Monday, August 2, 2010

CVE-2009-3867 + CVE-2008-5353 JAVA low detection obfuscated malware

All the credit for this post goes to TomU (c-apt-ure.blogspot.com) .
Also, many thanks to Donato "ratsoul" Ferrante (inReverse.net) for his help with the identification.


Download 8d3dc9f89904405efac99d1209a31827 + c093d9e1354c3c7a7f7dd85ccaa83d74 as a password-protected archive (please contact me for the password if you need it)

FILE 1
CVE-2008-5353 The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".


Read more at InReverse JAVA Exploit Kit Malware #1



 File jar_cache5159677240627350244.tmp. received on 2010.07.30 07:02:21 (UTC)
http://www.virustotal.com/analisis/3ab2dd42406dc92e157ad10ae51fd4a05fa2db0787179b9e5a50e4571964be78-1280473341
Result: 1/41 (2.44%)
DrWeb     5.0.2.03300     2010.07.30     Exploit.Java.89
File size: 11062 bytes
MD5   : 8d3dc9f89904405efac99d1209a31827


Low detection is due to obfuscation


FILE 2

 
File jar_cache924482195637021488.tmp.j received on 2010.08.02 04:06:58 (UTC)
http://www.virustotal.com/analisis/41d5826e1c8eae1d8d10e9f3cc5e1fe9e96b17039a3976aabaa21d533b9b859a-1280722018
Result: 1/42 (2.39%)
DrWeb    5.0.2.03300    2010.08.02    Exploit.Java.88
File size: 4071 bytes
MD5...: c093d9e1354c3c7a7f7dd85ccaa83d74

 

Low detection is due to obfuscation

Until recently, the detection was 0/41
https://www.virustotal.com/analisis/41d5826e1c8eae1d8d10e9f3cc5e1fe9e96b17039a3976aabaa21d533b9b859a-1280305057
https://www.virustotal.com/analisis/3ab2dd42406dc92e157ad10ae51fd4a05fa2db0787179b9e5a50e4571964be78-1280305067
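Both samples above score 1/41 on VirusTotal because the class names and control flow are obfuscated, not because the exploit itself is novel. As an added example (not part of the original post, and not code from TomU or InReverse), here is a small offline triage script for a jar_cache file of this kind. It does not try to de-obfuscate the bytecode; it looks for what an obfuscator cannot rename, namely the JRE class and method names the exploit must reference (java/util/Calendar, sun/util/calendar/ZoneInfo and ObjectInputStream.readObject for CVE-2008-5353; com/sun/media/sound/HsbParser.getSoundBank for CVE-2009-3867, taken from that CVE's description rather than from this post), plus the 0xACED0005 header of an embedded serialized Java object, and it scores how many class names look machine-generated. The two jars it builds are constructed stand-ins with fake class bodies, not the samples above; the indicator lists and the "two independent signals" rule are my choices.

```python
"""Offline static triage for a suspicious jar_cache*.tmp file (added example, not from the post)."""
import hashlib
import io
import json
import re
import sys
import zipfile

# Strings a class file's constant pool must carry to reach the vulnerable JRE code.
# Class-file UTF8 constants are stored as plain (modified) UTF-8, so a raw substring
# search finds them without parsing the constant pool, however the class is renamed.
INDICATORS = {
    "CVE-2008-5353": [b"java/util/Calendar", b"sun/util/calendar/ZoneInfo",
                      b"java/io/ObjectInputStream", b"readObject"],
    "CVE-2009-3867": [b"com/sun/media/sound/HsbParser", b"getSoundBank"],
}
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # header written by java.io.ObjectOutputStream
CLASS_MAGIC = b"\xca\xfe\xba\xbe"         # header of every .class file

# Heuristic (my choice): obfuscators leave 1-3 character names in the default package.
OBFUSCATED_NAME = re.compile(r"^[A-Za-z0-9_$]{1,3}\.class$")


def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def obfuscated_fraction(names) -> float:
    """Share of .class entries whose names look machine-generated."""
    classes = [n for n in names if n.endswith(".class")]
    if not classes:
        return 0.0
    return sum(1 for n in classes if OBFUSCATED_NAME.match(n)) / len(classes)


def scan_entry(name: str, blob: bytes) -> dict:
    hits = {}
    for cve, needles in INDICATORS.items():
        found = [n.decode() for n in needles if n in blob]
        if found:
            hits[cve] = found
    return {"name": name,
            "is_class": blob.startswith(CLASS_MAGIC),
            "has_serialized_object": JAVA_SERIAL_MAGIC in blob,
            "hits": hits}


def triage(jar_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        entries = [scan_entry(n, zf.read(n)) for n in names]
    cves = sorted({cve for e in entries for cve in e["hits"]})
    serial = any(e["has_serialized_object"] for e in entries)
    obf = obfuscated_fraction(names)
    return {**hashes(jar_bytes),
            "size": len(jar_bytes),
            "entries": names,
            "obfuscated_fraction": obf,
            "suspected_cves": cves,
            "embeds_serialized_object": serial,
            # Legitimate code uses Calendar too, so require a second signal before flagging:
            # an embedded serialized object or a mostly-obfuscated class list.
            "suspicious": bool(cves) and (serial or obf >= 0.5)}


def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_jar() -> bytes:
    """Constructed stand-in for an obfuscated CVE-2008-5353 jar; class bodies are fake."""
    return _jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "a.class": CLASS_MAGIC + b"\x00\x00\x00\x32java/util/Calendar\x00sun/util/calendar/ZoneInfo",
        "b.class": CLASS_MAGIC + b"\x00\x00\x00\x32java/io/ObjectInputStream\x00readObject",
        "c.ser": JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x12java.util.Calendar",
    })


def build_benign_jar() -> bytes:
    """Constructed ordinary applet that merely uses Calendar; should not be flagged."""
    return _jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/Main.class": CLASS_MAGIC + b"\x00\x00\x00\x32java/util/Calendar\x00getInstance",
    })


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    print(json.dumps(triage(data), indent=2))
```

Run it as `python triage.py jar_cache5159677240627350244.tmp` to get the hashes, entry list and suspected CVEs as JSON; with no argument it triages the constructed sample. Treat the result as a pointer for manual review, not a verdict: the indicator strings will also appear in a jar that has merely been repacked with the exploit's strings, and a packer that stores class files encrypted and loads them at run time defeats the substring search entirely.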

infected website:  hxxp://www.formel1.de/
malware site:  hxxp://meinvorun.biz/zl/s1/ 

Tom pointed out that the traffic and URL patterns are similar to those described in Webseite des US-Finanzministeriums gehackt ("Website of the US Treasury hacked"), where the malware was served by Eleonore v1.3.2. Eleonore 1.4.1 does not contain CVE-2008-5353, which makes us think these files could indeed come from Eleonore 1.3.2. Another possibility is Phoenix 2.0, which contains the same Java exploits (if you figure out which exploit pack is hosted on that IP, let me know).

188.40.232.254

The host names sharing this IP were chosen by a Russian speaker and point to Russian-speaking cybercriminals
http://www.robtex.com/dns/meinvorun.biz.html#shared


IP address 188.40.232.254 is on many blacklists
