
Zero-Day Season is Not Over Yet

A new Java zero-day vulnerability has been spotted in the wild. We have seen this unpatched exploit being used in limited targeted attacks. Most recent Java runtime environments, i.e. JRE 1.7.x, are vulnerable. In my lab environment, I was able to successfully exploit my test machine running the latest version of Firefox with JRE version 1.7 update 6 installed.


Exploit

The initial exploit is hosted on a domain named ok.XXX4.net, which currently resolves to an IP address in Taiwan. The attacker's web site was fully functional at the time of writing this article, i.e. on August 26, 2012.

Jar

A successful exploit attempt can result in a dropper (Dropper.MsPMs) being installed on the infected system. The dropper executable is hosted on the same server:

http://ok.XXX4.net/meeting/hi.exe

Dropper.MsPMs then calls back to its own CnC domain, hello.icon.pk, which currently resolves to the IP address 223.25.233.244, located in Singapore.
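As an added example (not code from the post), the following Python walks a set of constructed proxy log lines and reconstructs the chain described above per client: exploit landing page, JAR, hi.exe download, callback to the CnC host or IP. The indicators are the ones quoted in the post, with the exploit domain written out as the author unmasks it in the comments; the log format and the applet.jar filename are assumptions.

```python
import re
from collections import defaultdict

# Indicators quoted in the post (exploit host in the unmasked form the author gives in the comments).
EXPLOIT_HOST = "ok.aa24.net"
DROPPER_PATH = "/meeting/hi.exe"
CNC_HOST = "hello.icon.pk"
CNC_IP = "223.25.233.244"

# Constructed proxy log lines (not from the post); the applet.jar name is an assumption.
SAMPLE_LOG = """\
2012-08-26T10:01:02 10.0.0.5 GET http://ok.aa24.net/meeting/index.html 200
2012-08-26T10:01:03 10.0.0.5 GET http://ok.aa24.net/meeting/applet.jar 200
2012-08-26T10:01:05 10.0.0.5 GET http://ok.aa24.net/meeting/hi.exe 200
2012-08-26T10:02:11 10.0.0.5 GET http://hello.icon.pk/ 200
2012-08-26T10:03:00 10.0.0.9 GET http://example.com/news.html 200
2012-08-26T10:04:00 10.0.0.7 GET http://223.25.233.244/ 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")   # time client method url status
URL_RE = re.compile(r"^https?://([^/\s]+)(/\S*)?$")

def classify(url):
    """Map one URL to a stage of the chain described in the post, or None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2) or "/"
    if host in (CNC_HOST, CNC_IP):
        return "callback"          # dropper talking to its CnC
    if host != EXPLOIT_HOST:
        return None
    if path == DROPPER_PATH:
        return "dropper"           # hi.exe pulled from the exploit server
    if path.lower().endswith(".jar"):
        return "jar"               # the malicious applet itself
    return "landing"               # any other page on the exploit host

def find_infections(log_text):
    """Return (stages per client in first-seen order, clients that completed the chain)."""
    stages = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # ignore lines not in the expected format
        _ts, client, _method, url, _status = m.groups()
        stage = classify(url)
        if stage and stage not in stages[client]:
            stages[client].append(stage)
    compromised = sorted(c for c, s in stages.items() if {"jar", "dropper", "callback"} <= set(s))
    return dict(stages), compromised
```

A client that only touched the CnC address (10.0.0.7 in the sample) is reported with its partial chain but not as fully compromised, which is the case worth triaging by hand.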


Callback

It is just a matter of time before a PoC is released and other bad guys get hold of this exploit as well. It will be interesting to see when Oracle plans to ship a patch; until then, most Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared periodically.

UPDATE: On August 30, Oracle released a patch for its Java plugin. Read more here.

31 thoughts on “Zero-Day Season is Not Over Yet”

  1. I’ve just blocked both domains ok.XXX4.net and hello.icon.pk on my router (on DD-WRT). Am I safe?

  2. @Rahim,
    Unfortunately the answer is no. Attackers are already moving to new exploit domains. The best way to prevent this attack at the moment is by removing or disabling Java plug-in from your browser settings. Once Oracle comes up with a patch you can re-enable this plug-in.

  3. Does “Java 6” have the same vulnerability? There seems to be some debate about that. If “Java 6” does not have the same vulnerability, it seems odd, to me, that all of the articles relating to this issue say to disable Java, or uninstall it, rather than saying to switch to using “Java 6” to resolve the problem.

  4. @redwolf
    Doing a rollback to previous Java versions may expose you to older Java exploits.

  5. Rahim… no, you are not safe by blocking that site… the X’s are there to hide the site from you and me. The real site name is not given.

  6. Java 6 is still being maintained; I think Java 6 Update 34 was released on August 14th. If it had similar vulnerabilities, I presume we’d be hearing about those. It doesn’t have this particular issue according to reports.
    If you need Java on some web sites, this seems like a good time to step back to Java 6, unless you need Java 7, which is unlikely, although it’s been out for a while. Also, consider disabling Java except when accessing a web site where you need Java. In the Opera browser, for one, you can choose to allow Java and other optional features only for web sites that you choose: they remain disabled elsewhere. I -think- that an anti-virus program also will stop this attack if it’s recognised, and a tool such as MalwareBytes will just prevent you from visiting exploited sites – only, that’s no good if they sneak the exploit onto web sites that -everyone- visits.
    If you don’t need Java, then just disable it or un-install it for a while.

  7. If you are fortunate enough to have a proxy that blocks executables (not just by extension, but one that actually stitches packets back into a file and then scans it), are we close to covering users from their own mistakes? Or does this obfuscate packet content and stitch it together after it gets to the client?

  8. Quick question: Is there a simple registry change to disable Java from the Internet Explorer “Internet” untrusted zone? (Particularly since Firefox also honors them, though I’m not sure how many of the settings.) My company needs it for internal web apps, and it would be a pain to revert to JRE 6 across the board, but it sounds pretty critical to do something today.

  9. Anyone know if UAC and/or “Standard User” will protect our stupid users from this exploit?

  10. @Henry/Rahim
    Yes, Henry is right: due to the zero-day nature of this exploit, I decided to hide a portion of the exploit domain. But now, after two days, this domain is no longer alive.
    So in case you don’t know:
    XXX = aa2
    i.e. o k. aa24. n e t

  11. Am I right in thinking that if we are running Java 6 update 34 then there are presently no publicly known vulnerabilities in this version? Deependresearch.org stated that they do not recommend downgrading to v6 due to vulnerabilities on that version, but I cannot understand that advice since v6 is, as I understand it, still under support and being patched by Oracle.
    Can anyone clarify this for me?

  12. Disable Java:
    Here’s how:
    If you use Internet Explorer version 7 or above, open Internet Explorer and select Tools | Manage Add-ons then skip to Step 3.
    If you use an older version of Internet Explorer, open Internet Explorer and select Tools | Internet Options and continue to Step 2.
    From the Internet Options window, click the Programs tab and select Manage Add-ons.
    From the Add-ons window, click once to select (highlight) Java Plug-in, then click the Disable button. Click Close and OK to accept the change.
    Alternatively, you can also click Tools | Internet Options | Advanced. If Java is installed in your browser, you will see a listing for Sun Java in the Internet Options menu. Just uncheck it to disable.
    When you encounter a site that requires Java (for example, some small online games and calculators), you can re-enable Java easily by following the same steps above, this time selecting the enable option.

  13. I acquired this Java trojan on August 23, when I downloaded and ran Java (JRE) Version 7, update 6, release date August 16, 2012, from the CNET.com website. I am using O/S Vista Ultimate 32-bit, with UAC active. I am also running McAfee Internet Security Suite. It slipped by both the UAC and McAfee. McAfee did an automatic update sometime after August 23, and on August 26 it found and quarantined the virus. It reported it as a file named “6f2f1ae6-6b2d63ea” found in the folder C:\users\myusername\AppData\LocalLow\Sun\Java\Deployment\cache. McAfee gave three names for the trojan: “JV/Exploit-Bacole”, “Exploit-CVE2012-1723”, and “JV/Exploit-Blacole.q”. I deleted the file from the quarantine and subsequent virus scans have not found it.
    Curiously, I have to enable Java in order to send this message!!

  14. Does this set of exploits affect OpenJDK versions of java, in particular:
    java -version
    OpenJDK Runtime Environment (IcedTea6 1.11.3) (fedora-67.1.11.3.fc16-i386)
    OpenJDK Server VM (build 20.0-b12, mixed mode)
    ?

  15. According to an analysis conducted by the AV-Comparatives test lab on behalf of The H’s associates at heise Security, less than half of the 22 anti-virus programs tested protect users against the currently circulating Java exploit that targets a highly critical vulnerability in Java version 7 Update 6.
    Only 9 of the 22 tested products managed to block both variants of the exploit (Avast Free, AVG, Avira, ESET, G Data, Kaspersky, PC Tools, Sophos and Symantec). Twelve virus scanners were found to be unsuccessful (AhnLab, Bitdefender, BullGuard, eScan, F-Secure, Fortinet, GFI-Vipre, Ikarus, McAfee, Panda Cloud Antivirus, Trend Micro and Webroot). Microsoft’s free Security Essentials component at least managed to block the basic version of the exploit.
    http://www.donotcrack.com/2012/09/only-9-of-22-antivirus-block-java.html
