Virus Profile: Generic Exploit!qtw

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/4/2012
Date Added: 8/4/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Trojan
DAT Required: 6793
Description

An initial threat vector may be hosted on a website in the form of an Applet. The Applet would contain code to exploit CVE-2012-0507. The intent of the exploit is to surreptitiously download and execute additional malware on the infected system. An indication of this may be the presence of unusual traffic to unknown domains.

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 5 (Update 33), 6 (Update 30) and 7 (Update 2) and earlier updates allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

The vulnerability lies in the implementation of the AtomicReferenceArray class: it allows type-safety checks to be circumvented, which bypasses the Java sandbox and permits the applet to download and execute malware. The Applet typically contains code that consumes a URL (also part of the Applet) which hosts the malware.

Aliases

  • Trend Micro    -    JAVA_EXPLOIT.ES
  • Microsoft    -    Exploit:Java/CVE-2012-0507.CG
  • Fortinet    -    W32/Java.FR!tr
  • Ikarus        -    Trojan.Java.Exploit

Indication of Infection

  • The exploit may download arbitrary files.
  • This exploit attempts to download and execute additional malware to the infected system.


Methods of Infection

  • This threat exploits an unpatched vulnerability in Sun Microsystems Java.
  • This Trojan can be installed while browsing compromised websites.

Virus Characteristics

Generic Exploit!qtw is a detection for code which attempts to trigger the CVE-2012-0507 vulnerability, which allows the Java applet to run with elevated privileges so that it can download and run files from a remote host.

The class file exploits the vulnerability in AtomicReferenceArray to bypass the Java sandbox mechanism. The attacker crafts the class file with serialized object data so that the vulnerability is triggered when the object array is deserialized. The vulnerability-triggering class is called by another class which acts as a class loader. Once the vulnerability is exploited, the class loader calls another class which downloads the payload and executes it.

The Java applet usually consists of several Java classes working together, bundled into a JAR (Java archive) file.

This archive file contains the following classes that make up the applet:

  • bdvnwtftvwqjbgpgvawghyav.class (class which contains the class loader)
  • buahvjbtdhju.class (class which downloads the payload) [Detected as Downloader-BCS]
  • eatwtjtkdrydyqqngj.class (exploit class which bypasses the Java sandbox) [Detected as Generic Exploit!qtw]
  • njfrdtcatahhtruydb.class (applet class which loads the vulnerability)
  • wvldnmjqudgpmhgqsylskq.class (vulnerable class which contains the AtomicReferenceArray)
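The profile describes two traits of the archive that an analyst can look for when triaging a JAR: a class referencing AtomicReferenceArray and serialized object data that is deserialized at run time. The script below is an added example, not McAfee's detection logic and not code from the applet; it scans every entry of an in-memory JAR for those two byte patterns and builds a constructed sample JAR to run against. The entry names, the fake class bodies and the Java serialization stream magic check (0xACED0005) are assumptions of the example; the scan is a coarse byte search rather than a class-file parser.

```python
import io
import zipfile

# Indicators taken from the profile text: the exploit class references
# AtomicReferenceArray, and serialized object data is deserialized at run time.
# A Java serialization stream begins with the magic bytes 0xACED0005.
ATOMIC_REF_ARRAY = b"java/util/concurrent/atomic/AtomicReferenceArray"
SERIAL_MAGIC = b"\xac\xed\x00\x05"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"
CVE_ID = "CVE-2012-0507"

REF_HIT = "references AtomicReferenceArray"
SER_HIT = "contains Java serialization stream magic"


def scan_jar(jar_bytes):
    """Scan every entry of an in-memory JAR and return {entry_name: [hits]}.

    Only entries with at least one hit are included.  The check is a plain
    byte search: class files keep referenced class names as UTF-8 constant
    pool strings, so the substring search works without a class-file parser.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            hits = []
            if data.startswith(CLASS_MAGIC) and ATOMIC_REF_ARRAY in data:
                hits.append(REF_HIT)
            if SERIAL_MAGIC in data:
                hits.append(SER_HIT)
            if hits:
                findings[info.filename] = hits
    return findings


def assess(findings):
    """Turn per-entry hits into a triage verdict string."""
    all_hits = {h for hits in findings.values() for h in hits}
    if REF_HIT in all_hits and SER_HIT in all_hits:
        return "suspicious: %s pattern (AtomicReferenceArray + serialized data)" % CVE_ID
    if all_hits:
        return "review: partial match"
    return "clean"


def build_sample_jar(include_indicators=True):
    """Build a constructed sample JAR in memory (not a real applet).

    The entries are fake class-like blobs: a class-file magic header followed
    by the constant-pool strings the scanner looks for.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Hello.class", CLASS_MAGIC + b"java/lang/System")
        if include_indicators:
            zf.writestr("Vuln.class", CLASS_MAGIC + ATOMIC_REF_ARRAY)
            zf.writestr("payload.ser", SERIAL_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    for name, hits in scan_jar(sample).items():
        print(name, "->", ", ".join(hits))
    print(assess(scan_jar(sample)))
```

AtomicReferenceArray is a legitimate JDK class and serialized data appears in benign archives too, so a hit is a reason to look closer (for example with the DAT detection named above), not a verdict on its own.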


Upon successful exploitation it tries to connect to the IP address below on remote port 80.


  • 96.17.[Removed].67
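The profile gives two network indicators: unusual traffic to unknown domains, and a connection to a bare IP address on port 80 after exploitation. The script below is an added example, not part of the McAfee profile, showing how those indicators can be checked against proxy logs. The simplified "timestamp client destination:port" log layout, the allowlist of known hosts and the log lines themselves are constructed for the example; 203.0.113.67 is a documentation address standing in for the redacted 96.17.[Removed].67 above.

```python
import ipaddress
import re

# Constructed proxy log lines (not from the profile) in a simplified
# "unix_ts client_ip destination:port" layout.  203.0.113.67 is a documentation
# address standing in for the redacted 96.17.[Removed].67 from the profile.
SAMPLE_LOG = """\
1344067200.101 10.0.0.5 www.example.com:80
1344067201.503 10.0.0.5 203.0.113.67:80
1344067202.220 10.0.0.7 updates.example.net:443
1344067203.311 10.0.0.5 198.51.100.10:8080
1344067204.044 10.0.0.9 cdn-tracker.example.org:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>[^:\s]+):(?P<port>\d+)$"
)

# Hosts the environment is expected to talk to (assumption: maintained locally).
KNOWN_HOSTS = {"www.example.com", "updates.example.net"}


def is_ip_literal(host):
    """True when the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_suspicious(log_text, known_hosts=KNOWN_HOSTS, watch_port=80):
    """Return [(client, dest, reason)] for entries matching the profile's
    infection indicators: web traffic to a bare IP on the watched port, or
    traffic to a domain that is not on the local allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dest, port = rec["dest"], rec["port"]
        if is_ip_literal(dest):
            if port == watch_port:
                alerts.append((rec["client"], dest, "bare IP on port %d" % port))
        elif dest not in known_hosts:
            alerts.append((rec["client"], dest, "unknown domain"))
    return alerts


if __name__ == "__main__":
    for client, dest, reason in find_suspicious(SAMPLE_LOG):
        print("%s -> %s (%s)" % (client, dest, reason))
```

In practice the allowlist would come from the organisation's own inventory, and a hit on a client should be followed by checking that host for the Java version and the JAR entries described in this profile.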

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).