Pierluigi Paganini March 05, 2013

According security experts the numerous cyber attacks that hit principal IT companies, news agencies and government offices exploited zero-day vulnerabilities in Java software to the point that many recommend to uninstall Java plug-in from our browser unless absolutely necessary.

Same clamor had obtained in the past the discovery that malware source codes were signed with stolen digital certificates to elude victims defense systems and infect their machines.

These time the two events have concurred for the success of the recent attacks, malware used in a zero-day Java exploit was signed with certificates stolen from a Bit9 security firm that was hit itself by a cyber attack.

The is no peace for Java software, the malicious code targeted all early version of the popular software such as Java 6 Update 41 and Java 7 Update 15 released a couple of weeks ago.

The shocking revelation has been made by researchers at security firms FireEye and CyberESI that discovered the attack known as CVE-2013-1493 able to compromise both above editions of Java.

The researchers discovered that the malicious code used for the exploits is the same found in the recently attacks at security firm Bit9, according FireEye the exploit downloaded the McRat, a remote access trojan. Security analysts observed also that once infected the victims, the malware contacted  C&C server with IP address 110.173.55.187, exactly the same server used in the attack against Bit9 and described by same security firm in a blog post.

“It contains one (1) export: “DllRegisterServer”. When this function is called, the malicious DLL beacons to IP address “110.173.55.187” over port 80.”

The following information was found about the “110.0.0.0-110.255.255.255” net range:

• OrgName Asia Pacific Network Information Centre

Krebsonsecurity.com blog published the following eloquent declaration released by Alex Lanstein, a senior security researcher at FireEye:

 “Same malware, same [command and control server], I’d have to say it’s the same group that hit Bit9,”.

Security researchers at Symantec have proved the links between the malware (dubbed by Symantec as “Naid”) and the attacks against Bit9 firm, in July 2012, attackers stole certificates from Bit9 to sign malicious code.

The attack according Symantec is a watering hole attack that infects users while visiting a compromised web site, obviously hackers target web sites attractive for the victims.  The recent attacks against Apple, Facebook and Microsoft exploited zero day flaw the Java browser plugin while victims visited particular site.

The Symantec post states:

“As seen in figure 1, the initial stage of the attack involves a target visiting a compromised site that hosts a malicious JAR file, detected by Symantec as Trojan.Maljava.B. The JAR file contains the exploit CVE-2013-1493 which, if successful, downloads a file called svchost.jpg that is actually an MZ executable, detected by Symantec as Trojan.Dropper. This executable then acts as a loader for the dropped appmgmt.dll file, detected as Trojan.Naid”. 

Security experts suggest to disable Java in user’s browser in not necessary, anyway to disable it until a patch has been released by Oracle, but we cannot ignore that is not sure that Oracle will issue an update for retired version of Java software such as Jave 6.

We just have to wait for Oracle java software updates!

Pierluigi Paganini

(Security Affairs – Java)