Virus Profile: JV/Exploit-Blacole!zip

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 6/30/2012
Date Added: 6/30/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Exploit
DAT Required: 6803

Description

      This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

Fortinet - Java/CVE_2012_0507.OT!exploit
Microsoft - Exploit:Java/Blacole.GD
Symantec - Trojan.Maljava!gen23
Nod32 - Java/Exploit.CVE-2012-1723.AV Trojan

Indication of Infection

The exploit may download arbitrary files.
This exploit attempts to download and execute additional malware to the

Methods of Infection

This threat exploits an unpatched vulnerability in Sun Microsystems Java.
This Trojan can be installed while browsing compromised websites.
   

Virus Characteristics

------------------------------Updated on 5 Nov 2012----------------------------------------

Aliases

ESET-NOD32 - a variant of Java/Exploit.CVE-2012-1723.AL
Kaspersky - Exploit.Java.CVE-2012-1723.cw
Microsoft - Exploit:Java/CVE-2012-1723.DO
Norman - CVE-2012-1723.U
Symantec - Trojan.Maljava

JV/Exploit-Blacole!zip is a generic detection for malicious Java code that exploits CVE-2012-1723. The intent of the exploit is to surreptitiously download and execute additional malware on the infected system.

"Exploit-CVE2012-1723" is the detection for malicious Java class files stored within a Java archive (.JAR) that attempt to exploit a vulnerability in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier. The vulnerability allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.

This exploit may be encountered when visiting a compromised webpage that contains the malicious code.

The code is created by an attacker using the "Blackhole" Exploit Kit and inserted into a compromised webpage.

When the page is visited by a user running a vulnerable version of Java, the malicious Java class runs and allows the execution of arbitrary code.

The vulnerability exists due to type confusion between a static variable and an instance variable. A static variable is shared by the class as a whole, whereas an instance variable is only valid within an instantiated object of that class.

The malicious Java package r0a may contain the following malicious Java class files:

  • rt0a.class
  • rt0b.class
  • rt0c.class
  • rt0d.class

Upon successful exploitation, the exploit attempts to connect to a remote host and download a further payload through remote port 5152, and listens on a random local port.

Upon successful exploitation, it creates the following file in the location below in order to execute the payload:

  •  %temp%\V.class [Detected as Downloader.a!cjh]

-------------------------------Updated on 1 Nov 2012---------------------------------------

JV/Exploit-Blacole!zip is a generic detection for malicious Java code that exploits CVE-2012-0507, a vulnerability that allows the execution of arbitrary code. The code also checks for installed components such as the Java plug-in and looks for a vulnerable version of Java: JRE 5 (update 33), 6 (update 30) and 7 (update 2) and earlier updates allow remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Scripting.

The vulnerability is in the implementation of the AtomicReferenceArray class, which allows type safety checks to be circumvented; bypassing the Java sandbox in this way permits Java to download and execute malware. The applet typically contains code that consumes a URL (also a part of the applet) which hosts the malware.

The class file exploits the vulnerability in AtomicReferenceArray to bypass the Java sandbox mechanism. The attacker crafts the class file with serialized object data that triggers the vulnerability when the object array is deserialized. The class file that triggers the vulnerability is called by another class file which acts as a loader. Once exploitation succeeds, the loader class file calls yet another class file, which downloads the payload and executes it.

Upon successful exploitation, the exploit attempts to connect to a remote host and download a further payload through remote port 5152, and listens on a random local port.

Upon successful exploitation, it creates the following file in the location below in order to execute the payload:

  •  %temp%\V.class [Detected as Downloader.a!bzl]

------------------------------------------------------------------------------------------------------

JV/Exploit-Blacole!zip is a generic detection for malicious Java code that exploits CVE-2012-1723. The intent of the exploit is to surreptitiously download and execute additional malware on the infected system.

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

The JAR file is executed as an applet in a crafted web page, and a URL in encoded form is passed as a parameter (site) to this applet.
The payloads are downloaded into the %temp% directory under a random name.

Upon successful exploitation, the exploit attempts to connect to a remote host and download a further payload through remote port 5152, and listens on a random local port.

Upon successful exploitation, it creates the following file in the location below in order to execute the payload:

  •  %temp%\V.class [Detected as Exploit-CVE2012-1723]
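The following triage helper is an added example, not McAfee's code: it checks a reported JRE version string against the vulnerable version ceilings this profile gives for CVE-2012-1723 and CVE-2012-0507, and lists which of the r0a package's class names (rt0a.class through rt0d.class, as named above) appear in a JAR. The sample JAR it builds is constructed in-line with empty placeholder entries; the in-JAR path layout (r0a/rt0a.class) is an assumption based on the package name.

```python
"""Defender-side triage helpers for the JV/Exploit-Blacole!zip profile.

Added example, not the vendor's code. The version ceilings and class
names come from the profile text; the sample JAR below is constructed.
"""
import io
import re
import zipfile

# Highest vulnerable update per JRE family, per CVE, as stated in the profile.
VULNERABLE_CEILINGS = {
    "CVE-2012-1723": {"1.7": 4, "1.6": 32, "1.5": 35, "1.4.2": 37},
    "CVE-2012-0507": {"1.7": 2, "1.6": 30, "1.5": 33},
}
# Class file names the profile lists for the malicious package r0a.
INDICATOR_CLASSES = {"rt0a.class", "rt0b.class", "rt0c.class", "rt0d.class"}

# Matches strings such as 1.7.0_04, 1.6.0_32, 1.4.2_37 (update part optional).
_VER = re.compile(r"^(1\.(?:4\.2|[567]))(?:\.\d+)?(?:_(\d+))?$")


def parse_java_version(text):
    """Return (family, update) for a JRE version string like '1.7.0_04'."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError("unrecognised Java version: %r" % text)
    return m.group(1), int(m.group(2) or 0)


def affected_cves(version):
    """CVEs from the profile whose vulnerable range covers this JRE version."""
    family, update = parse_java_version(version)
    hits = [cve for cve, ceilings in VULNERABLE_CEILINGS.items()
            if family in ceilings and update <= ceilings[family]]
    return sorted(hits)


def jar_indicators(jar_bytes):
    """Return the listed r0a class names present in a JAR (zip) image."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = {entry.rsplit("/", 1)[-1] for entry in zf.namelist()}
    return sorted(INDICATOR_CLASSES & names)


def constructed_sample_jar():
    """Constructed sample JAR: empty placeholder entries only, no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("META-INF/MANIFEST.MF", "r0a/rt0a.class", "r0a/rt0c.class"):
            zf.writestr(name, b"")
    return buf.getvalue()
```

The version check is only as good as the string it is given; on a host, feed it the output of `java -version` for every installed JRE and browser plug-in rather than just the one on PATH.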

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
