A few days ago I talked about the existence of a new Java zero-day flaw (CVE-2012-4681). Soon after the publication of my blog, the white-hats kicked in and there was Proof Of Concept (POC) code ready overnight. At this point, a major outbreak was inevitable. We soon came to know that the mastermind behind the Blackhole exploit kit has plans to add this zero-day to his package. This morning we started getting the first indication of a large scale attack. So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly. After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands.
Almost all of the domains are hosting multiple exploits. If nothing else works, the new Java zero-day kicks in and all of a sudden the machine is compromised.
Here is the list of active domains that we have seen so far. The Proof Of Concept (POC) is already public so I am not trying to hide these domains.
| Domains | Current IPs | Current Location |
|---|---|---|
| stone.facilitesandestates.co.uk | 184.108.40.206, 220.127.116.11 | Russia |
| word.pipefreezekits.co.uk | 18.104.22.168, 22.214.171.124 | Russia |
| restoreairpowered.net | 126.96.36.199, 188.8.131.52 | Russia |
| life.teainturkey.com | 184.108.40.206, 220.127.116.11 | Russia |
| rock.tea-leaves-tea-lives.com | 18.104.22.168, 22.214.171.124 | Russia |
| burnt.travelagentsinkerala.com | 126.96.36.199, 188.8.131.52 | Russia |
| bread.kre8iveinterior.com | 184.108.40.206, 220.127.116.11 | Russia |
| bricks.purekashmirisaffron.com | 18.104.22.168, 22.214.171.124 | Russia |
| arrows.cardrivinggame.info | 126.96.36.199, 188.8.131.52 | Russia |
| img.elitesplusstaffing.info | 184.108.40.206, 220.127.116.11 | Germany |
| epafyszpyfoc.lookin.at | 18.104.22.168, 22.214.171.124 | Romania |
| img.figureskatingtrainingaid.com | 126.96.36.199, 188.8.131.52 | USA |
| img.off-iceedgetrainer.com | 184.108.40.206, 220.127.116.11 | USA |
| coindictionary.net | 18.104.22.168, 22.214.171.124 | USA |
| 7oiesdhfgkjsg.ns01.info | 126.96.36.199, 188.8.131.52 | USA |
| stinkersega.pro | 184.108.40.206, 220.127.116.11 | Luxembourg |
| meessbnb.lflinkup.net | 18.104.22.168, 22.214.171.124 | Luxembourg |
Here is the visual representation of these exploit servers observed at the time of writing this article.
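For defenders who want to sweep their own proxy logs for contact with the hosts in the table above, here is an added example (not FireEye's code, and not part of the original post) that matches log lines against that hostname list. The log format and the log lines are constructed for illustration; only the hostnames come from the table. Note that the listed entries are specific hosts, several of them subdomains of otherwise unrelated sites, so the matcher treats a request as a hit when its host equals a listed name or sits below it, and deliberately does not flag the parent domain of a listed subdomain.

```python
"""Sweep a simplified proxy access log for the exploit-server hostnames
published in the post above. Added example; the log format and sample
lines are constructed, the hostnames are the ones from the table."""
from urllib.parse import urlsplit

# Hostnames from the table above (page data).
EXPLOIT_HOSTS = {
    "stone.facilitesandestates.co.uk",
    "word.pipefreezekits.co.uk",
    "restoreairpowered.net",
    "life.teainturkey.com",
    "rock.tea-leaves-tea-lives.com",
    "burnt.travelagentsinkerala.com",
    "bread.kre8iveinterior.com",
    "bricks.purekashmirisaffron.com",
    "arrows.cardrivinggame.info",
    "img.elitesplusstaffing.info",
    "epafyszpyfoc.lookin.at",
    "img.figureskatingtrainingaid.com",
    "img.off-iceedgetrainer.com",
    "coindictionary.net",
    "7oiesdhfgkjsg.ns01.info",
    "stinkersega.pro",
    "meessbnb.lflinkup.net",
}

# Constructed sample log (not real traffic). Fields, space separated:
# timestamp client-ip method url status
SAMPLE_LOG = """\
1346255000.123 10.0.0.15 GET http://stone.facilitesandestates.co.uk/forum/index.php 200
1346255001.456 10.0.0.15 GET http://www.example.com/page.html 200
1346255002.789 10.0.0.22 GET http://cdn.img.elitesplusstaffing.info/x.jar 200
1346255003.000 10.0.0.31 GET http://facilitesandestates.co.uk/ 200
1346255004.111 10.0.0.31 CONNECT coindictionary.net:443 200
"""


def host_of(url):
    """Return the lower-cased host from an absolute URL or a CONNECT host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()  # CONNECT form: host:port


def matches_ioc(host, iocs=EXPLOIT_HOSTS):
    """Return the listed hostname that `host` equals or is a subdomain of,
    or None. Walks from the full host up through its parent names, so
    'cdn.img.example.info' hits a listed 'img.example.info', while the
    bare parent 'example.info' of a listed subdomain is not a hit."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_log(text, iocs=EXPLOIT_HOSTS):
    """Return one record per log line whose request host matches an IoC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than guess
        _ts, client, _method, url, _status = parts[:5]
        host = host_of(url)
        ioc = matches_ioc(host, iocs)
        if ioc:
            hits.append({"client": client, "host": host, "ioc": ioc, "url": url})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']} (matched {hit['ioc']}): {hit['url']}")
```

Run against the constructed log, three of the five lines are reported: the direct request to a listed host, the request to a deeper subdomain of a listed host, and the CONNECT to a listed host over port 443; the request to the parent domain of a listed subdomain is left alone. Swap `SAMPLE_LOG` for your own access log (adjusting the field split if your format differs) to reuse the matcher.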
It's very disappointing that Oracle hasn't come forward and announced a date for an emergency update patch. Once again I strongly recommend if it is not critical, uninstall the JRE plug-in from your browser. Users of Mac and Linux might choose OpenJDK, an open source implementation of the JRE provided by Oracle. If uninstallation is not an option then in order to avoid accidental visits to attacker websites, a user might choose to use iOS devices that are not affected by this exploit.
Security researchers interested in detailed intelligence and malware samples can reach us by emailing us at RESEARCH @ FIREEYE.com.
We'll keep updating this article with the most up to date information.
UPDATE: On August 30, Oracle released a patch for its Java plugin. Read more here.
UPDATE #2: As of September 4, the IP address 126.96.36.199 belonging to "Amazon Cloud Services" has been cleaned up and is no longer serving malicious content.