Subscribe to RSS
Follow me on Twitter
Join me on Facebook
Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.
On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he’d discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site. Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user’s system.
As of this morning, songlyrics.com, a site that according to traffic analysis firm compete.com receives about 1.7 million visits each month, was loading code from assetmancomcareers.com, a Russian Web site with a history of pushing rogue anti-virus. The domain name servers for assetmancomcareers.com also serve:
spyeraser-security.com
spyeraser-trial.com
spyeraser-software.com
According to Roger Thompson, chief research officer at AVG, the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers (see screenshot of a Crimepack administration page below).
It’s unclear whether Oracle plans to change the behavior of this feature in Java. For now, if you have Java installed on your system (don’t know? click here), you might consider implementing one or both of the workarounds mentioned here in a SANS Internet Storm Center writeup on this.
Update, 1:17 p.m. ET: The folks over at malwaredomainlist.com say that although the Wepawet scanning tool mentioned above detects this exploit kit as Crimepack, the pack in question may be one called SEO Sploit Pack. While this distinction may be lost on the hapless Windows user who stumbles upon such a site, I wanted to include this information nonetheless. Unfortunately, all I have is the stock logo for the SEO Sploit Pack (anyone want to share a screen shot of the admin page?).
Related posts:
- Exploit in the Wild for New Internet Explorer Flaw
- A Peek Inside the ‘Eleonore’ Browser Exploit Kit
- Java Patch Plugs 27 Security Holes
- Would You Have Spotted this ATM Fraud?
- Would You Have Spotted the Fraud?
Tags: AVG, crimepack, google, java, roger thompson, sans internet storm center, spyeraser, tavis ormandy
Good job Brian! Most folks like me have very little time to keep up with this sort of information. Thank you for being our representative.
Hidden due to low comment rating. Click here to see.
I decided it was time to uninstall Java and see what doesn’t work. So far I see no difference.
I gave up on Java years ago and have NEVER looked back. If a site requires it, I move on and find one that doesn’t. Unless you have an absolute need for it, dump it. Your computer security will increase immensely!
Are these types of hidden downloads/activities thwarted by using a limited access account? Thanks
No, they aren’t, Jars can be run in user land just as any executable would. However, you can make it so that jar files can’t execute, but at that point why wouldn’t you just uninstall Java?
A limited user account provides a great level of security in that malware can only infect the current user, NOT the whole operating system. That’s why it’s one MAJOR defense in a layered one. Should something get past your other defenses, a limited account can minimize damage.
@xAdmin
It’s certainly true that a limited account minimizes the damage from malware/attacks. But having some insight into the cleanup process now, we almost always recommend re-imaging the machine once malware is present. The time and skills required to get “confident” the malware didn’t escalate is vastly more than the effort to re-image. Now I find myself oddly ambivalent to a standard security recommendation that I know works – in general.
Excellent work Brian. I keep my friends informed of things like this, via email, my blog and my website (www.dragonnefyre.org.uk). This is the sort of information people need. I hope you don’t mind me copying a few sentences from these articles. I use them to inform my friends. Thank you.
Hi Andy. Don’t mind at all, just as long as you include a link back to this blog.
Hidden due to low comment rating. Click here to see.
Bottom line for Mozilla browsers appears to be disabling the Java Deployment Toolkit browser plug-in (Tools -> Add-ons -> Click on Plugins, then click Java Deployment Toolkit and click Disable).
Unfortunately, a major publisher of books for lawyers in California, Continuing Education of the BAR, better known as “CEB”, requires JAVA to access its books on line. A number of public entities in California also require JAVA to review their ordinances and other public records on line. Is there a way to use JAVA, but also use it safely?
Hidden due to low comment rating. Click here to see.
7 Mac & Linux users and counting…
I should add that other operating systems may not block the java exploit, but they would not be susceptible to the attempted malicious download.
Provided that someone doesn’t recompile their attempted download for the non windows OS of your choice.
Would running NoScript and/or RequestPolicy in Firefox block this Java exploit? Meanwhile, I’m trying Hemisphire’s suggestion and will see how it affects FF pages on my trusted (i.e. McAfee SiteAdvisor green) sites.
NoScript does block it: http://forums.informaction.com/viewtopic.php?p=17530#p17530
I just tried Hemisphire’s suggestion and it appears to have aborted the comment I just tried to submit here. Having re-enabled the Java Deployment Toolkit plugin on Firefox, I will try my question again: Will running NoScript and/or RequestPolicy block this Java exploit?
Oops, sorry fellow-posters. Seems that the failure of my submitted comment to appear was due to an ignored red flag in my RequestPolicy. (I have re-disabled the JDT plugin>)
BTW, I am pleased to see that this blog is finally “green” in the McAfee SiteAdvisor tab. At Brian’s request awhile back, I submitted my endorsement of this site to McAfee as a SiteAdvisor reviewer.
OK, final word. It is the disabling of the JDT plugin that keeps a submitted comment here from appearing right after you click the submit button. It was only after I re-enabled the JDT plugin that the previous comment appeared on my screen.
Have had JDT plugin disabled continuously for months and have never had a problem with seeing immediate posting of comments after clicking submit.
Hopefully Microsoft will come out with a Fix it solution that will set the killbit for IE if a Java update is not forthcoming soon.
While I have used GPO’s for a few settings, I have no idea how to implement File System ACL’s.
Java released update 20 this morning which should fix this issue.
Hidden due to low comment rating. Click here to see.
Brian, thank you. I always leave a link to this blog, usually it is a link to the article I am referring to.
To Tom Seaview – maybe m$ will see the light and switch windows to a more Unix-like OS. A bit like MAC OS X perhaps. I run Linux but I’m not going down the “my OS is better than your OS” road. I believe in the right tool for the job. I have never used MAC OS.
Actually Microsoft did market a Unix type OS in 1979. Their product was called Xenix which they obtained on a license from AT&T, and which they licensed to computer manufacturers.
Does update 20 (jre-6u20) fix this issue? Is this confirmed?
@Michael above: I stand corrected. For some reason, it takes only a page refresh on my browser to see a just-posted comment. Apparently has nothing to do with JDT.
Same here.
There aren’t a lot of details on Java bug. But we recently detected highly obfuscated javascript that wrote more javascript, which wrote a call to Java, which then automatically downloaded and executed a fake-av executable. All this is in the wild. I haven’t confirmed it’s the same issue, but it sounds remarkably similar. It’s written up at: http://www.cyberwart.com/blog/2010/04/14/malware-apr2010-01/
I really enjoy the sinister graphics. These (supply your own description)s have real flair. Also, genuinely curious whether the powder is supposed to be speed or coke. Doubt that it’s heroin.
Also notice that Windows 7 is MIA in the product listing.