New Java Attack in Exploit Kit

Wednesday, November 14, 2012 @ 07:11 PM gHale


A new exploit is in the Cool Exploit Kit for a vulnerability in Java 7 Update 7 as well as older versions. The catch is Oracle patched that flaw in Java 7 Update 9.
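Because the affected and fixed versions are the only hard facts on this page, the practical defensive check is an inventory pass for Java 7 installs below Update 9. The following is an added example, not code from the article or from any tool it mentions: it parses either a bare version string or the first line of `java -version` output and flags Java 7 builds older than Update 9 as affected by CVE-2012-5076. The host names and banners are constructed, and treating only Java 7 as in scope is an assumption, since the article names no other major version.

```python
import re
from typing import List, Optional, Tuple

# CVE-2012-5076 per the article: exploitable on Java 7 Update 7 and earlier,
# fixed in Java 7 Update 9.
AFFECTED_MAJOR = 7
FIXED_UPDATE = 9

# Matches "1.7.0_07", "1.7.0_09-b05", "7.0_07" and the quoted banner form
# 'java version "1.7.0_07"'. The legacy "1." prefix is optional.
_VERSION_RE = re.compile(
    r'(?:1\.)?(?P<major>\d+)\.(?P<minor>\d+)(?:[._](?P<update>\d+))?'
)


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) parsed from a version string or `java -version` line.

    A missing update number is treated as update 0 (the GA release).
    Returns None when no Java version can be found in the text.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major = int(match.group("major"))
    update = int(match.group("update") or 0)
    return major, update


def affected_by_cve_2012_5076(text: str) -> Optional[bool]:
    """True if the version is a Java 7 build below Update 9, False if patched.

    Returns None for unparseable input or for majors the article does not
    cover (assumption: only Java 7 is in scope here).
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    if major != AFFECTED_MAJOR:
        return None
    return update < FIXED_UPDATE


# Constructed sample inventory: (hostname, first line of `java -version`).
SAMPLE_INVENTORY = [
    ("ws-01", 'java version "1.7.0_07"'),   # affected
    ("ws-02", 'java version "1.7.0_09"'),   # patched
    ("ws-03", 'java version "1.6.0_37"'),   # out of scope for this CVE check
    ("ws-04", 'java version "1.7.0_05"'),   # affected
    ("ws-05", "no java installed"),         # unparseable, skipped
]


def hosts_needing_patch(inventory) -> List[str]:
    """Return hostnames whose Java banner is flagged as affected."""
    return [host for host, banner in inventory if affected_by_cve_2012_5076(banner)]


if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: Java 7 below Update 9, patch to 7u9 or later")
```

Feed it the first line of `java -version` collected from each host; anything it returns is a machine the exploit kit described here could reach, and anything returning None deserves a manual look rather than being assumed safe.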

Cool Exploit Kit came to light last month and is largely responsible for dropping the Reveton ransomware. Researcher Juan Vazquez released a new Metasploit module for the flaw this week, developer Eric Romang said.

Romang, a frequent Metasploit contributor, said the exploit may have been out there for a long time, but researchers are just now putting it into an exploit kit.

A researcher who goes by the handle Kafeine and runs the Malware don’t need Coffee site found the exploit by accident in Cool late last week while looking for something else. The new Java exploit, a sandbox escape, targets vulnerability CVE-2012-5076 repaired in Oracle’s October 2012 Critical Patch Update. Attackers can run arbitrary code on compromised machines, Romang said.

The vulnerability is in the Java Deployment subcomponent, according to the Open Source Vulnerability Database.

Reveton ransomware surfaced in August, appearing as a phony message from the FBI. Users end up infected via drive-by downloads on sites hosting the malware. The malware locks a user’s computer and displays a message claiming the computer’s IP address has been linked to child pornography.

The written English on the warning is poor, a tip-off that it is a scam. Regardless, the computer remains locked until a “fine” or ransom is paid. Officials said some victims pay the ransom, but their computers remain locked until they remove the malware themselves.

Reveton has links to the Citadel banking and botnet malware. Citadel is responsible for millions in fraudulent losses; its authors update it frequently. They also run it on an open source development model.

Citadel is sold as a service and also runs its own customer relationship management system and support teams, and hosts discussion forums for its customers. It was recently updated with a dynamic configuration feature that lets its operators push injections into compromised browser sessions on the fly.
