A few days ago I talked about the existence of a new java zero-day flaw (CVE-2012-4681). Soon after the publication of my blog, the white-hats kicked in and there was Proof Of Concept (POC) code ready overnight. At this point, a major outbreak was inevitable. We soon came to know that the master mind behind the Blackhole exploit kit has plans to add this zero-day to his package. This morning we started getting the first indication of a large scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly. After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands.
Almost all of the domains are hosting multiple exploits. If nothing else works, the new Java zero-day kicks in and all of a sudden the machine is compromised.
Here is the list of active domains that we have seen so far. The Proof Of Concept (POC) is already public so I am not trying to hide these domains.
| Domains | Current IPs | Current Location |
|---|---|---|
| stone.facilitesandestates.co.uk stone.facilitesandestates.co.uk | 146.185.236.183 146.185.236.183 | Russia Russia |
| word.pipefreezekits.co.uk word.pipefreezekits.co.uk | 146.185.236.183 146.185.236.183 | Russia Russia |
| restoreairpowered.net restoreairpowered.net | 89.248.231.122 89.248.231.122 | Russia Russia |
| life.teainturkey.com life.teainturkey.com | 146.185.236.185 146.185.236.185 | Russia Russia |
| rock.tea-leaves-tea-lives.com rock.tea-leaves-tea-lives.com | 146.185.236.185 146.185.236.185 | Russia Russia |
| burnt.travelagentsinkerala.com burnt.travelagentsinkerala.com | 146.185.236.210 146.185.236.210 | Russia Russia |
| bread.kre8iveinterior.com bread.kre8iveinterior.com | 146.185.236.249 146.185.236.249 | Russia Russia |
| bricks.purekashmirisaffron.com bricks.purekashmirisaffron.com | 146.185.236.250 146.185.236.250 | Russia Russia |
| arrows.cardrivinggame.info arrows.cardrivinggame.info | 37.9.55.222 37.9.55.222 | Russia Russia |
| img.elitesplusstaffing.info img.elitesplusstaffing.info | 178.162.129.234 178.162.129.234 | Germany Germany |
| epafyszpyfoc.lookin.at epafyszpyfoc.lookin.at | 91.220.35.52 91.220.35.52 | Romania Romania |
| img.figureskatingtrainingaid.com img.figureskatingtrainingaid.com | 184.82.160.118 184.82.160.118 | USA USA |
| img.off-iceedgetrainer.com img.off-iceedgetrainer.com | 184.82.160.118 184.82.160.118 | USA USA |
| coindictionary.net coindictionary.net | 184.82.160.118 184.82.160.118 | USA USA |
| 7oiesdhfgkjsg.ns01.info 7oiesdhfgkjsg.ns01.info | 54.245.105.201 54.245.105.201 | USA USA |
| stinkersega.pro stinkersega.pro | 94.242.251.112 94.242.251.112 | Luxembourg Luxembourg |
| meessbnb.lflinkup.net meessbnb.lflinkup.net | 94.242.251.119 94.242.251.119 | Luxembourg Luxembourg |
Here is the visual representation of these exploit servers observed at the time of writing this article.
It's very disappointing that Oracle hasn't come forward and announced a date for an emergency update patch. Once again I strongly recommend if it is not critical, uninstall the JRE plug-in from your browser. Users of Mac and Linux might choose OpenJDK, an open source implementation of the JRE provided by Oracle. If uninstallation is not an option then in order to avoid accidental visits to attacker websites, a user might choose to use iOS devices that are not affected by this exploit.
Security researchers interested in detailed intelligence and malware samples can reach us by emailing us at RESEARCH @ FIREEYE.com.
We'll keep updating this article with the most up to date information.
UPDATE: On August 30, Oracle released a patch for its Java plugin. Read more here.
UPDATE #2: As of September 4, the IP address 54.245.105.201 belonging to "Amazon Cloud Services" has been cleaned up and is no longer serving malicious content.
