Java Bot, a cross-platform malware capable of running on Windows, Mac and Linux


Security researchers at Kaspersky have come across a cross-platform malware which is capable of running on Windows, Mac and Linux.

The malware is completely written in Java. Even the exploit used for delivering the malware is a well-known Java exploit (CVE-2013-2465), which makes the campaign completely cross-platform.

Once the bot has infected a system, it copies itself into the user's home directory and adds itself to the autostart programs list to ensure it gets executed whenever the user reboots the system.

Once the configuration is done, the malware generates a unique identifier and informs its master. The cyber criminals later communicate with this bot through the IRC protocol.

The main purpose of this bot appears to be participation in distributed denial-of-service (DDoS) attacks. The attacker can instruct the bot to attack a specific address and specify a duration for the attack.

The malware uses a few techniques to make analysis and detection more difficult. It uses the Zelix KlassMaster obfuscator, which not only obfuscates the byte code but also encrypts string constants.

All machines running Java 7 Update 21 and earlier versions are likely to be vulnerable to this attack.

Cyber criminals inject malicious Java applet into Trading FOREX site


A FOREX trading website was injected with a malicious Java applet that is designed to drop the malware file on visitors' systems.

A popular FOREX (foreign exchange market) website called "Trading Forex" (tradingforex.com) has been infected with the malware, according to a Websense report.

[Figure: Injected applet code]

The dropped backdoor from the Trading Forex website is written in Visual Basic .NET and requires Microsoft's .NET Framework to be successfully installed and operational on the victim's computer. It seems the hackers target only those who use the .NET Framework, or perhaps they only know .NET coding?!

It is not the usual Java exploit JAR. It is a simple Java applet that loads an executable file hosted on the malware site.

"Basically the Java code is just another Java loader which requires user interaction to successfully load the binary file '123.exe'. One interesting point in the screenshot above is that we can also see in the MANIFEST-INF that the Java applet has been signed with a certificate," the researcher said.

Yet Another Java vulnerability discovered, bypass the sandbox


This is bad news for Java users. The Polish security researcher Adam Gowdiak has found yet another vulnerability in Java that can completely bypass the security sandbox implemented in several versions of the program. The good news is that so far there is no exploit code circulating, yet.

According to the researcher, Java SE versions 5, 6 and 7 are affected. He gave details of the discovery in a posting to the Full Disclosure mailing list.

Using the hole, Gowdiak has been able to create a Java applet which, when running in the browser, runs with the user's privileges and can then place malicious code on the system and execute it.

"We hope that news about one billion users of Oracle Java SE software being vulnerable to yet another security flaw is not going to spoil the taste of [Oracle CEO] Larry Ellison's morning java," Gowdiak joked.

The researcher has already confidentially sent information about the hole to Java maker Oracle, along with proof-of-concept code.

CVE-2012-4681 : New zero-day Java Exploit added to Blackhole Exploit kit


As we expected, the cyber criminals have added the new zero-day Java exploit to the BlackHole exploit kit.

According to a post by Paunch, the BlackHole creator, the Java 0-day (CVE-2012-4681) has been available to BlackHole owners since yesterday evening.

"ATTENTION! Added 0day Java exploit to knock for new clothes, breaking is cool ... competitors - Tightens)))" he said (translated).

The exploited vulnerability exists in all versions of Java 7 and can be used to compromise not just Windows, but also Apple OS X and Linux systems.

As there is no patch from Oracle, the only way to protect yourself from this attack is to disable Java.

Update: The exploit has been included in other exploit kits, including the RedKit and Sakura kits.

[POC] Source code for the New 0-day Java Exploit is available


Security researchers from FireEye have reported that a new zero-day Java vulnerability is currently being exploited in the wild. Most of the recent Java runtime environments, i.e. JRE 1.7x, are vulnerable.

Initially, researchers discovered this exploit hosted on a domain named ok.XXX4.net. Currently this domain resolves to an IP address in China.

A successful exploit attempt can result in a dropper (Dropper.MsPMs) getting installed on the infected system. The dropper executable is located on the same server (http://ok.XXX4.net/meeting/hi.exe).

Dropper.MsPMs connects to the C&C domain hello.icon.pk, which currently resolves to the IP address 223.25.233.244, located in Singapore.

POC:
Metasploit researchers have developed a Metasploit module that exploits this latest vulnerability, and the source code is publicly available (http://pastie.org/4594319).

The researchers successfully exploited a fully patched Windows 7 SP1 with Java 7 Update 6. They have also tested the module against the following environments:

  • Mozilla Firefox on Ubuntu Linux 10.04
  • Internet Explorer / Mozilla Firefox / Chrome on Windows XP
  • Internet Explorer / Mozilla Firefox on Windows Vista
  • Internet Explorer / Mozilla Firefox on Windows 7
  • Safari on OS X 10.7.4

While this exploit is in the wild, it is not being widely used at this time. What is more worrisome is the potential for it to be used by other malware developers in the near future. I believe that this exploit will soon be rolled into the BlackHole exploit kit.

Java users should take this problem seriously, because there is currently no patch from Oracle. We recommend that users either unplug Java from their browser or uninstall it from their computer completely.

Nepalese Government Sites hacked and serves Zegost RAT

Nepalese government sites exploit a Java vulnerability and infect users' systems with Zegost malware

Researchers have detected that two Nepalese government websites, the National Information Technology Center (NITC) and the Office of the Prime Minister and Council of Ministers (nitc.gov.np and opmcm.gov.np respectively), have been compromised and serve Zegost (Gh0st RAT) malware.

The sites were injected with malicious code that tries to exploit the Java vulnerability CVE-2012-0507. After successful exploitation, it infects the visitor's system with Zegost.

Interestingly, the binary installed on infected machines as part of the attack is signed by a valid certificate issued by VeriSign.

"The main page was injected with a Java JAR file loader which once rendered by the Web browser is executed and attempts to exploit the CVE-2012-0507 vulnerability. The name used for the Java class name ("msf.x.Exploit.class") and the content of the file confirmed that the code was taken from the Metasploit framework," Gianluca Giuliani of Websense said in an analysis of the attack.

"If the exploit code in the JAR file has been successfully executed, the exploit shellcode downloads and runs the executable file named "tools.exe" on the impacted system (MD5: 3c7b7124f84cc4d29aa067eca6110e2f)."

Zegost is a known Remote Administration Tool (RAT) that has been used in other targeted attacks, specifically in Asia. Once on an infected machine, the backdoor used in the attack on the Nepalese sites initiates an outbound connection to a C&C server hosted on a domain in China at "who.xhhow4.com".

That same Java vulnerability was used in attacks earlier this year on Amnesty International and the Institute for National Security Studies in Israel, Websense said.