Java Zero-Day Exploit In The Wild, Spreading Ransomware

  • Posted on:January 10, 2013 at 5:04 pm
  • Posted in:Exploits, Ransomware, Vulnerabilities
  • Author:
    Bernadette Irinco (Technical Communications)

A new zero-day exploit in Java has been found in the wild. Currently, this exploit is being used by toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK).

CEK is the creation of the same author responsible for Blackhole Exploit Kit. It appears to be a high-end version of the more accessible BHEK. Zero-day exploits are first incorporated into CEK and only added into BHEK once they have been disclosed. It has been reported that CEK was being used to distribute ransomware, particularly Reveton variants.

Currently, we detect the exploits as JAVA_EXPLOIT.RG, with the sites that load this exploit code detected as HTML_EXPLOIT.RG. The Reveton payloads are detected as TROJ_REVETON.RG and TROJ_REVETON.RJ.

Reveton is one of the most common ransomware threats in existence today; it locks user systems and shows spoofed notifications from local police agencies. These inform users that to unlock their system, they must pay a fine ranging from $200 to $300. We discussed these threats in our earlier report Police Ransomware Update. In addition, our researcher Loucif Kharouni observed that this year we will see more developments in toolkits: new toolkits that are stealthier or harder to detect will emerge. This use of a zero-day exploit may be a taste of the trends to come in cybercriminal toolkits.

To prevent this exploit, and subsequently the related payload, we recommend that users consider whether they need Java on their systems. If it is needed, users should use the security feature in the Java Control Panel, which shipped in the latest version of Java 7, to disable Java content in the browser. This feature disables Java content in webpages while leaving the Java runtime installed. If Java content is not needed at all, users may opt to uninstall Java, as it can pose a security risk.

Trend Micro protects users from this zero-day exploit via its Deep Security rule 1005177 – Restrict Java Bytecode File (Jar/Class) Download. This rule blocks downloads of .JAR and .class files, thus preventing users from downloading the related malware. OfficeScan with Intrusion Defense Firewall (IDF) plugin users can also apply this rule to protect users from the malicious .JAR and .class files. Note that this rule blocks all Java content, not only the exploit.
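The two mitigations above, disabling Java content in the browser and blocking Java bytecode downloads, can both be checked programmatically. The following is an added example written for this article; it is not Trend Micro's code and not the Deep Security rule itself. It assumes that the Java Control Panel checkbox writes the property `deployment.webjava.enabled` to the user's `deployment.properties` file (an assumption to verify on your Java build), and it flags downloads by URL extension, declared Content-Type, or the leading bytes of the body, so that a .class file served under an image name is still caught. All sample data is constructed.

```python
"""Added example (not Trend Micro's code): two defender-side checks that
mirror the mitigations in the post.

1. web_java_disabled(): read a Java 7 deployment.properties and report
   whether "Enable Java content in the browser" is switched off. The
   property name deployment.webjava.enabled is assumed to be what the
   Java Control Panel checkbox writes (assumption; verify on your build).
2. scan_downloads(): flag HTTP downloads of Java bytecode (.jar / .class)
   from URL extension, declared Content-Type, or body magic bytes, in the
   spirit of a download-blocking IDS rule. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# --- 1. Java Control Panel setting --------------------------------------

def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties parser: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def web_java_disabled(properties_text: str) -> bool:
    """True only if the file explicitly disables Java content in browsers.
    A missing key means the Java default (enabled), so the host is still exposed."""
    props = parse_properties(properties_text)
    return props.get("deployment.webjava.enabled", "true").lower() == "false"

# --- 2. Java bytecode download detection --------------------------------

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every compiled .class file starts with this
ZIP_MAGIC = b"PK\x03\x04"           # a JAR is a ZIP archive
JAVA_EXTENSIONS = (".jar", ".class")
JAVA_CONTENT_TYPES = {
    "application/java-archive",
    "application/x-java-archive",
    "application/java-vm",
}

@dataclass
class HttpDownload:
    client: str
    url: str
    content_type: str
    body: bytes    # leading bytes of the response body

def java_bytecode_reason(dl: HttpDownload) -> Optional[str]:
    """Return which signal marks this download as Java bytecode, or None.
    Cheap metadata checks come first; content checks last, so a payload served
    as image/gif from a .gif URL is still caught by its magic bytes."""
    if urlparse(dl.url).path.lower().endswith(JAVA_EXTENSIONS):
        return "url-extension"
    if dl.content_type.split(";")[0].strip().lower() in JAVA_CONTENT_TYPES:
        return "content-type"
    if dl.body.startswith(CLASS_MAGIC):
        return "class-magic"
    # A plain ZIP is not enough; require JAR-specific entry names in the
    # local file headers (heuristic, not a full ZIP parse).
    if dl.body.startswith(ZIP_MAGIC) and (
        b"META-INF/MANIFEST.MF" in dl.body or b".class" in dl.body
    ):
        return "jar-magic"
    return None

def scan_downloads(downloads: List[HttpDownload]) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for every download to block or alert on."""
    hits = []
    for dl in downloads:
        reason = java_bytecode_reason(dl)
        if reason:
            hits.append((dl.client, dl.url, reason))
    return hits

# Constructed samples (not real traffic, real hosts, or real file content).
SAMPLE_PROPERTIES = """#deployment.properties
#Fri Jan 11 09:00:00 PST 2013
deployment.version=7.10
deployment.webjava.enabled=false
"""

SAMPLE_DOWNLOADS = [
    HttpDownload("10.0.0.5", "http://landing.example/loader.jar",
                 "application/java-archive", ZIP_MAGIC + b"\x14\x00"),
    HttpDownload("10.0.0.5", "http://landing.example/img/banner.gif",
                 "image/gif", CLASS_MAGIC + b"\x00\x00\x00\x33"),
    HttpDownload("10.0.0.7", "http://landing.example/applet?id=7",
                 "application/octet-stream", ZIP_MAGIC + b"\x14\x00META-INF/MANIFEST.MF"),
    HttpDownload("10.0.0.9", "http://cdn.example/jquery.min.js",
                 "application/javascript", b"(function(){})();"),
    HttpDownload("10.0.0.9", "http://files.example/report.zip",
                 "application/zip", ZIP_MAGIC + b"\x14\x00report.pdf"),
]

if __name__ == "__main__":
    print("web Java disabled:", web_java_disabled(SAMPLE_PROPERTIES))
    for hit in scan_downloads(SAMPLE_DOWNLOADS):
        print("BLOCK", *hit)
```

Note that, like the Deep Security rule, the download check blocks every JAR and class file it sees, legitimate or not; the properties check is the finer-grained option when Java is still needed for desktop applications but not in the browser.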

Watch this space for updates on a new rule that will be shipped for this particular exploit.

Update as of January 11, 2013 2:45 PM PST

Trend Micro Deep Security has released protection for this Java zero-day exploit as well as the Ruby on Rails vulnerabilities. For details on Trend Micro's solutions, visit our blog entry, Java Zero-Day Exploit and Ruby on Rails Vulnerabilities.
