“There is no delight in owning anything unshared.”

Cyberattacks August 2012 – Java Zero-Day Exploited in the Wild

This new vulnerability exploitation consists of two phases. The first phase downloads a malicious Java applet from ok[.]aa24[.]net, IP address 59.120.154.62, which currently resolves to an address in Taiwan. Once the first exploitation is successful, it downloads and executes a dropper on the infected host. The dropper appears to be a Poison Ivy RAT variant, which is likely to be detected by many antivirus vendors. The dropper then calls out to a C&C server at the domain hello[.]icon[.]pk. Currently, this domain resolves to the IP address 223.25.233.244, located in Singapore.

Sources on the Internet indicate that the exploitation works on Internet Explorer, Firefox and Google Chrome, and that it affects Java 7 (1.7) Update 0 to 6. Metasploit later integrated this exploit into its framework, and it was reported that the attack is successful against a fully patched Windows 7 SP1 with Java 7 Update 6. Another landing page, “62[.]152[.]104[.]149/public/meeting/applet[.]jar”, is also serving the Java zero-day exploit (CVE-2012-4681).

The landing page ok[.]aa24[.]net looks like a blank page. Sometimes we may see the word “Loading”.

Advisories:
Disable the Java plugin in your browser or uninstall Java from your computer completely.
*[http://krebsonsecurity[.]com/how-to-unplug-java-from-the-browser/]
Block 59.120.154.62 (ok[.]aa24[.]net) and 223.25.233.244 (hello[.]icon[.]pk).
*However, attackers are not limited to the current domains and IP addresses.
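As an added example (not part of the original post), the following Python script runs the post's indicators over constructed proxy log lines, flagging the two stages described above (applet download from the landing hosts, then the call-out to the C&C domain) and a Java 7 Update 0 to 6 client as advertised in the request's user-agent. The log format and the user-agent strings are assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the post (defanged brackets removed for matching).
STAGE1_HOSTS = {"ok.aa24.net", "59.120.154.62", "62.152.104.149"}
C2_HOSTS = {"hello.icon.pk", "223.25.233.244"}

# Java 7 Update 0-6 is the affected range named in the post.
JAVA_UA = re.compile(r"Java/1\.7\.0(?:_(\d+))?")

# Constructed proxy log lines (assumed format: timestamp client method url user-agent).
SAMPLE_LOG = """\
1345680000.123 10.0.0.5 GET http://ok.aa24.net/ Mozilla/5.0
1345680001.456 10.0.0.5 GET http://ok.aa24.net/applet.jar Java/1.7.0_06
1345680005.789 10.0.0.5 POST http://hello.icon.pk/ Mozilla/4.0
1345680010.000 10.0.0.7 GET http://62.152.104.149/public/meeting/applet.jar Java/1.7.0_07
1345680011.000 10.0.0.9 GET http://example.com/index.html Mozilla/5.0
"""

def java_is_vulnerable(user_agent):
    """True if the user-agent advertises Java 7 Update 0-6 (the affected range)."""
    m = JAVA_UA.search(user_agent)
    if not m:
        return False
    update = int(m.group(1) or 0)
    return update <= 6

def analyse(log_text):
    """Map each client IP to the attack stages observed for it."""
    stages = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # skip malformed lines
        _ts, client, _method, url, ua = parts
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        if host in STAGE1_HOSTS:
            stages[client].add("landing")
            if url.lower().endswith(".jar"):
                stages[client].add("applet")
            if java_is_vulnerable(ua):
                stages[client].add("vulnerable_java")
        if host in C2_HOSTS:
            stages[client].add("c2")
    return {c: sorted(s) for c, s in stages.items()}

def likely_compromised(stages):
    """Clients that fetched the applet and then beaconed to the C&C server."""
    return sorted(c for c, s in stages.items() if "applet" in s and "c2" in s)
```

A client that shows only the landing stage is a candidate for Java patching or plugin removal; one that shows both the applet and the C&C stage should be treated as infected.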
