Oracle Java CVE-2013-2465 attacks spotted in the wild (Nov 1, 2013)

The Dell SonicWALL threat team has observed live malware exploiting CVE-2013-2465 in the wild. CVE-2013-2465 is an incorrect image channel verification flaw in the 2D component of the Java Runtime Environment (JRE) in Oracle Java SE. The vulnerable versions are Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, as well as OpenJDK 7. By exploiting the issue, an attacker can inject and execute arbitrary code remotely.
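As a defender-side check added here (it is not part of the SonicWALL advisory), the following Python script classifies the first line of `java -version` output against the affected versions listed above. The banner samples are constructed, and the handling of the legacy `1.x.y_NN` version format and of OpenJDK naming itself on the second banner line are assumptions about how those releases print their version.

```python
import re

# Affected ranges exactly as the advisory states them: Oracle Java SE 7 Update 21
# and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and OpenJDK 7
# (no update threshold is given for OpenJDK 7, so every OpenJDK 7 build is flagged).
MAX_AFFECTED_UPDATE = {7: 21, 6: 45, 5: 45}

# First line of `java -version 2>&1` (it prints to stderr), e.g. java version "1.7.0_21"
VERSION_LINE_RE = re.compile(r'^\s*(?:java|openjdk) version "([^"]+)"', re.I | re.M)

def parse_version(version_string):
    """Turn 1.7.0_21, 1.6.0_45-b06 or 9.0.1 into (family, update).
    Legacy releases carry a leading '1.'; a missing _NN suffix means Update 0."""
    m = re.match(r'^(?:1\.)?(\d+)(?:\.\d+)*(?:_(\d+))?', version_string)
    if not m:
        raise ValueError("unrecognised Java version string: %r" % version_string)
    return int(m.group(1)), int(m.group(2) or 0)

def is_affected(banner):
    """Classify a `java -version` banner against CVE-2013-2465's affected versions.
    Returns (affected, reason); raises ValueError if no version line is present."""
    m = VERSION_LINE_RE.search(banner)
    if not m:
        raise ValueError("no Java version line found in banner")
    family, update = parse_version(m.group(1))
    # Assumption: OpenJDK 7 names itself on the second banner line ("OpenJDK Runtime Environment").
    if re.search(r'openjdk', banner, re.I):
        if family == 7:
            return True, "OpenJDK 7 is listed as affected"
        return False, "OpenJDK %d is not listed in the advisory" % family
    limit = MAX_AFFECTED_UPDATE.get(family)
    if limit is None:
        return False, "Java SE %d is not listed in the advisory" % family
    if update <= limit:
        return True, "Java SE %d Update %d is within the affected range (<= %d)" % (family, update, limit)
    return False, "Java SE %d Update %d is newer than the last affected Update %d" % (family, update, limit)

# Constructed sample banners (not captured from real hosts) for a quick self-check.
SAMPLE_BANNERS = {
    "oracle_7u21": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment\n',
    "oracle_7u25": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment\n',
    "oracle_6u45": 'java version "1.6.0_45"\nJava(TM) SE Runtime Environment\n',
    "openjdk_7": 'java version "1.7.0_25"\nOpenJDK Runtime Environment\n',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        affected, reason = is_affected(banner)
        print("%-12s %s  (%s)" % (name, "AFFECTED" if affected else "not listed", reason))
```

Run it against `java -version 2>&1` on each host in an inventory; any "AFFECTED" result means the installed JRE falls inside the ranges the advisory names.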

After exploiting this vulnerability, the observed malware carries out the following steps:

a. Create an “mspaints.exe” file with the following code:

b. Execute mspaints.exe

c. mspaints.exe copies itself into the system directory and deletes the first copy

d. Connects to a malicious webpage:

Dell SonicWALL has created the following IPS signatures to prevent attacks targeting this vulnerability:

  • 4539 Malformed Java Class File 8
  • 4547 Malformed Java Class File 9
  • 4662 Malformed Java Class File 11