
The security community has been focused on the new Java zero-day exploits that appear to have been taken from a Chinese exploit pack (known as Gondad or KaiXin) used in targeted attacks by the “Nitro” cyber-espionage campaign and then incorporated into criminal operations using the BlackHole Exploit Kit. While the connections between these developments are starting to emerge, it is important to remember that campaigns, such as Nitro, don’t “come back” because they don’t go away. The Nitro attackers continued to be active after their activities were documented in 2011.

In fact, before they acquired this Java exploit, the Nitro attackers were continuing to send out emails to their targets with direct links to Poison Ivy executables in early August 2012 (on a related note, another email was spotted in April 2012).

The file Flashfxp.exe was hosted on one of the same servers that hosted the Java zero-day and Poison Ivy payload, and it connects to ok.{BLOCKED}n.pk, which resolves to the same IP address, {BLOCKED}.{BLOCKED}.233.244. This is the same address as hello.{BLOCKED}n.pk, the domain used as the command and control server for the Poison Ivy payload dropped by the Java zero-day.

Despite having at least two staging servers hosting the malicious files for the Java zero-day exploit (and at least three staging servers hosting executables), all the Poison Ivy payloads connect to domains that resolve to the same IP address. Numerous domain names used as Poison Ivy controllers related to the Nitro campaign also resolve to that IP address. While there was some initial skepticism regarding whether or not this Java exploit was used in targeted attacks, there appears to be increasing evidence that it was used by the “Nitro” attackers.
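The attribution above rests on an infrastructure pivot: one domain is already tied to the Poison Ivy payload, and every other domain resolving to the same address becomes a candidate for the same campaign. The script below is an added example (not Trend Micro's code, and not the indicators from this post) that performs that pivot over a constructed set of passive-DNS style observations using documentation-range addresses and `.invalid` hostnames, then matches the expanded watchlist against constructed proxy-log hostnames.

```python
from collections import defaultdict
from ipaddress import ip_address


# Constructed sample passive-DNS style observations: (domain, resolved IP).
# Documentation-range placeholders only, not the indicators from the post.
OBSERVATIONS = [
    ("hello.c2-placeholder.invalid", "192.0.2.244"),
    ("ok.c2-placeholder.invalid", "192.0.2.244"),
    ("update.c2-placeholder.invalid", "192.0.2.244"),
    ("staging-one.invalid", "198.51.100.10"),
    ("staging-two.invalid", "198.51.100.11"),
    ("cdn.unrelated.invalid", "203.0.113.5"),
    ("hello.c2-placeholder.invalid", "192.0.2.244"),  # repeat sighting
]

# Domain already attributed to the campaign: a constructed stand-in for the
# Poison Ivy controller reached by the payload dropped by the Java zero-day.
KNOWN_C2 = {"hello.c2-placeholder.invalid"}


def build_index(observations):
    """Index observations both ways: domain -> IPs and IP -> domains."""
    by_domain = defaultdict(set)
    by_ip = defaultdict(set)
    for domain, ip in observations:
        ip = str(ip_address(ip))  # normalise and reject malformed addresses
        by_domain[domain.lower()].add(ip)
        by_ip[ip].add(domain.lower())
    return by_domain, by_ip


def pivot(observations, known_domains):
    """Expand a set of known C2 domains to every domain sharing an IP with them.

    Returns (clusters, new_domains): clusters maps each shared IP to the
    sorted list of domains resolving to it; new_domains is the set of domains
    not in known_domains that now share infrastructure with them.
    """
    by_domain, by_ip = build_index(observations)
    known = {d.lower() for d in known_domains}
    shared_ips = set()
    for d in known:
        shared_ips |= by_domain.get(d, set())
    clusters = {ip: sorted(by_ip[ip]) for ip in sorted(shared_ips)}
    new_domains = set()
    for ip in clusters:
        new_domains |= by_ip[ip]
    return clusters, new_domains - known


def flag_hosts(log_hosts, watchlist):
    """Return the hostnames from a proxy/DNS log that appear in the watchlist."""
    watch = {d.lower() for d in watchlist}
    return sorted({h.lower() for h in log_hosts} & watch)


if __name__ == "__main__":
    clusters, new_domains = pivot(OBSERVATIONS, KNOWN_C2)
    for ip, domains in clusters.items():
        print(ip, "->", ", ".join(domains))
    print("newly associated:", sorted(new_domains))
    # Constructed proxy-log hostnames to check against the expanded watchlist.
    seen = ["ok.c2-placeholder.invalid", "cdn.unrelated.invalid", "www.example.invalid"]
    print("hits:", flag_hosts(seen, new_domains | KNOWN_C2))
```

The pivot yields leads, not verdicts: shared hosting, sinkholes and parked domains also put unrelated names on one address, so each newly associated domain should be checked for corroborating evidence (the same payload family, the same staging servers, overlapping timing) before it is treated as campaign infrastructure.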

Trend Micro products detect and remove the exploits and Poison Ivy payload. Deep Discovery™ also detects and blocks communication done by the Poison Ivy payload.

Update as of August 31, 6:30 PM PDT

Oracle has released an out-of-band patch for Java which patches this zero-day exploit. The update increments the version number to Version 7 Update 7 for users on the latest JRE version; users still using Java 6 are also receiving an update that will increment their version to Version 6 Update 35. Users should immediately update their systems to protect against this threat.

Update as of September 4, 11:10 AM PDT

Trend Micro Deep Security users should apply the rule 1005178 – Java Applet Remote Code Execution Vulnerability – 2 to protect from threats seen exploiting this Java vulnerability.
