Multiple Java Exploits Hide in a Jar (File)

Exploits of the Java Runtime Environment (JRE) have been extensively used in drive-by-download toolkits such as Blackhole and Red Kit. New vulnerabilities discovered in 2013, such as CVE-2013-1493 and CVE-2013-0422, are popular, and we still see lots of older exploits such as CVE-2012-1723, CVE-2012-4681, and CVE-2012-0507.  These vulnerabilities are already fixed in the latest JRE. However, not all users have an updated JRE.

Attackers often create malicious .jar (Java class files archive) files to take advantage of the latest exploit. One problem for attackers, however, is that some vulnerabilities do not affect older versions of JRE. For example, CVE-2013-0422 exists only in Java 7, not in Java 6.

This inequality among versions could also happen with other applications, such as Adobe Reader. Typically malicious JavaScripts embedded in PDF-exploit files check the version of Acrobat installed, and exploit an appropriate vulnerability to install Trojans.

The same technique is also used in malicious jar files. The jar file in the following screen capture, for example, exploits multiple JRE vulnerabilities:



This next malicious applet class checks the version of JRE and attacks vulnerabilities as follows:

if version > Java 6 Update 32 or if version > Java 7 Update 10, then

       exploit the newest vulnerability CVE-2013-1493.

else if Java 7 (version <= Java 7 Update 10) then

       exploit CVE-2013-0422

else (version < Java 6 Update 32) then

       exploit CVE-2012-1723


Note that CVE-2012-1723 occurs in Java 6 Update 32 or earlier, and CVE-2013-0422 affects Java 7 Update 10 or earlier but not Java 6 or earlier. Here is another example of a malicious Java class:


The applet class first calls sectoff() to exploit CVE-2012-0461. If the target JRE is fixed against the vulnerability, bypassing applet sandbox security fails and an exception is thrown. The exception is caught in the “catch” statement, which then calls invgo_rmethod to attack CVE-2012-0507. If that fails, it calls invgotwo_rmethod to attack CVE-2012-1723. When one of the exploits works, it drops a fake-alert sample to the temp folder:


To protect your systems against these attacks, we strongly recommend that you update to the latest version of Java. Also, because these exploits typically (but don’t always) drop executable files to the temp folder, you should restrict running executable files from that folder.
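Where blocking execution from the temp folder is not yet in place, the same behaviour can be watched for in process-creation logs. The following is an added example, not code from the original post: it flags executables started from a Temp directory and raises the priority when the parent is a Java launcher. The event layout (Sysmon-style ParentImage/Image fields), the sample records, the launcher names and the extension list are all assumptions made for illustration.

```python
import json
import ntpath

# Constructed sample events (not from the original post), one JSON object per
# line, using Sysmon-style ParentImage/Image fields for process creation.
SAMPLE_EVENTS = r"""
{"host": "ws01", "ParentImage": "C:\\Program Files\\Java\\jre7\\bin\\java.exe", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"}
{"host": "ws02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe"}
{"host": "ws03", "ParentImage": "C:\\Program Files\\Java\\jre6\\bin\\javaw.exe", "Image": "C:\\Program Files\\Java\\jre6\\bin\\jp2launcher.exe"}
{"host": "ws04", "ParentImage": "C:\\PROGRA~1\\Java\\jre6\\bin\\JAVAW.EXE", "Image": "C:\\WINDOWS\\TEMP\\..\\Temp\\a.scr"}
truncated, non-JSON line that the parser must skip
"""

JAVA_PARENTS = {"java.exe", "javaw.exe", "jp2launcher.exe"}  # assumed launcher names
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}                 # assumed extension list


def _norm(path):
    """Collapse '..' segments and case so path tricks do not evade matching."""
    return ntpath.normpath(path).lower()


def flag_java_temp_drops(text):
    """Return (host, rule, image) for executables started from a Temp directory."""
    hits = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or damaged record
        if not isinstance(ev, dict):
            continue
        image = _norm(ev.get("Image", ""))
        parent = ntpath.basename(_norm(ev.get("ParentImage", "")))
        in_temp = "temp" in ntpath.dirname(image).split("\\")
        if not in_temp or ntpath.splitext(image)[1] not in EXEC_EXTS:
            continue
        # A Java launcher starting a binary out of Temp matches the drop-and-run
        # pattern described above; other parents are still worth a review.
        rule = "java-spawned-temp-exe" if parent in JAVA_PARENTS else "temp-exe"
        hits.append((ev.get("host", "?"), rule, image))
    return hits


if __name__ == "__main__":
    for hit in flag_java_temp_drops(SAMPLE_EVENTS):
        print(*hit)
```
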

McAfee products detect these JRE exploits as Exploit-CVE(cve number) or Exploit-XXX!CVE-(cve number). For example, CVE-2012-1723 exploits are detected as Exploit-CVE2012-1723, Exploit-FDI!CVE-2012-1723, and Exploit-FDJ!CVE-2012-1723, to name a few.

Japanese One-Click Fraud Campaign Comes to Google Play

One-click fraud refers to a scam that attempts to lure users interested in adult-related video to a site that attempts to trick them into registering for a paid service. For many years, it has been common to see this type of fraud on computers. As smartphone usage has increased, so has the number of these types of scams on smartphone devices. People typically come across these scam sites by searching for things that they are interested in or by clicking on links contained in spam messages. We also witnessed the advent of one-click fraud Android apps just over a year ago and those apps can now be found on Google Play.


Figure 1. One of the developers hosting the apps


Figure 2. Two examples of one-click fraud apps

The apps can easily be found on Google Play through keyword searches in the same manner as an Internet search. For example, entering Japanese words related to pornographic video results in one of these apps being at the top of the search results at the time of writing. Typically, the apps only require the user to accept the “Network communication” permission, although some variants do not require the user to accept any permissions. This is because the app is simply used as a vehicle to lure users to the scam by opening fraudulent porn sites. The app itself has no other functionality. This may fool users into feeling safe about the app and catch them off guard when launching the app.


Figure 3. Typical permissions requested by the apps

The first variant of this type of app that we have seen appeared in late January, although it is possible that apps were released earlier than this. From then on, the apps were published by different developers each time and the number of apps steadily grew though many were removed from Google Play at one point for unconfirmed reasons. We are now seeing multiple developers fiercely publishing apps in bulk on a daily basis. We have so far confirmed over 200 of these fraudulent apps published by over 50 developers, although it is likely that more exist. These apps have been downloaded at least 5,000 times in the last two months. As far as victims go, we are not aware of how many of these users actually paid money to the scammers; the “service” costs about 99,000 yen (approximately US$1,000). It certainly must be worth the time and effort for the scammers as they have continued doing business for over two months.


Figure 4. Examples of sites that the apps open


Figure 5. Registration page that is displayed when attempting to view a video

Interestingly, it appears that the scammers are not only interested in one-click fraud. A couple of the developers we have come across also publish dating service apps. It is not surprising to see scammers involved with both one-click fraud apps and dating service apps because these types of dating services are typically considered dodgy in Japan.


Figure 6. Scammer publishing both a one-click fraud app (far right) and dating service apps

Symantec detects the apps discussed in this blog as Android.Oneclickfraud. When looking for apps, we recommend downloading them from trusted sources regardless of where the apps are hosted or found. Installing a security app, such as Norton Mobile Security or Symantec Mobile Security, on your device is a good idea to keep your device protected as well. For general safety tips for smartphones and tablets, please visit our Mobile Security website.

(Code) Size Doesn’t Matter: Happy Easter and Enjoy Some Brilliant Computer Art

One thing that disturbs me is how people classify some malware by how surprisingly large the file is, how many libraries it uses, etc. In many cases, this just means the malware has inefficient code and all the tools are available to easily convert the binaries back into human-readable pseudocode. Let’s look back a bit to put things into perspective:

The first PC virus (back then almost all malware were true viruses) I analyzed was Tequila, after my own system was infected by it. It was 2,468 bytes in size, one of the first widespread polymorphic viruses, and pretty complex. Do you think I’m kidding when I write “complex” for a 2.5KB file? It was just highly optimized, written in pure assembly code. Well, times have changed. Modern operating systems provide all sorts of APIs, drivers for different hardware, etc. So let’s see what is now possible with 4,096 bytes of executable code, roughly one page when printed on paper:

Currently there is a competition among coders and artists going on in Saarbrücken, Germany; here is the 4k category. There are 12 entries in total and the stream is a bit broken after the second entry, so just skip forward if you don’t happen to like one piece. Make sure to check out the last couple of entries at least!

Yes, these are extreme examples of programming, produced by highly talented and experienced people. Free and for fun. Expect attackers to also employ high-caliber programmers to achieve their goals. So keep in mind that pure code size doesn’t really matter. The SQL Slammer worm was only 268 bytes, by the way.

Disclaimer: The video is a live stream from the event posted by the organizers; this author doesn’t necessarily condone any messages or other positions that are displayed or expressed.