PDF and Java malware target unpatched PCs – Part 2

Virtual image of a sandbox

Virtual image of a sandbox

Last week I posted about some new malware targeting Adobe vulnerabilities and I included Java in the title… Shame on me, I forgot to include the part about Java! I will call this blog part 2 and detail the Java bits this time around.

Looking further into URLs hosted on the same server as the malicious PDFs we discovered another attack that focused specifically on unpatched JVM flaws. It would appear this is an alternative method to infect a workstation were you to have kept your Acrobat/Reader versions up to date.

The first sample was located at hxxp://CENSORED.com/kt/ck_fuh/###wbn.jar. This Java sample is a call home agent. It contains three classes – Email.class, ExecServer.class, and SendServer.class. Email.class does not actually contain email software but does contain a list of obfuscated URLs. ExecServer.class contacts and retrieves data from the URLs decoded from Email.class. The SendService.class files is used for the URL encoding/decoding.

Considering that the data downloaded from the URLs is discarded it would appear that this applet is used to communicate with a command and control infrastructure and is awaiting commands from the encoded URLs.

The other Java applet was retrieved from hxxp://CENSORED.com/kt/ck_fuh/##beb.jar. This sample was a downloader Trojan used to retrieve the same Fake AV samples that were retrieved using the PDF exploit detailed in my previous blog post.

This applet consisted of 3 classes named Server1.class, Server2.class and AServers.class. Server1.class was simply used to load Server2.class. Server2.class contained the actual exploits that allow it to break out from the Java sandbox and load AServers.class. AServers.class is the actual downloader which downloads the Fake AV and saves it to %TEMP% as ..exe.

This is a fine example that keeping Adobe products patched, but perhaps ignoring other plugins and applications will still lead you to a world of hurt. Many systems are running out of date versions of Oracle’s Java Virtual Machine as most administrators are focused on keeping Windows and Acrobat/Flash up to date.

Keeping everything patched and using up to date anti-virus defends against most threats, and like many other threats I blog about these vulnerabilities were fixed some time ago. Zero day threats are definitely a concern, but most garden variety attacks rely on you being out of date. Now check your Java installs and be sure you are running Java 6 update 20, or go to http://www.java.com.

Creative Commons image courtesy of Torley’s Flickr photostream.