PDF and Java malware target unpatched PCs - Part 2

Filed Under: Java, Malware, Oracle, Vulnerability

Virtual image of a sandbox

Last week I posted about some new malware targeting Adobe vulnerabilities and I included Java in the title... Shame on me, I forgot to include the part about Java! I will call this blog part 2 and detail the Java bits this time around.

Looking further into URLs hosted on the same server as the malicious PDFs, we discovered another attack that focused specifically on unpatched JVM flaws. It appears to be an alternative way to infect a workstation whose Acrobat/Reader versions had been kept up to date.

The first sample was located at hxxp://CENSORED.com/kt/ck_fuh/###wbn.jar. This Java sample is a call-home agent. It contains three classes: Email.class, ExecServer.class and SendServer.class. Email.class does not actually contain email software, but it does contain a list of obfuscated URLs. ExecServer.class contacts and retrieves data from the URLs decoded from Email.class. The SendServer.class file is used for the URL encoding/decoding.

Since the data downloaded from the URLs is discarded, it would appear that this applet is used to communicate with a command and control infrastructure and is awaiting commands from the encoded URLs.

The other Java applet was retrieved from hxxp://CENSORED.com/kt/ck_fuh/##beb.jar. This sample was a downloader Trojan used to retrieve the same Fake AV samples that were retrieved using the PDF exploit detailed in my previous blog post.

This applet consisted of three classes named Server1.class, Server2.class and AServers.class. Server1.class was simply used to load Server2.class. Server2.class contained the actual exploits that allow it to break out of the Java sandbox and load AServers.class. AServers.class is the actual downloader, which downloads the Fake AV and saves it to %TEMP% as ..exe.
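The class breakdown above is exactly the kind of thing an analyst wants to see quickly when triaging a suspicious applet: which classes reference networking, file writing, environment lookups or process execution. The script below is an added example written for this post, not code from the original article or from Sophos; it parses the constant pool of every class inside a JAR (a JAR is a zip file, and a class file's string constants live in its constant pool) and reports the API references found. The indicator list and the constructed sample JAR are assumptions made for the example; the sample deliberately mimics the Server1/AServers split described above, with no real malware involved.

```python
import io
import struct
import zipfile

# Indicator strings a downloader applet would need to reference. Class names
# appear as Utf8 constants in the class file constant pool. This list is an
# assumption for the example, not a signature from the original post.
INDICATORS = {
    "network": ("java/net/URL", "java/net/URLConnection", "java/net/Socket"),
    "file-write": ("java/io/FileOutputStream", "java/io/RandomAccessFile"),
    "exec": ("java/lang/Runtime", "java/lang/ProcessBuilder"),
    "env": ("getenv",),
}

# Byte size of fixed-width constant pool entries, keyed by tag (JVM spec 4.4).
# Tag 1 (Utf8) is variable length and handled separately.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(class_bytes):
    """Return the Utf8 entries of a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack(">IHHH", class_bytes[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, index, strings = 10, 1, []
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:
            (length,) = struct.unpack(">H", class_bytes[pos:pos + 2])
            pos += 2
            strings.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        # long and double constants occupy two pool slots
        index += 2 if tag in (5, 6) else 1
    return strings


def triage_jar(jar_bytes):
    """Map each class in the JAR to the sorted indicator categories it references."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            consts = utf8_constants(jar.read(name))
            hits = sorted(cat for cat, needles in INDICATORS.items()
                          if any(n in c for c in consts for n in needles))
            report[name] = hits
    return report


def _fake_class(strings):
    """Build a minimal constructed class file whose constant pool holds the given
    Utf8 strings and nothing else (no fields or methods). Sample input only."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(strings) + 1)
    # access_flags, this_class, super_class, then interfaces/fields/methods/attributes counts
    trailer = struct.pack(">HHHHHHH", 0x21, 1, 1, 0, 0, 0, 0)
    return header + pool + trailer


def sample_jar():
    """Constructed JAR shaped like the loader/downloader pair described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Server1.class", _fake_class(["Server1", "Server2", "java/lang/Object"]))
        jar.writestr("AServers.class", _fake_class([
            "AServers", "java/net/URL", "openStream", "java/io/FileOutputStream",
            "getenv", "TEMP", "java/lang/Runtime", "exec"]))
    return buf.getvalue()


if __name__ == "__main__":
    for cls, hits in triage_jar(sample_jar()).items():
        print(cls, "->", ", ".join(hits) or "no indicators")
```

Run against a real JAR by passing `open(path, "rb").read()` to `triage_jar`. A loader class like Server1 that references nothing but another class name, beside a class that references both network and file-write APIs, is the pattern worth a closer look; string obfuscation (as in the Email.class URL list above) hides URLs but not the API class names the code must still name in its constant pool.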

This is a fine example of how keeping Adobe products patched while ignoring other plugins and applications will still lead you to a world of hurt. Many systems are running out-of-date versions of Oracle's Java Virtual Machine, as most administrators are focused on keeping Windows and Acrobat/Flash up to date.

Keeping everything patched and using up-to-date anti-virus defends against most threats, and, like many other threats I blog about, these vulnerabilities were fixed some time ago. Zero-day threats are definitely a concern, but most garden-variety attacks rely on you being out of date. Now check your Java installs and be sure you are running Java 6 update 20, or go to http://www.java.com.
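To make that last check repeatable across a fleet, here is an added example (not from the original post) that parses the output of `java -version` and compares it with the Java 6 update 20 baseline the post names. The version strings used as sample input are constructed for the example; the required version tuple is an assumption derived from the post's advice.

```python
import re
import subprocess

# Java 6 update 20 as "java -version" reports it: 1.6.0_20 (assumed baseline)
REQUIRED = (1, 6, 0, 20)

# Matches lines such as: java version "1.6.0_17"  (the update part is optional)
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output):
    """Return (major, minor, micro, update) from `java -version` output, or None."""
    match = _VERSION_RE.search(output)
    if not match:
        return None
    return tuple(int(group or 0) for group in match.groups())


def is_current(output, required=REQUIRED):
    """True when the reported version is at least the required one."""
    version = parse_java_version(output)
    return version is not None and version >= required


def installed_java_version():
    """Query the java binary on PATH; note that `java -version` writes to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample outputs, not captured from a real machine
SAMPLE_OLD = 'java version "1.6.0_17"\nJava(TM) SE Runtime Environment (build 1.6.0_17-b04)\n'
SAMPLE_OK = 'java version "1.6.0_20"\nJava(TM) SE Runtime Environment (build 1.6.0_20-b02)\n'

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("ok", SAMPLE_OK)):
        print(label, parse_java_version(sample), "current" if is_current(sample) else "OUT OF DATE")
    print("installed:", installed_java_version())
```

One caveat for the "installs" plural in the post: the `java` on PATH is only one of them. Older JREs commonly remain installed side by side with a newer one, and a browser plugin may bind to an older copy, so an inventory should also enumerate the installed JRE directories rather than trust a single `java -version`.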

Creative Commons image courtesy of Torley's Flickr photostream.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.