Security Researcher Discovers New Java Attack Toolkit


Security researchers at Webroot have uncovered a dangerous new automated attack toolkit made to conduct Web-based attacks targeting Java vulnerabilities.

The exploit toolkit is currently based entirely on two Java vulnerabilities that have been patched by Oracle, said Dancho Danchev, a security blogger and cyberthreat analyst at the Broomfield, Colo.-based endpoint security vendor.

According to the statistics identified by Danchev, the toolkit has had the most success infecting systems in the U.S., followed by Turkey, Poland and Brazil. The most widely infected operating systems are Windows NT 6.1 and Windows XP. The infection rate is 9.5 percent, which is low for an automated toolkit, Danchev said.

[Related: Malware Rising: Trojans Dominate Rankings, Study Finds]

The exploit kit can be rented for $40 an hour or up to $450 for a month. Automated services can notify those renting the kit if security vendors have identified infected domains. Danchev said he doesn't expect the toolkit to cause widespread damage because most enterprises and individuals are patching Java quickly or disabling it altogether.

"Some of the most recent Java vulnerabilities received massive media coverage, prompting enterprises and end users to permanently disable it," Danchev wrote in the Webroot Threat Blog. "Then again, this leads us to a dangerous myopia, where end and corporate users think that disabling Java prevents cybercriminals from establishing exploitation 'touch points' with their endpoints."

Other automated toolkits have added Java exploits, including the widely used Black Hole exploit kit, responsible for the bulk of financially motivated cyberattacks. Antivirus vendor Trend Micro said Black Hole is using a Java exploit from January in a spate of phishing emails masquerading as a PayPal email message. Clicking on a link in the message redirects victims to a website that checks their system for Adobe Reader, Flash Player and Java vulnerabilities, wrote Romeo Dela Cruz, a threat research engineer at Trend Micro. An open vulnerability will trigger the infection of malware that attempts to steal data stored in Google Chrome, Mozilla Firefox and Internet Explorer.

"At the end of the infection chain, this BHEK code will access the malicious page below to lead users into thinking that they're just redirected to a seemingly nonmalicious website," Dela Cruz said.

Oracle issued an emergency Java update Monday, repairing two recently discovered Java vulnerabilities, including one coding error being actively targeted by cybercriminals. Oracle is investigating five additional Java vulnerabilities submitted by Security Explorations, a Poland-based security research firm.

Security experts are urging users to disable Java in the browser if it is not needed. Oracle has set Java security settings to high by default to prevent nonapproved Java applets from running without permission.

PUBLISHED MARCH 5, 2013