Java Trojan in the Wild

Discussion in 'malware problems & news' started by Kernelwars, May 10, 2011.

Thread Status:
Not open for further replies.
  1. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Java Trojan in the Wild
    Here
     
  2. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Thanks!
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Beginning last year, Java exploits have been seen in almost all of the exploit kits that appear in the malware domain lists. I found this recently:

    ie8_javaExpl.jpg

    See:

    Java: A Gift to Exploit Pack Makers
    http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
    Microsoft Sees Huge Increase In Java Exploit Attempts, Surpassing Adobe
    http://www.ghacks.net/2010/10/19/mi...se-in-java-exploit-attempts-surpassing-adobe/
    For those who need it, you can simply whitelist it for the particular sites:

    javaSitePref.gif

    regards,

    -rich
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Java Malware Reconsidered, or, Java Brews a Fresh Bot of Malware:
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    From the article:
    The jar (Java Archive) file does the dirty work, so for all of the sophistication of what malware launched by a Java exploit can do, the malware executable first has to get onto the computer.

    Here is a good analysis of what a jar file does in sneaking in a malware executable:

    JaZeus: when Zeus meets Java
    http://www.inreverse.net/?p=1551

    Summarizing:

    The last diagram in the inreverse.net article shows how the zeus.exe trojan emerges as the final output of this exploit:

    http://www.inreverse.net/wp-content/uploads/2010/11/recap.jpg

    ___________________________________________________________________________________

    Regarding the current exploit CVE-2010-00840, from the article MrBrian cited, here is a sample of how code can download a jar file from a malicious server to start the exploit working.

    Threat Spotlight
    For the week of 29 Sep 2011
    http://www.sophos.com/en-us/securit...otlight/threat-spotlight-archive/2011/38.aspx

    regards,

    -rich
     
    Last edited: Oct 28, 2011
  6. wat0114

    wat0114 Guest

    It seems there are at least three ways to prevent this?

    1. Don't click on the message links.

    2. Use anti-executable software/SRP/AppLocker

    3. Disable or don't use Java.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Agreed!

    But avoiding #1 is problematical in a business environment, where targeted messages contain links that appear to be legitimate, and legitimate links occur frequently in business correspondence.

    See the messages in the section "Threat 2: HP Officejet spam links to Java malware" in the above-cited sophos.com link in Post #5.

    regards,

    -rich
     
  8. wat0114

    wat0114 Guest

    True, and this is where the office spam filtering needs to be effective at filtering the fake messages in the first place, although I understand it can't catch everything. Where I work the spam filtering is extraordinarily effective.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    AppLocker/SRP do not stop Java .jar execution.
     
  10. wat0114

    wat0114 Guest

    Agreed, but what about the executable payload?

    -http://www.inreverse.net/wp-content/uploads/2010/11/recap.jpg
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Sure, if there are any executables involved.

    For a demonstration that AppLocker doesn't stop execution of Java .jar, download PortMapper-1.9.4.jar from http://sourceforge.net/projects/upnp-portmapper/files/ and double-click it in Windows Explorer. (This is assuming you have Java installed.)
     
    Last edited: Oct 29, 2011
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In the web-based exploits that I've seen, they use the java executable to connect out to a server.
    So, a firewall that monitors outbound connections will alert:

    java_kerioalert.gif

    With no connection, the page just sits there and the exploit never starts.

    If there is a connection, something in place to intercept the payload will nullify the exploit when the java executable attempts to download the trojan executable:

    java_ae-block.gif


    regards,

    -rich
     
    Last edited: Oct 29, 2011
  13. wat0114

    wat0114 Guest


    Thank you for this, MrBrian!

    Of course, as Rmus points out, the trusty firewall can intercept and put a stop to this kind of nonsense as well :) It is blocking inbound attempts in this case.
     

    Last edited by a moderator: Oct 29, 2011
  14. wat0114

    wat0114 Guest

    In fact, because I restrict common java processes to only remote TCP ports 80 & 443, as well as UDP DNS servers, javaw.exe is even blocked on the outbound attempts because it's trying on port 1900 (UPnP) ;)
     

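    The outbound-connection control that Rmus (Post #12) and wat0114 (Post #14) describe, written out as a small policy check rather than a firewall screenshot. This is an added example, not code from the thread or from any product mentioned in it: it applies wat0114's rule (Java processes may reach only remote TCP 80/443 and UDP DNS) to constructed, Sysmon-style network connection records and reports every connection that rule would block, including the javaw.exe UPnP attempt on UDP 1900 from Post #14. The record format, the sample addresses, and the inclusion of java.exe alongside javaw.exe are assumptions made for the example.

```python
"""Flag Java processes connecting outside an allowed outbound port policy.

Added example (not from the forum thread). Applies the rule described in
post #14 -- Java processes may only reach remote TCP 80/443 and UDP 53 --
to constructed network-connection records and returns the violations.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Process images treated as "Java processes". Assumption for the example:
# the thread names javaw.exe; java.exe is the console launcher.
JAVA_IMAGES = {"java.exe", "javaw.exe"}

# Allowed (protocol, remote port) pairs, following post #14.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}


@dataclass(frozen=True)
class Connection:
    image: str        # full path or bare name of the process image
    protocol: str     # "tcp" or "udp"
    dest_ip: str
    dest_port: int


def parse_record(line: str) -> Connection:
    """Parse one constructed 'image, protocol, dest_ip, dest_port' record."""
    image, protocol, dest_ip, dest_port = (f.strip() for f in line.split(","))
    return Connection(image.lower(), protocol.lower(), dest_ip, int(dest_port))


def is_java_process(conn: Connection) -> bool:
    """Match on the image file name so full Windows paths also work."""
    return conn.image.rsplit("\\", 1)[-1] in JAVA_IMAGES


def violates_policy(conn: Connection) -> bool:
    """True when a Java process connects somewhere the policy does not allow."""
    return is_java_process(conn) and (conn.protocol, conn.dest_port) not in ALLOWED


def find_violations(lines: Iterable[str]) -> List[Connection]:
    """Return the connections that the outbound policy would block."""
    return [c for c in map(parse_record, lines) if violates_policy(c)]


# Constructed sample records (not real telemetry). Addresses are from
# documentation ranges; the UPnP line mirrors the port-1900 attempt in post #14.
SAMPLE = [
    r"C:\Program Files\Java\jre6\bin\javaw.exe, udp, 239.255.255.250, 1900",
    r"C:\Program Files\Java\jre6\bin\javaw.exe, tcp, 198.51.100.10, 443",
    r"C:\Program Files\Java\jre6\bin\java.exe, tcp, 198.51.100.10, 8080",
    r"C:\Program Files\Java\jre6\bin\javaw.exe, udp, 192.0.2.53, 53",
    r"C:\Windows\explorer.exe, tcp, 198.51.100.10, 1900",  # not Java, out of scope
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE):
        print(f"BLOCK {v.image} -> {v.dest_ip} {v.protocol}/{v.dest_port}")
```

    Run stand-alone it lists the two Java connections the policy rejects (UDP 1900 and TCP 8080) and stays silent on the allowed HTTPS and DNS traffic and on the non-Java process. The same check can be pointed at real connection telemetry once `parse_record` is adapted to that source's field layout.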