 .

Right now the only way to protect your machine against this exploit is disabling the Java browser plugin. Let’s see how long does it take for Oracle to release a patch.

On the other hand we expect a Metasploit module in the upcoming days as it has been happening during the last year as well as most of the exploit kits adopting this new zeroday sooner than later.

We will keep you updated as we obtain more information.

Be safe!

Update: It seems both Blackhole and Nuclear Pack exploit kits are using this vulnerability in the wild

jaime.blasco

At AlienVault Jaime manages the Lab and runs the Vulnerability Research Team. Prior to working in the AlienVault lab he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. His background stems from a number of years working in vulnerability management, malware analysis and security researching.

New Java 0day exploited in the wild

August 27th, 2012 | Posted by jaime.blasco in APT | Attacks | Exploits - (Comments Off)

A few hours ago, FireEye published some information related to a new Java 0day exploited in the wild.

The malicious JAR file was served from ok.aa24.net / meeting / index.html

The html loads the Java applet passing some parameters that are used later to build the URL to download the payload. The HTML is encrypted using “Dadong’s JSXX 0.44 VIP”.

The Java applet contains the following two .class files:

- cve2012xxxx/Gondzz.class

- cve2012xxxx/Gondvv.class

The applet check if the system is running Windows and gets the parameters passed from the HTML that contains the URL to download the payload. If the system is vulnerable, the payload is downloaded and executed in the system.

On the analyzed sample the payload is downloaded from ok.aa24.net / meeting / hi.exe

https://www.virustotal.com/file/09d10ae0f763e91982e1c276aad0b26a575840ad986b8f53553a4ea0a948200f/analysis/1346055031/

The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replace the file if present) and starts the Portable Media Serial Number Service.

The malware connects to hello.icon.pk port 80. It seems to be a Poison Ivy variant.

hello.icon.pk resolvs to:

223.25.233.244

223.25.233.0 – 223.25.233.255
8 to Infinity Pte Ltd

You can use the following generic Yara rule to detect a malicious .class file exploiting this vulnerability:

rule Java0daycve2012xxxx_generic

{

meta:

weight=100

author = “Jaime Blasco”

source = “alienvault”

date = “2012-08″

strings:

$ = ”java/security/ProtectionDomain”

$ = “java/security/Permissions”

$ = “java/security/cert/Certificate”

$ = “setSecurityManager”

$ = “file:///”

$ = “sun.awt.SunToolkit”

$ = “getField”

condition:

all of them

}

A module has just been published for Metasploit so it is time to disable Java in all your systems

And remember to search your logs for connections to the Domains/IPs related to this attack.

Have a great day!

New year, new Java zeroday!

jaime.blasco

New Java 0day exploited in the wild

jaime.blasco

Navigation

Search IP in reputation database

Labs on twitter

Tags

Recent Discussions

People Online