Virus Profile: JV/Exploit-Blacole

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/5/2012
Date Added: 4/5/2012
Origin: N/A
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 6917
Description

This is a Trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Indication of Infection

Presence of the above-mentioned activities.

Methods of Infection

This malware is downloaded and installed when a user visits a website compromised with the Blackhole Exploit kit.

Virus Characteristics

---------------------Updated on 12 March 2013----------------------------------

“JV/Exploit-Blacole” covers Java applets written with the malicious intent of downloading other payloads and executing them without user consent. The applet exploits a Java Runtime vulnerability, CVE-2012-0507.

The vulnerability lies in AtomicReferenceArray and is used to bypass the Java sandbox mechanism. The attacker crafts a class file containing serialized object data that triggers the vulnerability when the object array is deserialized. The class file that triggers the vulnerability is invoked by another class file acting as a loader; once exploitation succeeds, the loader calls a further class file that downloads the payload and executes it.

This vulnerability is triggered by the way error objects are handled by the vulnerable JavaScript engine. Normally, JavaScript engines ensure that only trusted code executes within the Java Runtime Environment, as opposed to untrusted applet code.

The exploit first creates an error object that the vulnerable JavaScript engine cannot handle, then executes a script that disables the Java Security Manager via the "toString" method. It then throws an exception, proceeds further, and calls the malicious class file to execute arbitrary code.

In the wild, it is found as a Java archive. The malicious HTML passes the encrypted URL of the file to download and execute to the applet as the parameter x.

The JAR file contains class files that trigger the vulnerability and execute arbitrary code to download other payloads:

BadRun.class
Getter.class
Hello.class
hw.class
Indestuctable.class
LocalizeMem.class
NotebookNew.class
popers.class

Upon execution, the Trojan attempts to exploit the vulnerability in the Java Runtime Environment (JRE) and tries to connect to remote hosts (addresses redacted in this profile) to download other payloads such as PWS variants and a rootkit.


The following are the payloads dropped by the Trojan:

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-[Varies]\6b29ae44e85efac3c72ff4d1865d73f1_ee30d8fa-eeea-4127-9fa3-3b2699ade84e
%APPDATA%\Microsoft\Protect\S-1-5-[Varies]\9a9cd726-c7a8-40e8-b9f1-8381db73e03d
%APPDATA%\Sun\Java\Deployment\cache\6.0\2\2d75f742-1c88413f
%APPDATA%\Sun\Java\Deployment\cache\6.0\2\2d75f742-1c88413f.idx
%Temp%\4485000.exe

The following are the folders created on the system:

%SYSTEMDRIVE%\RECYCLER\S-1-5-[Varies]\$8799278523af799c26e02500d72b61fb
%SYSTEMDRIVE%\RECYCLER\S-1-5-18

The following registry keys have been added to the system:

HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}
HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}\InprocServer32
HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}
HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}\InprocServer32

The following registry key values have been added to the system:

HKEY_USERS \S-1-5-[Varies]\Software\WinRAR\HWID: 7B 41 41 31 46 37 33 44 30 2D 44 45 45 38 2D 34 45 45 31 2D 38 46 30 31 2D 39 33 44 34 36 36 36 34 43 34 32 32 7D
HKEY_USERS \S-1-5-[Varies]\Software\WinRAR\Client Hash: 59 50 78 7B 73 C7 51 86 59 CF 39 A5 33 4A 7E E0
HKEY_USERS \S-1-5-[Varies]\Software\WinRAR\73AA0ABBD4D7AA73341CB4F7564CD9C9: 74 72 75 65
HKEY_USERS \S-1-5-[Varies]\Software\WinRAR\5CEB93082950D0E1D2B9D9B5677EE92D: 74 72 75 65

The above registry key values confirm that the system is compromised by a PWS variant.

HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Both"
HKEY_USERS\S-1-5-[Varies]\Software\Classes\CLSID\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-[Varies]\$8799278523af799c26e02500d72b61fb\n."
HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}\InprocServer32\ThreadingModel: "Both"
HKEY_USERS\S-1-5-[Varies]_Classes\CLSID\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-[Varies]\$8799278523af799c26e02500d72b61fb\n."

The above registry key values confirm that the Trojan installed a rootkit, registered it with the compromised system, and executes it upon system boot.

The following registry key values have been modified on the system:

HKEY_LOCAL_MACHINE \SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%WINDIR%\system32\wbem\fastprox.dll"
HKEY_LOCAL_MACHINE \SOFTWARE\Classes\CLSID\{GUID}\InprocServer32\: "%SYSTEMDRIVE%\RECYCLER\S-1-5-18\$8799278523af799c26e02500d72b61fb\n."

The above registry entry confirms that the dropped file is registered with the compromised system and executes upon system boot.

The following registry keys are deleted from the system in order to disable the Windows Firewall and Security Center:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SHAREDACCESS\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Enum
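The registry and file-system artifacts listed above can be checked from a defender's side. The following read-only PowerShell triage script is an added example, not part of the McAfee profile; it flags CLSID InprocServer32 default values redirected into RECYCLER (the pattern shown for the fastprox.dll CLSID), the RECYCLER\S-1-5-18 folder, and the absence of the SharedAccess/wscsvc keys. The $8799... folder name is the one this profile reports and is assumed to vary between samples, so only its parent is checked.

```powershell
# Added example (not from the McAfee profile): read-only triage for the artifacts this
# profile lists. Run in an elevated PowerShell on the host being examined; it changes nothing.
$findings = @()

# 1. CLSID hijack: any InprocServer32 default value pointing into RECYCLER or ending in "\n."
#    (the profile shows the fastprox.dll CLSID rewritten to such a path). Check HKLM plus every
#    loaded user hive (HKU\<SID>\Software\Classes and the separate HKU\<SID>_Classes hives).
$clsidRoots = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID')
Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue | ForEach-Object {
    $clsidRoots += "Registry::$($_.Name)\Software\Classes\CLSID"   # HKU\<SID>\Software\Classes\CLSID
    $clsidRoots += "Registry::$($_.Name)\CLSID"                    # HKU\<SID>_Classes\CLSID
}
foreach ($root in $clsidRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $srv)) { return }
        $default = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        if ($default -and ($default -match '\\RECYCLER\\' -or $default -match '\\n\.$')) {
            $findings += "COM hijack candidate: $srv -> $default"
        }
    }
}

# 2. Rootkit staging folder. RECYCLER itself is legitimate on XP/2003, but a subfolder named
#    after the SYSTEM account SID (S-1-5-18) is the pattern this profile describes.
$recycler = Join-Path $env:SystemDrive 'RECYCLER\S-1-5-18'
if (Test-Path $recycler) { $findings += "Suspicious folder present: $recycler" }

# 3. Firewall / Security Center keys the Trojan deletes. Note: wscsvc does not exist on some
#    Windows Server editions, so treat a missing key there as informational, not conclusive.
$expectedKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup',
    'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
)
foreach ($key in $expectedKeys) {
    if (-not (Test-Path $key)) { $findings += "Expected key missing (firewall/Security Center): $key" }
}

if ($findings.Count -eq 0) { 'No JV/Exploit-Blacole host artifacts found.' } else { $findings }
```

A hit in check 1 is the strongest single indicator; checks 2 and 3 corroborate it and should be read together with the dropped files listed earlier in this profile.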

-------------------Updated on Dec 12,2012-------------------------------------

JV/Exploit-Blacole is a generic detection for malicious Java code that exploits CVE-2012-1723.

"Exploit-CVE2012-1723" is the detection for malicious Java class files stored within a Java archive (.JAR) that attempt to exploit a vulnerability in Oracle Java SE 7 Update 4 and earlier, 6 Update 32 and earlier, 5 Update 35 and earlier, and 1.4.2_37 and earlier, which allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.

This exploit may be encountered when visiting a compromised webpage that contains the malicious code.

The code is created by an attacker using the "Blackhole" Exploit Kit and inserted into a compromised webpage.

When the page is visited by a user running a vulnerable version of Java, the malicious Java class runs and allows the execution of arbitrary code.

The vulnerability exists due to type confusion between a static variable and an instance variable. A static variable is common to the class as a whole, whereas an instance variable is only valid in an instantiated class.

The malicious Java package may contain the following malicious Java class files:

  • bnkztn.class
  • hppomlen.class
  • iamknrheybxait.class
  • jkmiqxqyklnz.class
  • jljotijthvtk.class
  • kmljqr.class
  • lnydqmghg.class
  • lwpj.class
  • opwuxteyhljfc.class
  • oqafpd.class
  • vqhfxwnooy.class

Upon successful exploitation, it tries to connect and download other payloads.

------------------------------------------------------------------------------------------------------------------

JV/Exploit-Blacole is a detection for malicious Java applets that attempt to exploit vulnerabilities in the Java Runtime Environment (JRE). These exploit files are mainly distributed by the Blackhole exploit kit, allowing it to download and install malware on the affected system.

Java files detected as JV/Exploit-Blacole are known to exploit any of the following vulnerabilities:

  • CVE-2012-0507
  • CVE-2012-1723

It usually comes as a JAR file with multiple class file components inside. Some of the class filenames that have been observed are:

  • a.class
  • b.class
  • javaww.class

Successful exploitation allows other malware to be downloaded and installed on the system. The URL to be downloaded is usually passed to the Java applet as an encrypted string parameter.

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).