Java-based Malware

<This post has been graciously provided by a guest contributor Michael Kaur, who authors an anti-malware blog.  Let us know what you think! … Greg>

In the last few months, the amount of Java-based malware abusing Java vulnerabilities seems to have grown. There are hundreds of exploited Java vulnerabilities. Most of them are very well documented and have had security updates for years. Java has a strong security module, that’s for sure. They usually fix new vulnerabilities very quickly but unfortunately that’s not a problem for malware authors and distributors because most people for some odd reasons do not update Java. They also forget(?) to update Flash, PDF and, other third party software components.

The risks of Java are so obvious that you just can’t ignore them. The most popular exploit kits such as Blackhole, SpyEye, Orange pack, etc., are armed with Java exploits. Java Rhino, Java OBE, Java Skyline, Java SMB are just a few exploits that are used to infect computers and load malicious code. Usually, about 50% of actively used exploits are Java-based. Besides, they are not new, normally about 2-3 years old. In the first image (Fig.1) of Blackhole exploit kit admin panel you can see that more than 16k computers were taken over with the Java Rhino vulnerability. 366 computers were infected using the Java OBE exploit. In the second image (Fig.2) of the same exploit kit but an older version, probably v1.2.2 you can see lower numbers but still about 40% of successful loads are made using Java exploits. Numbers are very different for numerous reasons, but I’ve seen many exploit kits reporting 100k infected machines and even more.

Blackhole Exploit Kit - Java
Fig. 1


Fig. 2

If you’re running Java on your PC, but not the latest version, you may be asking for trouble. By the way, Mac users have to consider Java vulnerabilities too. Such cross-platform Java vulnerabilities as CVE-2011-3544 and CVE-2012-0507 are widely used by cyber criminals’ in exploit kits increasing the success rates of exploit kits in attacking vulnerable Internet users. Once your computer is infected, cyber criminals can choose what kind of malicious software they want to execute on your machine.

By the way, when you visit a malicious website serving Java exploit, you will see a notification similar to this one:

Very often it depends on victim’s geographical location. Internet users from U.S., Canada, UK, Germany and some other well established countries may expect various spyware modules: from banking Trojans to WoW account information grabbers. They usually become a part of a botnet whatsoever.

Another popular payload is a very sophisticated rootkit called ZeroAccess or Sirefef. Cyber crooks use this rootkit to either install rogue antivirus application or Google redirect virus on affected computers which basically redirects Google search results to malicious websites. Sometimes cyber crooks redirect users to web pages full of ads. In such case the goal is obvious – to generate fake traffic and ad clicks. This scheme is very popular and I believe it will remain so in the very near future. In my opinion, search engine redirects are not going away anytime soon.

There was a huge decrease in rogue security software distribution mostly because all major rogue payment gateways were closed. Cyber crooks simply couldn’t find a way out of this situation, so they decided to steal money from ad networks instead of is stealing money directly from victims. Of course, they can’t game Google and other huge ad networks. But they definitely can game smaller ones because most of the time they do not know how to properly identify fake clicks. Anyway, there are many more payloads for cyber crooks to choose from.

That’s why you have to make sure your software is up to date. You don’t need Java anymore? Even better, go ahead and uninstall it. It’s surprising how many people keep running it when there’s no valid reason to do so. Java is not installed by default with any modern version of Windows. Good news. On the other hand, most Adobe applications are dependable on Java. OpenOffice, a free alternative to Microsoft Office, uses Java for many features as well. Some other very, very popular applications are dependable on Java. Even some banks require you to use Java if you want to bank online. So obviously, some people can’t uninstall Java but that’s not a problem. Just keep it up to date. Simply visit the following link: http://www.java.com/en/download/installed.jsp or turn on automatic Java updates.

If you don’t need Java anymore, you can just remove JRE itself by following the instructions from the link below:

http://www.java.com/en/download/uninstall.jsp

By following these simple steps, you can protect your computer from Java-based malware. It’s the most effective method, a lot better than using an old Java version + free antivirus software.

1 Comment

    Trackbacks

    1. FLASH: If you’re using Java, update it « The Family HelpDesk

    Leave a Reply

    Fill in your details below or click an icon to log in:

    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out / Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out / Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out / Change )

    Google+ photo

    You are commenting using your Google+ account. Log Out / Change )

    Connecting to %s

    %d bloggers like this: