In October, I showed why Java vulnerabilities continue to be the top moneymaker for purveyors of “exploit kits,” commercial crimeware designed to be stitched into hacked or malicious sites and exploit a variety of Web-browser vulnerabilities. Today, I’ll highlight a few more recent examples of this with brand new exploit kits on the market, and explain why even fully-patched Java installations are fast becoming major enablers of browser-based malware attacks.
Check out the screenshots below, which show the administration page for two up-and-coming exploit packs. The first, from an unusually elaborate exploit kit called “Dragon Pack,” is the author’s own installation, so the percentage of “loads” or successful installations of malware on visitor PCs should be taken with a grain of salt (hat tip to Malwaredomainlist.com). Yet, it is clear that miscreants who purchase this pack will have the most success with Java flaws.
This blog has a nice writeup — and an additional stats page — from a compromised site that last month was redirecting visitors to a page laced with exploits from a Dragon Pack installation.
The second image, below, shows an administrative page that is centralizing statistics for several sites hacked with a relatively new $200 kit called “Bleeding Life.” Again, it’s plain that the Java exploits are the most successful. What’s interesting about this kit is that its authors advertise that one of the “exploits” included isn’t really an exploit at all: It’s a social engineering attack. Specifically, the hacked page will simply abuse built-in Java functionality to ask the visitor to run a malicious Java applet.
On Dec. 29, the SANS Internet Storm Center warned about a wave of Java attacks that were apparently using this social engineering approach to great effect. The attacks were taking advantage of built-in Java functionality that will prompt the user to download and run a file, but using an alert from Java (if a Windows user accepts, he or she is not bothered by a separate prompt or warning from the operating system).
“If you don’t have any zero-days, you can always go back to exploiting the human!” SANS incident handler Daniel Wesemann wrote. “This is independent of the JRE version used – with JRE default settings, even on JRE1.6-23, all the user has to do is click ‘Run’ to get owned. The one small improvement is that the latest JREs show ‘Publisher: (NOT VERIFIED) Java Sun’ in the pop-up, but I guess that users who read past the two exclamation marks will be bound to click ‘Run’ anyway.”