Yesterday, FireEye documented a Java zero-day vulnerability (CVE-2012-4681) being exploited in the wild; it is thought to have been used initially in targeted attacks. Symantec is aware that attackers have been using this zero-day for at least five days, since August 22. We have located two compromised websites serving the malicious applet (the exploit JAR):
- ok.[REMOVED].net/meeting/applet.jar
- 62.152.104.[REMOVED]/public/meeting/applet.jar
One sample of the malware downloaded by the exploit has been identified as Trojan.Dropper (MD5 4a55bf1448262bf71707eef7fc168f7d). It has been observed with the following file names:
- hi.exe
- Flash_update.exe
This particular sample connects to hello.icon.pk, which at the time of analysis resolved to 223.25.233.244.
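The indicators above (the applet.jar download path, the dropper's MD5 and file names, and the hello.icon.pk command-and-control host and its IP) are the kind of thing a responder would sweep proxy, DNS and anti-virus logs for. The script below is an added example, not part of the original post or Symantec's tooling: it matches those indicators against log lines in a constructed "kind key=value" layout that stands in for whatever format the reader's own logs use. The host names in the sample proxy lines are made up, because the post publishes the two download URLs with their hosts redacted; only the URL path is matched for that reason.

```python
"""Sweep log lines for the CVE-2012-4681 indicators published in the post.

Added example; the log layout ("kind key=value ...") and the sample lines
are constructed for illustration and are not a real product's format.
"""
from __future__ import annotations

import re
from typing import List, Tuple
from urllib.parse import urlparse

# Indicators from the post. The download URLs were published with redacted
# hosts, so the exploit JAR is matched on its path alone.
JAR_PATH = "/meeting/applet.jar"
PAYLOAD_MD5 = "4a55bf1448262bf71707eef7fc168f7d"
PAYLOAD_NAMES = {"hi.exe", "flash_update.exe"}  # weak on their own, see below
C2_HOST = "hello.icon.pk"
C2_IP = "223.25.233.244"

# Constructed sample log: four lines that should fire, one benign line.
SAMPLE_LOG = r"""proxy src=10.0.0.5 url=http://ok.example.net/meeting/applet.jar status=200
dns src=10.0.0.5 query=hello.icon.pk answer=223.25.233.244
netflow src=10.0.0.5 dst=223.25.233.244 dport=80
av host=ws17 file=C:\Users\bob\AppData\Local\Temp\Flash_update.exe md5=4A55BF1448262BF71707EEF7FC168F7D
proxy src=10.0.0.6 url=http://www.example.com/meeting/notes.html status=200"""


def parse_fields(line: str) -> dict:
    """Split 'kind key=value key=value' into a dict (the kind is dropped)."""
    return dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)


def match_indicators(line: str) -> List[str]:
    """Return the names of every published indicator the line matches.

    'payload_filename' is listed last because hi.exe / Flash_update.exe are
    generic names; treat that hit as supporting evidence, not as a detection
    by itself, unless the MD5 also matches.
    """
    hits: List[str] = []
    fields = parse_fields(line)

    # Exploit JAR: compare only the URL path, case-insensitively.
    url = fields.get("url")
    if url and urlparse(url).path.lower().endswith(JAR_PATH):
        hits.append("exploit_jar_path")

    # C2 host or address in DNS queries/answers or flow destinations.
    for key in ("query", "answer", "dst"):
        value = fields.get(key, "").lower().rstrip(".")
        if value == C2_HOST and "c2_host" not in hits:
            hits.append("c2_host")
        elif value == C2_IP and "c2_ip" not in hits:
            hits.append("c2_ip")

    # Dropper hash (AV products log hashes in either case).
    if fields.get("md5", "").lower() == PAYLOAD_MD5:
        hits.append("payload_md5")

    # Dropper file name: basename of a Windows or POSIX path.
    path = fields.get("file")
    if path and re.split(r"[\\/]", path)[-1].lower() in PAYLOAD_NAMES:
        hits.append("payload_filename")

    return hits


def scan(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, line, hits) for every line that matched."""
    results = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        hits = match_indicators(line)
        if hits:
            results.append((number, line, hits))
    return results


if __name__ == "__main__":
    for number, line, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}\n    {line}")
```

Hosts and addresses in DNS answers change over time, so a miss on the IP alone does not clear a host; the JAR path and the dropper MD5 are the stable indicators here.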
The Java exploit is detected by Symantec as Java.Awetook. The vulnerability is a privilege escalation: a class in the Java runtime exposes protected members of system classes that untrusted code should never be able to reach. Malicious code uses that access to bypass the restrictions imposed by the applet sandbox and then calls Runtime.getRuntime().exec() to execute a malicious payload. In our tests we confirmed that the exploit works on the latest version of Java (JRE 1.7), but it does not work on the older JRE 1.6. A proof of concept for the exploit has been published, and a module for the vulnerability has already been added to Metasploit.
IPS detections for the exploit are covered under: