Tuesday, August 28, 2012

Java exploits lurking around

Update - 31/08/2012
Oracle has issued a patch for the exploit. You can download the patch from:

Oracle has also issued an alert concerning this exploit.
---End update


I'm sure everyone has heard about the latest Java exploits lurking around.


I received the following mail recently:


Mail from ADP, which seems to be a payroll/HR outsourcing firm


Example mails:
#1
ADP Funding Notification - Debit Draft

Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services



#2

ADP Generated Message: Final Notice - Digital Certificate Expiration

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.

---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.

Days left before expiration: 1
Expiration date: Aug 27 23:59:59 GMT-03:59 2012

--------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp

2. Follow the instructions on the screen.

3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.

---------------------------------------------------------------------
Deleting Your Old Digital Certificate
---------------------------------------------------------------------
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.


When clicking on one of the links in the mail, you get redirected to a compromised webpage, which will load the exploit on your system. The exploit kit responsible is Blackhole.

The exploit in question:
CVE-2012-4681


The following file was downloaded:

Pre.jar
Result: 13/42
MD5: 08fd3413aef2012f2b078fa07855e398
VirusTotal Report



Related files:

adb92c406847e55d699d22ccd36e5e25ff32
Result: 2/42
MD5: b97a943420c13a51af37acbfbcd11d48
VirusTotal Report


js.js
Result: 1/42
MD5: f11a182170557829c150617613cfbb6c
VirusTotal Report


I didn't investigate further at the point when I got the mails, but normally a file called updateflashplayer.exe would have been downloaded as well. At time of writing, it is already offline.


Files were hosted on the IP: 209.59.222.146 - IPVoid result
& 209.59.222.174 - IPVoid result



Google Safe Browsing Diagnostic page


The same reported exploit, but different Jar files and droppers:

applet.jar
Result: 25/42
MD5: 4af58300ee5cd6d61a3eb229afe0da9f
VirusTotal Report


hi.exe
Result: 36/42
MD5: 4a55bf1448262bf71707eef7fc168f7d
VirusTotal Report
Anubis Report


mspmsnsv.dll
Result: 24/42
MD5: 2f8ac36b4038b5fd7efad8f1206c01e2
VirusTotal Report


The malware tries to phone home to:
223.25.233.244 - IPVoid result




Prevention

Disable Java in your browser(s) or uninstall if you have no use for it. Brian Krebs has made a nice post on how to disable Java on several platforms & browsers:
How to Unplug Java from the Browser

Specifically for this exploit, you can block the following IP ranges in your Firewall or hostfile:
(or at least block the ones mentioned in this post)
223.25.233.0 --> 223.25.233.255
209.59.222.0 --> 209.59.222.255

There's an excellent post over at DeepEnd Research as well, which includes a workaround and patch (you will need to request this):
Java 7 0-Day vulnerability information and mitigation



Conclusion

Patch your third-party applications. In cases of Java and Adobe, remove them if unneeded.

To test whether your version of Java is out of date and vulnerable you can use:
Zscaler Java test
Is your Java exploitable?
What Version of Java Are You Using?

Use an antivirus which has or uses behavioural technologies and/or exploit prevention.

Delete emails from unknown senders, never click on links in a mail you allegedly get from your bank, from UPS, or in this case ADP. If you happen to have placed an order or a bank transfer of any kind; go to the website directly in your browser, by typing it in manually.

Note that the links to ADP in this post are not malicious, however the URL behind them was. You can verify this by 'hovering' over the URL to check what is really behind.

Use the add-on NoScript (Firefox) or NotScripts (Chrome) to prevent automatic loading of malicious Javascripts.

Download the latest Java updates from here.

2 comments:

  1. I also get a message with the warning that my digital certificate is expired and now I know what to do. I'll share this information with my colleagues

    ReplyDelete
  2. Thanks for posting a good contribution.I was very encouraged to find this site. Thanks, Hanes Marry

    ReplyDelete