Java zero-day malware 'was signed with certificates stolen from security vendor'

A new Java zero day shares traits with attacks on Hong Kong Amnesty International, researchers have found.
Written by Liam Tung, Contributing Writer

Malware used in a zero-day Java exploit was signed with certificates stolen from a security firm, researchers have found.

The Java editions targeted by the malware, Java 6 Update 41 and Java 7 Update 15, were released only 10 days ago. Researchers at security firms FireEye and CyberESI have nevertheless already found an attack that successfully exploits a previously unknown flaw in both editions, now tracked as CVE-2013-1493, and have informed Oracle of its existence.

According to FireEye, the exploit is unreliable: in most cases it crashes the Java virtual machine before the payload runs, but when it does succeed it installs a trojan.

Researchers at security vendor Symantec have identified links between the malware and the recent compromise of security firm Bit9. In July 2012, attackers stole code-signing certificates from Bit9 and used them to sign malware so that it appeared to come from the company; Bit9 discovered the theft in January of this year.

The trojan, which Symantec calls Naid and FireEye calls McRat, was signed with the compromised Bit9 certificates, according to Symantec. As Krebsonsecurity.com noted, the malware also calls back to the same command-and-control server IP address seen in the Bit9 attacks. (We've asked FireEye for comment, and we'll update the story if any comes back.)

According to Symantec, attacks using the Naid trojan have employed a number of zero days, including a Microsoft Internet Explorer zero day used in a so-called "watering hole attack" on Amnesty International Hong Kong.

Attackers behind watering hole attacks compromise a site that their intended targets are likely to visit and serve the exploit from there. A recent example was the attacks on iOS developers at Apple, Facebook and Microsoft, which used the site "iPhoneDevSDK" and exploited a zero-day flaw in the Java browser plugin.

Users can fall victim to the latest Java exploit by visiting a compromised site that hosts a malicious JAR (Java Archive) file containing an exploit for CVE-2013-1493.
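The infection path above (a compromised site hands the Java plugin a JAR, which runs on an exposed client) has a simple network-side signature. The following detection logic is an added example and is not code from the article, FireEye or Symantec: it runs over constructed proxy log lines, flags JAR fetches served by hosts outside a local allowlist, and notes whether the client's Java build is at or below the targeted 6u41 / 7u15. The log format, the host names, the allowlist, the assumed "Java/1.7.0_15" user-agent shape of the plugin's own HTTP fetches, and the assumption that earlier builds of the same family are also exposed are all mine.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article). Assumed format:
# client method url status content-type "user-agent"
SAMPLE_LOG = """\
10.0.0.12 GET http://intranet.example.com/apps/timesheet.jar 200 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15"
10.0.0.12 GET http://cdn.example.com/static/site.js 200 application/javascript "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
10.0.0.31 GET http://blog.example.net/wp-content/uploads/x.jar 200 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_15"
10.0.0.44 GET http://blog.example.net/wp-content/uploads/x.jar 200 application/octet-stream "Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_41"
10.0.0.44 GET http://blog.example.net/index.html 200 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
10.0.0.50 GET http://files.example.org/tool.jar 200 application/java-archive "Mozilla/5.0 (Windows NT 6.1) Firefox/19.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) '
    r'(?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
# The plugin fetches applet JARs with its own HTTP stack; the UA carries the
# runtime version, e.g. "Java/1.7.0_15" (assumed UA shape for this example)
JAVA_UA_RE = re.compile(r'\bJava/1\.(?P<family>\d)\.\d_(?P<update>\d+)')

ALLOWED_JAR_HOSTS = {"intranet.example.com"}  # assumption: where sanctioned applets live
# The article names Java 6u41 and 7u15 as the targeted builds; this rule treats those
# and earlier updates of the same family as exposed (an assumption about older builds)
LATEST_TARGETED = {6: 41, 7: 15}

Alert = namedtuple("Alert", "client host url java_version exposed")


def java_version(ua):
    """Return (family, update), e.g. (7, 15), if the UA is the Java plugin, else None."""
    m = JAVA_UA_RE.search(ua)
    return (int(m.group("family")), int(m.group("update"))) if m else None


def is_exposed(version):
    """True when the client build is at or below the targeted update for its family."""
    if version is None:
        return False
    family, update = version
    return family in LATEST_TARGETED and update <= LATEST_TARGETED[family]


def is_jar_fetch(url, ctype):
    # Match on the path or the served type: a .jar may be served as octet-stream
    path = urlparse(url).path.lower()
    return path.endswith(".jar") or ctype.lower() == "application/java-archive"


def scan(log_text):
    """Return one Alert per successful JAR fetch from a host outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        rec = m.groupdict()
        if rec["method"] != "GET" or rec["status"] != "200":
            continue
        if not is_jar_fetch(rec["url"], rec["ctype"]):
            continue
        host = urlparse(rec["url"]).hostname or ""
        if host in ALLOWED_JAR_HOSTS:
            continue
        version = java_version(rec["ua"])
        alerts.append(Alert(rec["client"], host, rec["url"], version, is_exposed(version)))
    return alerts


def clients_per_host(alerts):
    """Group alerting clients by serving host: one site feeding JARs to many
    clients is the watering-hole shape the article describes."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a.host, set()).add(a.client)
    return by_host


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        tag = "EXPOSED" if a.exposed else "client build unknown"
        print(a.client, a.host, a.url, a.java_version, tag)
    print(clients_per_host(found))
```

The allowlist is the important part: on a network where sanctioned applets come from a handful of internal hosts, any plugin JAR fetch from elsewhere is worth a look regardless of client version, and the version only prioritises the alert.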

[Diagram: How the attack works. Credit: Symantec.]

FireEye has advised users to "disable Java in your browser until a patch has been released". It is unclear, however, whether Oracle will issue an update for Java 6, which it retired last month.
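FireEye's advice as a concrete setting. The fragment below is an added example, not from the article or FireEye; it assumes the Java 7 deployment.properties mechanism (from Java 7 Update 10, Oracle exposes a single "Enable Java content in the browser" switch, stored as the deployment.webjava.enabled property, and a property can be fixed by adding a key with the .locked suffix). The file is the per-user deployment.properties, or a system-wide one referenced from deployment.config for a fleet.

```properties
# Weak (the default): the browser plugin is active, so a watering hole can
# hand the plugin a JAR carrying the exploit
deployment.webjava.enabled=true

# Hardened: switch off Java content in every browser on the machine ...
deployment.webjava.enabled=false
# ... and lock it so the user cannot re-enable it from the Java Control Panel
deployment.webjava.enabled.locked
```

Disabling the plugin leaves desktop Java applications untouched, which is why this is cheaper than uninstalling Java outright while the patch is pending.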

The next scheduled Java 7 update is not due until 16 April. Oracle did, however, release an out-of-schedule update on 1 February that fixed 50 flaws, including one already being exploited by attackers, and its scheduled 19 February update, which delivered Java 7 Update 15, fixed a further five.
