New Drive By Download exploits Latest Java Vulnerabilities (June 7, 2013)

The Dell SonicWall Threats Research team has found multiple drive-by-download attempts that leverage Java vulnerabilities and push corresponding malicious Java applets. On successful exploitation, these applets download a malicious executable that dupes the user into believing it is an antivirus product. Specifically, the malware uses two recent Java vulnerabilities, CVE-2013-0422 and CVE-2013-2423, and exploits either one of them to get onto the user’s system. Oracle has already patched both vulnerabilities; they are described below.

  • CVE-2013-0422 : By constructing a malformed applet that uses the getMBeanInstantiator method of the JmxMBeanServer class, an attacker can achieve arbitrary code execution. The MBeanInstantiator lets the attacker instantiate restricted classes, which eventually turns the applet into a trusted one.
  • CVE-2013-2423 : An attacker can create a malformed applet that uses the MethodHandles API and type confusion to switch off Java’s security mechanism. Once a MethodHandle is obtained through the findStaticSetter method, a static final field can be overwritten, causing the type confusion.

The following sequence of events leads to the drive-by download:

1. The user visits an infected web page containing malicious, obfuscated JavaScript.

2. The script tries to determine the installed Java version and whether it is vulnerable.

3. If the first conditional check matches, a malicious applet exploiting CVE-2013-0422 is downloaded. The excerpts from the decompiled Java class files show the vulnerable method, getMBeanInstantiator, provided by the class JmxMBeanServer.

In the first excerpt, the “ctrpq” function de-obfuscates a string into getMBeanInstantiator, the vulnerable method.

In the second, the same “ctrpq” function resolves the class com.sun.jmx.mbeanserver.JmxMBeanServer, which provides that method.

4. If the second conditional check matches, a malicious applet exploiting CVE-2013-2423 is downloaded. The decompiled Java instructions use the vulnerable MethodHandles API, whose name is again obfuscated.

Here the “eklaqkjz” function resolves the string java.lang.invoke.MethodHandles.

5. After the exploit runs successfully, a malicious executable is downloaded and executed.
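As an added example (not SonicWall's signature logic and not code from the original post), the following Python script shows the kind of static triage a defender can run on an applet's class files: it walks the constant pool of a .class file, lists every Utf8 entry, and flags plaintext references to the JMX internals and MethodHandles API named above. The watch-list, the build_sample_class helper and the sample class files are constructed for this example. The applets analysed in the post decode these names at runtime, so a clean constant pool is not proof of safety; the check is a first-pass filter to use alongside network signatures.

```python
import struct

# Constructed watch-list of the class and member names the two exploits resolve
# (names taken from the analysis above; the mapping itself is this example's).
SUSPICIOUS = {
    "com/sun/jmx/mbeanserver/JmxMBeanServer": "CVE-2013-0422 (JmxMBeanServer)",
    "com.sun.jmx.mbeanserver.JmxMBeanServer": "CVE-2013-0422 (JmxMBeanServer)",
    "getMBeanInstantiator": "CVE-2013-0422 (getMBeanInstantiator)",
    "java/lang/invoke/MethodHandles": "CVE-2013-2423 (MethodHandles)",
    "java.lang.invoke.MethodHandles": "CVE-2013-2423 (MethodHandles)",
    "findStaticSetter": "CVE-2013-2423 (findStaticSetter)",
}

# Payload sizes of the fixed-width constant-pool tags (JVM spec section 4.4);
# tag 1 (CONSTANT_Utf8) is variable-length and handled separately.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def constant_pool_strings(data: bytes) -> list:
    """Return every CONSTANT_Utf8 entry of a class file, in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file (bad magic)")
    count, = struct.unpack_from(">H", data, 8)   # constant_pool_count
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:
            length, = struct.unpack_from(">H", data, pos)
            pos += 2
            out.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1   # Long and Double occupy two slots
    return out


def flag_class(data: bytes) -> list:
    """Return (string, reason) pairs for watch-listed names found in the pool."""
    hits = []
    for s in constant_pool_strings(data):
        for needle, why in SUSPICIOUS.items():
            if needle in s:
                hits.append((s, why))
    return hits


def build_sample_class(strings) -> bytes:
    """Construct a minimal class file whose pool holds the given Utf8 strings.
    Constructed test input: it parses correctly but is not meant to be loadable."""
    pool = b""
    for s in strings:
        enc = s.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(enc)) + enc
    class_index = len(strings) + 1
    pool += b"\x07" + struct.pack(">H", 1)      # CONSTANT_Class -> Utf8 entry #1
    pool += b"\x05" + struct.pack(">Q", 0)      # CONSTANT_Long (takes two slots)
    count = len(strings) + 4                    # entries + 1, Long counted twice
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, count)
    trailer = struct.pack(">HHH", 0x0021, class_index, class_index)  # flags, this, super
    trailer += struct.pack(">HHHH", 0, 0, 0, 0)  # no interfaces, fields, methods, attrs
    return header + pool + trailer


if __name__ == "__main__":
    sample = build_sample_class(["com/sun/jmx/mbeanserver/JmxMBeanServer",
                                 "getMBeanInstantiator", "java/lang/Object"])
    for text, reason in flag_class(sample):
        print(f"{reason}: {text}")
```

Run it against a real applet by reading each .class file out of the downloaded JAR with the zipfile module and passing the bytes to flag_class; the parser raises on anything that is not a well-formed constant pool, which is itself worth noting, since both IPS signatures below fire on malformed class files.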

The threat team has added the following signatures to stop these attacks:

  • IPS: 9925 “Malformed Java Class File 2” covers CVE-2013-0422
  • IPS: 9926 “Malformed Java Class File 3” covers CVE-2013-2423
  • GAV: Kryptik.BCHO