Update - 31/08/2012
Oracle has issued a patch for the exploit. You can download the patch from:
Oracle has also issued an alert concerning this exploit.
---End update
I'm sure everyone has heard about the latest Java exploits lurking around.
I received the following mail recently:
Mail from ADP, which seems to be a payroll/HR outsourcing firm
Example mails:
#1
ADP Funding Notification - Debit DraftYour Transaction Report(s) have been uploaded to the web site:
https://www.flexdirect.adp.com/client/login.aspx
Please note that your bank account will be debited within one banking
business day for the amount(s) shown on the report(s).
Please do not respond or reply to this automated e-mail. If you have any
questions or comments, please Contact your ADP Benefits Specialist.
Thank You,
ADP Benefit Services
#2
ADP Generated Message: Final Notice - Digital Certificate Expiration
This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. If you have any questions, please contact your administrator for assistance.
---------------------------------------------------------------------
Digital Certificate About to Expire
---------------------------------------------------------------------
The digital certificate you use to access ADP's Internet services is about to expire. If you do not renew your certificate by the expiration date below, you will not be able to access ADP's Internet services.
Days left before expiration: 1
Expiration date: Aug 27 23:59:59 GMT-03:59 2012
--------------------------------------------------------------------
Renewing Your Digital Certificate
---------------------------------------------------------------------
1. Go to this URL: https://netsecure.adp.com/pages/cert/register2.jsp
2. Follow the instructions on the screen.
3. Also you can download new digital certificate at https://netsecure.adp.com/pages/cert/pickUpCert.faces.
---------------------------------------------------------------------
Deleting Your Old Digital Certificate
---------------------------------------------------------------------
After you renew your digital certificate, be sure to delete the old certificate. Follow the instructions at the end of the renewal process.
When clicking on one of the links in the mail, you get redirected to a compromised webpage, which will load the exploit on your system. The exploit kit responsible is Blackhole.
The exploit in question:
CVE-2012-4681
The following file was downloaded:
Pre.jar
Result: 13/42
MD5: 08fd3413aef2012f2b078fa07855e398
VirusTotal Report
Related files:
adb92c406847e55d699d22ccd36e5e25ff32
Result: 2/42
MD5: b97a943420c13a51af37acbfbcd11d48
VirusTotal Report
js.js
Result: 1/42
MD5: f11a182170557829c150617613cfbb6c
VirusTotal Report
I didn't investigate further at the point when I got the mails, but normally a file called updateflashplayer.exe would have been downloaded as well. At time of writing, it is already offline.
Files were hosted on the IP: 209.59.222.146 - IPVoid result
& 209.59.222.174 - IPVoid result
Google Safe Browsing Diagnostic page
The same reported exploit, but different Jar files and droppers:
applet.jar
Result: 25/42
MD5: 4af58300ee5cd6d61a3eb229afe0da9f
VirusTotal Report
hi.exe
Result: 36/42
MD5: 4a55bf1448262bf71707eef7fc168f7d
VirusTotal Report
Anubis Report
mspmsnsv.dll
Result: 24/42
MD5: 2f8ac36b4038b5fd7efad8f1206c01e2
VirusTotal Report
The malware tries to phone home to:
223.25.233.244 - IPVoid result
Prevention
Disable Java in your browser(s) or uninstall if you have no use for it. Brian Krebs has made a nice post on how to disable Java on several platforms & browsers:
How to Unplug Java from the Browser
Specifically for this exploit, you can block the following IP ranges in your Firewall or hostfile:
(or at least block the ones mentioned in this post)
223.25.233.0 --> 223.25.233.255
209.59.222.0 --> 209.59.222.255
There's an excellent post over at DeepEnd Research as well, which includes a workaround and patch (you will need to request this):
Java 7 0-Day vulnerability information and mitigation
Conclusion
Patch your third-party applications. In cases of Java and Adobe, remove them if unneeded.
To test whether your version of Java is out of date and vulnerable you can use:
Zscaler Java test
Is your Java exploitable?
What Version of Java Are You Using?
Use an antivirus which has or uses behavioural technologies and/or exploit prevention.
Delete emails from unknown senders, never click on links in a mail you allegedly get from your bank, from UPS, or in this case ADP. If you happen to have placed an order or a bank transfer of any kind; go to the website directly in your browser, by typing it in manually.
Note that the links to ADP in this post are not malicious, however the URL behind them was. You can verify this by 'hovering' over the URL to check what is really behind.
Use the add-on NoScript (Firefox) or NotScripts (Chrome) to prevent automatic loading of malicious Javascripts.
Download the latest Java updates from here.
.JPG)
0 comments:
Post a Comment