Risk
1/18/2013
10:56 AM
50%
50%

Java Security 'Fix' Is Disguised Malware Attack

Security researchers spot malware masquerading as a Java security update. Users urged to download Java updates directly from Oracle.

Beware any Java security update that you don't download directly from Oracle's website.

That warning comes via antivirus firm Trend Micro, which has spotted a new ransomware campaign using malware that's packaged to resemble Java 7 update 11. The real update was released Sunday by Oracle as an emergency fix for two zero-day vulnerabilities in Java -- including CVE-2012-3174 -- that are being actively exploited by attackers.

The malware may be encountered when visiting websites that have been compromised with a crimeware toolkit and used to launch drive-by attacks against browsers.

The attack begins with a Web page warning that a newer version of Java is required to access site content. The site then pushes a file named "javaupdate11," which will trigger an operating system alert asking whether the user wishes to execute the file. In reality, however, the application -- named "javaupdate11.jar" -- is a malicious dropper, which if installed then downloads and executes two malicious files -- up1.exe and up2.exe -- that create a backdoor on the system that can be accessed by attackers. Next, the dropper attempts to download ransomware that locks the system and requires the user to pay a fine, supposedly to a law enforcement agency, to unlock it.

[ Java-related security announcements have raised more questions than they've answered. See Java Security Warnings: Cut Through The Confusion. ]

To be clear, this is a social-engineering attack that leads to a scam, predicated on tricking people rather than exploiting actual bugs. "Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat [are] clearly piggybacking on the Java zero-day incident and users' fears," said Trend Micro fraud analyst Paul Pajares and security engineer Rhena Inocencio in a blog post. "The use of fake software updates is an old social engineering tactic."

The attack, of course, preys on ongoing questions about the safety of using Java. "In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it?" said the researchers. If the answer is yes, they recommend only downloading Java updates directly from Oracle's Java SE Downloads page.

Don't let your Web browser install Java for you. That's because incompatibilities have been found -- for example by information security consultant Michael Hoowitz -- between the Java console and some browsers. Notably, some browsers aren't always correctly reporting whether or not Java is installed or not, or which version of Java might be running. For example, some Windows users who have Java 7 update 11 installed report that Firefox claims the plug-in isn't installed, and then offers to install Java 7 update 10, which is vulnerable to the recently disclosed zero-day attacks.

Will those seeming incompatibilities between the Java console and browsers require a fix from Oracle, browser developers, operating system makers or some combination thereof? An Oracle spokeswoman didn't immediately respond to an emailed request for comment on that question, or questions about whether Oracle might address widespread Java security confusion by reconfiguring Java to offer automatic updates, and creating a website to allow people to verify if their system is running Java.

But in light of the seeming incompatibilities between the Java console and browsers, Java users would appear to be due another update, stat. Furthermore, Oracle has unfinished patching business, since its fix for the two zero-day vulnerabilities only patched one outright. For the other, Oracle altered the default Java security settings from "medium" to "high," which means that any website that calls the Java browser plug-in will trigger a security warning asking users if they want the Java browser plug-in to run, noting that the site they're visiting may be attempting to compromise their security or run malware.

Meanwhile, a new zero-day Java vulnerability was reportedly being offered for sale just 24 hours after Oracle released its update on Sunday. Will a new attack campaign that uses malware to exploit the supposed zero-day vulnerability be far behind?

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3407
Published: 2014-11-27
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888.

CVE-2014-4829
Published: 2014-11-27
Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allows remote attackers to hijack the authentication of arbitrary users for requests tha...

CVE-2014-4831
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors.

CVE-2014-4832
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to obtain sensitive cookie information by sniffing the network during an HTTP session.

CVE-2014-4883
Published: 2014-11-27
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?