Posts Tagged: CVE-2013-1493

Jul 13

Styx Exploit Pack: Domo Arigato, PC Roboto

Not long ago, miscreants who wanted to buy an exploit kit — automated software that helps booby-trap hacked sites to deploy malicious code  — had to be fairly well-connected, or at least have access to semi-private underground forums. These days, some exploit kit makers are brazenly advertising and offering their services out in the open, marketing their wares as browser vulnerability “stress-test platforms.”

Styx Pack victims, by browser and OS version.

Styx Pack victims, by browser and OS version.

Aptly named after the river in Greek mythology that separates mere mortals from the underworld, the Styx exploit pack is a high-end software package that is made for the underground but marketed and serviced at the public styx-crypt[dot]com. The purveyors of this malware-as-a-service also have made a 24 hour virtual help desk available to paying customers.

Styx customers might expect such niceties for the $3,000 price tag that accompanies this kit. A source with access to one Styx kit exploit panel that was apparently licensed by a team of bad guys shared a glimpse into their operations and the workings of this relatively slick crimeware offering.

The Styx panel I examined is set up for use by a dozen separate user accounts, each of which appears to be leveraging the pack to load malware components that target different moneymaking schemes. The account named “admin,” for example, is spreading an executable file that tries to install the Reveton ransomware.

Other user accounts appear to be targeting victims in specific countries. For example, the user accounts “IT” and “IT2” are pushing variants of the ZeuS banking trojan, and according to this Styx panel’s statistics page, Italy was by far the largest source of traffic to the malicious domains used by these two accounts. Additional apparently country-focused accounts included “NL,” AUSS,” and “Adultamer” (“amer” is a derisive Russian slur used to describe Americans).

ZeuS Trojan variants targeted at Italian victims were detected by fewer than 5 out 17 antivirus tools.

ZeuS Trojan variants targeted at Italian victims were detected by fewer than 5 out 17 antivirus tools.

An exploit kit — also called an “exploit pack” (Styx is marketed as “Styx Pack”) is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed.

Unlike other kits, Styx doesn’t give a detailed breakdown of the exploits used in the panel. Rather, the panel I looked at referred to its bundled exploits by simple two-digit numbers. This particular Styx installation used just four browser exploits, all but one of which targets recent vulnerabilities in Java. The kit referred to each exploit merely by the numbers 11, 12, 13 and 32.

According to the considerable legwork done by Kafeine, a security blogger who digs deeply into exploit kit activity, Styx Kit exploit #11 is likely to be CVE-2013-1493, a critical flaw in a Java browser plugin that Java maker Oracle fixed with an emergency patch in March 2013. Exploit 12 is almost certainly CVE-2013-2423, another critical Java bug that Oracle patched in April 2013. In an instant message chat, Kafeine says exploit #13 is probably CVE-2013-0422, a critical Java vulnerability that was patched in January 2013. The final exploit used by the kit I examined, number 32, maps to CVE-2011-3402, the same Microsoft Windows font flaw exploited by the Duqu Trojan.

The Styx stats page reports that the hacked and malicious sites used by this kit have been able to infect roughly one out of every 10 users who visited the sites. This particular Styx installation was set up on June 24, 2013, and since that time it has infected approximately 13,300 Windows PCs — all via just those  four vulnerabilities (but mostly the Java bugs).

Continue reading →

Mar 13

Oracle Issues Emergency Java Update

Oracle today pushed out the third update in less than a month to fix critical vulnerabilities in its Java software. This patch plugs a dangerous security hole in Java that attackers have been exploiting to break into systems.

javamessJava 7 Update 17 and Java 6 Update 43 address a critical vulnerability (CVE-2013-1493) in Java that security experts warned last week was being used in targeted attacks against high-profile targets. Oracle had intended to quit shipping updates for Java 6 at the end of February, but apparently reversed course for the time being to help Java 6 users address this latest crisis.

I thought this was unusually speedy patch response for Oracle, that is until I read an Oracle blog post that accompanied the patch release. Oracle said that while reports of active exploitation against the vulnerability were recently received, this bug was originally reported to Oracle on Feb. 1, 2013, “unfortunately too late to be included in the Critical Patch Update that it released on Feb. 19.

“The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013),” wrote Oracle’s Eric Maurice.  “However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.”

What makes Java vulnerabilities so dangerous is that Java is a cross-platform product, meaning exploits against vulnerabilities in Java can be used to deliver malicious payloads to Mac and Linux systems just the same as they can Windows PCs.  The previous Java update released on Feb. 19 came amid revelations by AppleFacebook and Twitter that employees at these organizations and dozens of others were hacked using exploits that attacked Java vulnerabilities on Mac and Windows machines.

Continue reading →

Mar 13

New Java 0-Day Attack Echoes Bit9 Breach

Once again, attackers are leveraging a previously unknown critical security hole in Java to break into targeted computers. Interestingly, the malware and networks used in this latest attack match those found in the recently disclosed breach at security firm Bit9.

The discovery of the Java zero-day is being co-credited to FireEye and CyberESI, two companies that specialize in tracking cyber espionage attacks. In its writeup, FireEye said multiple customers had been attacked using a newly-found flaw in the latest versions of Java — Java 6 Update 41, and Java 7 Update 15.

FireEye said the Java exploit used in this attack downloaded a remote access Trojan called McRat. This threat, also known as HiKit and Mdmbot.F, calls home to a malicious control server at the Internet address Turns out, this is the same malware and control server that was used in the attack on Bit9, according to details that Bit9 released in a blog post this week documenting a sophisticated attack that resulted in a breach of its own systems last year.

Alex Lanstein, a senior security researcher at FireEye, said it’s unlikely in this case that multiple attack groups are using the same infrastructure and malware.

“Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,” Lanstein said.

Continue reading →