Malware campaign uses direct injection of Java exploit code
Our ThreatSeeker® Network is constantly on the lookout to protect our customers from malicious attacks. Recently, it has detected a Rogue AV campaign that directly attacks the user's system instead of first redirecting to a dedicated attack server. Websense customers are protected from this attack by ACE, our Advanced Classification Engine.
Attackers usually compromise web pages to drive traffic to web servers hosting exploit kits. In this injection though, we see exploit code directly planted into legitimate pages:
The code shown attacks an Oracle Java vulnerability (CVE-2010-4452) by exploiting a design flaw in the Java class loader to execute an unsigned Java applet with local user rights. The exploit affects Java Runtime Environment versions 6 Update 23 and earlier; Oracle addressed it with Update 24 in February 2011. In internal tests, we could confirm that the malicious applet would load in all popular browsers with built-in Java support, such as IE, Firefox, and Opera. The applet in this attack is used to locate and execute a .exe payload that is disguised as a .jpg file in the foreground parameter of the applet tag. While the system is being attacked, the user would only see the Java icon popping up in the Windows taskbar:
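The injection pattern described above (an applet tag whose parameter names an "image" that is really a Windows executable) lends itself to a simple content check: collect every applet on a page, look at parameters that claim an image extension, and compare the claimed type against the file's magic bytes. The script below is an added detection example written for this post, not Websense code or the ACE logic; the HTML, the URLs (example.invalid) and the fetched bytes are constructed stand-ins, and the parameter name "foreground" is reused from the campaign description.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one injected <applet> whose "foreground" parameter
# points at a file named like a JPEG, plus an ordinary <img> for contrast.
# Hostnames and paths are hypothetical placeholders.
SAMPLE_HTML = """
<html><body>
<p>Legitimate page content</p>
<applet code="Loader.class" archive="http://example.invalid/app.jar" width="1" height="1">
  <param name="foreground" value="http://example.invalid/img/photo.jpg">
</applet>
<img src="/static/logo.jpg">
</body></html>
"""

# Constructed stand-in for fetching the referenced files offline:
# the "photo.jpg" bytes start with a PE (MZ) header, the logo is a real JPEG.
SAMPLE_FETCH = {
    "http://example.invalid/img/photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,
    "/static/logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 60,
}

class AppletCollector(HTMLParser):
    """Collects each <applet> tag together with its <param> name/value pairs."""
    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet":
            self._current = {"attrs": a, "params": {}}
        elif tag == "param" and self._current is not None:
            # <param> is a void element, so it only ever arrives as a start tag
            self._current["params"][a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet" and self._current is not None:
            self.applets.append(self._current)
            self._current = None

def extract_applets(html):
    parser = AppletCollector()
    parser.feed(html)
    return parser.applets

IMAGE_EXT = re.compile(r"\.(jpe?g|gif|png|bmp)(\?.*)?$", re.I)

def claims_image(url):
    """True when the URL's extension says 'image'."""
    return bool(IMAGE_EXT.search(url))

def looks_like_executable(data):
    """PE executables start with the 'MZ' DOS header, regardless of file name."""
    return data[:2] == b"MZ"

def find_disguised_payloads(html, fetch):
    """Return (applet_index, param_name, url) for every applet parameter that
    names an image file but whose content carries an MZ header.
    `fetch(url)` must return the file bytes, or None if unavailable."""
    findings = []
    for i, applet in enumerate(extract_applets(html)):
        for name, value in applet["params"].items():
            if not claims_image(value):
                continue
            data = fetch(value)
            if data is not None and looks_like_executable(data):
                findings.append((i, name, value))
    return findings

if __name__ == "__main__":
    for idx, pname, url in find_disguised_payloads(SAMPLE_HTML, SAMPLE_FETCH.get):
        print(f"applet #{idx}: param '{pname}' -> {url} is a PE file disguised as an image")
```

In a crawler or proxy the `fetch` callable would retrieve the referenced object; the point of checking magic bytes rather than the extension is that the campaign relies on exactly that mismatch. The same collector can feed other rules (for example, an applet whose archive is hosted on a different domain than the page), but the MZ-vs-extension comparison is the signal this post documents.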
The payload in this case is the nowadays ubiquitous Rogue Antivirus:
In case you haven't already done so, don't forget to update your Java version as soon as possible.