A few days ago I talked about the existence of a new Java zero-day flaw (CVE-2012-4681). Soon after my blog post was published, the white-hats kicked in and proof-of-concept (PoC) code was ready overnight. At that point a major outbreak was inevitable. We soon learned that the mastermind behind the Blackhole exploit kit planned to add this zero-day to his package. This morning we started seeing the first indications of a large-scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is rising rapidly. Having seen how reliable this attack is, I have no doubt that within hours the casualties will be in the thousands.
Almost all of the domains host multiple exploits. If nothing else works, the new Java zero-day kicks in and the machine is compromised.
Here is the list of active domains we have seen so far. The PoC is already public, so there is no point in hiding these domains.
| Domain | Current IPs | Current location |
|---|---|---|
| stone.facilitesandestates.co.uk | 188.8.131.52, 184.108.40.206 | Russia |
| word.pipefreezekits.co.uk | 220.127.116.11, 18.104.22.168 | Russia |
| restoreairpowered.net | 22.214.171.124, 126.96.36.199 | Russia |
| life.teainturkey.com | 188.8.131.52, 184.108.40.206 | Russia |
| rock.tea-leaves-tea-lives.com | 220.127.116.11, 18.104.22.168 | Russia |
| burnt.travelagentsinkerala.com | 22.214.171.124, 126.96.36.199 | Russia |
| bread.kre8iveinterior.com | 188.8.131.52, 184.108.40.206 | Russia |
| bricks.purekashmirisaffron.com | 220.127.116.11, 18.104.22.168 | Russia |
| arrows.cardrivinggame.info | 22.214.171.124, 126.96.36.199 | Russia |
| img.elitesplusstaffing.info | 188.8.131.52, 184.108.40.206 | Germany |
| epafyszpyfoc.lookin.at | 220.127.116.11, 18.104.22.168 | Romania |
| img.figureskatingtrainingaid.com | 22.214.171.124, 126.96.36.199 | USA |
| img.off-iceedgetrainer.com | 188.8.131.52, 184.108.40.206 | USA |
| coindictionary.net | 220.127.116.11, 18.104.22.168 | USA |
| 7oiesdhfgkjsg.ns01.info | 22.214.171.124, 126.96.36.199 | USA |
| stinkersega.pro | 188.8.131.52, 184.108.40.206 | Luxembourg |
| meessbnb.lflinkup.net | 220.127.116.11, 18.104.22.168 | Luxembourg |
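The practical use of a list like this is to sweep your own proxy or DNS logs for contacts with the listed hosts and find the machines that need to be pulled off the network. The script below is an added example, not FireEye's tooling: it takes the domains and IPs from the table above, matches each listed domain and any subdomain of it (but not its parent site, since entries like stone.facilitesandestates.co.uk sit under otherwise unrelated compromised sites), and flags .jar fetches from a listed host as the likely exploit payload. The four-field log layout and the log lines themselves are constructed for the example; adapt the parser to your proxy's format.

```python
"""Sweep proxy logs for the exploit-kit hosts in the table above.

Added example, not FireEye's own code. The log format is a constructed
four-field layout (epoch time, client IP, method, URL); the ".jar"
triage flag is an assumption about exploit-kit behaviour, not something
the post states.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the table above.
IOC_DOMAINS = {
    "stone.facilitesandestates.co.uk", "word.pipefreezekits.co.uk",
    "restoreairpowered.net", "life.teainturkey.com",
    "rock.tea-leaves-tea-lives.com", "burnt.travelagentsinkerala.com",
    "bread.kre8iveinterior.com", "bricks.purekashmirisaffron.com",
    "arrows.cardrivinggame.info", "img.elitesplusstaffing.info",
    "epafyszpyfoc.lookin.at", "img.figureskatingtrainingaid.com",
    "img.off-iceedgetrainer.com", "coindictionary.net",
    "7oiesdhfgkjsg.ns01.info", "stinkersega.pro", "meessbnb.lflinkup.net",
}
IOC_IPS = {
    "188.8.131.52", "184.108.40.206", "220.127.116.11",
    "18.104.22.168", "22.214.171.124", "126.96.36.199",
}

# Constructed sample log (not real traffic): epoch client method url
SAMPLE_LOG = """\
1346241600.123 10.0.0.12 GET http://www.example.com/index.html
1346241601.456 10.0.0.12 GET http://stone.facilitesandestates.co.uk/index.php?showtopic=123
1346241602.789 10.0.0.12 GET http://stone.facilitesandestates.co.uk/Exploit.jar
1346241605.001 10.0.0.33 GET http://cdn.coindictionary.net/img/logo.png
1346241607.222 10.0.0.44 CONNECT 22.214.171.124:443
1346241609.333 10.0.0.55 GET http://notevil.facilitesandestates.co.uk.example.org/
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s*$")


def normalize_host(host):
    """Lower-case and drop a trailing dot so 'Foo.Example.' == 'foo.example'."""
    return host.lower().rstrip(".")


def match_host(host):
    """Return the indicator a host hits, or None.

    A host matches a listed domain when it is that domain or a subdomain of
    it (suffix match on a label boundary, so '...co.uk.example.org' does not
    match). The parent of a listed subdomain is deliberately not matched.
    """
    host = normalize_host(host)
    if host in IOC_IPS:
        return host
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def extract_host(method, url):
    """Destination host of a log line; CONNECT lines carry 'host:port' only."""
    if method.upper() == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def sweep(lines):
    """Return one dict per log line whose destination hits the indicator list."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of aborting the sweep
        host = extract_host(m["method"], m["url"])
        indicator = match_host(host)
        if indicator is None:
            continue
        is_jar = (m["method"].upper() != "CONNECT"
                  and urlsplit(m["url"]).path.lower().endswith(".jar"))
        hits.append({"ts": m["ts"], "client": m["client"],
                     "host": normalize_host(host), "indicator": indicator,
                     "jar": is_jar})  # .jar from a listed host: likely payload
    return hits


def affected_clients(hits):
    """Distinct source addresses that touched a listed host, for isolation."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG.splitlines())
    for h in found:
        flag = " [JAR]" if h["jar"] else ""
        print(f"{h['ts']} {h['client']} -> {h['host']} (matches {h['indicator']}){flag}")
    print("clients to isolate:", ", ".join(affected_clients(found)))
```

On the sample data the sweep reports four contacts from three clients, flags the Exploit.jar fetch, and correctly ignores the host that merely contains a listed domain as a substring. The IP matches are weaker evidence than the domain matches: shared hosting means the same address can also serve legitimate sites, which is why the post's second update about one address being cleaned up matters for how long these IPs stay useful.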
Here is the visual representation of these exploit servers observed at the time of writing this article.
It is very disappointing that Oracle has not yet announced a date for an emergency patch. Once again I strongly recommend uninstalling or disabling the Java plug-in in your browser unless you critically need it. Note that switching to OpenJDK is not a fix by itself: the OpenJDK 7 builds shipped by Linux distributions are based on the same Java 7 code and carry the same bug, so what matters is running a patched build once one is available. If uninstalling is not an option, then to avoid accidental visits to attacker websites you might browse from an iOS device, which does not run the Java plug-in and is therefore not affected by this exploit.
Security researchers interested in detailed intelligence and malware samples can reach us at RESEARCH @ FIREEYE.com.
We'll keep updating this article with the most up to date information.
UPDATE: On August 30, Oracle released an out-of-band patch (Java 7 Update 7) for its Java plug-in.
UPDATE #2: As of September 4, the IP address 22.214.171.124 belonging to "Amazon Cloud Services" has been cleaned up and is no longer serving malicious content.