New Java Zero Day exploit attacks in the wild (Aug 27, 2012)
Update – 08/28/2012
Dell SonicWALL UTM Research team discovered spam campaigns carrying Blackhole exploit kit URLs that already use the new Java zero-day exploit we analyzed yesterday.
A sample e-mail message from the Intuit-themed spam campaign:
Structure of the exploit file that gets executed on the victim machine if the user clicks on the URL:
The malicious executable contacts.exe that is downloaded onto the target machine after a successful exploit run is, in this case, a Cridex banking Trojan variant.
Original Alert: Published – 08/27/2012
Dell SonicWALL UTM Research team found reports of a new zero-day vulnerability in the wild targeting Java that allows an attacker to download and execute a malicious executable on the victim machine.
We were able to confirm this exploit on the latest release of Java 7 in our research lab:
  java version "1.7.0_06"
  Java(TM) SE Runtime Environment (build 1.7.0_06-b24)
It is interesting to note that this exploit does not work on Java version 6. At the time of writing this alert, Oracle's security advisory page carries no information about this issue.
Infection Cycle
- An unsuspecting user visits a malicious or compromised site that leads to the download of the Java exploit JAR file.
- The Java exploit escapes the applet sandbox (it disables the protection against local file execution, see below), then downloads and executes a malicious binary, in this case a Poison Ivy variant [Detected as GAV: Poison.NHM (Trojan)].
- HTTP request observed for the payload download (note the Java User-Agent fetching an .exe, a useful proxy-log indicator):
  GET /meeting/hi.exe HTTP/1.1
  User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_03
- The initial landing page contained highly obfuscated JavaScript produced by the Dadong's JSXX 0.44 VIP obfuscator, as seen below:
- The malicious JAR file that gets downloaded contains two classes, Gondvv.class and Gondzz.class. Gondvv.class holds the applet's init() method, and the first thing it does is disable the protection against local file execution. It then checks whether the operating system is Windows and calls the xrun() function in Gondzz.class, which downloads a remote file into the temp directory and runs it:
- The server hosting the Java zero-day exploit is still active at the time of writing this Alert and serving Poison Ivy binary upon successful exploit runs.
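The two-class layout described above (an applet class that disables the sandbox and a helper that downloads to the temp directory and runs the file) is something an analyst can triage statically without running the JAR. The following script is an added example and not Dell SonicWALL's code: it lists the .class entries in a JAR, parses each class file's constant pool to recover the UTF-8 strings the code references, and matches them against the class names reported in this alert and a set of generic download-and-execute indicators. The indicator list, the sample JAR and the class stubs it contains are all constructed for the demo (the stubs carry only a header and a constant pool and are not loadable classes); nothing here is taken from the real sample's bytecode.

```python
"""Static triage of a suspicious applet JAR (added example, not SonicWALL code).

Lists .class entries, parses each class file's constant pool for its Utf8
strings, and matches them against the class names named in the alert plus
generic indicators of a download-to-temp-and-run dropper.  Indicators and the
sample JAR are constructed for the demonstration."""
import io
import struct
import zipfile

# Class names reported for this campaign's JAR.
KNOWN_CLASS_NAMES = {"Gondvv", "Gondzz"}
# Generic dropper indicators (assumed for the demo, not taken from the real sample).
DROPPER_INDICATORS = {
    "java/lang/Runtime", "exec", "java/io/tmpdir", "java/net/URL",
    "openStream", "java/io/FileOutputStream", "os.name", "setSecurityManager",
}
# Byte size of each fixed-width constant-pool entry by tag (JVM spec 4.4);
# tag 1 (Utf8) is variable length and handled separately.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 18: 4}


def constant_pool_strings(class_bytes):
    """Return the CONSTANT_Utf8 entries of a .class file; [] if it is not one."""
    if len(class_bytes) < 10 or class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return []
    count = struct.unpack_from(">H", class_bytes, 8)[0]  # constant_pool_count
    pos, index, strings = 10, 1, []
    while index < count and pos < len(class_bytes):
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # Utf8: u2 length followed by modified-UTF-8 bytes
            if pos + 2 > len(class_bytes):
                break
            length = struct.unpack_from(">H", class_bytes, pos)[0]
            strings.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _CP_FIXED:
            pos += _CP_FIXED[tag]
        else:
            break  # unknown tag: truncated or corrupt file, keep what we have
        index += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return strings


def scan_jar(jar_bytes):
    """Map each .class entry in the JAR to the sorted list of indicators found in it."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            simple_name = name.rsplit("/", 1)[-1][:-len(".class")]
            hits = set()
            if simple_name in KNOWN_CLASS_NAMES:
                hits.add("known-class-name:" + simple_name)
            for s in constant_pool_strings(jar.read(name)):
                hits.update(ind for ind in DROPPER_INDICATORS if ind in s)
            findings[name] = sorted(hits)
    return findings


def is_dropper(findings):
    """Verdict: a known class name, or network-fetch plus process-execution APIs together."""
    all_hits = set().union(*findings.values())
    if any(h.startswith("known-class-name:") for h in all_hits):
        return True
    return "java/net/URL" in all_hits and "java/lang/Runtime" in all_hits


def _stub_class(utf8_entries):
    """Constructed .class stub: magic, version 51 (Java 7), and a constant pool
    holding one CONSTANT_Long (two slots) followed by the given Utf8 entries."""
    pool = b"\x05" + b"\x00" * 8
    pool += b"".join(b"\x01" + struct.pack(">H", len(e)) + e.encode() for e in utf8_entries)
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 51, len(utf8_entries) + 3)
    return header + pool


def sample_jar():
    """Constructed JAR mimicking the two-class layout described in the alert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Gondvv.class", _stub_class(
            ["Gondvv", "java/applet/Applet", "init", "os.name", "Gondzz", "xrun"]))
        jar.writestr("Gondzz.class", _stub_class(
            ["Gondzz", "xrun", "java/net/URL", "openStream", "java/io/tmpdir",
             "java/io/FileOutputStream", "java/lang/Runtime", "exec"]))
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_jar(sample_jar())
    for entry, hits in result.items():
        print(entry, hits)
    print("dropper" if is_dropper(result) else "clean")
```

Run against a captured JAR with scan_jar(open(path, "rb").read()). The constant-pool walk is the part worth keeping: string-grepping a class file misses nothing here, but parsing the pool gives you exactly the class, method and property names the bytecode references, which is what you want to feed into a YARA rule or a sandbox-escape heuristic.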
Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Poison.NHM (Trojan)
- GAV: JavaDZ.A (Exploit)
- GAV: Malformed.class.MT.1 (Exploit)