Java Zero-Day - First Outbreak

A few days ago I talked about the existence of a new Java zero-day flaw (CVE-2012-4681). Soon after my blog was published, the white-hats kicked in and there was proof-of-concept (PoC) code ready overnight. At that point a major outbreak was inevitable. We soon came to know that the mastermind behind the Blackhole exploit kit has plans to add this zero-day to his package. This morning we started getting the first indications of a large-scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly. Having seen how reliably this exploit fires, I have no doubt in my mind that within hours the casualties will be in the thousands.


Almost all of the domains are hosting multiple exploits. The kit tries them in turn, and if nothing else works the new Java zero-day kicks in and the machine is compromised.

Here is the list of active domains that we have seen so far. The proof-of-concept (PoC) is already public, so I am not trying to hide these domains.

Domain                             Current IP        Current location
stone.facilitesandestates.co.uk    146.185.236.183   Russia
word.pipefreezekits.co.uk          146.185.236.183   Russia
restoreairpowered.net              89.248.231.122    Russia
life.teainturkey.com               146.185.236.185   Russia
rock.tea-leaves-tea-lives.com      146.185.236.185   Russia
burnt.travelagentsinkerala.com     146.185.236.210   Russia
bread.kre8iveinterior.com          146.185.236.249   Russia
bricks.purekashmirisaffron.com     146.185.236.250   Russia
arrows.cardrivinggame.info         37.9.55.222       Russia
img.elitesplusstaffing.info        178.162.129.234   Germany
epafyszpyfoc.lookin.at             91.220.35.52      Romania
img.figureskatingtrainingaid.com   184.82.160.118    USA
img.off-iceedgetrainer.com         184.82.160.118    USA
coindictionary.net                 184.82.160.118    USA
7oiesdhfgkjsg.ns01.info            54.245.105.201    USA
stinkersega.pro                    94.242.251.112    Luxembourg
meessbnb.lflinkup.net              94.242.251.119    Luxembourg
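One way to put this list to work is to run it against web-proxy logs. The script below is an added example written for this post, not FireEye tooling: it indexes the table above by hostname and by server IP, then flags log lines that hit either. Matching on the IP as well catches other hostnames parked on the same servers (several entries share 184.82.160.118), and an IP-only hit is suppressed once the post reports the host cleaned up (see UPDATE #2 below), while a listed hostname still fires regardless of where it resolves. The log format (ISO timestamp, client, method, URL, server IP) and the sample lines are constructed for the example; adapt the regex to your proxy.

```python
"""Check web-proxy log lines against the exploit-server indicators listed above."""
import re
from datetime import date
from urllib.parse import urlsplit

# Indicators transcribed from the table in this post: (hostname, IP, country).
INDICATORS = [
    ("stone.facilitesandestates.co.uk", "146.185.236.183", "Russia"),
    ("word.pipefreezekits.co.uk", "146.185.236.183", "Russia"),
    ("restoreairpowered.net", "89.248.231.122", "Russia"),
    ("life.teainturkey.com", "146.185.236.185", "Russia"),
    ("rock.tea-leaves-tea-lives.com", "146.185.236.185", "Russia"),
    ("burnt.travelagentsinkerala.com", "146.185.236.210", "Russia"),
    ("bread.kre8iveinterior.com", "146.185.236.249", "Russia"),
    ("bricks.purekashmirisaffron.com", "146.185.236.250", "Russia"),
    ("arrows.cardrivinggame.info", "37.9.55.222", "Russia"),
    ("img.elitesplusstaffing.info", "178.162.129.234", "Germany"),
    ("epafyszpyfoc.lookin.at", "91.220.35.52", "Romania"),
    ("img.figureskatingtrainingaid.com", "184.82.160.118", "USA"),
    ("img.off-iceedgetrainer.com", "184.82.160.118", "USA"),
    ("coindictionary.net", "184.82.160.118", "USA"),
    ("7oiesdhfgkjsg.ns01.info", "54.245.105.201", "USA"),
    ("stinkersega.pro", "94.242.251.112", "Luxembourg"),
    ("meessbnb.lflinkup.net", "94.242.251.119", "Luxembourg"),
]

# UPDATE #2 in the post: this IP was cleaned up on 4 September 2012, so an
# IP-only hit seen on or after that date is no longer evidence of the kit.
CLEANED_UP = {"54.245.105.201": date(2012, 9, 4)}

# Constructed log format: ISO timestamp, client IP, method, URL, server IP.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+\s+(?P<client>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<server>\S+)$"
)


def build_index(indicators):
    """Return (set of hostnames, dict of IP -> hostnames hosted there)."""
    hosts = {h.lower() for h, _, _ in indicators}
    by_ip = {}
    for h, ip, _ in indicators:
        by_ip.setdefault(ip, set()).add(h.lower())
    return hosts, by_ip


def normalize_host(url):
    """Lower-case the hostname and drop port and trailing dot so lookups are exact."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def match_line(line, hosts, by_ip):
    """Return the list of reasons a log line matches, or [] if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    seen = date.fromisoformat(m["ts"])
    host = normalize_host(m["url"])
    server = m["server"]
    reasons = []
    if host in hosts:
        reasons.append(f"hostname {host} is a listed exploit domain")
    if server in by_ip:
        cleaned = CLEANED_UP.get(server)
        if cleaned is None or seen < cleaned:
            reasons.append(f"server {server} hosts listed domains: "
                           + ", ".join(sorted(by_ip[server])))
    return reasons


# Constructed sample lines, not real traffic. 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    "2012-08-28T13:00:01Z 10.0.0.5 GET http://stone.facilitesandestates.co.uk/forum.jar 146.185.236.183",
    "2012-08-28T13:00:02Z 10.0.0.7 GET http://www.example.com/index.html 203.0.113.10",
    "2012-08-28T13:00:03Z 10.0.0.9 GET http://UNLISTED.EXAMPLE:8080/applet.jar 184.82.160.118",
    "2012-09-05T09:15:00Z 10.0.0.4 GET http://something.example/x.php 54.245.105.201",
    "2012-09-05T09:15:01Z 10.0.0.4 GET http://7oiesdhfgkjsg.ns01.info./forum.php 54.245.105.201",
]


def scan(lines=SAMPLE_LOG, indicators=INDICATORS):
    """Map each matching log line to its reasons; clean lines are omitted."""
    hosts, by_ip = build_index(indicators)
    result = {}
    for line in lines:
        reasons = match_line(line, hosts, by_ip)
        if reasons:
            result[line] = reasons
    return result


if __name__ == "__main__":
    for line, reasons in scan().items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

On the sample lines, the first entry hits on both hostname and server IP, the third hits on IP alone (an unlisted hostname served from 184.82.160.118), the fourth is ignored because the Amazon IP was already cleaned up by 5 September, and the fifth still fires because the hostname itself is on the list. Exploit kits rotate hostnames quickly, so the IP-based match is usually the longer-lived indicator.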

Here is the visual representation of these exploit servers observed at the time of writing this article.


It's very disappointing that Oracle hasn't come forward and announced a date for an emergency patch. Once again I strongly recommend that, unless you genuinely need it, you uninstall or disable the Java plug-in in your browser. A caveat for Mac and Linux users: OpenJDK, the open-source implementation of the platform that Oracle leads, shares the vulnerable code, and OpenJDK 7 builds up to and including 7u6 are affected as well, so switching to it is not a mitigation on its own; it needs its own vendor update. If removing the plug-in is not an option, then to avoid accidental visits to attacker websites a user might browse from an iOS device, which does not run the Java browser plug-in and is therefore not affected by this exploit.
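When triaging which machines still need attention, the installed runtime version is the first thing to check. The helper below is an added example for this post, not FireEye or Oracle code. It assumes two facts not stated above: CVE-2012-4681 affects Java 7 Update 6 and earlier and was fixed in Java 7 Update 7, and Java 6 runtimes are not affected by this particular flaw. It parses the banner that `java -version` prints and compares the update level numerically, because comparing the strings would rank "1.7.0_10" below "1.7.0_7". The banner strings in the test are constructed; `installed_banner()` queries the local JRE, which may be absent.

```python
"""Classify a Java runtime banner against the CVE-2012-4681 fix level (assumed: fixed in 7u7)."""
import re
import subprocess

# Assumption for this example: the flaw affects Java 7 up to update 6 and was
# fixed in Java 7 Update 7; Java 6 is not affected by CVE-2012-4681.
AFFECTED_MAJOR = 7
FIXED_UPDATE = 7

# Matches banners such as: java version "1.7.0_06"  or  java version "1.7.0"
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "1\.(?P<major>\d+)\.\d+(?:_(?P<update>\d+))?"'
)


def parse_java_version(banner):
    """Return (major, update) from a `java -version` banner, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    update = int(m["update"]) if m["update"] else 0
    return int(m["major"]), update


def is_vulnerable(banner):
    """True if the banner is a Java 7 build before 7u7; False otherwise; None if unparseable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    # Tuple comparison is numeric, so 7u10 correctly ranks above 7u7.
    return major == AFFECTED_MAJOR and (major, update) < (AFFECTED_MAJOR, FIXED_UPDATE)


def installed_banner():
    """Run the local `java -version`; the banner is printed on stderr. Returns '' if no JRE."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    banner = installed_banner()
    print(banner.strip() or "no java on PATH")
    print("vulnerable to CVE-2012-4681:", is_vulnerable(banner))
```

Note that this only tells you what the `java` on PATH is; browsers load their own plug-in binary, so also check the plug-in's reported version in the browser's add-on list and remove or disable it where it is not needed.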

Security researchers interested in detailed intelligence and malware samples can reach us by emailing us at RESEARCH @ FIREEYE.com.

We'll keep updating this article with the most up to date information.

UPDATE: On August 30, Oracle released a patch for its Java plug-in (Java 7 Update 7). Read more here.

UPDATE #2: As of September 4, the IP address 54.245.105.201, belonging to "Amazon Cloud Services", has been cleaned up and is no longer serving malicious content.