Exploit kits abuse yet another zero-day vulnerability in Java

Summary: Although Java has had a couple of quiet months without a security incident, criminals have been taking advantage of yet another vulnerability in Java to make money.

TOPICS: Security, Oracle

Another zero-day vulnerability in Java has been discovered and is actively being exploited in the wild, according to a number of security researchers.

Java was hit by a string of exploits last year, followed by a few months of silence. However, recent updates to several exploit kits have revealed that new holes exist in Java 7 Update 10.

A researcher going by the name @kafeine spotted the exploit in action on a site that they claim receives "hundreds of thousands of hits daily". Looking at the HTTP GET requests and their related headers, kafeine shows how a number of sites using the exploit are able to download files directly to the victim's machine and carry out actions such as installing ransomware.

According to the researcher, the exploit is already being used in the Cool EK, Nuclear Pack, Redkit, Blackhole, and Sakura exploit toolkits, making it easy for criminals to deploy and make money.

Kafeine notified AlienVault labs, which has also independently verified that the exploit exists.

"The Java file is highly obfuscated, but based on the quick analysis we did, the exploit is probably bypassing certain security checks, tricking the permissions of certain Java classes," the company wrote on its blog.

As for kafeine's claims that it is already being used in exploit toolkits, at least one other source is backing him on his findings. Security commentator and blogger Brian Krebs, who has a history of maintaining memberships and reporting on the activities of a number of underground forums, said that the Blackhole curator, who goes by the name Paunch, provided the feature in the newest version of the kit as a New Year's gift. Krebs also confirmed a similar announcement made by the creator of the Nuclear Pack toolkit.

Users who have not yet disabled Java are advised to uninstall it, or to disable the plug-in in their browser, if they believe they are at risk.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Its all FAKE

    melbaback.. that site (BIT40.ℂOℳ).. it's fake, they ask you to submit the money and then you make a fool of yourself....
    • ZD is embarrassing

      What makes ZD look like fools is the use of non-terms like "zero-day", over and over for years. Is that supposed to be "cool" or "leet", ZD?

      Oscar Goldman
  • Java

    I just took Java out with Revo Uninstaller but still have a not-so-pleasant virus, backdoor or whatever it is. I contacted Toshiba and explained what was going on: IE constantly opens on its own, driving me crazy. They wanted me to pay $190 for this one computer, which is just way too high. I can no longer log into my bank as IE9 just spins all day; I have given up and walked away, and on return there it was, still spinning. Now I have no Java and no doubt still have a backdoor. I have been a member of ZDNET since the mid or early '90s, when you could upload your own software; I did several pastings of auto-run on programs when stuck in the dreaded blue screen. In this day and age I cannot believe we have an opening in Java and no reasonable fix. I absolutely never give out my credit card over the phone but have bought from several trusted sites. I received a call with no name and the number 1000000000. I was online, ran the name, and a whopping 240 Rip Off reports came up with a warning that they go by several names. Then, to my shock, he gave me my credit card number and told me to wait to be transferred to the authorization section and repeat the numbers and date. I said no and he hung up, but later there was another call, this time from "USA Benefits", and he told me to run that name in Rip Off Report. I told him there was no need; his accent along with that ridiculous number confirmed it. I told him no and boy did he get mad. No doubt he was in my computer thanks to Java. Please let me know of any fixes. Thank you, Rick Harold
    • If I had all that going on...

      ... I'd disconnect the system from the network, THEN try and clean it.

      I might go so far as to format the drive(s) and reinstall everything.

      The other thing I'd do (cos I'm a mean SOB when it comes to people trying to exploit my system) is to get a backup/system image of the infected machine, and load it into a virtual machine on my server. Turn it into a honeypot, record every packet of network data going to and from it, from the host machine.
    • I think you have a bad add-on.

      Try this. Start, All programs, Accessories, System tools, Internet Explorer (No Add-ons). If Internet Explorer works now, you have a corrupt add-on. You can enable add-ons one at a time until you find the bad one, and then just delete it. This has worked for me in the past.
      Good luck.
      • To : I think you have a bad add-on.

        Trying to be helpful from an ignorant point of view frequently results in increased damage. Some malware is designed to migrate through a system and hide itself where even the best scanners fail to check. Your advice here could result in malware taking up permanent residence with an unsuspecting host. Best to keep your suggestions under your hat and leave the "fixes" to the experts.
        • Removing a bad add-on or other malware program is valid advice

          Disabling an add-on will not remove the source of the infection, but it may allow someone to get online and download the tools they need to remove the problem.
          Not everyone can afford to hire an expert. Downloading and running up to date versions of malwarebytes, spybot, ccleaner etc. can remove a lot of malevolent programs. The best written stuff will elude the experts and even a casual wipe and reload. Internet security is illusory. The casual user just wants to surf and doesn't really care as long as it functions.

          Using javascript disabled browsers for casual surfing can reduce the likelihood of future infection.
    • Use Ubuntu/Linux

      How bout trying Ubuntu/Linux while you are at it. At least, it has slightly better security
    • I Would

      Go to Microsoft.com/security and run their Security Safety Software, previously known as the Malicious Software Removal Tool. You might try this first, it's free, and if that doesn't work you can search for another solution.
      • OOoops!

        After pressing the submit button, I realized you cannot get online, or can you? If not, as you were!
  • Come on, give us a break....

    This is what happens when you put a monkey on a keyboard... He'll spill milk on the keyboard, accidentally start up Windows Media Player (preferably running Windows XP) playing "Beethoven No. 5, track" and then jump around in excitement, making of course them monkey noises...

    It's awesomely incredible how uninformed people can be these days. A Java applet does not fly into your browser; it's all dependent on your browsing habits... And for a Java applet to run it needs to be downloaded.

    So what about updating browsers to ensure that users are informed before any malicious software is downloaded to their computers, or sharing info on how users can configure their existing browsers to behave as such?
    Roland Kar-tet
  • The real criminals are the ones that said JAVA worked.

    JAVA the virus hasn't been functional since day one. Over hyped garbage, supposed to be write once use many, but in reality was write many, use never.
    Reality Bites
    • Insightful

      How do I get your newsletter?
  • Install microsoft security essentials

    Microsoft is trying to take responsibility for the exploits through their software holes. Microsoft Security Essentials is a free software package that you can download from their site. It will clean your machine out and keep itself up to date. That's the best free way to address known virus issues. This new exploit may not have a signature in any antivirus software, so your experience may not be positive yet. But uninstall or turn off Java, and then make sure you have an up-to-date AV program on your PC.
  • Java

    I've run Java in my browser since day one and never had an exploit issue. Of course I also run a reliable firewall and AV from Eset. I highly recommend Eset; they stay on top of all the script kiddies' toys and cut them off at the pass.
    • I've run java in my browser since day one

      Famous last words of an overconfident, latter-day yuppie...
  • Does a Java exploit require JavaScript to work?

    And how can someone tell if they've been infected by some Java exploit?
  • RSS feed for this article and the comments.

    Where did the RSS feed for the comments go? This is an interesting post, but I have things to do. Don't tell me ZD stopped providing it, please.
    • RSS feed

      It's still there, but you need Java to access it !
  • Java 7 Version 11

    Just installed this version on both of my computers today, so for all intents and purposes I am up to date. I have never, to my knowledge, had any Java problems. I always have the latest version of W7 installed along with ZoneAlarm Firewall and Avast Anti-Virus, and also PSI installed to keep me up to date on all the software on my computers. When viruses have tried to creep in in the past, Avast has spotted them in a hurry. You should also run WOT (Web of Trust), which will let you know if you are on a creepy page. I have had it keep pages from opening because they have a RED rating, which means they are untrustworthy. I also try to stick to pages that have the GREEN rating with WOT. So far everything that I have put in the way of the malware has seemed to do the trick. It can be frustrating to have those things happen, but today you are offered better protection than at any time in the recent past, and it is imperative to take advantage of this security.