Last Friday, Tavis Ormandy published details about a vulnerability in the Java Deployment Toolkit. The vulnerability allows an attacker to download and execute arbitrary Java code on a vulnerable system.
We released generic detection for attacks against this vulnerability; the exploit code is detected as "JS/Exploit.JavaDepKit.A trojan". Since yesterday we have been seeing this vulnerability exploited in the wild, both in targeted attacks and on a wider scale.
As explained by Roger Thompson and Brian Krebs, the exploit code is being deployed on known malicious hosts, probably in an attempt to install malware on as many computers as possible. As of this morning, we have identified at least 145 different distribution points for this exploit code. Most of them are hosted in Russia on domains with names like "rubytube.ru", "myownage.ru", and "redtagjewelers.ru". For now, most of the exploit code doesn't do anything because the second-stage JAR (Java ARchive) file hasn't been placed on the server yet. It is probably only a question of time before these distribution points are used to install malware.
We are seeing many malicious links with file names like "test", or placed in folders named "test". This leads us to think the attackers are still preparing and testing their attack. In all cases, the exploit code we are observing is *exactly* the same as the one released by Tavis Ormandy in his advisory. The attackers didn't even bother removing the comments at the end of the proof of concept. The only thing they changed is the URL for the payload. We have spotted at least five different payload URLs, all inactive for the moment.
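The indicators above (the named distribution domains, the "test" file and folder names, and the not-yet-present second-stage JAR) are the kind of thing a defender can hunt for in web proxy logs. The following is an added example, not code from ESET or from the original post: it parses a few constructed proxy log lines (the log format, the client addresses and the URLs are all made up for illustration) and flags requests that hit one of the domains named in the post, that use a "test" path component, or that fetch a JAR from one of those domains, recording whether the second stage was actually served or was still missing. The domain list is only what the post names; a real hunt would extend it from current threat intelligence.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines for illustration only (not real traffic):
# <timestamp> <client-ip> <method> <url> <http-status>
SAMPLE_LOG = """\
2010-04-14T09:12:01 10.0.0.12 GET http://rubytube.ru/test/index.html 200
2010-04-14T09:12:02 10.0.0.12 GET http://rubytube.ru/test/payload.jar 404
2010-04-14T09:15:40 10.0.0.31 GET http://www.example.com/news/index.html 200
2010-04-14T09:16:07 10.0.0.31 GET http://myownage.ru/js/a.js 200
2010-04-14T09:20:11 10.0.0.44 GET http://cdn.example.org/lib/app.jar 200
"""

# Distribution domains named in the post. Extend from your own threat intel.
KNOWN_DOMAINS = {"rubytube.ru", "myownage.ru", "redtagjewelers.ru"}

# Assumed (constructed) log line layout; adapt the pattern to your proxy's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# A path component literally named "test" (as a folder or a file name).
TEST_PATH_RE = re.compile(r"(^|/)test(/|\.|$)")


def is_known_domain(host):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower()
    return host in KNOWN_DOMAINS or any(host.endswith("." + d) for d in KNOWN_DOMAINS)


def classify(url, status):
    """Return the list of reasons a request is suspicious (empty if none)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.lower()
    reasons = []
    if is_known_domain(host):
        reasons.append("known-distribution-domain")
    if TEST_PATH_RE.search(path):
        reasons.append("test-path")
    # A JAR from a known distribution host is the second stage; note whether it
    # was actually served (200) or, as the post observes, not yet in place.
    if path.endswith(".jar") and "known-distribution-domain" in reasons:
        reasons.append("second-stage-jar-fetched" if status == "200"
                       else "second-stage-jar-missing")
    return reasons


def triage(log_text):
    """Parse proxy log text and return one record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        reasons = classify(m.group("url"), m.group("status"))
        if reasons:
            hits.append({
                "client": m.group("client"),
                "url": m.group("url"),
                "status": m.group("status"),
                "reasons": reasons,
            })
    return hits


def clients_to_investigate(hits):
    """Group flagged requests by client so affected machines can be prioritised."""
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], []).append(h["url"])
    return by_client


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["client"], h["status"], h["url"], ",".join(h["reasons"]))
    print(clients_to_investigate(triage(SAMPLE_LOG)))
```

A client that fetched the landing page but got a 404 on the JAR was exposed to the exploit but most likely not infected by it; a 200 on the JAR is the case to treat as a probable compromise and pull the machine for examination.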
What is more worrying is that we are also seeing the Java Deployment Toolkit vulnerability being exploited in what seem to be targeted attacks. We have seen at least one case in Asia where an executable was successfully downloaded and executed. This file resembles a malware family called Win32/Agent.RAZ, used for political attacks in the last two weeks.
Credits to Alexis Dorais-Joncas, Patrick Sucansky, and Peter Kosinar for their work on this issue.
Author Pierre-Marc Bureau, ESET