Risk
1/18/2013
10:56 AM

Java Security 'Fix' Is Disguised Malware Attack

Security researchers spot malware masquerading as a Java security update. Users urged to download Java updates directly from Oracle.

Beware any Java security update that you don't download directly from Oracle's website.

That warning comes via antivirus firm Trend Micro, which has spotted a new ransomware campaign using malware that's packaged to resemble Java 7 update 11. The real update was released Sunday by Oracle as an emergency fix for two zero-day vulnerabilities in Java -- including CVE-2012-3174 -- that are being actively exploited by attackers.

The malware may be encountered when visiting websites that have been compromised with a crimeware toolkit and used to launch drive-by attacks against browsers.

The attack begins with a Web page warning that a newer version of Java is required to access site content. The site then pushes a file named "javaupdate11," which triggers an operating system alert asking whether the user wishes to execute the file. In reality, the application -- named "javaupdate11.jar" -- is a malicious dropper that, if installed, downloads and executes two malicious files -- up1.exe and up2.exe -- that create a backdoor on the system that attackers can access. Next, the dropper attempts to download ransomware that locks the system and demands that the user pay a fine, supposedly to a law enforcement agency, to unlock it.
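For defenders, the two-stage sequence described above can be hunted in web proxy logs. The following is an added example, not code from Trend Micro or the original article: it flags clients that fetched the fake update from a non-Oracle host and then pulled up1.exe or up2.exe. The log format, sample lines, host names and the trusted-domain list are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# File names reported in the article; matched on the URL's last path segment.
LURE_NAMES = {"javaupdate11", "javaupdate11.jar"}
PAYLOAD_NAMES = {"up1.exe", "up2.exe"}
# Assumption: only Oracle-owned hosts are acceptable sources for a Java update.
TRUSTED_DOMAINS = ("oracle.com",)

# Constructed sample, assumed format: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2013-01-17T09:12:04 10.0.0.21 GET http://news.example.test/dl/javaupdate11.jar
2013-01-17T09:12:30 10.0.0.21 GET http://cdn.example.test/a/up1.exe
2013-01-17T09:12:31 10.0.0.21 GET http://cdn.example.test/a/up2.exe
2013-01-17T09:20:10 10.0.0.35 GET http://download.oracle.com/constructed/javaupdate11
2013-01-17T09:25:44 10.0.0.40 GET http://files.example.test/tools/up1.exe
2013-01-17T09:31:02 10.0.0.50 GET http://blog.example.test/javaupdate11
"""

def is_trusted(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(log_text):
    lure_host = {}                 # client -> host that served the lure
    payloads = defaultdict(set)    # client -> payload names fetched afterwards
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines
        _ts, client, _method, url = parts
        target = urlsplit(url)
        name = target.path.rsplit("/", 1)[-1].lower()
        if name in LURE_NAMES and not is_trusted(target.hostname):
            lure_host.setdefault(client, target.hostname)
        elif name in PAYLOAD_NAMES and client in lure_host:
            # The payload names are generic, so count them only after a lure.
            payloads[client].add(name)
    return {
        client: {
            "lure_host": host,
            "payloads": sorted(payloads[client]),
            # A payload fetch after the lure suggests the dropper executed.
            "severity": "high" if payloads[client] else "medium",
        }
        for client, host in lure_host.items()
    }
```

Clients rated "high" retrieved both stages and warrant host-level investigation; "medium" means the lure was downloaded but no follow-on fetch was logged.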


To be clear, this is a social-engineering attack that leads to a scam, predicated on tricking people rather than exploiting actual bugs. "Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat [are] clearly piggybacking on the Java zero-day incident and users' fears," said Trend Micro fraud analyst Paul Pajares and security engineer Rhena Inocencio in a blog post. "The use of fake software updates is an old social engineering tactic."

The attack, of course, preys on ongoing questions about the safety of using Java. "In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it?" said the researchers. If the answer is yes, they recommend only downloading Java updates directly from Oracle's Java SE Downloads page.

Don't let your Web browser install Java for you. That's because incompatibilities have been found -- for example by information security consultant Michael Horowitz -- between the Java console and some browsers. Notably, some browsers don't always correctly report whether Java is installed, or which version of Java might be running. For example, some Windows users who have Java 7 update 11 installed report that Firefox claims the plug-in isn't installed, and then offers to install Java 7 update 10, which is vulnerable to the recently disclosed zero-day attacks.

Will those seeming incompatibilities between the Java console and browsers require a fix from Oracle, browser developers, operating system makers or some combination thereof? An Oracle spokeswoman didn't immediately respond to an emailed request for comment on that question, or questions about whether Oracle might address widespread Java security confusion by reconfiguring Java to offer automatic updates, and creating a website to allow people to verify if their system is running Java.

But in light of the seeming incompatibilities between the Java console and browsers, Java users would appear to be due another update, stat. Furthermore, Oracle has unfinished patching business, since its fix for the two zero-day vulnerabilities only patched one outright. For the other, Oracle altered the default Java security settings from "medium" to "high," which means that any website that calls the Java browser plug-in will trigger a security warning asking users if they want the Java browser plug-in to run, noting that the site they're visiting may be attempting to compromise their security or run malware.

Meanwhile, a new zero-day Java vulnerability was reportedly being offered for sale just 24 hours after Oracle released its update on Sunday. Will a new attack campaign that uses malware to exploit the supposed zero-day vulnerability be far behind?
