The Latest in IT Security

Malware campaign uses direct injection of Java exploit code

21
Jun
2011

 

Our ThreatSeeker® Network is constantly on the lookout to protect our customers from malicious attacks. Recently, it has detected a Rogue AV campaign that directly attacks the user's system instead of first redirecting to a dedicated attack server. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.

 

Attackers usually compromise web pages to drive traffic to web servers hosting exploit kits. In this injection though, we see exploit code directly planted into legitimate pages:

 

 

The code shown attacks an Oracle Java vulnerability (CVE-2010-4452) by exploiting a design flaw in the Java class loader to execute an unsigned Java applet with local user rights. The exploit affects Java Runtime Environment versions 6 Update 23 and earlier. It was addressed by Oracle with Update 24 in February 2011. In internal tests, we could confirm that the malicious applet would load in all popular browsers with built-in Java support like IE, Firefox, and Opera. The applet in this attack is used to locate and execute a .exe payload that is disguised in the foreground parameter of the applet-tag as a .jpg file. While the system gets attacked, the user would only see the Java icon popping up in the Windows taskbar:

 

 

The payload in this case is the nowadays ubiquitous Rogue Antivirus:

 

 

In case you haven't already done so, don't forget to update your Java version as soon as possible.

Leave a reply


Categories

MONDAY, NOVEMBER 11, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments