Java Trojan in the Wild

Discussion in 'malware problems & news' started by Kernelwars, May 10, 2011.

Thread Status:
Not open for further replies.
  1. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Java Trojan in the Wild
    Here
     
  2. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Thanks!
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Beginning last year, Java exploits have been seen in almost all of the exploit kits that appear in the malware domain lists. I found this recently:

    ie8_javaExpl.jpg

    See:

    Java: A Gift to Exploit Pack Makers
    http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
    Microsoft Sees Huge Increase In Java Exploit Attempts, Surpassing Adobe
    http://www.ghacks.net/2010/10/19/mi...se-in-java-exploit-attempts-surpassing-adobe/
    For those who need it, you can simply whitelist it for the particular sites:

    javaSitePref.gif

    regards,

    -rich
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Java Malware Reconsidered, or, Java Brews a Fresh Bot of Malware:
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From the article:
    The jar (Java Archive) file does the dirty work, so for all of the sophistication of what malware launched by a Java exploit can do, the malware executable first has to get onto the computer.

    Here is a good analysis of what a jar file does in sneaking in a malware executable:

    JaZeus: when Zeus meets Java
    http://www.inreverse.net/?p=1551

    Summarizing:

    The last diagram in the inreverse.net article shows how the zeus.exe trojan emerges as the final output of this exploit:

    http://www.inreverse.net/wp-content/uploads/2010/11/recap.jpg

    ___________________________________________________________________________________

    Regarding the current exploit CVE-2010-0840, from the article MrBrian cited, here is a sample of how code can download a jar file from a malicious server to start the exploit working.

    Threat Spotlight
    For the week of 29 Sep 2011
    http://www.sophos.com/en-us/securit...otlight/threat-spotlight-archive/2011/38.aspx

    regards,

    -rich
     
    Last edited: Oct 28, 2011
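The posts above describe the JAR as the piece that gets the trojan executable onto the machine (in the JaZeus case by downloading it; other droppers carry it inside the archive). The triage routine below is an added example, not code from any poster and not from the inreverse.net or Sophos write-ups: it opens a JAR as the ZIP it is, reads the manifest's Main-Class, looks in every entry for a Windows executable (an `MZ` header or the DOS stub text, which survives even when the payload is appended mid-file), and greps class files for the downloader API names and URLs that sit as plain UTF-8 strings in a class constant pool. The sample JAR is constructed in memory; its `Loader.class` is stand-in bytes with the class magic and a few constant-pool-style strings, not a compilable class, and the URL in it is a documentation address.

```python
"""Static triage of a JAR: entry point, embedded PE data, network/exec indicators.

Added example for this thread; not any poster's code. The JAR built by
build_sample_jar() is constructed for illustration only.
"""
import io
import re
import zipfile

PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
NET_MARKERS = (b"java/net/URL", b"java/net/Socket", b"java/net/HttpURLConnection")
EXEC_MARKERS = (b"java/lang/Runtime", b"java/lang/ProcessBuilder", b"exec")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def build_sample_jar() -> bytes:
    """Constructed sample: manifest, a fake class with downloader strings,
    a resource starting with a PE header, and one with the DOS stub mid-file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        zf.writestr("Loader.class",
                    b"\xca\xfe\xba\xbe\x00\x00\x00\x32"          # class magic + version
                    b"\x00java/net/URL\x00http://198.51.100.7/dl/update.exe"
                    b"\x00java/lang/Runtime\x00exec\x00")
        zf.writestr("res/data.bin", b"MZ\x90\x00" + b"\x00" * 120)   # PE header at offset 0
        zf.writestr("res/blob.dat", b"\x17" * 40 + b"MZ\x90\x00\x03" + DOS_STUB)  # PE after junk
        zf.writestr("res/strings.txt", b"plain text, nothing to see")
    return buf.getvalue()


def manifest_main_class(zf: zipfile.ZipFile):
    """Main-Class from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "main-class":
            return value.strip()
    return None


def class_indicators(data: bytes) -> dict:
    """Cheap string scan of a class file for networking, process execution and URLs."""
    return {
        "network": any(m in data for m in NET_MARKERS),
        "exec": any(m in data for m in EXEC_MARKERS),
        "urls": [u.decode("ascii", "replace") for u in URL_RE.findall(data)],
    }


def inspect_jar(data: bytes) -> dict:
    """Report entry point, entries that contain a PE image, and per-class indicators."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    report = {"main_class": manifest_main_class(zf), "pe_entries": [], "classes": {}}
    for info in zf.infolist():
        if info.is_dir():
            continue
        content = zf.read(info)
        if content.startswith(PE_MAGIC) or DOS_STUB in content:
            report["pe_entries"].append(info.filename)
        if info.filename.endswith(".class"):
            report["classes"][info.filename] = class_indicators(content)
    # A JAR that carries a PE, or whose classes both talk to the network and
    # spawn processes, is worth a closer look before anyone double-clicks it.
    report["suspicious"] = bool(report["pe_entries"]) or any(
        c["network"] and c["exec"] for c in report["classes"].values())
    return report


if __name__ == "__main__":
    for key, value in inspect_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

The string markers are deliberately coarse: obfuscated droppers split or encode these names, so a clean report does not clear a file, but a hit on `pe_entries` or on a downloader-plus-exec class is a strong reason to detonate the JAR in a sandbox rather than on a workstation.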
  6. wat0114

    wat0114 Guest

    It seems there are at least three ways to prevent this?

    1. Don't click on the message links.

    2. Use anti-executable software/SRP/AppLocker

    3. Disable or don't use Java.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Agreed!

    But avoiding #1 is problematical in a business environment, where targeted messages contain links that appear to be legitimate, and legitimate links occur frequently in business correspondence.

    See the messages in the section "Threat 2: HP Officejet spam links to Java malware" in the above cited sophos.com link in Post #5.

    regards,

    -rich
     
  8. wat0114

    wat0114 Guest

    True, and this is where the office spam filtering needs to be effective at filtering the fake messages in the first place, although I understand it can't catch everything. Where I work the spam filtering is extraordinarily effective.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    AppLocker/SRP do not stop Java .jar execution.
     
  10. wat0114

    wat0114 Guest

    Agreed, but what about the executable payload?

    -http://www.inreverse.net/wp-content/uploads/2010/11/recap.jpg
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Sure, if there are any executables involved.

    For a demonstration that AppLocker doesn't stop execution of Java .jar, download PortMapper-1.9.4.jar from http://sourceforge.net/projects/upnp-portmapper/files/ and double-click it in Windows Explorer. (This is assuming you have Java installed.)
     
    Last edited: Oct 29, 2011
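MrBrian's point, as an added example that is not any poster's code and not Microsoft's evaluation engine: AppLocker decides per rule collection, and each collection covers fixed extensions (on Windows 7-era AppLocker: Exe `.exe .com`; Windows Installer `.msi .msp`; Script `.ps1 .bat .cmd .vbs .js`; DLL `.dll .ocx`). A `.jar` is in none of them. Double-clicking it launches the registered handler, `javaw.exe`, and that image is what the Exe collection evaluates; under the default "Program Files" allow rule it passes, so the JAR in Downloads runs. The only AppLocker lever is a rule on the handler itself, which is the thread's option 3 (turn Java off). The two policies below are constructed to mirror a default setup (rule GUIDs made up), the jarfile handler path stands in for `HKCR\jarfile\shell\open\command` rather than being read from the registry, and user/group SIDs are ignored (everything is evaluated as Everyone).

```python
"""Model of AppLocker's decision for a .jar versus an .exe.

Added example for this thread; not any poster's code and not Microsoft's
engine. Policies, GUIDs and the jarfile handler path are constructed.
"""
import fnmatch
import os
import xml.etree.ElementTree as ET

# File types each AppLocker rule collection governs (Windows 7-era).
COLLECTIONS = {
    "Exe": {".exe", ".com"},
    "Msi": {".msi", ".msp"},
    "Script": {".ps1", ".bat", ".cmd", ".vbs", ".js"},
    "Dll": {".dll", ".ocx"},
}
# Stand-in for the HKCR\jarfile open command (constructed, not read from the registry).
FILE_HANDLERS = {".jar": r"C:\Program Files\Java\jre6\bin\javaw.exe"}
PATH_VARS = {"%PROGRAMFILES%": r"C:\Program Files", "%WINDIR%": r"C:\Windows"}

DEFAULT_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Program Files"
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Same policy plus an explicit Deny on the Java runtime folder (disables Java).
HARDENED_POLICY = DEFAULT_POLICY.replace("</RuleCollection>", r"""
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="Block Java runtime"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Java\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>""")


def collection_for(path):
    """Rule collection that governs this file type, or None if AppLocker ignores it."""
    ext = os.path.splitext(path)[1].lower()
    return next((name for name, exts in COLLECTIONS.items() if ext in exts), None)


def _matches(pattern, path):
    for var, value in PATH_VARS.items():
        pattern = pattern.replace(var, value)
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def evaluate_collection(policy_xml, collection, path):
    """Explicit Deny beats Allow; with no matching Allow the file is denied.
    A collection missing from the policy is not enforced at all."""
    root = ET.fromstring(policy_xml)
    for coll in root.findall("RuleCollection"):
        if coll.get("Type") != collection:
            continue
        if coll.get("EnforcementMode") != "Enabled":
            return "Allow (collection audit-only or disabled)"
        verdict = "Deny (no rule allows it)"
        for rule in coll.findall("FilePathRule"):
            hit = any(_matches(c.get("Path"), path) for c in rule.iter("FilePathCondition"))
            if hit and rule.get("Action") == "Deny":
                return f"Deny ({rule.get('Name')})"
            if hit and rule.get("Action") == "Allow":
                verdict = f"Allow ({rule.get('Name')})"
        return verdict
    return "Allow (collection not configured)"


def evaluate(policy_xml, path):
    """What AppLocker decides for a launch of 'path'. For a type it does not
    cover, the decision is really about the handler that will be launched."""
    coll = collection_for(path)
    if coll is not None:
        return {"file": path, "governed": coll,
                "decision": evaluate_collection(policy_xml, coll, path)}
    handler = FILE_HANDLERS.get(os.path.splitext(path)[1].lower())
    if handler is None:
        return {"file": path, "governed": None, "decision": "not an AppLocker file type, no handler"}
    return {"file": path, "governed": None, "handler": handler,
            "decision": evaluate_collection(policy_xml, collection_for(handler), handler)}


if __name__ == "__main__":
    jar = r"C:\Users\bob\Downloads\PortMapper-1.9.4.jar"
    print(evaluate(DEFAULT_POLICY, jar))    # javaw.exe is allowed, so the JAR runs
    print(evaluate(HARDENED_POLICY, jar))   # denied only because javaw.exe itself is denied
```

On a live host the same question is answered by `Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path "C:\Program Files\Java\jre6\bin\javaw.exe" -User Everyone` (the JRE path is an assumption; use the installed one), and the result applies to every JAR that handler is asked to open.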
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In the web-based exploits that I've seen, they use the java executable to connect out to a server.
    So, a firewall that monitors outbound connections will alert:

    java_kerioalert.gif

    With no connection, the page just sits there and the exploit never starts.

    If there is a connection, something in place to intercept the payload will nullify the exploit when the java executable attempts to download the trojan executable:

    java_ae-block.gif


    regards,

    -rich
     
    Last edited: Oct 29, 2011
  13. wat0114

    wat0114 Guest


    Thank you for this, MrBrian!

    Of course, as Rmus points out, the trusty firewall can intercept and put a stop to this kind of nonsense as well :) It is blocking inbound attempts in this case.
     


    Last edited by a moderator: Oct 29, 2011
  14. wat0114

    wat0114 Guest

    In fact, because I restrict common java processes to only remote TCP ports 80 & 443, as well as UDP DNS servers, javaw.exe is even blocked on the outbound attempts because it's trying on port 1900 (UPnP) ;)
     


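The egress rules wat0114 describes, and the outbound alerting Rmus relies on, as an added example that is not any poster's code and not from Kerio or any other firewall product: java.exe and javaw.exe may reach remote TCP 80 and 443 and the configured DNS resolvers on UDP 53, and anything else is blocked. Run over constructed connection events it shows the UPnP SSDP probe (UDP 1900) and a fetch from a non-standard port being refused, and also the rule's limit: a JAR or .exe served on port 80 is still let through, which is why the earlier post pairs the firewall with something that intercepts the downloaded executable. The log format, process paths, addresses and resolver list are all constructed for illustration.

```python
"""Per-process egress policy for the Java runtime, applied to constructed events.

Added example for this thread; not any poster's or firewall vendor's code.
"""
import ipaddress
import re
from collections import Counter

JAVA_IMAGES = {"java.exe", "javaw.exe"}
ALLOWED_TCP = {80, 443}
DNS_SERVERS = {"192.168.1.1", "192.168.1.2"}   # constructed resolver list

# Constructed line format: <date> <time> <image path> <TCP|UDP> <remote ip>:<port>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<image>.+?) (?P<proto>TCP|UDP) "
    r"(?P<ip>[0-9.]+):(?P<port>\d+)$")

SAMPLE_LOG = r"""
2011-10-29 10:15:01 C:\Program Files\Java\jre6\bin\javaw.exe UDP 239.255.255.250:1900
2011-10-29 10:15:02 C:\Program Files\Java\jre6\bin\javaw.exe UDP 192.168.1.1:53
2011-10-29 10:15:02 C:\Program Files\Java\jre6\bin\javaw.exe TCP 203.0.113.10:80
2011-10-29 10:15:04 C:\Program Files\Java\jre6\bin\java.exe TCP 203.0.113.10:8080
2011-10-29 10:15:05 C:\Program Files\Java\jre6\bin\java.exe UDP 8.8.8.8:53
2011-10-29 10:15:07 C:\Windows\explorer.exe TCP 203.0.113.10:8080
"""


def parse(line):
    """One event dict per well-formed line, None otherwise."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def image_name(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decide(ev):
    """('allow' | 'block' | 'pass', reason) for one event under the Java rules.
    Non-Java processes are passed on to whatever other rules exist."""
    if image_name(ev["image"]) not in JAVA_IMAGES:
        return "pass", "not a Java process; other rules apply"
    if ev["proto"] == "TCP" and ev["port"] in ALLOWED_TCP:
        return "allow", f"TCP/{ev['port']} web"
    if ev["proto"] == "UDP" and ev["port"] == 53:
        if ev["ip"] in DNS_SERVERS:
            return "allow", "DNS to configured resolver"
        return "block", f"DNS to unlisted server {ev['ip']}"
    if ipaddress.ip_address(ev["ip"]).is_multicast:
        return "block", f"{ev['proto']}/{ev['port']} multicast (SSDP/UPnP discovery)"
    return "block", f"{ev['proto']}/{ev['port']} not permitted for Java"


def apply_policy(log_text):
    """Return (decisions, counts): one tuple per event and a tally per verdict."""
    decisions = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            verdict, reason = decide(ev)
            decisions.append((ev["ts"], image_name(ev["image"]), ev["proto"],
                              ev["ip"], ev["port"], verdict, reason))
    return decisions, Counter(d[5] for d in decisions)


if __name__ == "__main__":
    decisions, counts = apply_policy(SAMPLE_LOG)
    for d in decisions:
        print(f"{d[0]} {d[1]:<12} {d[2]}/{d[4]:<5} {d[3]:<16} {d[5]:<5} {d[6]}")
    print(dict(counts))
```

The port-80 line is the one to notice: the exploit page's JAR and the trojan it pulls down both travel over the port the rule must leave open, so the firewall buys an alert and blocks the noisier side channels, not the download itself.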