Java 0day Mass Exploit Distribution

Just a quick note, it’s only the second week of January, but early 2013 brings with it the first Java 0day mass exploit distribution of the year.

There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites. A few obfuscated files are being delivered to victim systems with names like Stretch.jar, Edit.jar, UTTER-OFFEND.JAR, and more. The first appearance of the exploit’s prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time. At this point, it seems that the first instance of the particular 0day jar file contents ITW is 7550ce423b2981ad5d3aaa5691832aa6. Filenames for the class files remain the same until recently. It would be interesting to see an earlier instance.

Follow me on Twitter

As for Kaspersky users, our automatic exploit prevention (AEP) is generically preventing the 0day. Surprisingly, while there doesn’t appear to be a high level of server-side polymorphic obfuscation in the class files themselves, the hosted exploit files are being updated and changing since yesterday. Instead, the Blackhole developers and operators put a lot of effort behind shifting domain names.

Update (2012.01.10 3:30 p.m. MT) – Metasploit developers have added an exploit module targeting this vulnerability CVE-2013-0422.
Well, the cat is out of the bag. Not only was the 0day circulating in the more prevalent exploit kits like Blackhole, Nuclear, and Red Kit, but now everyone is armed with the metaploit version. On that note, here is a bit more data…The filenames of the exploit as it was originally released and subsequently prevented by our AEP on December 17th (Moscow time) included ewjvaiwebvhtuai124a.class, hw.class, and test.class. This is interesting because previous Java exploits in Blackhole simply distributed mac.class, hw.class and test.class in their jar archives. So it was a simple switch, perhaps intended to fly under the radar. Perhaps it is interesting that the first known victim system executing the exploit retrieved the malcode with a Firefox browser, demonstrating the robustness of Java exploits. Also, in December 2012, the 0day was used to distributed TDSS and ZeroAccess malware.

Here is a chart of our Java 0day detections from late December through early Jan 2013. Notice the spike on January 9th. It’s great to see our technology working effectively:

For those of you that want to see detections on virustotal before you believe “AV” prevents a threat, you may also see HEUR:Exploit.Java.CVE-2013-0422.gen, Exploit.Java.Agent.ic,,, Exploit.Java.Agent.if and others for file scanning purposes. An updated heat map of the HEUR:Exploit.Java.CVE-2013-0422.gen detections shows a more widespread distribution of the exploit in the thousands, the time range here is January 6th – January 11th:

One of the best statements that I have seen in regards to the fairly impractical “just uninstall it” approach was presented by one of the handlers at the ISC Storm Center in today’s issue of SANS NewsBites: “Editor’s Note ([Mat] Honan): It seems each time a zero day exploit is found in software, be that Java or otherwise, the industry pundits recommend that people stop using that software. New vulnerabilities will always be discovered in the software we use. If our best defence to a threat is to cause a denial-of-service on ourselves then this in the long term is a no-win strategy for us as an industry. We need to look at better ways to defend our systems and data, one good place to start is the 20 Critical Security Controls. Cheers to that.

Java 0day Mass Exploit Distribution

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox