Generic.dx!bhnh is a detection for Java applets written with malicious intent to download other payloads and execute them without user consent. The applet malware exploits a Java Runtime Environment vulnerability, CVE-2012-0507, described below.
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 5 (Update 33), 6 (Update 30) and 7 (Update 2) and earlier updates allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.
The vulnerability lies in the implementation of the AtomicReferenceArray class: it allows type-safety checks to be circumvented, which bypasses the Java sandbox and lets the applet download and execute malware. The applet typically contains code that consumes a URL (also embedded in the applet) hosting the malware.
The exploit first creates an error object that the vulnerable Java script engine cannot handle, then executes a script that disables the Java Security Manager through the "toString" method. It then throws an exception, proceeds further, and calls the malicious class file to execute arbitrary code.
In the wild, it is found as a Java archive (JAR). The malicious HTML passes the encrypted URL of the file to download and execute to the applet as the parameter x.
The JAR file contains the following class files in a package that triggers the vulnerability:
- bfb.class (detected as Generic.dx!bhnh)
- etui.class (downloads from the malicious URL; detected as Generic Exploit!wfl)
- ovm.class (disables the Java Security Manager; detected as Generic Exploit!wfk)
- tyu.class (applet class; detected as Generic Exploit!wfk)
- ulk.class (exploit class; detected as Generic Exploit!wfk)
- xxx.class (vulnerability-triggering class file; detected as Generic.dx!bhnj)
- yte.class (Java script engine; detected as Generic.dx!bhnh)
Successful exploitation may lead to the download and execution of arbitrary files on the compromised system.
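A triage script, added here as an example and not part of the original write-up, that checks a captured HTML page for an applet receiving a parameter named x and checks the accompanying JAR for the class names listed above. The sample HTML and JAR are constructed, the detection names and class list come from the entry above, and the attribute parsing is a simplified regex rather than a full HTML parser.

```python
import io
import re
import zipfile

# Class names the write-up lists for this JAR; only the bare names are matched here.
LISTED_CLASSES = {"bfb.class", "etui.class", "ovm.class", "tyu.class",
                  "ulk.class", "xxx.class", "yte.class"}
TAG_RE = re.compile(r"<(applet|param)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([A-Za-z_][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
def _attrs(body):  # tag attributes as a lower-cased dict (quoted or bare values)
    return {m.group(1).lower(): m.group(2) or m.group(3) or m.group(4) or ""
            for m in ATTR_RE.finditer(body)}

def triage_html(html):
    """Find an <applet> tag and any <param name="x"> passed to it; None if no applet."""
    found = None
    for m in TAG_RE.finditer(html):
        a = _attrs(m.group(2))
        if m.group(1).lower() == "applet":
            found = {"archive": a.get("archive"), "code": a.get("code"), "x_param": None}
        elif found is not None and a.get("name", "").lower() == "x":
            found["x_param"] = a.get("value")
    return found

def triage_jar(jar_bytes):
    """Return the listed class names present in the JAR (package paths stripped)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = {n.rsplit("/", 1)[-1] for n in zf.namelist() if n.endswith(".class")}
    return names & LISTED_CLASSES

def verdict(html, jar_bytes):
    """List of reasons from both checks; an empty list means nothing matched."""
    info, hits, reasons = triage_html(html), triage_jar(jar_bytes), []
    if info and info["x_param"] is not None:
        reasons.append("applet %s receives parameter x=%r" % (info["archive"], info["x_param"]))
    if hits:
        reasons.append("JAR contains listed classes: " + ", ".join(sorted(hits)))
    return reasons
# Constructed sample (not a real capture): a 1x1 applet page and a JAR carrying three listed names.
SAMPLE_HTML = ('<html><body><applet archive="ab.jar" code="tyu.class" width=1 height=1>'
               '<param name="x" value="CONSTRUCTED_ENCRYPTED_URL"></applet></body></html>')

def build_sample_jar():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF", "a/tyu.class", "a/ulk.class", "a/xxx.class"):
            zf.writestr(name, b"dummy")  # dummy bodies: only member names are inspected
    return buf.getvalue()
```

Run `verdict(SAMPLE_HTML, build_sample_jar())` to get both reasons; either check alone is a weak signal, so a real deployment would combine them with the scanner detections named above.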