Friday, January 13, 2006
Old Java Bug exploited from Ukraine
It's nothing new to see pages that use two or more browser vulnerabilities to infect innocent browsers. In fact Michael Ligh wrote about one of the first in Tri-mode browser exploits and followed up with Red-Headed Browsers. One of my recent blog entries talks about an exploit hosted in the Ukraine that uses Java to download and execute malware.
I wanted to provide a little more detail for those looking for information on this particular malware. This site uses 4 unique exploits. The most interesting part is the Sun JRE vulnerability. This exploits a vulnerability in the Sun JRE published in June 2004.
I have confirmed that this exploit works on all versions of the JRE prior to 1.4.2_06 and 1.5.0_2. The best part about this exploit is that it doesn't discriminate against browsers or operating systems. Think you can't get spyware because you run Linux, Mac OS X or Firefox? Guess again.
Also keep in mind, this vulnerability is 18 months old and there are a lot of people still vulnerable. Everybody is worried about patching Windows and IE and they forget about Java, Quicktime, Flash and the other cross-browser/OS applications that are just as dangerous.
I have some sample exploits for your own testing with links below. Be forewarned that by visiting those URLs you are downloading an arbitrary executable that I claim is harmless but could be anything.
- Windows - downloads and executes a copy of calc.exe
- Linux - coming soon
- Mac OS X - coming soon
- Solaris - coming soon
Here is more information on the specific exploits and malware distributed by fullchain.net:
Exploit #1 - Sun Java Plugin Arbitrary Package Access Vulnerability
Uses:
- index.php
  - sets up the Java exploit with the required JavaScript and calls the classes
  - has error handling to redirect you to the MS Java exploit if this fails
- Anima.class
  - main applet class for the exploit
  - downloads class omfg
  - Anima literally means spirit, soul, or breath of life.
  - View the JAD disassembled version here
- omfg.class
  - downloads "http://fullchain.net/psg/psj.exe"
  - executes psg.exe using the "Runtime.getRuntime().exec()" method
  - omfg literally means "oh my freaking god"
  - View the JAD disassembled version here
- psj.exe
  - md5sum - 453ebbe8de81bc687180231dc5612ece
  - same as web.exe used by the ByteVerify bug in exploit #3
  - McAfee detects it as "Generic Downloader.ab"
  - Symantec detects it as "Trojan.Desktophijack"
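As an added example that is not from the original post, here is a small Python check a defender could run over web-proxy logs to spot the download chain described above: an applet .class or .jar fetched from a host, followed shortly by an .exe from the same host. The log format, host names and client addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the original post); host names are
# placeholders.  Client 10.0.0.5 reproduces the chain described above:
# index.php -> applet classes -> an .exe pulled from the same host seconds later.
SAMPLE_LOG = """\
2006-01-13T10:00:01 10.0.0.5 GET http://dropper.example.invalid/psg/index.php 200 text/html
2006-01-13T10:00:02 10.0.0.5 GET http://dropper.example.invalid/psg/Anima.class 200 application/octet-stream
2006-01-13T10:00:03 10.0.0.5 GET http://dropper.example.invalid/psg/omfg.class 200 application/octet-stream
2006-01-13T10:00:04 10.0.0.5 GET http://dropper.example.invalid/psg/psj.exe 200 application/octet-stream
2006-01-13T10:05:00 10.0.0.9 GET http://downloads.example.invalid/tools/setup.exe 200 application/octet-stream
2006-01-13T10:06:00 10.0.0.7 GET http://intranet.example.invalid/app/Counter.class 200 application/octet-stream
2006-01-13T10:30:00 10.0.0.7 GET http://intranet.example.invalid/app/update.exe 200 application/octet-stream
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
URL_RE = re.compile(r"^https?://([^/]+)(/[^?#]*)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, _method, url, status, _ctype = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    host, path = u.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": host.lower(), "path": path.lower(), "status": int(status)}


def find_applet_dropper_chains(log_text, window_seconds=120):
    """Return (client, host, exe_path) for every client that fetched a .class
    or .jar from a host and then an .exe from the same host within the window."""
    class_fetches = defaultdict(list)  # (client, host) -> applet fetch times
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        key = (rec["client"], rec["host"])
        if rec["path"].endswith((".class", ".jar")):
            class_fetches[key].append(rec["ts"])
        elif rec["path"].endswith(".exe"):
            # Only applet fetches already seen count, so ordering is enforced.
            if any((rec["ts"] - t).total_seconds() <= window_seconds
                   for t in class_fetches.get(key, [])):
                hits.append((rec["client"], rec["host"], rec["path"]))
    return hits
```

With the default two-minute window only the 10.0.0.5 chain is reported; the intranet client that fetched an .exe 24 minutes after a .class is not, which is the trade-off the window controls.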
Exploit #2 - MS05-002 Cursor parsing vulnerability
Uses:
- index.php
  - includes the ANI parsing setup code
- indexit.php
  - also contains the ANI parsing setup code
- psg.anr
  - current ANI exploit used by the site
- full.anr
  - no longer posted, but a past ANI exploit used by the site
Exploit #3 - MS03-011 MS JVM vulnerability
Uses:
- indexit.php
  - contains a call specifically to the MS JVM to execute jar.jar, in case both the Sun and MS JVMs are installed on the system
- jar.jar
  - Counter.class
  - Gummy.class
  - VerifierBug.class
  - web.exe
  - Worker.class
  - Xeyond.class
- web.exe
  - md5sum - 453ebbe8de81bc687180231dc5612ece
  - same as web.exe used by the Sun bug in exploit #1
Exploit #4 - MS04-013 MHTML vulnerability
Uses:
- main.chm