
Detector of sites that infect visitors' computers using malicious Java applets

As we said at VolgaCTF2012, in more than two thirds of cases dangerous sites now infect users' computers by delivering malicious Java applets to the browser. Such an infection can happen even when the browser is kept up to date, and in some cases even on a non-Microsoft OS. If there is no Java virtual machine on the computer, the infected site will "helpfully" offer to install its own vulnerable version and then attack the user's computer again. To detect sites that use this infection method, Yandex has launched a dedicated behavioral analyzer of malicious code in Java applets. It detects obfuscated malicious code that exploits the most popular JRE vulnerabilities to date. As a result, since the beginning of February more than four thousand infected sites have been found, whose combined traffic before infection reached 1.5 million users per day.

One of the most widespread ways of spreading malicious code today is Java exploits, which are found in every exploit pack. Their popularity is due to several factors:


Java exploits have gained wide popularity among attackers because of the large number of logical vulnerabilities in Java. Such vulnerabilities allow arbitrary code to be executed without the user noticing, because exploiting them usually does not crash the browser or the Java virtual machine process. Since 2010, attackers have exploited CVE-2010-0806, CVE-2010-4452, CVE-2011-3544, CVE-2012-0500 and CVE-2012-4681, and since the very beginning of 2013 they have been actively exploiting CVE-2013-0433.


Consider CVE-2013-0433. The essence of this vulnerability is that the vulnerable method com.sun.jmx.mbeanserver.MBeanInstantiator.findClass returns a reference to a class from any package, given only the class name. However, the MBeanInstantiator constructor is private and cannot be called directly. The required MBeanInstantiator instance is held by an instance of the com.sun.jmx.mbeanserver.JmxMBeanServer class and can be obtained through its getMBeanInstantiator method; JmxMBeanServer itself has a public constructor. Thus, to elevate privileges it is enough to do the following:
```java
// Obtain an MBean server through the public factory of JmxMBeanServer ...
javax.management.MBeanServer ms =
    com.sun.jmx.mbeanserver.JmxMBeanServer.newMBeanServer("any", null, null, true);
// ... reach the MBeanInstantiator it holds (its own constructor is private) ...
com.sun.jmx.mbeanserver.MBeanInstantiator mi =
    ((com.sun.jmx.mbeanserver.JmxMBeanServer) ms).getMBeanInstantiator();
// ... and resolve a class from a restricted package by name.
Class clazz = mi.findClass("some.restricted.class.here", (ClassLoader) null);
```
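The call chain above can be looked for statically in a JAR: when an applet was compiled with direct calls, the constant pool of its class files carries the names of the classes and methods involved. The scanner below is an added example, not code from this post or from Yandex's analyzer. It parses the constant pool of every class file in a JAR and reports references to com.sun.jmx.mbeanserver.MBeanInstantiator and JmxMBeanServer and to the findClass and getMBeanInstantiator methods. The JAR it scans is constructed inside the block (minimal, method-less class files whose constant pools reference those names); build_class_file, scan_class and scan_jar are the example's own names.

```python
import io
import struct
import zipfile

# Indicators of the CVE-2013-0433 call chain described in the post,
# in JVM internal-name form ('/' instead of '.').
SUSPICIOUS_CLASSES = {
    "com/sun/jmx/mbeanserver/MBeanInstantiator",
    "com/sun/jmx/mbeanserver/JmxMBeanServer",
}
SUSPICIOUS_METHODS = {"findClass", "getMBeanInstantiator"}

# Payload size following each fixed-size constant-pool tag (JVM spec 4.4);
# tag 1 (CONSTANT_Utf8) is variable-length and handled separately.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data):
    """Return {index: (tag, payload)} for the constant pool of one class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack(">H", data[8:10])[0]
    pool, pos, idx = {}, 10, 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                      # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack(">H", data[pos:pos + 2])[0]
            pool[idx] = (tag, data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            size = _FIXED[tag]
            pool[idx] = (tag, data[pos:pos + size])
            pos += size
        idx += 2 if tag in (5, 6) else 1  # Long/Double occupy two pool slots
    return pool


def scan_class(data):
    """Sorted (kind, name) indicators referenced by one class file's constant pool."""
    pool = parse_constant_pool(data)
    hits = set()
    for tag, payload in pool.values():
        if tag == 7:                      # CONSTANT_Class -> Utf8 name
            name = pool[struct.unpack(">H", payload)[0]][1]
            if name in SUSPICIOUS_CLASSES:
                hits.add(("class", name))
        elif tag in (9, 10, 11):          # Field/Method/InterfaceMethodref
            _, nat_index = struct.unpack(">HH", payload)
            name_index, _ = struct.unpack(">HH", pool[nat_index][1])
            if pool[name_index][1] in SUSPICIOUS_METHODS:
                hits.add(("method", pool[name_index][1]))
    return sorted(hits)


def scan_jar(jar_bytes):
    """Scan every .class entry of an in-memory JAR; returns {entry: indicators}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            if entry.endswith(".class"):
                hits = scan_class(zf.read(entry))
                if hits:
                    report[entry] = hits
    return report


def build_class_file(class_name, methodrefs):
    """Constructed test input: a minimal class file (no fields/methods) whose pool holds Methodrefs."""
    cp = []
    def add(entry):                       # append an entry, return its 1-based index
        cp.append(entry)
        return len(cp)
    def utf8(text):
        raw = text.encode("utf-8")
        return add(b"\x01" + struct.pack(">H", len(raw)) + raw)
    def cls(name):
        return add(b"\x07" + struct.pack(">H", utf8(name)))
    this_idx, super_idx = cls(class_name), cls("java/lang/Object")
    for owner, method in methodrefs:
        nat = add(b"\x0c" + struct.pack(">HH", utf8(method), utf8("()V")))
        add(b"\x0a" + struct.pack(">HH", cls(owner), nat))
    out = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(cp) + 1) + b"".join(cp)
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    return out + struct.pack(">HHHHHHH", 0x0021, this_idx, super_idx, 0, 0, 0, 0)


def build_sample_jar():
    """Constructed JAR: one harmless class and one wired to the JMX call chain."""
    benign = build_class_file("Hello", [("java/lang/System", "gc")])
    suspect = build_class_file("Loader", [
        ("com/sun/jmx/mbeanserver/JmxMBeanServer", "getMBeanInstantiator"),
        ("com/sun/jmx/mbeanserver/MBeanInstantiator", "findClass"),
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hello.class", benign)
        zf.writestr("Loader.class", suspect)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_jar(build_sample_jar()))   # only Loader.class is reported
```

The post's own sample shows the limit of this approach: its string constants are obfuscated and the names are resolved at runtime, so nothing in such an applet's constant pool would match. A static pass like this triages kits that call the JMX classes directly and is a complement to, not a substitute for, the behavioral analysis the post describes, where the same call chain is observed while the applet runs.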


To infect a user's computer, attackers place malicious code on a compromised web page, for example:



After the page is visited, a chain of redirects follows:



As a result, the user is redirected to the page with exploits:



If a vulnerable version of Java is present, the malicious applet 887.jar elevates its privileges in the system, then downloads and launches malware. According to VT (VirusTotal) data from 12.02.2013, the applet in question is detected by 5 of 40 antivirus engines, and the malware it installs is detected by none of the 40. Attackers almost always obfuscate or encrypt the malicious code inside Java applets, which lets them bypass signature-based detection. The sample in question looks like this after decompilation:



All string constants in this applet are obfuscated, and variable and class names are replaced with random ones. The applet exploits the vulnerability CVE-2013-0433 described above:



To avoid infection, we recommend:
Yandex Safe Search team

Source: https://habr.com/ru/post/170921/

