Subscribe to RSS
Follow me on Twitter
Join me on Facebook
Last week, a Google security researcher detailed a little-known feature built into Java that can be used to launch third-party applications. Today, security experts unearthed evidence that a popular song lyrics Web site was compromised and seeded with code that leverages this Java feature to install malicious software.
On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he’d discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site. Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user’s system.
As of this morning, songlyrics.com, a site that according to traffic analysis firm compete.com receives about 1.7 million visits each month, was loading code from assetmancomcareers.com, a Russian Web site with a history of pushing rogue anti-virus. The domain name servers for assetmancomcareers.com also serve:
spyeraser-security.com
spyeraser-trial.com
spyeraser-software.com
According to Roger Thompson, chief research officer at AVG, the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers (see screenshot of a Crimepack administration page below).
It’s unclear whether Oracle plans to change the behavior of this feature in Java. For now, if you have Java installed on your system (don’t know? click here), you might consider implementing one or both of the workarounds mentioned here in a SANS Internet Storm Center writeup on this.
Update, 1:17 p.m. ET: The folks over at malwaredomainlist.com say that although the Wepawet scanning tool mentioned above detects this exploit kit as Crimepack, the pack in question may be one called SEO Sploit Pack. While this distinction may be lost on the hapless Windows user who stumbles upon such a site, I wanted to include this information nonetheless. Unfortunately, all I have is the stock logo for the SEO Sploit Pack (anyone want to share a screen shot of the admin page?).
Tags: AVG, crimepack, google, java, roger thompson, sans internet storm center, spyeraser, tavis ormandy
Good job Brian! Most folks like me have very little time to keep up with this sort of information. Thank you for being our representative.
Well-loved. Like or Dislike:
15 
1
Just want to ditto Tim’s comment.
Like or Dislike:
0 
5
I decided it was time to uninstall Java and see what doesn’t work. So far I see no difference.
Well-loved. Like or Dislike:
15 
0
I gave up on Java years ago and have NEVER looked back. If a site requires it, I move on and find one that doesn’t. Unless you have an absolute need for it, dump it. Your computer security will increase immensely!
Well-loved. Like or Dislike:
11 
0
Are these types of hidden downloads/activities thwarted by using a limited access account? Thanks
Like or Dislike:
0 
1
No, they aren’t, Jars can be run in user land just as any executable would. However, you can make it so that jar files can’t execute, but at that point why wouldn’t you just uninstall Java?
Well-loved. Like or Dislike:
5 
0
A limited user account provides a great level of security in that malware can only infect the current user, NOT the whole operating system. That’s why it’s one MAJOR defense in a layered one. Should something get past your other defenses, a limited account can minimize damage.
Well-loved. Like or Dislike:
6 
0
@xAdmin
It’s certainly true that a limited account minimizes the damage from malware/attacks. But having some insight into the cleanup process now, we almost always recommend re-imaging the machine once malware is present. The time and skills required to get “confident” the malware didn’t escalate is vastly more than the effort to re-image. Now I find myself oddly ambivalent to a standard security recommendation that I know works – in general.
Like or Dislike:
2 
0
Excellent work Brian. I keep my friends informed of things like this, via email, my blog and my website (www.dragonnefyre.org.uk). This is the sort of information people need. I hope you don’t mind me copying a few sentences from these articles. I use them to inform my friends. Thank you.
Like or Dislike:
2 
1
Hi Andy. Don’t mind at all, just as long as you include a link back to this blog.
Like or Dislike:
2 
0
Hidden due to low comment rating. Click here to see.
Poorly-rated. Like or Dislike:
0 
42
Bottom line for Mozilla browsers appears to be disabling the Java Deployment Toolkit browser plug-in (Tools -> Add-ons -> Click on Plugins, then click Java Deployment Toolkit and click Disable).
Like or Dislike:
3 
1
Unfortunately, a major publisher of books for lawyers in California, Continuing Education of the BAR, better known as “CEB”, requires JAVA to access its books on line. A number of public entities in California also require JAVA to review their ordinances and other public records on line. Is there a way to use JAVA, but also use it safely?
Like or Dislike:
2 
0
Hidden due to low comment rating. Click here to see.
Poorly-rated. Like or Dislike:
7 
14
7 Mac & Linux users and counting…
Like or Dislike:
0 
1
I should add that other operating systems may not block the java exploit, but they would not be susceptible to the attempted malicious download.
Like or Dislike:
3 
4
Provided that someone doesn’t recompile their attempted download for the non windows OS of your choice.
Well-loved. Like or Dislike:
6 
0
Would running NoScript and/or RequestPolicy in Firefox block this Java exploit? Meanwhile, I’m trying Hemisphire’s suggestion and will see how it affects FF pages on my trusted (i.e. McAfee SiteAdvisor green) sites.
Like or Dislike:
2 
1
NoScript does block it: http://forums.informaction.com/viewtopic.php?p=17530#p17530
Well-loved. Like or Dislike:
7 
0
I just tried Hemisphire’s suggestion and it appears to have aborted the comment I just tried to submit here. Having re-enabled the Java Deployment Toolkit plugin on Firefox, I will try my question again: Will running NoScript and/or RequestPolicy block this Java exploit?
Like or Dislike:
1 
1
Oops, sorry fellow-posters. Seems that the failure of my submitted comment to appear was due to an ignored red flag in my RequestPolicy. (I have re-disabled the JDT plugin>)
BTW, I am pleased to see that this blog is finally “green” in the McAfee SiteAdvisor tab. At Brian’s request awhile back, I submitted my endorsement of this site to McAfee as a SiteAdvisor reviewer.
Like or Dislike:
3 
1
OK, final word. It is the disabling of the JDT plugin that keeps a submitted comment here from appearing right after you click the submit button. It was only after I re-enabled the JDT plugin that the previous comment appeared on my screen.
Like or Dislike:
2 
1
Have had JDT plugin disabled continuously for months and have never had a problem with seeing immediate posting of comments after clicking submit.
Like or Dislike:
2 
0
Hopefully Microsoft will come out with a Fix it solution that will set the killbit for IE if a Java update is not forthcoming soon.
While I have used GPO’s for a few settings, I have no idea how to implement File System ACL’s.
Like or Dislike:
0 
0
Java released update 20 this morning which should fix this issue.
Well-loved. Like or Dislike:
6 
0
The final answer to all this crap will be read-only operating systems. Live CDs can do that, but there is no easy way to customize them.
I see the future of Windows as a protected operating system on a read-only flash hard disk, with user profiles kept on USB flash drives. There would be separate read-only flash media for applications, which would also put a big dent in the piracy issue.
Secure computers could require a PIN and a SecurID token along with the flash media.
Hot debate. What do you think?
2 
7
Brian, thank you. I always leave a link to this blog, usually it is a link to the article I am referring to.
To Tom Seaview – maybe m$ will see the light and switch windows to a more Unix-like OS. A bit like MAC OS X perhaps. I run Linux but I’m not going down the “my OS is better than your OS” road. I believe in the right tool for the job. I have never used MAC OS.
Like or Dislike:
0 
0
Actually Microsoft did market a Unix type OS in 1979. Their product was called Xenix which they obtained on a license from AT&T, and which they licensed to computer manufacturers.
Like or Dislike:
2 
0
Does update 20 (jre-6u20) fix this issue? Is this confirmed?
Like or Dislike:
0 
0
@Michael above: I stand corrected. For some reason, it takes only a page refresh on my browser to see a just-posted comment. Apparently has nothing to do with JDT.
Like or Dislike:
1 
1
Same here.
Like or Dislike:
0 
0
There aren’t a lot of details on Java bug. But we recently detected highly obfuscated javascript that wrote more javascript, which wrote a call to Java, which then automatically downloaded and executed a fake-av executable. All this is in the wild. I haven’t confirmed it’s the same issue, but it sounds remarkably similar. It’s written up at: http://www.cyberwart.com/blog/2010/04/14/malware-apr2010-01/
Like or Dislike:
2 
0
I really enjoy the sinister graphics. These (supply your own description)s have real flair. Also, genuinely curious whether the powder is supposed to be speed or coke. Doubt that it’s heroin.
Also notice that Windows 7 is MIA in the product listing.
Like or Dislike:
0 
2