Sophos Cloud Optix
Online scammers are using a recent email from Microsoft as bait in a widespread spam campaign that exploits vulnerabilities in Oracle’s Java software to install malicious programs on vulnerable systems.
Experts at The SANS Institute’s Internet Storm Center warned on Saturday that operators there received multiple reports of a spam campaign that uses a recent Microsoft email regarding changes to its Services Agreement for products such as Hotmail and Skydrive to fool users.
The attacks have prompted renewed calls for internet users to disable Java on their systems pending a new update from Oracle Corp. to fix critical, remotely exploitable vulnerabilities in the ubiquitous web technology.
According to SANS, the malicious email is based on an August 27 communication from Microsoft titled “Important Changes to Microsoft Services Agreement and Communication Preferences.”
The phishing email replaces links in the original messages with malicious links that send unwitting readers to websites that install a new variant of the Zeus malware, ISC handler Russ McRee warned in a post on September 1st.
The actual Microsoft message, dated August 27, can be viewed here.
It details changes in the terms of a services agreement for users of a wide range of products, including Hotmail, Windows Live Messenger, Microsoft Photo Gallery and SkyDrive, the company’s hosted storage offering.
The malicious websites in question are running the latest versions of the Blackhole Exploit Kit, a kind of Swiss Army Knife for compromising vulnerable computers.
The Blackhole Exploit Kit is capable of analyzing the configuration and software installed on machines visiting web sites on which the exploit kit is installed, and then serve up just exploits that are likely to work against the intended target.
The recent addition of exploit code for the Java vulnerability has more than doubled the success rate of Blackhole exploits, compromising tens of thousands of new systems, according to data from the security firm Seculert.
This isn’t the first phishing email that has been linked to attacks on the Java vulnerability. Last week, experts at SophosLabs discovered malicious emails purporting to including information on a tax rate increase that contained links to websites exploiting the Java hole.
Database giant Oracle acquired Java when it bought Sun Microsystems in 2009 and has faced criticism from security experts for failing to respond quickly to security vulnerabilities in the ubiquitous web technology before.
The latest security holes haven’t improved the company’s image. It was forced to rush out a patch for the Java security hole last week and received withering criticism after the polish security consultancy Security Explorations disclosed that it reported the critical security hole to Oracle in April, four months earlier.
The company’s image was further damaged when the patch Oracle released to fix the flaw failed to fully close the security hole. Security Explorations said that it informed Oracle on Friday that systems running the patched Java 7 Version 7 could be circumvented in a similar manner to earlier versions, allowing for “complete Java sandbox bypass.”
Oracle has confirmed receipt of that report and is investigating, Security Explorations said.
In the meantime, ISC and others are advising users to disable Java until the next update is ready.
For those who want to keep Java running, SANS ISC said that email recipients should scrutinize the hyperlinks in any email messages by hovering their mouse cursor over the link prior to clicking on it and by inspecting email headers for suspicious messages.
Sophos experts Paul Ducklin and Chet Wisniewski offer more easy-to-understand advice about Java in the latest Techknow podcast: “All about Java”.
I can see why malware authors target Java (large user base and its multi-platform and with a tendency for users not to patch it).
I am really glad that I un-installed Java many years ago, the recent security risks are of a serious concern. Of even more concern is that the most recent security patch, resolved some flaws but also created another one.
I applaud Sophos for keeping everyone informed as well as providing solid recommendations on protecting oneself from these new threats.
Thank you.
Does Blackhole Exploit Kit target machines running Apple OS and Linux as well?
Yes there is a private strain out in the black market i seen recently that is targeting Apple OS and Linux i am gethering some info and then forwarding on to the sophos team.
There is also a rat what sophos mentioned lastweek called netwire that is a multi-platform rat that is becoming really popular lately.
Keep definitions upto date and you should be safe.
I had received an email on September 1 concerning these changes but DID NOT click on the links. Thank you for keeping us up to date on these scams.
Thanks for keeping us up to date. Could it be possible for you to listr which Java version you are referring to as I have no idea if what I have was an updated version. I have just updated mine.
Victor
Some on-line banking services require the use of Java, it doesn't work without it or a 'transparent' alternative. So if Java is so open to being misused, what alternative(s) are there to allow continued use of services that require Java and check for its presence before loading?
I had noticed that email used an older version of the MS logo… They just recently changed it, and had this been real, would have used the new one.