
Java: No Longer a Low Profile Exploit Target

2012-04-11


Better late than never, Apple has been releasing updates to its customized OSX build of Java, kind-of-fast on the heels of a new malware nemesis, Flashback.K. Windows users have had access to Java version 6.30 since Oracle released that operating system’s update to the ubiquitous runtime engine in February, but Mac users have been hanging in limbo, waiting for Apple to release the update. Well, not exactly waiting on the edge of their seats.

In February, I described some of my experiences investigating botnets (and the schemes which result in infections) in a webinar cohosted with Sonicwall (free registration required to view). The webinar has a “pop quiz” feature, so I preconfigured a bunch of poll-type questions to keep the audience engaged. The response to one question really floored me, though. I had asked the audience members to choose which software component of a Windows computer they thought was the most “attacked,” or targeted by malicious code.

As you can see in the screenshot above, lots of people chose the “E: All of them” answer, but that’s really just a throwaway. I was honestly shocked to see that none of the (admittedly small) number of people who completed this survey question chose Java (or, to be more specific, application/java-archive) as the MIME type most frequently abused by exploit kits. Not even a single person, and this among an audience of security professionals, at least some of whom investigate precisely these kinds of infections in the course of their duties.

Wow, just wow. Now that’s low profile. But no longer.

With all the attention the issue is getting, the updates are churning out. Apple is finally getting around to releasing patches for OSX Lion. That’s good, but is the problem tied to how Apple controls its software distribution model? If Apple had allowed the third parties who write software for the OSX platform to release their own fixes, rather than insisting on releasing only Apple-approved code, would the flood of Flashback.K infections – currently numbering just below half of the peak of 600,000 machines estimated to be infected by antivirus companies DrWeb and Symantec – have reached such a fever pitch?

It’s telling that the Mozilla foundation pushed an add-on “blacklist” for the vulnerable versions of Java earlier this month. Even on installations of Firefox where the browser is configured not to check in with Mozilla for updates, the program began alerting users about a week ago that they really should disable Java 6.29. In fact, Firefox pretty much strongarms you into disabling vulnerable Java, as does Thunderbird, if you have it installed. You know what? That’s OK with me. Even though I use NoScript, I don’t need the trouble of another vulnerable plugin hanging around in my browser.

The screenshot above illustrates how the open source tool jsunpack-n interprets the initial infection vector of a drive-by download site hosting the Blackhole Exploit Kit. The script decodes the heavily obfuscated JavaScript common to exploit kit landing pages, then retrieves any payloads and performs analysis on some of them. This example is just one of many where, as you can see in the highlighted boxes, at least two malicious Java JAR applets are pushed down to the targeted browser in the course of the initial infection process.
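The pattern jsunpack-n surfaces (an HTML landing page followed seconds later by several application/java-archive responses to the same client) is also visible in ordinary web proxy logs. The following is an added example, not code from the post or from jsunpack-n; the log format and all hosts and addresses are constructed for illustration.

```python
"""Flag drive-by style sequences in proxy logs: an HTML page followed,
within a short window, by two or more Java archive (JAR) responses to
the same client.  The log lines below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, response MIME type, URL
SAMPLE_LOG = """\
2012-04-09T10:15:01 10.0.0.5 text/html http://news.invalid/index.php
2012-04-09T10:15:03 10.0.0.5 text/javascript http://landing.invalid/js/obf.js
2012-04-09T10:15:05 10.0.0.5 application/java-archive http://landing.invalid/content/jar1.jar
2012-04-09T10:15:06 10.0.0.5 application/java-archive http://landing.invalid/content/jar2.jar
2012-04-09T10:20:00 10.0.0.7 text/html http://intranet.invalid/home
2012-04-09T11:00:00 10.0.0.9 application/java-archive http://cdn.invalid/app/viewer.jar
"""

JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
WINDOW = timedelta(seconds=30)   # landing page to applet download
MIN_JARS = 2                     # the post notes at least two applets per infection


def parse_log(text):
    """Parse the constructed format into (timestamp, client, mime, url) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, mime, url = line.split(None, 3)
            events.append((datetime.fromisoformat(ts), client, mime, url))
    return events


def find_driveby_sequences(events, window=WINDOW, min_jars=MIN_JARS):
    """Return {client: [jar urls]} for clients that fetched >= min_jars JARs
    within `window` of an HTML response.  A lone JAR download with no
    preceding HTML page (e.g. a legitimate applet host) is not flagged."""
    by_client = defaultdict(list)
    for ev in sorted(events):
        by_client[ev[1]].append(ev)
    hits = {}
    for client, evs in by_client.items():
        flagged = []
        for i, (ts, _, mime, _) in enumerate(evs):
            if not mime.startswith("text/html"):
                continue
            jars = [u for t, _, m, u in evs[i + 1:]
                    if t - ts <= window and m in JAR_TYPES]
            if len(jars) >= min_jars:
                flagged.extend(u for u in jars if u not in flagged)
        if flagged:
            hits[client] = flagged
    return hits


if __name__ == "__main__":
    for client, jars in find_driveby_sequences(parse_log(SAMPLE_LOG)).items():
        print(client, "->", ", ".join(jars))
```

Tune the window and JAR threshold to your own traffic; the point is the sequence, not any single JAR fetch.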

I tried to uninstall Java 6.24 and 6.29 installations from a Windows 7 64-bit laptop over last weekend. First, the uninstaller claimed it had lost the original installer, which rendered it unable to remove Java. When I pointed it in the right direction, it eventually self-removed, but left behind the Registry keys that list the two outdated products in Windows’ Programs and Features control panel. Removing those erroneously left-behind listings required a little hedge-trimming work in Regedit.

Java’s appeal as a vehicle to deliver malware appears to be tied to its ability to run in nearly every modern variety of computational device on the planet. Why wouldn’t a criminal want to build multiplatform malware? It’s an efficient use of development time, broadening the potential usefulness of the mal “product.” Add in the fact that not everyone treats Java updates with the seriousness they should, and it’s a perfect target platform for infecting the Macs or PCs of unsuspecting victims.
