Java Trojan in the Wild

Discussion in 'malware problems & news' started by Kernelwars, May 10, 2011.

Thread Status:
Not open for further replies.
  1. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Java Trojan in the Wild
    Here
     
  2. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Thanks!
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    Beginning last year, java exploits have been seen in almost all of the exploit kits that appear in the malware domain lists. I found this recently:

    ie8_javaExpl.jpg

    See:

    Java: A Gift to Exploit Pack Makers
    http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/
    Microsoft Sees Huge Increase In Java Exploit Attempts, Surpassing Adobe
    http://www.ghacks.net/2010/10/19/mi...se-in-java-exploit-attempts-surpassing-adobe/
    For those who need it, you can simply whitelist it for the particular sites:

    javaSitePref.gif

    regards,

    -rich
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Java Malware Reconsidered, or, Java Brews a Fresh Bot of Malware:
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    From the article:
    The jar (Java Archive) file does the dirty work, so for all of the sophistication of what malware launched by a Java exploit can do, the malware executable first has to get onto the computer.

    Here is a good analysis of what a jar file does in sneaking in a malware executable:

    JaZeus: when Zeus meets Java
    http://www.inreverse.net/?p=1551

    Summarizing:

    The last diagram in the inreverse.net article shows how the zeus.exe trojan emerges as the final output of this exploit:

    http://www.inreverse.net/wp-content/uploads/2010/11/recap.jpg

    ___________________________________________________________________________________​

    Regarding the current exploit CVE-2010-00840, from the article MrBrian cited, here is a sample of how code can download a jar file from a malicious server to start the exploit working.

    Threat Spotlight
    For the week of 29 Sep 2011
    http://www.sophos.com/en-us/securit...otlight/threat-spotlight-archive/2011/38.aspx

    regards,

    -rich
     
    Last edited: Oct 28, 2011
  6. wat0114

    wat0114 Guest

    It seems there are at least three ways to prevent this?

    1. Don't click on the message links.

    2. Use anti-executable software/SRP/AppLocker

    3. Disable or don't use Java.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    Agreed!

    But avoiding #1 is problematical in a business environment, where targeted messages contain links that appear to be legitimate, and legitimate links occur frequently in business correspondence.

    See the messages in the section "Threat 2: HP Officejet spam links to Java malware" in the above cited sophos.com link in Post #5.

    regards,

    -rich
     
  8. wat0114

    wat0114 Guest

    True, and this is where the office spam filtering needs to be effective at filtering the fake messages in the first place, although I understand it can't catch everything. Where I work the spam filtering is extraordinarily effective.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    AppLocker/SRP do not stop Java .jar execution.
     
  10. wat0114

    wat0114 Guest

    Agreed,but what about the executable payload?

    -http://www.inreverse.net/wp-content/uploads/2010/11/recap.jpg
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Sure, if there are any executables involved.

    For a demonstration that AppLocker doesn't stop execution of Java .jar, download PortMapper-1.9.4.jar from http://sourceforge.net/projects/upnp-portmapper/files/ and double-click it in Windows Explorer. (This is assuming you have Java installed.)
     
    Last edited: Oct 29, 2011
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,982
    Location:
    California
    In the web-based exploits that I've seen, they use the java executable to connect out to a server.
    So, a firewall that monitors outbound connections will alert:

    java_kerioalert.gif

    With no connection, the page just sits there and the exploit never starts.

    If there is a connection, something in place to intercept the payload will nullify the exploit
    when the java executable attempts to download the trojan executable:

    java_ae-block.gif


    regards,

    -rich
     
    Last edited: Oct 29, 2011
  13. wat0114

    wat0114 Guest


    Thank you for this, MrBrian!

    Of course, as Rmus points out, the trusty firewall can intercept and put a stop to this kind of nonsense as well :) It is blocking inbound attempts in this case.
     

    Attached Files:

    Last edited by a moderator: Oct 29, 2011
  14. wat0114

    wat0114 Guest

    In fact, because I restrict common java processes to only remote TCP ports 80 & 443, as well as UDP DNS servers, javaw.exe is even blocked on the outbound attempts because it's trying on port 1900 (UPnP) ;)
     

    Attached Files:

Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.