Virus Profile: Exploit-CVE2012-4681

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/29/2012
Date Added: 8/29/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 6819
Description

An initial threat vector may be hosted on a website in the form of an Applet. The Applet contains code to exploit CVE-2012-4681. The intent of the exploit is to surreptitiously download and execute additional malware on the infected system. An indication of this may be the presence of unusual traffic to unknown domains.

The CVE-2012-4681 entry explains: "Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses the Security Manager restrictions by

  • Using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit.
  • Using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class."

Compromise of the Java Applet Sandbox permits Java to download and execute malware. The Applet typically contains code that reads a URL string (also embedded in the Applet) pointing to the site that hosts the malware.

Aliases

Microsoft - Exploit:Java/CVE-2012-4681.GJ
Ikarus - Exploit.Java.CVE-2012
Fortinet - W32/Java.IG!tr

Indication of Infection

  • The exploit may download arbitrary files.
  • This exploit attempts to download and execute additional malware to the infected system.

Methods of Infection

  • This threat exploits an unpatched vulnerability in Sun Microsystems Java.
  • This Trojan can be installed while browsing compromised websites.

Virus Characteristics

Exploit-CVE2012-4681 is the detection for an obfuscated Java applet Trojan that exploits the vulnerability described in CVE-2012-4681.
This vulnerability is triggered by abusing restricted package permissions via the class com.sun.beans.finder.ClassFinder, which makes it possible for untrusted code to obtain references to classes that belong to restricted packages.

The following steps are involved in exploiting the vulnerability:

1. First, the class com.sun.beans.finder.ClassFinder is used to obtain a reference to the class sun.awt.SunToolkit, even though by default all sun.* packages are restricted.

2. With the reference to sun.awt.SunToolkit in hand, the exploit invokes its getField method, which grants access to private fields.

3. After gaining access to the restricted package, the exploit disables the Java Security Manager.

4. It then checks the installed operating system to determine whether the system is vulnerable; if so, the malware payload is downloaded and executed.

Exploit Analysis

The exploit package usually arrives as a set of class files, where one class file exploits the vulnerability and another downloads and executes the malicious payload.

The malicious package contains the following classes:

• nrenera.class
• nrenerb.class [Class containing the Applet that loads the malicious script]
• nrenerc.class
• nrenerd.class [Class holding the download URL]
• nrenere.class [Exploit-triggering class file]
• nrenerf.class [Class holding the obfuscated script]

The following code obtains a reference to the restricted sun.awt.SunToolkit class and uses that reference to call the getField method:

 

The following code is used to disable the Security Manager:


 
Once the Security Manager is disabled, the applet can run any code in the browser because no security checks are enforced. The exploit then downloads malicious payloads from the remote site and executes them on the compromised system.
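The analysis above names the strings an applet of this kind must reference (com.sun.beans.finder.ClassFinder, sun.awt.SunToolkit, getField, and the Security Manager call) and notes that the package arrives as class files. The following triage script is an added example written for this page, not McAfee's detection logic: it parses the constant pool of a Java class file and reports which of those indicator strings are present. The class-file builder, the sample entries and the indicator list are constructed for the demonstration; the constant-pool layout follows the JVM class-file specification.

```python
import struct

# Indicator strings drawn from the exploit description above (constructed list,
# stored in dotted form; slash-form type names are normalised before matching).
INDICATORS = (
    "com.sun.beans.finder.ClassFinder",
    "sun.awt.SunToolkit",
    "getField",
    "setSecurityManager",
)


def constant_pool_utf8(data: bytes) -> list:
    """Parse a Java class file and return every CONSTANT_Utf8 entry in order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file (bad magic)")
    (count,) = struct.unpack(">H", data[8:10])  # constant_pool_count
    pos, index, out = 10, 1, []
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            out.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in (7, 8, 16, 19, 20):   # Class, String, MethodType, Module, Package
            pos += 2
        elif tag in (3, 4):                # Integer, Float
            pos += 4
        elif tag in (5, 6):                # Long, Double occupy two pool slots
            pos += 8
            index += 1
        elif tag in (9, 10, 11, 12, 17, 18):  # refs, NameAndType, Dynamic, InvokeDynamic
            pos += 4
        elif tag == 15:                    # MethodHandle: u1 kind + u2 index
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 1
    return out


def scan_class(data: bytes) -> list:
    """Return the indicator strings found in the class file's constant pool."""
    normalised = [s.replace("/", ".") for s in constant_pool_utf8(data)]
    return [ind for ind in INDICATORS if any(ind in s for s in normalised)]


def build_sample_class(utf8_entries) -> bytes:
    """Constructed minimal class file whose constant pool carries the given strings.

    A CONSTANT_Class and a CONSTANT_Long are appended so the parser's
    skip logic (including the two-slot Long) is exercised.
    """
    pool, slots = b"", 0
    for s in utf8_entries:
        enc = s.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(enc)) + enc
        slots += 1
    pool += b"\x07" + struct.pack(">H", 1)   # Class -> entry 1
    pool += b"\x05" + struct.pack(">Q", 0)   # Long, two slots
    slots += 3
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 51)  # major 51 = Java 7
    # access_flags, this_class, super_class, interfaces/fields/methods/attributes counts
    trailer = struct.pack(">HHHHHHH", 0x0021, len(utf8_entries) + 1, 0, 0, 0, 0, 0)
    return header + struct.pack(">H", slots + 1) + pool + trailer


if __name__ == "__main__":
    # Constructed sample: a class that names the restricted toolkit and getField.
    sample = build_sample_class(
        ["java/lang/Object", "sun.awt.SunToolkit", "getField", "main"])
    print("indicators found:", scan_class(sample))
```

Treat a hit as a triage signal, not a verdict: the class names in this family (nrenera through nrenerf) are already obfuscated, and samples that assemble the "sun.awt.SunToolkit" string at run time will not carry it in the constant pool, so this check complements engine and DAT detection rather than replacing it.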

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).