CSIS study lists the major programs and vulnerabilities targeted by web exploit kits

Discussion in 'other security issues & news' started by MrBrian, Oct 4, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My first question had to do with the fact that you mentioned you also disabled the JDT plugin in Firefox. I don't know why, but I always thought that any browser would disable both plugins at once.

    Chromium/Google Chrome will disable both plugins if the user disables the Java "plugin". Only if the user switches to Developer mode will he/she be able to individually disable/enable the plugins.

    Judging by what Rmus also mentioned, it seems when disabling Java in IE, "you're" only actually disabling Java plugin, but not JDT plugin.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    In Firefox one has to disable each Java plugin separately.
     
  3. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Some interesting points raised in the discussion.

    I just did my own testing to see how other browsers behave with Java plugins enabled/disabled when facing an exploit kit.

    I used an older version of Java (JRE 6 update 21) just to make sure the Exploit Kit would seek to exploit Java, and tested against a Blackhole Exploit Kit.

    For the purposes of the test, I assumed that if Java was asked to run, then it could be exploited (if vulnerable). I didn't actually allow Java to execute, testing under Sandboxie with only whitelisted applications allowed to run.

    Browsers tested:
    Mozilla Firefox 6.0
    Internet Explorer 9
    Opera 11.51

    Plugins:
    Microsoft Office 2010 14.0.4761.1000 (IE/Firefox/Opera)
    Adobe Shockwave 11.0.1.152 (Firefox/Opera only)
    VLC 1.1.11.0 (Firefox/Opera)
    Java Deployment Toolkit 6.0.210.6 [used to develop Java applets]
    Java Platform SE 6 U21 (6.0.201.6) [used to run Java applets]

    Overall result: Disabling both Java plugins in Firefox/Opera was enough to prevent Java exploits being successful. In IE9, disabling or removing the Java Platform SE BHO did not prevent Java exploits, and non-Java exploits were successful as well.

    Further testing: I will try again later with an older version of the JDK, as the version I used might not have been vulnerable or targeted by the exploit kits.


    Firefox
    With all Java plugins disabled
    When accessed with all plugins disabled, or all non-Java plugins enabled, no malicious files were downloaded. No Java exploits were attempted:
    nojava.png

    With Java Deployment Toolkit enabled, but Java Platform SE disabled
    The exploit kit clearly detected the presence of Java, since JDK includes the Java VM. A series of Java applets appeared, but Java itself didn't execute and no malicious files were downloaded or executed.
    JDKonly.png

    With Java Platform SE enabled
    When JRE was enabled, Java exploits were attempted. It made no difference if JDK or other plugins were enabled or not. The browser either froze or crashed each time, and jp2launcher.exe was launched (in this case I restricted it from running). This occurred on every run; the exploit kit continued to attempt to exploit Java.
    JREonly.png


    Internet Explorer 9
    Internet Explorer was more interesting - the exploit kit was 'successful' with both Java and non-Java exploits. The test machine (Windows 7 SP1) hadn't had the latest Office service pack, but was otherwise completely up to date. I ran IE9 on default with Recommended Security Settings, and all plugins disabled. As pointed out by Rmus, there was no option for a standard user to disable the Java Development Kit, just the Java Platform SE plugin.

    First run - Java Platform disabled
    Despite disabling the Java plugin, jp2launcher.exe was launched by the exploit kit; in this case I did not allow it to execute. No malicious files were downloaded at this stage.
    iexplorenojavaplugin.png

    Second run - same setup
    I returned to the page after the first run without changing anything, but this time non-Java exploits were successfully attempted. I'm not sure what was exploited. Multiple files were downloaded and executed, so possibly multiple exploits were successful.

    Malwarebytes Anti-Malware Pro warned against two different DLLs being asked to be executed (identified as 'Fake Alerts'):
    16:47:07 xxxx DETECTION C:\Sandbox\xxxx\user\current\AppData\Local\Temp\wpbt0.dll Trojan.FakeAlert QUARANTINE
    16:47:20 xxxx DETECTION C:\Sandbox\xxxx\user\current\AppData\Local\Temp\wpbt1.dll Trojan.FakeMS ALLOW


    I selected ALLOW for wpbt1.dll, but of course Sandboxie prevented it running as it was not whitelisted:
    iexplorernojavasecondrunb.png

    ~Jotti or Virus Total results removed per Policy~


    Third run - Java installed, but Java BHO removed
    This time I wiped the sandbox, reinstalled Java, then removed the Java SE plugin using HijackThis. Once again, as long as the JDK was present then the Java exploit could run and the result was the same as the first run (again blocked due to Sandboxie whitelist):
    iexplorenojavaplugin.png

    Fourth run - Java not installed
    As a final check, I ran the exploit kit without Java installed at all, and the same files as the second run were downloaded and attempted to execute. Afterwards I updated Microsoft Office to the latest service pack, but when I restarted the machine, I could not access the exploit kit.


    Opera
    Opera performed much the same as Firefox.

    With both Java plugins disabled
    Regardless of whether other plugins were enabled/disabled, having both Java plugins disabled led to no Java exploits being made. No malicious files were downloaded.

    With only JDK enabled
    Much the same as with Firefox, the exploit kit detected Java and sent out the applets, but Java was not asked to execute and no malicious files downloaded.

    With JRE enabled
    Again this was the only way to get jp2launcher.exe to be asked to launch, and presumably would allow a Java exploit to be made.
     
    Last edited by a moderator: Oct 9, 2011
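As an added example (not code from the post, from Malwarebytes or from Sandboxie), a small Python parser for detection lines in the format quoted above: it pulls the path, threat name and action out of each line, recognises a Sandboxie-contained path, and reports which ALLOWed detections actually reached the host rather than a sandbox. The Sandboxie path layout and the `summarize` fields are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two Malwarebytes lines quoted in the post above
# (the poster redacted the user name and Sandboxie box name as "xxxx").
SAMPLE_LOG = (
    r"16:47:07 xxxx DETECTION C:\Sandbox\xxxx\user\current\AppData\Local\Temp\wpbt0.dll Trojan.FakeAlert QUARANTINE" "\n"
    r"16:47:20 xxxx DETECTION C:\Sandbox\xxxx\user\current\AppData\Local\Temp\wpbt1.dll Trojan.FakeMS ALLOW" "\n"
)

# Fields: <time> <user> DETECTION <path> <threat> <action>; the path is matched lazily so the last two tokens are threat and action.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<user>\S+)\s+DETECTION\s+"
    r"(?P<path>.+?)\s+(?P<threat>\S+)\s+(?P<action>QUARANTINE|ALLOW)$"
)
# Assumed (not from the post) Sandboxie layout: the sandboxed profile copy sits under <drive>:\Sandbox\<box>\user\current\
SANDBOX_RE = re.compile(r"^[A-Za-z]:\\Sandbox\\(?P<box>.+?)\\user\\current\\", re.I)

@dataclass
class Detection:
    time: str
    path: str
    threat: str
    action: str
    sandbox: Optional[str]  # box name if the file was written inside a Sandboxie box
    profile_relative: str   # path relative to the (real or sandboxed) user profile

def parse_line(line: str) -> Optional[Detection]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"]
    sb = SANDBOX_RE.match(path)
    rel = path[sb.end():] if sb else path
    return Detection(m["time"], path, m["threat"], m["action"], sb["box"] if sb else None, rel)

def parse_log(text: str) -> List[Detection]:
    return [d for d in (parse_line(line) for line in text.splitlines()) if d]

def uncontained(dets: List[Detection]) -> List[Detection]:
    """ALLOWed detections outside any sandbox: the only ones that actually reached the host."""
    return [d for d in dets if d.action == "ALLOW" and d.sandbox is None]

def summarize(text: str) -> dict:
    dets = parse_log(text)
    return {"allowed": sum(d.action == "ALLOW" for d in dets),
            "quarantined": sum(d.action == "QUARANTINE" for d in dets),
            "reached_host": len(uncontained(dets)),
            "boxes": sorted({d.sandbox for d in dets if d.sandbox})}
```

On the two quoted lines the allowed wpbt1.dll is reported as contained, because its path is inside the box; the same line with a real profile path would be flagged as having reached the host.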
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    RJK3, thanks for your test.

    From what I gather, and from what I started to realize after what Rmus had shown us, there's no bloody way to completely disable Java from IE?

    Considering that Java must run, at least, with medium rights (that means outside of IE's Protected Mode and Chrome's sandbox), then it would be safer for users (I'm generally speaking, so please everyone don't give me a hard time. lol) to use a browser that allows them to completely disable Java, such as Google Chrome (or some other Chromium based browser), Firefox and Opera.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you for the tests RJK3 :). I had "success" with v6 Update 12 x86.

    Also, I'm not sure that jp2launcher.exe running is in itself indicative of compromise.

    Java runs fine with low integrity in low integrity Firefox, with the exception that signed Java applets that need to access local resources will not work by default.
     
    Last edited: Oct 9, 2011
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Are you sure?

    The last time I tried with Chromium/Chrome, it wouldn't even start. :argh:

    I'll have to retest it and see what happens.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I remember that was the link I tested back then. It was kind of disappointing, because it made me create a different browser profile just for Java.

    I retested and it does work, though. And, as you said, digitally signed applets won't run.

    Well, I suppose I can ditch the profile I had just for Java now.
     
  10. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Thanks for the feedback m00nbl00d & MrBrian.

    I agree, but my intention was just to test the behaviour of the browsers with Java in different configurations, rather than whether in this one case it would lead to a successful exploit. I figured that if Java ran at all with the plugins disabled, then there's room for an exploit.

    I wasn't particularly intending or expecting IE9 to be exploited by non-Java exploits.

    If anyone was curious, the MD5 for the two unique files downloaded:
    wpbt0.dll
    MD5: 73c452d5c58715fa743513f270320537
    wpbt1.dll
    MD5: 431e39dbc1548f559c6411bace558aff
     
  11. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
  12. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    The other thing to consider is that I'm admittedly inexperienced with IE ;)

    Just had it pointed out that in IE9 in the 'manage add-ons' section, the default view unhelpfully doesn't actually list all the plugins despite being called 'currently loaded add-ons'. For this reason when attempting to disable Java I'd missed three hidden Java components, including the JDK (identified through the CLSID).

    I'll retest with IE when time permits.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I want to try to install Java outside of program files. I think if I can install it to a Low Integrity area and then set a few other folders (like my Temp) to LowIL I can probably get Java running at LowIL.
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I thought Java didn't run at LowIL? Wasn't there a discussion about that before? I think m00n tried and Java cried quite a lot.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I also had the CERT article under consideration. I'd expect they knew we can completely disable Java in IE. o_O

    Like you, I'm not an IE user, and therefore I took the article for granted. You simply weren't aware that you had to choose to show all add-ons. But that's not to blame on you. IE should display all currently loaded add-ons by default, IMHO.

    I did test IE9 with Java, and nothing Java-related loads.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, I did test it a few months back. It didn't run, at all. I don't know what changed... :doubt:

    I'm starting to wonder if it also had to do with the --safe-plugins switch? Maybe the combination low IL + safe-plugins crippled it? I could swear that I tried both individually, though. I know I tested Silverlight that way, and Silverlight wouldn't work with both low IL and safe-plugins. I'm not really sure if I tested Java with separate "settings".

    --safe-plugins isn't supported anymore. At least, I don't think it has been re-enabled. Maybe that's why it worked this time.

    But, Java did not load for digitally signed applets. I tried with Secunia's online scanner, and it didn't work.

    I'm not sure if there's anything one can do about it?
     
  17. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Maybe they improved it with Java 7?
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I don't know about that, but I'm still on 6 (update 27). :oops:
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Why not uninstall and update? I haven't personally witnessed anything that doesn't run on 7. (albeit in my limited tests)
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Apparently, there's some issue with my IE9. Java won't work for some reason.

    I'll have to reinstall it (Java) and see if it's working.

    So, you should test IE9 to see if it still loads or not. :D
     
  21. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Well I just tried the exploit kit again under IE9 with all the Java add-ons disabled.

    Not only did it try to exploit Java again, but twice it added new Java entries and enabled them without asking.

    You can see the screenshots here:
    https://www.wilderssecurity.com/showpost.php?p=1953213&postcount=97

    Even with all Java components completely disabled under the add-ons, the exploit kit still attempts to exploit Java.
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Try with Chrome. I know Java can't run without permission. What happens if you deny permission in Chrome with Java?
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Java won't run without permission in IE9 either. IE9 alerted me when I ran the Java test.

    I finally made Java work with IE9. There's still an error, but the applet loads, though only after I allowed it.

    But, if an exploit could make it load on its own... that's another talk.

    -edit-

    WTF?!!

    I just disabled Deployment Toolkit and the other plugins related to Java, and the Java applet in Java's website still loaded? lol I got a mixed message saying that Java couldn't be found on my system, but the applet loaded?
     
    Last edited: Oct 9, 2011
  24. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    With the old Java version (6, update 21), Chrome said something like "disabled as out of date", with the option to "Run this time". When I did and left it awhile, no malicious files were downloaded or executed, which is interesting. If I deny permission (block all plugins), it just sits there doing nothing when I load the exploit kit.

    I updated Java, and Chrome asked permission to start Java when accessing the exploit kit. Again no malicious files were downloaded or executed when I allowed it.

    As a comparison, when I allowed the old Java to run from Firefox, two Sinowal files attempted to execute. No files were executed though with the current version of Java when enabled/allowed.
     
    Last edited: Oct 9, 2011
  25. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Right, let's just keep it to this one thread. This is my situation before I ran the exploit; the mess of plugins it installs doesn't make sense, but oh well.

    addons.png

    As you can see all the plugins were already showing so I disabled them all. If I try to load the Java test site, it loads... If I try to log onto the exploit site, it gets stuck on loading then the browser freezes, nothing executes so it failed.

    But that's beside the point: I can't understand why it still loads with the plugins disabled. If you disable Flash, it's gone, dead. If you disable Silverlight, it's gone, dead. If you disable the Office/Media Player plugins, they are dead.

    So what's Java doing that's so special? Currently the only way to kill it is to use ActiveX filtering.

    I'm looking through the IE security settings and advanced settings and see a few mentions of Java, lots of mentions of "prompt me before running" or "disable". I'll try to investigate further.
     