Gong Da Exploit Kit Bundling Numerous Java Attacks

Don’t expect any relief from the current assault on Java. A new sandbox-escape exploit targeting a vulnerability in the Java Runtime Environment has been integrated into both the Black Hole and Gong Da exploit kits, setting the stage for additional attacks, researchers said.

Don’t expect any relief from the current assault on Java. A new sandbox-escape exploit targeting a vulnerability in the Java Runtime Environment has been integrated into both the Black Hole and Gong Da exploit kits, setting the stage for additional attacks, researchers said.

The exploit was initially discovered in the Cool Exploit Kit earlier this month and a researcher who goes by the handle Kafeiene told Threatpost that Paunch, the author of Black Hole, is likely behind the exploit.

Meanwhile, researcher Eric Romang wrote on his blog this week that Gong Da has been actively adding Java exploits for months, this one being the latest.

Romang found a website hosting the exploit; he said the site is still online. He said a JavaScript obfuscator, recognized by eight of 44 antimalware detectors on VirusTotal, was masking the malicious files hosted on the site and the presence of Gong Da.

In addition to the new exploit, which targets Java SE 7 Update 7 and earlier and was patched by Oracle in Java SE 7 Update 9, it also supports the Oracle Java Rhino exploit, a Java zero-day discovered in August and two other Java exploits detailed in CVE-2012-1723 and CVE-2012-0507. Previous versions of Gong Da also included exploits for an Adobe Flash Player and Windows Media Player vulnerabilities, but new versions of the kit don’t include those exploits.

Microsoft, meanwhile, published a detailed analysis of the new Java vulnerability and said the malware it has observed abuses a package access problem in the JRE configuration.

“This package access is important because, if some trusted code is exposed to the user, it can be abused to break the Java security model. Those packages usually contain critical operations that should not be performed from untrusted code like unsigned Java applets,” said Jeong Wook Oh, a security researcher with Microsoft’s Malware Protection Center. “These operations are usually about arbitrary class loading and method invoking inside the trusted code area.”

Oh said packages such as com.sun.org.glassfish.gmbal were exposed to untrusted Java applets. Applets that are not signed run in the sandbox, which prevents questionable code from running in a trusted environment. “However, when some dangerous packages are exposed to untrusted code, the malicious code can access packages that can be abused to create the user’s own class on the fly with escalated privileges,” Oh wrote.

In addition to privilege escalation and the ability to hop out of the sandbox, the malicious payload also disables the Java security managers, which allows the malware to create files and processes on the user’s system.

Oh confirmed that only Java 7 Update 7 is vulnerable. He said the malware did not exploit Java 6, regardless of patch status, and that could be a reason that malware samples exploiting this vulnerability are usually bundled with a series of other Java exploits.

Suggested articles

Chrome and Java Pwn2Own Vulnerabilities Explained

Details have been disclosed about vulnerabilities exploited in Chrome and Java during the Pwn2Own contest. Google made patches available for the Chrome flaw within 24 hours, while Oracle patched Java fully last week.

iOS Developer Site at Core of Facebook, Apple Watering Hole Attack

UPDATE – The missing link connecting the attacks against Apple, Facebook and possibly Twitter is a popular iOS mobile developers’ forum called iPhoneDevSDK which was discovered hosting malware in an apparent watering hole attack that has likely snared victims at hundreds of organizations beyond the big three.

Apple Breached by Facebook Hackers Using Java Exploit

Apple is the latest major American company to enter the security confessional and disclose it has been breached. The company told Reuters today it was attacked by the same crew that hit Facebook, which disclosed its breach last Friday, and that like the social media giant, no data had been stolen.

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.