Security Researchers from FireEye have reported that a new Zero-day Java vulnerability is currently being exploited in a wild. The most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable.
Initially , Researchers discovered that this exploit hosted on named ok.XXX4.net. Currently this domain is resolving to an IP address in China.
A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on infected systems. The dropper executable is located on the same server.(http://ok.XXX4.net/meeting/hi.exe)
The Dropper.MsPMs connects to C&C domain hello.icon.pk which is currently resolving to an IP address 18.104.22.168 located in Singapore.
Metasploit researchers has developed a metasploit module that exploit this latest vulnerability and the source code is available in public(http://pastie.org/4594319).
Researchers successfully exploit a fully patched Windows 7 SP1 with Java 7 Update 6.They have also tested the module against the following environments:
- Mozilla Firefox on Ubuntu Linux 10.04
- Internet Explorer / Mozilla Firefox / Chrome on Windows XP
- Internet Explorer / Mozilla Firefox on Windows Vista
- Internet Explorer / Mozilla Firefox on Windows 7
- Safar on OS X 10.7.4
While this is in the wild, this is not being widely used at this time. What is more worrisome is the potential for this to be used by other malware developers in the near future. I believe that this exploit will soon be rolled into the BlackHole exploit kit.
Java users should take this problem seriously, because there is currently no patch from Oracle. We recommend users to either unplug Java from your browser or uninstall it from your computer completely.