Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.
On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he’d discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site. Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user’s system.
As of this morning, songlyrics.com, a site that according to traffic analysis firm compete.com receives about 1.7 million visits each month, was loading code from assetmancomcareers.com, a Russian Web site with a history of pushing rogue anti-virus. The domain name servers for assetmancomcareers.com also serve:
spyeraser-security.com
spyeraser-trial.com
spyeraser-software.com
According to Roger Thompson, chief research officer at AVG, the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers (see screenshot of a Crimepack administration page below).
It’s unclear whether Oracle plans to change the behavior of this feature in Java. For now, if you have Java installed on your system (don’t know? click here), you might consider implementing one or both of the workarounds mentioned here in a SANS Internet Storm Center writeup on this.
Update, 1:17 p.m. ET: The folks over at malwaredomainlist.com say that although the Wepawet scanning tool mentioned above detects this exploit kit as Crimepack, the pack in question may be one called SEO Sploit Pack. While this distinction may be lost on the hapless Windows user who stumbles upon such a site, I wanted to include this information nonetheless. Unfortunately, all I have is the stock logo for the SEO Sploit Pack (anyone want to share a screen shot of the admin page?).
Good job Brian! Most folks like me have very little time to keep up with this sort of information. Thank you for being our representative.
Just want to ditto Tim’s comment.
I decided it was time to uninstall Java and see what doesn’t work. So far I see no difference.
I gave up on Java years ago and have NEVER looked back. If a site requires it, I move on and find one that doesn’t. Unless you have an absolute need for it, dump it. Your computer security will increase immensely! 🙂
Are these types of hidden downloads/activities thwarted by using a limited access account? Thanks
No, they aren’t, Jars can be run in user land just as any executable would. However, you can make it so that jar files can’t execute, but at that point why wouldn’t you just uninstall Java?
A limited user account provides a great level of security in that malware can only infect the current user, NOT the whole operating system. That’s why it’s one MAJOR defense in a layered one. Should something get past your other defenses, a limited account can minimize damage. 🙂
@xAdmin
It’s certainly true that a limited account minimizes the damage from malware/attacks. But having some insight into the cleanup process now, we almost always recommend re-imaging the machine once malware is present. The time and skills required to get “confident” the malware didn’t escalate is vastly more than the effort to re-image. Now I find myself oddly ambivalent to a standard security recommendation that I know works – in general.
Excellent work Brian. I keep my friends informed of things like this, via email, my blog and my website (www.dragonnefyre.org.uk). This is the sort of information people need. I hope you don’t mind me copying a few sentences from these articles. I use them to inform my friends. Thank you.
Hi Andy. Don’t mind at all, just as long as you include a link back to this blog.
FireEye secures against broad and targeted information, identity, and resource theft due to modern malware. The core technology stops both inbound, zero-day attacks and outbound malware communications protecting against the criminal compromise of assets as well as data extraction attempts.
Conventional technologies rely upon signatures and lists to stop known attacks targeting known vulnerabilities. However, they were not designed to defend against modern attacks that target unknown vulnerabilities and use polymorphism or code obfuscation to evade current defenses.
Zero-day Malware Protection at Near-zero False Positives FireEye achieves near-zero false positives with its multi-phase malware inspection engine that identies targeted, zero-day attacks. Known and zero-day attacks (as well as its outbound transmissions) are blocked preventing data theft, alteration, and destruction.
In addition to blocking known attacks, FireEye stops zero-day attacks using a malware inspection engine that features advanced capture heuristics coupled with virtual machine technology to confirm if the suspicious trafficc infects the virtual machine.
The engine is a cyber Petri dish to confirm the presence of malware. Zero-day malware inside the virtual machine is then analyzed to create a full malware profile including dynamic signatures, callback destinations across protocols, and malware commands issued.
Global Network to Share Local Malware Intelligence
Customers share and add to their local malware intelligence by tying into the Malware Analysis and Exchange (MAX) Network. Auto-generated security
intelligence is distributed to subscribers worldwide to stop global attacks targeted at their local network.
http://blog.fireeye.com/
Bottom line for Mozilla browsers appears to be disabling the Java Deployment Toolkit browser plug-in (Tools -> Add-ons -> Click on Plugins, then click Java Deployment Toolkit and click Disable).
Unfortunately, a major publisher of books for lawyers in California, Continuing Education of the BAR, better known as “CEB”, requires JAVA to access its books on line. A number of public entities in California also require JAVA to review their ordinances and other public records on line. Is there a way to use JAVA, but also use it safely?
Is there a way to use JAVA, but also use it safely?
Not meaning to sound like a broken record*, but an operating system other than Windows would be a viable defense at this time.
*For you youngsters – vinyl records, which proceeded CDs, could be damaged in such a way that the needle used in reading the disc would skip backwards, playing the same piece of the recording over and over and over. This situation was commonly referred to as “a broken record”.
7 Mac & Linux users and counting…
I should add that other operating systems may not block the java exploit, but they would not be susceptible to the attempted malicious download.
Provided that someone doesn’t recompile their attempted download for the non windows OS of your choice.
Would running NoScript and/or RequestPolicy in Firefox block this Java exploit? Meanwhile, I’m trying Hemisphire’s suggestion and will see how it affects FF pages on my trusted (i.e. McAfee SiteAdvisor green) sites.
NoScript does block it: http://forums.informaction.com/viewtopic.php?p=17530#p17530
I just tried Hemisphire’s suggestion and it appears to have aborted the comment I just tried to submit here. Having re-enabled the Java Deployment Toolkit plugin on Firefox, I will try my question again: Will running NoScript and/or RequestPolicy block this Java exploit?
Oops, sorry fellow-posters. Seems that the failure of my submitted comment to appear was due to an ignored red flag in my RequestPolicy. (I have re-disabled the JDT plugin>)
BTW, I am pleased to see that this blog is finally “green” in the McAfee SiteAdvisor tab. At Brian’s request awhile back, I submitted my endorsement of this site to McAfee as a SiteAdvisor reviewer.
OK, final word. It is the disabling of the JDT plugin that keeps a submitted comment here from appearing right after you click the submit button. It was only after I re-enabled the JDT plugin that the previous comment appeared on my screen.
Have had JDT plugin disabled continuously for months and have never had a problem with seeing immediate posting of comments after clicking submit.
Hopefully Microsoft will come out with a Fix it solution that will set the killbit for IE if a Java update is not forthcoming soon.
While I have used GPO’s for a few settings, I have no idea how to implement File System ACL’s.
Java released update 20 this morning which should fix this issue.
The final answer to all this crap will be read-only operating systems. Live CDs can do that, but there is no easy way to customize them.
I see the future of Windows as a protected operating system on a read-only flash hard disk, with user profiles kept on USB flash drives. There would be separate read-only flash media for applications, which would also put a big dent in the piracy issue.
Secure computers could require a PIN and a SecurID token along with the flash media.
Brian, thank you. I always leave a link to this blog, usually it is a link to the article I am referring to.
To Tom Seaview – maybe m$ will see the light and switch windows to a more Unix-like OS. A bit like MAC OS X perhaps. I run Linux but I’m not going down the “my OS is better than your OS” road. I believe in the right tool for the job. I have never used MAC OS.
Actually Microsoft did market a Unix type OS in 1979. Their product was called Xenix which they obtained on a license from AT&T, and which they licensed to computer manufacturers.
Does update 20 (jre-6u20) fix this issue? Is this confirmed?
@Michael above: I stand corrected. For some reason, it takes only a page refresh on my browser to see a just-posted comment. Apparently has nothing to do with JDT.
Same here.
There aren’t a lot of details on Java bug. But we recently detected highly obfuscated javascript that wrote more javascript, which wrote a call to Java, which then automatically downloaded and executed a fake-av executable. All this is in the wild. I haven’t confirmed it’s the same issue, but it sounds remarkably similar. It’s written up at: http://www.cyberwart.com/blog/2010/04/14/malware-apr2010-01/
I really enjoy the sinister graphics. These (supply your own description)s have real flair. Also, genuinely curious whether the powder is supposed to be speed or coke. Doubt that it’s heroin.
Also notice that Windows 7 is MIA in the product listing.