Wilders Security Forums
#101
September 1st, 2012, 10:05 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,139
Re: Attackers Pounce on Zero-Day Java Exploit

As cited in this article, ESET's Virus signature database updates detect the Java exploit
#102
September 1st, 2012, 10:58 PM
FanJ
Updates Team
Join Date: Feb 2002
Posts: 1,804
Re: Attackers Pounce on Zero-Day Java Exploit

Blog by Dutch security company Fox-IT from a few days ago:
"Observations on the recent Java 0-day exploits in the wild"
http://blog.fox-it.com/2012/08/30/ob...s-in-the-wild/

May I quote just one interesting part, because it links to Dorifel:

Quote:
The executables that were dropped by the exploit code consisted of a new sample of the Hermes Trojan, and various versions of ZeuS including Citadel, Ice-IX, Gameover-ZeuS and other customized versions. Analysis of the Hermes sample, as well as the command and control servers that it was configured to connect to, has shown that the perpetrator of this attack was previously responsible for the large scale infections by Dorifel using a Citadel botnet, as described previously on our blog.

Last edited by FanJ : September 1st, 2012 at 11:08 PM.
#103
September 2nd, 2012, 08:43 AM
mick92z
Frequent Poster
Join Date: Apr 2007
Location: In the box
Posts: 353
Re: Attackers Pounce on Zero-Day Java Exploit

I have Java on my computers. I have no idea how much, or if it's used at all. There are other users that constantly play games/videos; that's why I keep it. I guess Sandboxie would protect me anyway, however I have removed it, and will see if I actually need it at all.
#104
September 2nd, 2012, 09:19 AM
iammike
Regular Poster
Join Date: Jun 2012
Location: SE Asia
Posts: 139
Re: Attackers Pounce on Zero-Day Java Exploit

I am the same. I have been installing Java on every computer since it was still called Microsoft Java Virtual Machine and I always thought it was necessary, but just since a couple of days ago (discovering the first Zero Day Exploit) I have uninstalled Java and I am surprised to have learned that not that many websites (in my case, that is) use Java. My personal guess is that the problem will be a lot greater when a Zero Day exploit is found in Flash. But then again, Java and Flash are the first things people install on their PC.

Last edited by iammike : September 2nd, 2012 at 09:24 AM. Reason: Spelling
#105
September 2nd, 2012, 12:43 PM
noone_particular
Very Frequent Poster
Join Date: Aug 2008
Posts: 1,876
Re: Attackers Pounce on Zero-Day Java Exploit

For users of Firefox, SeaMonkey, PaleMoon, and other Mozilla browsers, the PrefBar extension provides an easy way to enable Java, Flash, JavaScript, and other options. This is one of the simplest ways to mitigate the risk from vulnerable plugins like Java. You can leave Java, Flash, etc. disabled by default and allow them only when needed on sites that you trust.

[attachment: prefbar.gif]
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
#106
September 2nd, 2012, 09:43 PM
CloneRanger
Massive Poster
Join Date: Jan 2006
Location: Home usually
Posts: 3,854
Re: Attackers Pounce on Zero-Day Java Exploit

Java Exploit info

Quote:
What a Busy Week!

In the Windows case, it overwrites a file in the Windows/system32 directory where all the components of Windows are kept. And this is the portable media serial number service that gets overwritten. It's an awkwardly named file, mspmsnsv.dll, that gets replaced. And at the moment what it does is it downloads and installs the Poison Ivy RAT. RAT is an acronym for Remote Access Trojan. So that's what people are being afflicted by who click on links in their browsers who have Java enabled and running.

https://www.grc.com/sn/sn-367.htm

So as usual, those of us with AntiExe etc. software, and/or default-deny policies, have nothing to fear.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
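The Security Now excerpt above describes the exploit replacing a system component (mspmsnsv.dll in System32) with a downloader. One defensive check that catches exactly that class of change is a file-integrity baseline: hash the system directory while it is known-good, store the hashes somewhere the machine cannot tamper with, and compare later. The script below is an added example, not code from the thread or from the quoted podcast; the directory layout, file names and file contents are constructed stand-ins for the demo (real use would baseline %SystemRoot%\System32 and keep the baseline on read-only media).

```python
"""
Added example: minimal file-integrity baseline that flags an overwritten
system file. Everything under demo() is constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth baselining in a system directory (assumption for the demo).
PATTERNS = ("*.dll", "*.exe", "*.sys")


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, patterns=PATTERNS) -> dict:
    """Record SHA-256 and size for every matching file under root, keyed by
    a forward-slash relative path so the baseline is portable across OSes."""
    baseline = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                rel = p.relative_to(root).as_posix()
                baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def compare_baseline(root: Path, baseline: dict, patterns=PATTERNS) -> dict:
    """Return sorted lists of modified, added and removed relative paths
    versus a previously stored baseline. A size match alone is not trusted;
    only the hash decides whether a file counts as modified."""
    current = build_baseline(root, patterns)
    modified = sorted(
        k for k in baseline
        if k in current and current[k]["sha256"] != baseline[k]["sha256"]
    )
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Simulate the overwrite scenario in a temporary directory.

    The 'System32' folder and its contents are constructed stand-ins; the
    bytes are not real PE files. The baseline is round-tripped through JSON
    the way a real tool would persist it before the change happens.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "System32"
        sys32.mkdir()
        (sys32 / "mspmsnsv.dll").write_bytes(b"MZ constructed: original service DLL")
        (sys32 / "kernel32.dll").write_bytes(b"MZ constructed: kernel32")
        baseline = json.loads(json.dumps(build_baseline(root)))

        # Constructed change: the legitimate DLL is replaced and a new
        # executable appears, mirroring the behaviour described in the post.
        (sys32 / "mspmsnsv.dll").write_bytes(b"MZ constructed: replacement content")
        (sys32 / "dropped.exe").write_bytes(b"MZ constructed: new executable")
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports mspmsnsv.dll as modified and dropped.exe as added while kernel32.dll stays silent. The value of the technique lies entirely in where the baseline is stored and when it was taken: a baseline captured after infection, or one the malware can rewrite, proves nothing.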
#107
September 2nd, 2012, 11:34 PM
wat0114
Frequent Poster
Join Date: Aug 2012
Location: Canada
Posts: 731
Re: Attackers Pounce on Zero-Day Java Exploit

Java 0day analysis (CVE-2012-4681)

Quote:
Basically the exploit is creating a java.security.AccessControlContext instance with a java.security.ProtectionDomain that has full permissions and then replaces the actual AccessControlContext of a java.beans.Statement instance to be able to execute code with full privileges.

Quote:
Putting all together
So this exploit is performing the following steps:
  • Creates a Statement instance that will call System.setSecurityManager(null) method using reflection.
  • Creates a custom AccessControlContext with full permissions.
  • With one bug it gets a reference to the sun.awt.SunToolkit class that is restricted to applets.
  • With the other bug it invokes the getField public static method on sun.awt.SunToolkit using reflection with a trusted immediate caller that bypasses the security checks.
  • With the getField method it is getting a reference to Statement.acc private field and setting its value to the custom AccessControlContext instance previously created.
  • Finally it executes the Statement that will disable the Security Manager bypassing all security checks because it has full permissions set in its AccessControlContext.


-http://immunityproducts.blogspot.ca/2012/08/java-0day-analysis-cve-2012-4681.html-

I don't understand most of the technicalities, but in short: the exploit is able to execute with full permissions!
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter

Last edited by wat0114 : September 3rd, 2012 at 12:23 AM.
#108
September 3rd, 2012, 08:40 AM
lotuseclat79
Very Frequent Poster
Join Date: Jun 2005
Posts: 1,915
Re: Attackers Pounce on Zero-Day Java Exploit

Critical bug in newest Java gives attackers complete control of PCs.

Quote:
Discovery is the latest black eye for the security of the widely used Java.

Note: Article contains a nice JavaScript Interpreter/Java Plugin to/from Java Applet interaction diagram.

-- Tom
#109
September 3rd, 2012, 09:00 AM
Longboard
Massive Poster
Join Date: Oct 2004
Location: Sydney, Australia
Posts: 3,097
Re: Attackers Pounce on Zero-Day Java Exploit

From The Reg:
Sounds lovely..
http://www.theregister.co.uk/2012/09/03/java_cleanup/
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres
#110
September 3rd, 2012, 02:59 PM
Dundertaker
Frequent Poster
Join Date: Oct 2009
Location: Land of the Mer Lion
Posts: 365
Re: Attackers Pounce on Zero-Day Java Exploit

In addition to disabling Java in browsers, are there any firewall settings that can be set for additional protection..?
#111
September 3rd, 2012, 03:10 PM
wat0114
Frequent Poster
Join Date: Aug 2012
Location: Canada
Posts: 731
Re: Attackers Pounce on Zero-Day Java Exploit

Quote:
Originally Posted by Dundertaker
In addition to disabling Java in browsers, are there any firewall settings that can be set for additional protection..?

If you are using an application outbound control firewall, the trojan should not be able to download other malicious payloads. See Rmus' post #37 this thread:

-http://www.wilderssecurity.com/showpost.php?p=2107470&postcount=37-
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#112
September 3rd, 2012, 03:55 PM
Rmus
Exploit Analyst
Join Date: Mar 2005
Posts: 3,624
Re: Attackers Pounce on Zero-Day Java Exploit

Quote:
Originally Posted by Dundertaker
In addition to disabling Java in browsers, are there any firewall settings that can be set for additional protection..?
With Java disabled, then the Java exploit code cannot execute, and the firewall would not come into the picture.

Now, if Java is enabled, one possibility for the firewall to protect is if the exploit uses the Java engine to connect out.
If the user doesn't have the java.exe application whitelisted in the firewall list, then the firewall will alert:

[screenshot: java_ff_1.jpg]

NOTE: This site hosts the Blackhole Exploit Kit which has an "updated" version of the exploit which does run against my Java v. 6

If I deny the outbound connection, then an error message appears:

[screenshot: java_ff_2a.jpg]

So, the Java exploit fails to run.

But the user may not be out of danger just yet! The Blackhole Exploit Kit will serve up another exploit if the Java exploit fails.

The post that wat0114 links to shows the scenario on a site that hosted the Blackhole Kit, where the Zero-Day Java Exploit code did not execute against Java 6 on my computer (the plugin was enabled).

Then, the exploit code on the site served up another exploit, the one that targets the Microsoft Help Center.

That application (helphost.exe) attempting to connect out causes the firewall to alert (that application is not authorized by me -- non-whitelisted).

For testing, I permitted the connection out to snag the executable payload.

regards,

-rich

Last edited by Rmus : September 3rd, 2012 at 04:24 PM.
#113
September 7th, 2012, 06:43 AM
lotuseclat79
Very Frequent Poster
Join Date: Jun 2005
Posts: 1,915
Re: Attackers Pounce on Zero-Day Java Exploit

Java Still Not Safe, Security Experts Say.

Quote:
Oracle needs to fix holes faster, say some security experts. Leave Java disabled for now, because Oracle's emergency patch is insufficient.

-- Tom
#114
September 8th, 2012, 08:05 AM
chronomatic
Very Frequent Poster
Join Date: Apr 2009
Posts: 1,324
Re: Attackers Pounce on Zero-Day Java Exploit

Quote:
Originally Posted by Longboard

LOL @ that guy going through all those steps. The best solution is to nuke the hard drive and reinstall fresh (after backing up of course). This should be the one and only step you take when faced with a rootkit.
#115
September 25th, 2012, 03:44 PM
sandals
Infrequent Poster
Join Date: Sep 2012
Location: USA
Posts: 1
Re: Attackers Pounce on Zero-Day Java Exploit

Does anyone know if ESET protects against this exploit? Or, is this the same threat that Microsoft issued an update for at http://support.microsoft.com/kb/2736233? Any information appreciated!
#116
September 25th, 2012, 10:06 PM
SweX
Massive Poster
Join Date: Apr 2007
Location: Sweden
Posts: 3,651
Re: Attackers Pounce on Zero-Day Java Exploit

Quote:
Originally Posted by sandals
Does anyone know if ESET protects against this exploit?
Yes it does
__________________
OpenDNS ESET Smart Security
-A Heavy product is not the same as a Bloated product and vice versa-
#117
September 27th, 2012, 01:22 AM
boombastik
Regular Poster
Join Date: Oct 2010
Location: Greece
Posts: 116
Re: Attackers Pounce on Zero-Day Java Exploit

If we have Java installed on our computer and we disable it in our browser (for example Mozilla), are we safe?
__________________
Spywareblaster + Open Dns
Avast free 7 + Mbam pro (both password protected)
Firefox (Wot+Addblock+betterprivacy+no script)
Windows 7 firewall + D Link 2640b E1(SPI+NAT+AntiDos)
Windows 7 system image backup
On demand: Hitman pro + Emsisoft Kit + VWmare Player
#118
September 27th, 2012, 03:12 AM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,486
Re: Attackers Pounce on Zero-Day Java Exploit

Yes. You are safe if you disable the plugin.
__________________
#119
September 27th, 2012, 03:31 AM
PJC
Very Frequent Poster
Join Date: Feb 2010
Location: Internet
Posts: 2,962
Re: Attackers Pounce on Zero-Day Java Exploit

This JAVA= Just Another Vulnerability Added...
Where is it going to stop?
Unfortunately, many sites and Apps require this necessary "evil"...
#120
September 27th, 2012, 05:20 AM
CyberMan969
Frequent Poster
Join Date: Apr 2011
Posts: 529
Re: Attackers Pounce on Zero-Day Java Exploit

Quote:
Originally Posted by Mr.PC
This JAVA= Just Another Vulnerability Added...
Where is it going to stop?
Unfortunately, many sites and Apps require this necessary "evil"...

Damn right... Java (and Adobe Flash) should be simply called ...SecurityHoleware! Thank god for Sandboxie/Shadow Defender keeping the real system safe from such crap, even when antiexecution is not present or active for some reason.
__________________
I want to boldly go where no one has gone before. They just won't let me.