Risk
1/18/2013
10:56 AM
50%
50%

Java Security 'Fix' Is Disguised Malware Attack

Security researchers spot malware masquerading as a Java security update. Users urged to download Java updates directly from Oracle.

Beware any Java security update that you don't download directly from Oracle's website.

That warning comes via antivirus firm Trend Micro, which has spotted a new ransomware campaign using malware that's packaged to resemble Java 7 update 11. The real update was released Sunday by Oracle as an emergency fix for two zero-day vulnerabilities in Java -- including CVE-2012-3174 -- that are being actively exploited by attackers.

The malware may be encountered when visiting websites that have been compromised with a crimeware toolkit and used to launch drive-by attacks against browsers.

The attack begins with a Web page warning that a newer version of Java is required to access site content. The site then pushes a file named "javaupdate11," which will trigger an operating system alert asking whether the user wishes to execute the file. In reality, however, the application -- named "javaupdate11.jar" -- is a malicious dropper, which if installed then downloads and executes two malicious files -- up1.exe and up2.exe -- that create a backdoor on the system that can be accessed by attackers. Next, the dropper attempts to download ransomware that locks the system and requires the user to pay a fine, supposedly to a law enforcement agency, to unlock it.

[ Java-related security announcements have raised more questions than they've answered. See Java Security Warnings: Cut Through The Confusion. ]

To be clear, this is a social-engineering attack that leads to a scam, predicated on tricking people rather than exploiting actual bugs. "Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat [are] clearly piggybacking on the Java zero-day incident and users' fears," said Trend Micro fraud analyst Paul Pajares and security engineer Rhena Inocencio in a blog post. "The use of fake software updates is an old social engineering tactic."

The attack, of course, preys on ongoing questions about the safety of using Java. "In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it?" said the researchers. If the answer is yes, they recommend only downloading Java updates directly from Oracle's Java SE Downloads page.

Don't let your Web browser install Java for you. That's because incompatibilities have been found -- for example by information security consultant Michael Hoowitz -- between the Java console and some browsers. Notably, some browsers aren't always correctly reporting whether or not Java is installed or not, or which version of Java might be running. For example, some Windows users who have Java 7 update 11 installed report that Firefox claims the plug-in isn't installed, and then offers to install Java 7 update 10, which is vulnerable to the recently disclosed zero-day attacks.

Will those seeming incompatibilities between the Java console and browsers require a fix from Oracle, browser developers, operating system makers or some combination thereof? An Oracle spokeswoman didn't immediately respond to an emailed request for comment on that question, or questions about whether Oracle might address widespread Java security confusion by reconfiguring Java to offer automatic updates, and creating a website to allow people to verify if their system is running Java.

But in light of the seeming incompatibilities between the Java console and browsers, Java users would appear to be due another update, stat. Furthermore, Oracle has unfinished patching business, since its fix for the two zero-day vulnerabilities only patched one outright. For the other, Oracle altered the default Java security settings from "medium" to "high," which means that any website that calls the Java browser plug-in will trigger a security warning asking users if they want the Java browser plug-in to run, noting that the site they're visiting may be attempting to compromise their security or run malware.

Meanwhile, a new zero-day Java vulnerability was reportedly being offered for sale just 24 hours after Oracle released its update on Sunday. Will a new attack campaign that uses malware to exploit the supposed zero-day vulnerability be far behind?

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

CVE-2014-2716
Published: 2014-12-19
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 reuses the RC4 cipher stream, which makes it easier for remote attackers to obtain plaintext messages via an XOR operation on two ciphertexts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.