-----------------Updated on Feb 02,2012 ------------
is a detection which is used by attacker to bypass the Java sandbox restriction and execute arbitrary code.
The class file exploits the vulnerability present in the AtomicReference Array to bypass the java sandbox mechanism. The attacker crafts the class file with the serialized object data where it will trigger the vulnerability by deserializing the object array. The Vulnerability triggering class file is called by another class file which acts as a loader. Once it is exploited the loader class file will call another class file which will download the payload and execute it.
The vulnerability is related to deserializing calendar objects and may allow an untrusted applet or application to escalate privileges.
The malicious HTML passes the encrypted URL of the file to download and execute as the parameter x to the applet.
Compromise of the Java Applet Sandbox will permit Java to download and execute malware. The Applet typically contains code that consumes a URL Name (also a part of the Applet) which hosts the malware.
The JAR file contains class files in the ltdypqfbvuppuhw package which triggers the Vulnerability
Upon successful exploitation may lead to the download and execution of arbitrary files in an affected system.
- upkkjfuvvasetkbste.class (Vulnerability triggering class file) (Detected as Generic Exploit!1mt)
- wcpnanseeeyjbbflhsmhbfu.class (Class Loader) (Detected as Generic Exploit!1mg)
- gwbpas.class (Applet class) (Detected as Generic Exploit!1mt)