Discussion in 'malware problems & news' started by CloneRanger, Jun 16, 2012.
Not exactly straightforward to do, but still as a PC =
I wonder if this post (and link) is allowed here.
He does actually do it. The exploit against Java works and Kaspersky doesn't see it. Whether it's "real" or not is besides the point.
I see nothing about EMET on there though, not that it really matters.
The script kiddies can't reproduce the ****. I think it's fake lol
Download the toolkit yourself.
Nothing I saw there is surprising. A Java exploit being used and an antivirus bypassed.
I'm talking about the comments below the article. Script kiddies are commenting that the procedures don't work.
I won't download this crap lol
BTW, did you test it?
Nope. I would but I'm lazy. I bet brandicandi will though.
If they can't recreate it it's likely because they're running a patched java or they can't figure out how to use the toolkit lol
Windows 7 gets hacked all the time. This isn't really new or exciting.
edit: Yeah, the people commenting don't know how to use metasploit lol
Hmm. This toolkit might be using what's described here:
It was patched months ago:
Yeah, because Java 0days are in such short supply lol
This won't work against updated AVs from main companies.
At the time the article was written, dunno.
Of course it will. It's only a matter of crypter.
You're adding additional steps to the described procedures.
So this thing doesn't work anymore.
To work it would require different things from what the attacker describes:
- a very outdated AV in the victim's PC or decent obfuscation skills from the attacker
- months old JRE in the victim's PC
Not even talking about the huge (IMO) social engineering effort that is unlikely to easily succeed.
And testing a new malware against virustotal, jotti and similar services isn't reliable. The detection rate of a locally installed AV tends to be superior to what those services show.
So the attacker also has to have appropriately configured VMs with running updated AVs or a similar setup that allows him to test against the real AV.
lol since when does it take an outdated AV for a hacker to bypass it? Heuristics get at best 70% detection rate and usually with a large amount of false positives when they're that high.
And Java 0 days happen often too and the time to patch is ages. Besides, the updater is crap and most users are running out of date versions anyways.
The attack is trivial and nothing new but it's entirely valid.
Note the "or decent obfuscation skills from the attacker" in my previous post.
The Oracle updater is even removing the old version now!!!! It's improving!! rofl
I think it's unlikely to succeed against a relevant percentage of users.
Also, Microsoft and Mozilla tend to automatically disable known vulnerable plugins in their browsers (including vulnerable versions of JRE) with their own automatic patching mechanisms.
Microsoft calls that the "Killbit" update.
So I bet this attack would also need an outdated version of IE or Firefox.
Pretty sure Java 7 doesn't remove Java 6 and a crypter is all it takes to bypass an AV without heuristics.
And this attack would be very successful considering how many users run out of date Java and how often we see 0days for it.
But Java 6 is being actively patched.
Java 7 is still in "kind of beta" (not exactly beta, but not exactly ready for the masses too).
As I said before: Microsoft and Mozilla tend to automatically disable known vulnerable plugins in their browsers (including vulnerable versions of JRE) with their own automatic patching mechanisms. Microsoft calls that the "Killbit" update. So I bet this attack would also need an outdated version of IE or Firefox.
Any decent criminal avoids VT et al because the sample will be distributed among vendors if detected.
Dedicated malware AV scanners are used like f.i. in RedKit; link
Lots of companies are 'forced' to use/keep using older versions and many consumers are unaware that certain software can/will install an (old) java version.
Besides 'the unaware' who know zilch about stuff like "updating".
The percentage seems big enough for gangs to sell a rehash of known exploits in a gentle GUI, making money on the ones who make money targeting the exploits.
Java offers all kinds of business models.
These are usually restricted in other ways.
True. But as I said before: Microsoft and Mozilla tend to automatically disable known vulnerable plugins in their browsers (including vulnerable versions of JRE) with their own automatic patching mechanisms. Microsoft calls that the "Killbit" update. So I bet this attack would also need an outdated version of IE or Firefox.
Windows/Microsoft Update is set to automatic install for more than 92% of the userbase according to Microsoft stats.
Anyone notice the list of trackers on that site, including the DMCA?