Just a word of caution those who will update their systems with the recent Java zero-day security patch: make sure to get it from a reliable source or else face the possibility of a malware infection.
Oracle has recently released its fix to the much talked-about Java zero-day (CVE-2012-3174) incident though with lukewarm reception from certain sectors, which include the US Department of Homeland Security. However, we encountered a malware under the veil of a Java update.
We were alerted to reports of a malware that poses as Java Update 11 created by an unknown publisher. The said fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class that downloads and executes malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}currencyreport.com/cybercrime-suspect-arrested/javaupdate11.jar.
Though the dropped malware does not exploit CVE-2012-3174 or any Java-related vulnerability, the bad guys behind this threat is clearly piggybacking on the Java zero-day incident and users’ fears. The use of fake software updates is an old social engineering tactic. This is not the first time that cybercriminals took advantage of software updates. Last year, we reported about a malware disguised as a Yahoo! Messenger, which we found in time for Yahoo!’s announcement of its update for Messenger.
In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official Oracle website.
Trend Micro™ Smart Protection Network™ protects users from this threat by detecting and deleting the related malware if found on their system.
Update as of Jan. 18, 2013 2:22 AM PST
JAVA_DLOADER.NTW downloads and executes Up1.exe (BKDR_ANDROM.NTW) and Up2.exe (TSPY_KEYLOG.NTW). TSPY_KEYLOG.NTW then downloads and executes %User Temp%\{random file name}.exe, which is detected as TROJ_RANSOM.ACV. During our analysis, this ransomware locks user’s screen and attempts to access specific sites to display its notification to users.
However, the malware we analyzed failed to download the said notification, thus the user is possibly left with a blank page.
With additional analysis from Threat response engineer Rhena Inocencio
