For Home

Virus Profile: Generic Exploit!1mt

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/2/2012
Date Added: 1/2/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 6791
Removal Instructions
   
 
 
   

Description

      An initial threat vector may be hosted on a website in the form of an Applet. The Applet would contain code to exploit CVE-2012-0507.The intent of the exploit is to surreptitiously download and execute additional malware on the infected system. An indication of this may be the presence unusual traffic to unknown domains.

Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE JDK and JRE 5(update 33),6(Update 30) and 7(update 2) and earlier updates allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

The vulnerability is in the implementation of the AtomicReferenceArray class that allows type safety checks to be circumvented to bypass the Java sandbox will permit Java to download and execute malware. The Applet typically contains code that consumes a URL Name (also a part of the Applet) which hosts the malware.

Aliases

  • Ikarus        -    Exploit.Java.CVE-2012
  • Microsoft    -    Exploit:Java/CVE-2012-0507.CG

Indication of Infection

  •  The exploit may download arbitrary files.
  •  This exploit attempts to download and execute additional malware to the infected system.

Methods of Infection

  • This threat exploits an unpatched vulnerability in Sun Microsystems Java.
  • This Trojan can be installed while browsing compromised websites.
   

Virus Characteristics

-----------------Updated on  Feb 02,2012 ------------

"Generic Exploit!1mt" is a detection which is used by attacker to bypass the Java sandbox restriction and execute arbitrary code.

The class file exploits the vulnerability present in the AtomicReference Array to bypass the java sandbox mechanism. The attacker crafts the class file with the serialized object data where it will trigger the vulnerability by deserializing the object array. The Vulnerability triggering class file is called by another class file which acts as a loader. Once it is exploited the loader class file will call another class file which will download the payload and execute it.

The vulnerability is related to deserializing calendar objects and may allow an untrusted applet or application to escalate privileges.

The malicious HTML passes the encrypted URL of the file to download and execute as the parameter x to the applet.

 Compromise of the Java Applet Sandbox will permit Java to download and execute malware. The Applet typically contains code that consumes a URL Name (also a part of the Applet) which hosts the malware.

The JAR file contains class files in the ltdypqfbvuppuhw package which triggers the Vulnerability

  • upkkjfuvvasetkbste.class (Vulnerability triggering class file) (Detected as Generic Exploit!1mt)
  • wcpnanseeeyjbbflhsmhbfu.class (Class Loader) (Detected as Generic Exploit!1mg)
  • gwbpas.class (Applet class) (Detected as Generic Exploit!1mt)
Upon successful exploitation may lead to the download and execution of arbitrary files in an affected system.
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).