Inside the Java 0-Day Exploit

The Java Web Start vulnerability that has been getting so much attention of late is being attacked by a number of different sites now, with a relatively simple and easily reproducible exploit, researchers say.

The Java flaw, which Google researcher Tavis Ormandy disclosed publicly on April 9, was patched by Sun yesterday with an emergency out-of-cycle fix after evidence surfaced that it was being exploited on one Web site. But researchers at FireEye have seen some other sites using the exploit against visitors, as well. The company has published a detailed analysis of the exploit, which it says is quite simple.

The site, which is offline now, was hosting the exploit in a familiar fashion. The main page directed users to a secondary page, on which the exploit itself was actually hosted. That page performs a drive-by download that installs a Trojan downloader on the victim’s machine. That Trojan then downloads and installs a second stage piece of malware.

The series of downloads eventually installs a Trojan called Piptea, which is the basis of a large pay-per-install network, the researchers said.

The FireEye researchers said that the site launching the exploit was registered on April 8, the day before Ormandy disclosed the Java flaw.

“It’s pretty obvious that the simplicity and reliability of this exploit will make it a lethal weapon for the bad guys in coming days. Plus, the unavailability of any working patch is making the overall picture scarier. I am pretty sure that in the coming days, this exploit will become part of underground exploit kits. This means that even a kiddie with basic computer skills and bad intentions can start making money out of this,” FireEye’s Atif Mushtaq said in the blog post.

Discussion

  • xanda on

    I think it should be "application/npruntime-scriptable-plugin;deploymenttoolkit" instead of "application/npruntime-scriptable- plugineploymenttoolkit"... or does it work both ways?