New Java 0day exploited in the wild

August 27, 2012 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

A few hours ago, FireEye published some information related to a new Java 0day exploited in the wild.

The malicious JAR file was served from ok.aa24.net / meeting / index.html

The html loads the Java applet passing some parameters that are used later to build the URL to download the payload. The HTML is encrypted using “Dadong’s JSXX 0.44 VIP”.

The Java applet contains the following two .class files:

- cve2012xxxx/Gondzz.class

- cve2012xxxx/Gondvv.class

The applet check if the system is running Windows and gets the parameters passed from the HTML that contains the URL to download the payload. If the system is vulnerable, the payload is downloaded and executed in the system.

On the analyzed sample the payload is downloaded from ok.aa24.net / meeting / hi.exe

https://www.virustotal.com/file/09d10ae0f763e91982e1c276aad0b26a575840ad986b8f53553a4ea0a948200f/analysis/1346055031/

The payload drops C:\WINDOWS\system32\mspmsnsv.dll (replace the file if present) and starts the Portable Media Serial Number Service.

The malware connects to hello.icon.pk port 80. It seems to be a Poison Ivy variant.

hello.icon.pk resolvs to:

223.25.233.244

223.25.233.0 - 223.25.233.255

8 to Infinity Pte Ltd

You can use the following generic Yara rule to detect a malicious .class file exploiting this vulnerability:

rule Java0daycve2012xxxx_generic
{
  meta:
     weight=100
     author = "Jaime Blasco"
     source = "alienvault"
     date = "2012-08"
  strings:
        $ =  "java/security/ProtectionDomain"
        $ = "java/security/Permissions"
        $ = "java/security/cert/Certificate"
        $ = "setSecurityManager"
        $ = "file:///"
        $ = "sun.awt.SunToolkit"
        $ = "getField"
  condition:
    all of them
}

A module has just been published for Metasploit so it is time to disable Java in all your systems

And remember to search your logs for connections to the Domains/IPs related to this attack.

Have a great day!

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

TAGS: zeroday, java

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL