New Java Zero Day exploit attacks in the wild (Aug 27, 2012)

Update – 08/28/2012

Dell SonicWALL UTM Research team discovered spam campaigns involving Blackhole exploit kit URLs already utilizing the new Java Zero Day exploit that we analyzed yesterday.

A sample e-mail message from the Intuit Spam campaign:

screenshot

Structure of the exploit file that gets executed on the victim machine if the user clicks on the URL:

screenshot

The malicious executable contacts.exe that is downloaded to the target machine after a successful exploit run is, in this case, a Cridex banking Trojan variant.


Original Alert: Published – 08/27/2012

Dell SonicWALL UTM Research team found reports of a new zero-day vulnerability in the wild targeting Java that allows an attacker to download and execute a malicious executable on the victim machine.

We were able to confirm this exploit on the latest version 7 of Java in our research lab:

java version "1.7.0_06"
Java(TM) SE Runtime Environment (build 1.7.0_06-b24)

It is interesting to note that this exploit does not work on Java version 6. There is no information available on Oracle’s security advisory page at the time of writing this alert about this issue.

Infection Cycle

  • An unsuspecting user visits a malicious or compromised site that leads to the download of the Java exploit JAR file.
  • The Java exploit performs local privilege escalation, then downloads and executes a malicious binary, which in this case is a Poison Ivy variant [Detected as GAV: Poison.NHM (Trojan)]:
    • GET /meeting/hi.exe HTTP/1.1
      User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_03
  • The initial landing page contained highly obfuscated JavaScript code encrypted using a module named Dadong’s JSXX 0.44 VIP as seen below:

    screenshot

  • The malicious JAR exploit file that gets downloaded contains two classes, Gondvv.class and Gondzz.class. Gondvv.class contains the init function, and the first thing it does is disable protection against local file execution. It then checks whether the operating system is Windows and calls the xrun() function in Gondzz.class, which downloads a remote file into the temp directory and runs it:

    screenshot

  • The server hosting the Java zero-day exploit is still active at the time of writing this Alert and serving Poison Ivy binary upon successful exploit runs.

    screenshot
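Two defender-side checks follow from the infection cycle above: the post-exploit download shows up in proxy logs as a Java user agent (the `Java/1.7.0_xx` token seen in the captured GET request) fetching a Windows executable, and the dropped JAR can be recognized by the class names the alert lists, Gondvv.class and Gondzz.class. The script below is an added example, not SonicWALL's own detection code. The proxy log format, the IP addresses and the log lines are constructed for the example (192.0.2.10 stands in for the exploit server, whose address the alert does not give), and the in-memory JAR contains empty placeholder entries rather than real bytecode.

```python
import io
import re
import zipfile

# Constructed proxy log lines (assumed format: source, method, URL, quoted user agent).
# The second line mirrors the request shape from the alert: a Java user agent
# fetching hi.exe from the attacker's /meeting/ path.
SAMPLE_LOG = """\
10.0.0.5 GET http://example.test/index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/14.0"
10.0.0.7 GET http://192.0.2.10/meeting/hi.exe "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_03"
10.0.0.7 GET http://example.test/updates/patch.msi "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_03"
10.0.0.9 GET http://example.test/app.jar "Mozilla/5.0 (Windows NT 6.1) Firefox/14.0"
"""

LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# The JRE's own HTTP client identifies itself with a Java/<version> token.
JAVA_UA_RE = re.compile(r'\bJava/(?P<ver>\d+\.\d+\.\d+(?:_\d+)?)')
EXECUTABLE_EXT = ('.exe', '.dll', '.scr', '.msi')


def java_exe_fetches(log_text):
    """Return (source, url, java_version) for every request in which a Java
    user agent fetched a Windows executable: the download step that follows
    a successful exploit run in the infection cycle."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ua = JAVA_UA_RE.search(m.group('ua'))
        if ua is None:
            continue  # browser traffic, not the JRE downloading on its own
        path = m.group('url').split('?', 1)[0].lower()
        if path.endswith(EXECUTABLE_EXT):
            hits.append((m.group('src'), m.group('url'), ua.group('ver')))
    return hits


# Class names taken from the alert; a name-based indicator only, so it is
# defeated by a rebuilt JAR with renamed classes.
SUSPECT_CLASSES = {'Gondvv.class', 'Gondzz.class'}


def suspicious_jar_classes(jar_bytes):
    """Return the subset of SUSPECT_CLASSES present in a JAR (a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        # Compare on the file name only so a package path does not hide a match.
        names = {name.rsplit('/', 1)[-1] for name in jar.namelist()}
    return names & SUSPECT_CLASSES


def build_jar(class_names):
    """Construct an in-memory JAR with empty placeholder entries.
    Test input only; it contains no bytecode and does nothing when loaded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as jar:
        jar.writestr('META-INF/MANIFEST.MF', 'Manifest-Version: 1.0\n')
        for name in class_names:
            jar.writestr(name, b'')
    return buf.getvalue()


if __name__ == '__main__':
    for src, url, ver in java_exe_fetches(SAMPLE_LOG):
        print(f'{src} fetched {url} with Java {ver}')
    print(suspicious_jar_classes(build_jar(['Gondvv.class', 'Gondzz.class', 'Util.class'])))
```

The log check is the more durable of the two: a JRE fetching an executable directly, rather than the browser doing so, is unusual on a workstation regardless of which Java bug was used, whereas the class-name match is specific to this JAR and should be treated as one signature among several, which is how the GAV signatures listed later in the alert are layered.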

Dell SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

  • GAV: Poison.NHM (Trojan)
  • GAV: JavaDZ.A (Exploit)
  • GAV: Malformed.class.MT.1 (Exploit)