November 28, 2011

A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground. The exploit, which appears to work against all but the latest versions of Java, is being slowly folded into automated attack tools.

The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button.
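As an added example (not part of the original post), this shell check classifies a version string of the kind printed by `java -version` against the patched releases named above. The function names are made up for illustration, and release families the article does not mention are reported as unknown.

```shell
#!/bin/sh
# Added example: compare a Java version string with the patched releases
# named in the article (Java 6 Update 29 and Java 7 Update 1).

# Pull the quoted version out of the first line of `java -version` output,
# e.g. 'java version "1.6.0_27"' -> 1.6.0_27
extract_java_version() {
    printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# Print "vulnerable", "patched" or "unknown" for a version such as 1.6.0_27.
java_patch_status() {
    ver=$1
    case $ver in
        1.6.0|1.6.0[_-]*) min_update=29 ;;   # Java 6: fixed in Update 29
        1.7.0|1.7.0[_-]*) min_update=1 ;;    # Java 7: fixed in Update 1
        *) echo unknown; return 0 ;;         # family not covered by the article
    esac
    case $ver in
        *_*) update=${ver#*_} ;;             # text after the underscore
        *)   update=0 ;;                     # initial release, no update number
    esac
    update=${update%%[!0-9]*}                # drop build suffixes such as -b07
    if [ -z "$update" ]; then
        echo unknown
    elif [ "$update" -lt "$min_update" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed sample lines; on a real host pass "$(java -version 2>&1)" instead.
for line in 'java version "1.6.0_27"' 'java version "1.7.0"' 'java version "1.7.0_01"'; do
    v=$(extract_java_version "$line")
    printf '%s\t%s\n' "$v" "$(java_patch_status "$v")"
done
```
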

A few weeks back, researcher Michael ‘mihi’ Schierl outlined how one might exploit this particular Java flaw. Over the weekend, I stumbled on a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized along the same lines as described by Schierl. Below is a recording of a video posted by one of the members that shows the attack in action.

Java exploits are notoriously successful when bundled into commercial exploit packs, software kits that can turn a hacked Web site into a virtual minefield for Web users who aren’t keeping up to date with the latest security patches. Users would need only to browse to a booby-trapped site with a version of Mozilla Firefox or Internet Explorer that is running anything older than the latest Java package, and the site could silently install malware (according to a miscreant selling access to the exploit, it does not run reliably against Google Chrome for some reason).

Because Java is cross-platform, this attack could theoretically be used to infiltrate non-Windows systems, such as computers running Mac OS X (Apple issued its own update to fix this flaw and other Java bugs earlier this month). For now, though, I’ve only heard about it being used to target Windows PCs: It is slowly being incorporated into the BlackHole exploit kit, one of the most widely-deployed exploit packs on the market today.

Reached via instant message, the hacker principally responsible for maintaining and selling BlackHole said the new Java exploit was being rolled out for free to existing license holders. For all others, the exploit can be had for a $4,000 price tag, in addition to the cost of a BlackHole license, which goes for $700 for three months, $1,000 for six months, or $1,500 per year. The author of BlackHole also sells his own hosted solution, in which customers can rent bulletproof servers with pre-installed copies of his kit for $200 a week, or $500 per month.

I stand by my advice urging those who don’t need Java to junk it; most people who have it won’t miss it. For those who need Java for the occasional site or service, disconnecting it from the browser plugins and temporarily reconnecting when needed is one way to minimize issues with this powerful program. Leaving the Java plugin installed in a secondary browser that is only used for sites or services that require Java is another alternative.


42 thoughts on “New Java Attack Rolled Into Exploit Kits”

  1. Neej

    I have an application which I use from time to time that is only available as a Java runtime (not sure if this is correct terminology) and really has no equivalent that I’ve found (jDownloader).

    I run it in a Linux virtual machine which isolates any Java exploits from the host (I’m assuming at least) and also has the added benefit of running faster as far as I can tell just from “feel”. I have seen benchmarks showing Java running some applications almost twice as fast as on Windows in any case.

    1. SFdude

      Have 2 PCs:
      1 XP-SP3,
      another with UBUNTU Linux.

      I UNinstalled Java
      from my Win pc a year ago.
      No need for even more “problem software”…
      (Windows has enough problems of its own).

      Question:
      ————
      – How do I UNinstall Java
      from my UBUNTU Linux pc?
      (in step by step, plain English, please…).

      1. Scarab

        sudo apt-get remove --purge java

        apt-get clean

        This ensures that you removed it all (including config files)

        You’re welcome…..

  2. David Chasey

    Diabetics using insulin pumps, beware.

    I recently got an insulin pump created by Medtronic. The Medtronic website uses Java to generate data from the pump into PDF documents.

    For the first few months with the pump I did continue to use the pump and the Medtronic website. But weeks ago when I saw that Java had 20 vulnerabilities I decided that I would no longer use the Medtronic website to generate the medical data.

    What this means is that I can no longer access this information and, most significantly, can not deliver it to the excellent medical team that provided me the Medtronic insulin pump. I now wish I had chosen a different brand of insulin pump, one that does not use the most dangerous program on the web to generate the needed data.

    Before you get an insulin pump, make sure that Java is not used to generate the pump’s data. And spread the word.

    1. Neej

      Yeah, wow that is pretty bad for any users of that system and I offer my sympathies.

      Just imagine, on top of having health problems – silent installs of malicious software and potentially taken to the cleaners 🙁

      Maybe use it in a Live CD or VM? I don’t know, others are far more qualified than me I think here.

    2. bob

      Java is not per se dangerous. As with any piece of software, disable it if you don’t need it, keep it up-to-date if you do.

      Java isn’t a program, it’s a run time environment, and it’s by no means the most dangerous. It’s ironic you mention pdfs…

      1. kurtisj

        hey brian, nice writeup.
        yep, one sample is being hosted on around a dozen blackhole domains right now. that’s beta stuff, “version 1” of the exploit.

        1. BrianKrebs Post author

          Kurt is being modest: he’s a senior malware security researcher for Kaspersky, and an all-around swell guy 🙂

          Have we seen version 2 yet?

          Thanks for validating my report, Kurt!

          1. kurtisj

            hah, well, you caught it very early on, no “v2.jar” from the distributors yet. it looks like the operators currently are pushing zeus or spyeye with it. need to look into that further.

            where is the post on the flash exploit (newer to the kit) that they are pushing too? 🙂

          2. kurtisj

            whoops, the operators aren’t distributing zeus or spyeye. it was a russian “ransomware” package – it pops a screen with warnings of inappropriate images found on the drive, related russian criminal codes, and a mobile number to send 500 rubles within 12 hours or all contents will be deleted and images sent to “Court”.

  3. Jay Wocky

    The only need that I’m certain of in my usage for an enabled Java platform are the free Secunia scans, which I have found enormously helpful over the years. It’s a drag, but I will henceforth disable Java on Firefox unless I’m doing the Secunia scan, and see what happens.

    Question: in the Firefox extensions, should I also disable the “Java Deployment Toolkit” (also v. 6-29)? I have no idea what it’s for.

    1. BrianKrebs Post author

      Yes, you can safely disable that as well. If you find something doesn’t work right afterward (I doubt that you will), you can always just re-enable it.

    2. GA

      Hi,
      If you need Java only for Secunia scan, you can also use PSI from Secunia.
      Regards.
      PS: I have no link with secunia except being one of their free users.

      1. Jay Wocky

        I tried Secunia PSI when it first came out. For reasons I don’t recall now, it was buggy on my system; I uninstalled it and went back to the free online scans. Maybe I’ll try the PSI again.

      2. David Chasey

        Yeah, PSI, do download it. Of course it does not use Java, running as it does right from your computer. Hard to think how I managed without it.

  4. EJ

    I’m wondering if these exploits rely on Javascript being enabled – from my quick read they do. If so, then the easiest way to prevent them from being successful would be to make use of the NoScript add-on in tandem with Firefox browser. You can then add exceptions to allow Javascript running for domains you need and trust, while blocking it on any other domain.

    1. kurtisj

      none of the blackhole exploits are delivered when javascript is disabled.

    2. kurtisj

      btw, i believe that adding exceptions can help, but the problem remains that you might as well use lynx if you disable javascript – sites just aren’t functional enough for most users without it.

      and, another problem remains. if you think you can “trust” a site, they probably display banner ads, and even the most trustworthy 3rd party banner ad networks have been redirecting to malware of all sorts and legit sites have been compromised and serving malware too. the activity has been bad this year.

      1. EJ

        I’m not sure you understand how NoScript works, but a quick clarification might help. Ads typically aren’t served up from the same domain as the site you’re requesting; it comes from a 3rd party. AdBlock is a very effective defense against malicious ads, by preventing their content from reaching your browser in the first place. As far as NoScript’s exception processing, it’s more refined than what you seem to be indicating: for example, on this site, NoScript is identifying content coming from krebsonsecurity.com, topsy.com, addthis.com, fmpub.net, google-analytics.com, and youtube.com. Just because I added an exception for krebsonsecurity.com, it doesn’t automatically allow all the other content – I would still need to allow any of the other content. So actually it is still quite effective in the case of blocking malicious content from untrusted domains, while still allowing enough functionality for the originally-requested content to be served. This isn’t a recommended approach for your standard home PC users, but for those of us comfortable with more technical approaches, it’s quite effective and with a minimum of hassle.

        1. Jay Wocky

          In these discussion threads, should we not be distinguishing Java from Javascript? Are they not independent of, and distinct from one another? Only the latter can be blocked by NoScript, I believe.

          1. Brian Krebs

            Yes, Java and Javascript are two entirely separate beasts. But both are blocked by NoScript.

            http://noscript.net/features

            “When you install NoScript, JavaScript, Java, Flash Silverlight and possibly other executable contents are blocked by default. You will be able to allow JavaScript/Java/… execution (scripts from now on) selectively, on the sites you trust. You can allow a site to run scripts temporarily, if you’re just surfing randomly, or permanently, when you visit it often and you really trust it. This means that NoScript learns from your own browser habits and tends to disappear in the background after a while, but it promptly comes back to save your day if you stumble upon a malicious web page.”

          2. F-3000

            There’s only two things that connect Java and Javascript: Latter contains “java” in its name, and they use same syntax (hence the name similarity). Otherwise – as Brian already mentioned – they’re two different things.

        2. kurtisj

          “I’m not sure you understand how NoScript works, but a quick clarification might help.”

          Are you being facetious? It’s hard to tell. If not, thanks for taking the time to put together that reply. But yes, I understand it very well.

          Here are my thoughts: I answered your question and pointed out that the blackhole exploits are not delivered when javascript is disabled. I also do not want that to be misconstrued as support for providing noscript as a workable security solution. It is not.
          And yes, there is an “allow all this page” option, which most users would select after seeing how many choices they have to wade through on each visited web page.

          Anyway, my point is that I often use noscript when doing research. At the same time, noscript is not an adequate solution for “most users”. You might as well give them lynx.

          1. EJ

            No facetiousness intended – it’s tough to distinguish the level of technical sophistication of posters on here, so I took a shot. As a security practitioner and proponent, the last thing I want to do is put off anyone who shows an interest.

            I agree that NoScript isn’t a complete solution for the non-technical user (your typical home user), but it is most certainly a livable solution for anyone that has an understanding of the basics of web pages. Once it’s configured properly, you lose little, if any, functionality on most sites. I and many, many others use it at home and work, with no loss of productivity, all while enjoying a full-featured web experience. If someone is able to poke around in IE’s security zones, they can certainly handle NoScript’s configuration.

            We’ll have to agree to disagree.

          2. EJ

            And Kurt, sorry I didn’t make the connection between your posts and Brian’s earlier pointing out you’re w/ Kaspersky. Thanks for contributing w/ your thoughts and insights here.

            1. kurtisj

              Hey, no problem, EJ. It’s great to see some knowledgeable posters here like you. I am interested in Blackhole (and other kits) exploit related issues and defensive approaches. Thanks for the discussion.

      2. F-3000

        “you might as well use lynx if you disable javascript”

        I wonder what makes you think that lynx is comparable to a modern browser with JS off, even so strongly that you repeated your opinion. Or are you trying to say that almost all sites today are doing *all* the appearance and images with JS, and without JS all the pages would be plain text?

        IMHO, those sites which are unusable without JS are just plain and simply: badly designed. My site falls into that category when it comes to its “advanced features”, which doesn’t concern a mere bypasser – or even regular visitor, as long as he doesn’t want to login thru the main frame. Sites that are unreadable without JS are idiotically designed.

  5. mechBgon

    At work, we used to use a website that required Java to print shipping labels, so I was unable to rid us of Java entirely. But I did disable Java in Internet Explorer’s security zones other than the Trusted Zone (which I set to Medium-High) and added that one website to the Trusted Zone. Hence, IE was Java-proofed except for that site. I believe NoScript will allow a similar tuning of Firefox’s use of Java.

  6. c.cobb

    My bank uses a Java applet during the login process, so I created a custom remix of Ubuntu with Java. It runs from Live USB and includes NoScript and some other security-related stuff.

    Originally got the idea from your Oct, ’09 article that recommended Puppy Linux on Live CD — that was a great start and I learned a lot but Ubuntu is a lot nicer, IMHO, and a USB is a lot more convenient.

    Thank you, Brian.

  7. Chris

    The article mentions Firefox and Internet Explorer as vulnerable, Chrome less so. What about Safari (on OS X or Windows)?

    1. BrianKrebs Post author

      People use Safari on Windows? 🙂 I don’t even use Safari on my Mac!

      Sorry, it didn’t occur to me to ask about it. The answer is that I don’t know.

      1. Chris

        If this exploit is effective on Macs, then it’s an important question for Mac users, as I would hazard a guess the great majority use Safari, in much the same way that the majority of Windows users use Internet Explorer (also a guess).

  8. Nic

    It’s good to see people uninstalling Java. The majority of people don’t use it, and for those who do but don’t realize it, they can just reinstall as Java is a free download. No problem.

  9. Linda

    Brian,

    I want to report a different type of exploit. “Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button.”

    Wanting to make sure I did not have Java installed, I followed your directions – only to cause Java to be downloaded onto my computer, much to my dismay. I am sure you are unaware of this practice and won’t be pleased to learn about it. Sorry to be the bearer of bad news.

    Thanks for all the good you do.
