Java Releases Zero-Day Patch – Why you Need to Install it Now

Java Setup

Java released an out-of-band patch yesterday to remedy two Zero-Day exploits. If you haven’t done so update now. The Java exploit code has been added to several underground crimeware kits rapidly accelerating its spread on the internet. The patch stops a remote exploit that would allow an attacker to run code on a system that does nothing more than browse to a malicious page. This could include a full remote shell which we will demonstrate below.

The exploit code has been publicly available for a while now and has been added to the ever popular security testing suite Metaslpoit. We will demonstrate the exploit using Backtrack 5 and the Social Engineering Toolkit.

Simply choose the “Java Applet JMX Remote Code Execution” template from the SET Browser Exploitation menu.

SET Java 0-Day

Then choose the type of shell you want to use. We just selected the Reverse Meterpreter Shell and chose the defaults for everything else.

Once SET is ready, it will execute Meterpreter and wait for an incoming connection. Now we just need to surf to the attacker machine from Windows:

Surf to page

It doesn’t seem that anything happens. No warnings or pop-ups.

But as you can see below, our Backtrack system has already sent the exploit code and created a remote session with the system:

SET Session Created

We can now view any sessions that were created. As you see below we have one active session by Fred using a computer called Freds-PC using IP Address

We simply connect to the session with the “sessions -i” command and run “shell” to open a full remote DOS shell:

SET Windows 7 Shell

In the example above all the user did was browse to a malicious webpage. With no warning at all a full remote shell was opened on the visiting system by an attacker.

Now, let’s go to the Java Download page and download the latest update (update 11):

Java Update

Then let it install:

Java Setup Complete

Finally, let’s try surfing to the same malicious site again from our Windows 7 system and see what happens.

The webpage opens and acts like it did on the victim’s side. So far no change.

But if we look at the attacker side, we get an error message and more importantly no remote shell is opened:

After Update No Shell

That’s it! One Java update takes care of one of the nastiest Java exploits I have seen in a while.

Java seems to be a favorite target of hackers, and you never know when another Zero-Day might be discovered. If you haven’t done so all ready I highly recommend downloading and using a script blocking program like NoScript to give you some extra security and control over what scripts are allowed to run.

Malware Code that infects any OS came from Security Tool

(F-Secure image of malware backdoor Java App)

Last week, Security researchers at F-Secure have analyzed a new malware that targets Macs, Linux and Windows machines. (Thanks Dangertux!) The code, found on a Colombian Transport website, determines what operating system the visitor is using and then delivers a tailored backdoored Java applet. If the user allows the applet to run, the attackers get remote access to their machine.

Sound familiar?

Well it should, the code was taken from one of our favorite security tools, the Social Engineering Toolkit! Dave Kennedy (Rel1k) responded to an Arstechnica article about the new malware, stating that the code was indeed from SET:

Just a heads up, this is my open-source tool called the social-engineer toolkit.. Java applet attack source code is open to everyone. Looks like the payloads were custom though. This is used by millions of security researchers.

This is a problem with open source software and several software tools in fact. Though the creator meant the tool for good, unfortunately there are those out there that will try to use them for evil.

Recently a program created by a young French coder Jean-Pierre Lesueur, was used by the Syrian government to spy on its own people! Once Lesueur found out that it was used in this way, he created a removal tool for it and finally gave up developing it all together. Well known security guru Kevin Mitnick who used the tool in security demonstrations commented on Lesueur’s choice saying:

I don’t think that’s a good reason to stop development on it, because you always have bad actors,” he says. “That’s just a fact of life.”

Open source security tools are a huge benefit to the IT community. Especially to smaller companies that cannot afford high priced security solutions. They should not get a bad rap because of a few miscreants that twist them to do evil.

Move over Stuxnet, Say Hello to the new Cyberweapon: “Flame”

(Screenshot of Iran CERT warning for “Flame” Malware)

Yesterday Iran’s Computer Emergency Response Team released a warning about a new modular malware that resembled Stuxnet and Duqu. Dubbed “Flame”, the new cyberweapon is causing quite a stir in the media with it’s “advanced features and complexity”.

But looking at the malware’s features disclosed by Iran’s CERT team, it doesn’t seem very game stopping:

  • Distribution via removable medias
  • Distribution through local networks
  • Network sniffing, detecting network resources and collecting lists of vulnerable passwords
  • Scanning the disk of infected system looking for specific extensions and contents
  • Creating series of user’s screen captures when some specific processes or windows are active
  • Using the infected system’s attached microphone to record the environment sounds
  • Transferring saved data to control servers
  • Using more than 10 domains as C&C servers
  • Establishment of secure connection with C&C servers through SSH and HTTPS protocols
  • Bypassing tens of known antiviruses, anti malware and other security software
  • Capable of infecting Windows Xp, Vista and 7 operating systems
  • Infecting large scale local networks

All of these “threats” have been seen before. I especially liked the “bypassing tens of known anti-viruses…” line.

But there are several features that do set “Flame” apart from the pack. First of all the malware is very large, a whopping 20MB. Also, it contains several files and seems to be able to attack using swappable modules. But there is more.

According to an article on The Register, Flame has the following features:

  • It has been active for at least 2 years, but possibly 5-8 years
  • Contains exploits for known and fixed vulnerabilities
  • Uses open source libraries
  • Uses a SQLlite database
  • Uses some Scripts written in Lua (of Angry Birds fame)

All the big name security companies that have analyzed it seem to agree that with it’s complexity, it was most likely written by a Nation State and not individuals or small groups.

The malware could have been created by Israel (and possibly the US) as many of the countries that have detected infection would be logical targets for them.

As according to Symantec:

Initial telemetry indicates that the targets of this threat are located primarily in Palestinian West Bank, Hungary, Iran, and Lebanon. Other targets include Russia, Austria, Hong Kong, and the United Arab Emirates. The industry sectors or affiliations of individuals targeted are currently unclear.”

I am not sure of it’s “CyberWeapon” title, as it seems to be an information gatherer. Definitely worth keeping an eye on, but as with “APT” and “Stuxnet”, I am sure the media will beat this topic to death.