We observed that a Java security bypass zero-day vulnerability (CVE-2013-0422) has been actively exploited in the wild starting Jan. 2. We have been able to reproduce the attack in-house with the latest Java 7 update (Java 7 update 10) on Windows.
We initially wanted to hold off on posting this blog entry until we received confirmation from Oracle; however, since other researchers are starting to blog on this issue, we have decided to release our summary. We will continue our research and continue to share more information.
Some initial landing pages are actually hosted on a popular file-sharing website. Eventually the landing pages redirect to several different domains hosting exploits and malware.
The malware will download an executable file from a remote server and execute it by exploiting the vulnerability. Though the malware is designed for Windows only, we expect that the vulnerability can also be exploited across different browsers and OS platforms.
The malware payload is ransomware, commonly known as Tobfy. It retrieves a template from the Web—in this case, http://<random>.cristmastea.info/get.php—and creates a full screen window demanding payment using some kind of social engineering scheme to scare the victim. Additionally, it disables Windows Safe Mode by deleting values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot, and it terminates processes like "taskmgr.exe," "msconfig.exe," "regedit.exe," and "cmd.exe" in order to deter the victim from trying to find or disable the malware. Strings such as \\xneo\\lock\\Release\\lock.pdb and "Conteneur ActiveX" were found in memory and helped make identification easier.
One more noteworthy finding is that the URLs used to download the template and make callbacks are stored XOR encoded and must be decoded before use. However, it appears the author forgot to call the decode function in the callback thread. This means that the malware is unable to communicate with the attacker. The malware is supposed to make an HTTP request for hxxp://<random>.my-files-download.ru/status.php, but instead requests the invalid URL hxxp://<random>.my-files-download.ru/.ru`utr/qiq. What makes this error even worse for victims is that this callback thread determines whether the victim has paid the fee and is responsible for removing the ransomware from the system. It seems even paying up will do no good in this case!
We have notified Oracle about this incident. Before Oracle releases a patch, we recommend that customers disable Java in their browser.
To FireEye customers: Detection for associated zero-day exploits and malware is provided via our signature-less Virtual Execution (VX) engine, with any resulting malware callbacks blocked.
Thanks to the following FireEye security researchers for their work: Julia Wolf, Darien Kindlund, and James Bennett.