2013-01-10 - 0day
0 day 1.7u10 (CVE-2013-0422) spotted in the Wild - Disable Java Plugin NOW !
Was wondering what to do with that...
Disclose, do not Disclose.Hundreds of thousands of hits daily where i found it. This could
I think it's better to make some noise about it.
.png) |
| Standard PE download via CVE-2013-0422 with jre1.7u10 - Firefox Windows XP |
 |
| Standard PE download via CVE-2013-0422 with jre1.7u9 - Internet Explorer 9 Windows 7x64 |
<edit1 10/01/13 14:24 GMT+1>
Reading this, Zero-Day Java Exploit Debuts in Crimeware by Brian Krebs
I think there is no reason anymore to try to hide anything. Let's Disclose.
Cool EK :
 |
| CBeplay.P Cool EK Landing 10/01/13 |
 |
| 0 day in Cool EK Cbeplay.P Spain Landing |
GET http://geurtdenhaupdad.bounceme .net/read/offer-canvas.jsp
200 OK (text/html)
GET http://geurtdenhaupdad.bounceme .net/read/UTTER-OFFEND.JAR
200 OK (application/java-archive) ee4930874422c818267b44112ac8f29b
GET http://geurtdenhaupdad.bounceme .net/read/UTTER-OFFEND.exe
200 OK (application/x-msdownload) 237f8ffc0c24191c5bb7bd9099802ee4 CBeplay.P Ransomware - ES (out of scope)
.png) |
| The payload : CBeplay.P - Localized for Spain |
.png) |
| The payload : CBeplay.P - Localized for UK |
If you are interested by this Specific Threat (CBeplay.P), feel free to drop a mail.
 |
| 0 day in Cool EK Reveton |
GET http://50ee59e132505.painfree123 .com/news/COSTLY-PROCURE.PHTML
200 OK (text/html)
GET http://50ee59e132505.painfree123 .com/news/contempt.eot <- CVE-2011-3042 failed (IE9) attempt (duqu like font drop)
200 OK (text/html)
GET http://50ee59e132505.painfree123 .com/news/Edit.jar ee4930874422c818267b44112ac8f29b
200 OK (application/java-archive)
GET http://50ee59e132505.painfree123 .com/news/Edit.exe
200 OK (application/x-msdownload) 0623ce6af469c041c3908f5c64e2cad6 Reveton Ransomware (out of scope)
(More Reveton : d28964c1f895c8edcb613f8b2cb5d051 fdf12efe66d614bfb29c51897a104430 ec7ad2a9c4ccff2630fb00db435a8941 )
 |
| Reveton SE "Winter" Landing More information here |
one more Java:
a3608c0086c93eec085f3f078c44fdf3
Useless video showing live infection (working referrer incl.)
Nuclear Pack :
 |
| Announcement for Nuclear Pack. |
 |
| CVE-2013-0422 Positive path on Nuclear Pack |
GET http://hrertfdgfdgdf.uk .to:44329/t/a157f0a63a7c2a1b827c78527ef0ff77
200 OK (text/html)
GET http://hrertfdgfdgdf.uk .to:44329/images/830ccc2f0965442c0baa7ad8bbbaa2db/1358194984/aaf63962aad6edec92505d83ae53ac96.jar
200 OK (application/java)
GET http://hrertfdgfdgdf.uk .to:44329/images/830ccc2f0965442c0baa7ad8bbbaa2db/1358194984/aaf63962aad6edec92505d83ae53ac96.jar
200 OK (application/java) c8b6266ba7862b93fa086c9babc175d5
GET http://hrertfdgfdgdf.uk .to:44329/f/1358194984/aaf63962aad6edec92505d83ae53ac96/830ccc2f0965442c0baa7ad8bbbaa2db/2
200 OK (application/octet-stream) 61d1985915800ac7bc36329d669f2f17 Fast look. Seems to be Urausy Ransomware
Redkit :
 |
| Redkit featuring what could be the same 0day |
GET http://streamwoman .com/mfui.htm
200 OK (text/html)
GET http://streamwoman .com/miqt.htm
200 OK (text/html)
GET http://streamwoman .com/332.jar
404 Not Found (text/html)
GET http://streamwoman .com/887.jar
200 OK (application/java-archive) 7143829b81963bd7c3fad219b595ec4c
200 OK (application/octet-stream)
 |
Blackhole :
 |
| Sinowal Blackhole featuring 0 day |
GET http://wymxxnb.compress .to/adfasdfksjdfn/implying-specify-dropping-fundamental.php
200 OK (text/html)
GET http://wymxxnb.compress .to/adfasdfksjdfn/implying-specify-dropping-fundamental.php?cvwms=iyokjb&ssyoa=favubmb
200 OK (application/java-archive) 483b40f21a9e97f0dc6c88a21fddc1ec
GET http://wymxxnb.compress .to/adfasdfksjdfn/implying-specify-dropping-fundamental.php?uf=1j:1l:1o:1l:2v&xe=1f:30:1h:1o:1o:31:1o:1l:2v:1f&p=1f&yt=w&pu=o
200 OK (application/x-msdownload)
Another one :
 |
| CVE-2013-0422 in BH EK |
GET http://014044130110225951863963ee92258948f1673f95d31ad.jtmtir .eu/sort.php
200 OK (text/html)
GET http://014044130110225951863963ee92258948f1673f95d31ad.jtmtir .eu/info/last/index.php
200 OK (text/html)
GET http://014044130110225951863963ee92258948f1673f95d31ad.jtmtir .eu/info/last/index.php?qtp=mux&aqdyg=knny
200 OK (application/java-archive) 483b40f21a9e97f0dc6c88a21fddc1ec
GET http://014044130110225951863963ee92258948f1673f95d31ad.jtmtir .eu/info/last/index.php?yf=2w:30:1i:31:33&oe=33:1g:2v:32:1o:1h:2v:32:1m:1h&h=1f&fz=p&kq=u
200 OK (application/x-msdownload) dfc4995203b8e7d87df6dfbae1d7774c - Leechole.A - Malwr.com analysis
GET http://014044130110225951863963ee92258948f1673f95d31ad.jtmtir .eu/exit.php?x=31&t=timeout
200 OK (text/html)
GET http://014044130110225951863963ee92258948f1673f95d31ad.jtmtir .eu/exit.php?go=3035
302 Found to http://www.maturepornxxxtube .com/?t=113244,1,206,0
Sakura :
 |
| Sakura CVE-2013-0422 Positive Path |
GET http://fc70efc87b.tespena.lapy .pl:82/forum/index.php?showtopic=715530
200 OK (text/html)
GET http://fc70efc87b.tespena.lapy .pl:82/forum/dare.php?hsh=tr&key=671bf50c83d3346a782094d74b655140
200 OK (application/pdf)
GET http://fc70efc87b.tespena.lapy .pl:82/forum/dare.php?hsh=6&key=f3a6e4200aeea550e9bbb090ffc13e12
200 OK (application/x-java-archive) 253c57c3f5e2abb23861134a343a7308
GET http://fc70efc87b.tespena.lapy .pl:82/forum/viob.php?cnf=c
200 OK (application/octet-stream) fe1e6410aac2b6af1ab92d1301f0c4ff
<edit n 13/01/13 10:00 GMT+1>
<edit 2013-09-06>
Late disclosure : Sakura Stats on January 12
 |
| Stats on for a Sakura on January 12. Have been told that DK ratio is due to Online Bank System there requiring Java |
And to help figure out, here is what is was on January 5:
Payload was mainly (not only cause geo conditioned) Zaccess</edit>
 |
| Same Exploit Kit before 0 Day - January 5 |
Payload was mainly (not only cause geo conditioned) Zaccess</edit>
SofosFO:
Seems it has just been integrated. Found many since 2 days, but first one integrating the CVE.
Have been told that it's integrated since at least 2013-01-11
GET http://tropical.finale.ceapy-wirealtyseou .org/dank-cashier.html
200 OK (text/html)
GET http://tropical.finale.ceapy-wirealtyseou .org/psemzhFIKWDhIWDmhwGKhDyFppGwK/QmxmlmQlwUo00/packets.js
200 OK (text/html)
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/terrorist.jar
200 OK (application/java-archive)
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/terrorist.jar
200 OK (application/java-archive) c1638d5ee237fc3228121b389d1cd3b0
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/4393992
200 OK (application/octet-stream)
ProPack Sploit Pack :
Thanks to to @switchingtoguns for that one.
GET http://46.30.42 .195/build2/doc/4yioqp.php
200 OK (text/html)
GET http://46.30.42 .195/build2/doc/axhncumubx.php?k=32203313104201
200 OK (application/java-archive)
GET http://46.30.42 .195/build2/doc/gneyipb.php?k=32203313104201
200 OK (application/java-archive)
GET http://46.30.42 .195/build2/doc/jxipmwgoksgu.php?k=32203313104201
200 OK (text/html) - ffe3784eeff840770e4c453658384beb
GET http://46.30.42 .195/build2/doc/4mx57e.php?j=1&k=1
200 OK (application/octet-stream) ac91753182db3a9562a27bd78c95972e Zaccess
SofosFO Fiddler File: http://goo.gl/CB5mb
</edit n>
<edit n+2 13/01/13 21:00>
Sweet Orange :
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/plugins.php?arrowwiki=988&profile=193&scripts=194&users=78&baseball=950&movies=698&photoshop=16
200 OK (text/html)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/wLsShgHc
200 OK (application/x-java-archive)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/Fxptg
200 OK (application/x-java-archive)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/wLsShgHc
200 OK (application/x-java-archive)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/Fxptg
200 OK (application/x-java-archive) cfefb5235c9ae1bfd25aa5df4ea7933b
GET http://rubefasttrack .info/products.php?info=53&mapa=334&classes=12&pages=677&sport=1251&hotel=81&free=178&intl=58&style=604&openparadise1=299
200 OK (application/octet-stream)
GET http://b4wd52ftevtwvd .org/ad4/?jlrhg=rFssAhgRAFQ4SDEAAQAAAAUQ1KCkeEiX
200 OK (application/octet-stream) (Lyposit/Lucky Locker call home)
SWT Fiddler file : http://goo.gl/4cDMy
</edit n+2>
<edit n+1 2012-01-13 - 19h GMT+1>
Have seens some stats from an EK featuring this CVE. % of successful infection was between 13-15% overall (double usual rates on that EK). In DK it seems the % is higher. From 25% to 30%. Have been told that one explanation could be that Banks require Java to login in that country
</edit n+1>
Source of the Exploit :
http://pastebin.com/raw.php?i=cUG2ayjh - Gdark - DamageLabs
Files are now with public Password ( The default password almost everyone use for infected stuff ) .
http://goo.gl/tzjfr (Google Drive) Ctrl+s or File->Download to get the zip.
http://goo.gl/AdAZR (Mega)
Note : All request for the public password in comment will be deleted.
Remove Java or disable plugins.
See :
Vulnerability Note VU#625617 - Solution part - Will Dorman - US-Certs
How do I disable Java in my web browser? - Oracle - Java.com
<edit n+3 13/01/13>
Patch is out. You can now update to 1.7u11
http://java.com/en/download/index.jsp
</edit3>
What is behind the curtains :
Look : The path to infection - Eye glance at the first line of "Russian Underground"
Some readings - Post Publication :
Vulnerability Summary for CVE-2013-0422 - NVD
Nasty New Java Zero Day Found; Exploit Kits Already Have It - Michael Mimoso - ThreatPost - 2013-01-11
First Java 0day For The Year 2013 - Arseny Levin - SpiderLabs - 2013-01-11
Have been told that it's integrated since at least 2013-01-11
 |
| SofosFO - CVE-2013-0422 Positive path |
GET http://tropical.finale.ceapy-wirealtyseou .org/dank-cashier.html
200 OK (text/html)
GET http://tropical.finale.ceapy-wirealtyseou .org/psemzhFIKWDhIWDmhwGKhDyFppGwK/QmxmlmQlwUo00/packets.js
200 OK (text/html)
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/terrorist.jar
200 OK (application/java-archive)
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/terrorist.jar
200 OK (application/java-archive) c1638d5ee237fc3228121b389d1cd3b0
GET http://tropical.finale.ceapy-wirealtyseou .org/7afdfihFIKWDhIWDmhwGKhDyFppGwy/010922216/4393992
200 OK (application/octet-stream)
ProPack Sploit Pack :
Thanks to to @switchingtoguns for that one.
 |
| Propack EK CVE-2013-0422 positive Path |
GET http://46.30.42 .195/build2/doc/4yioqp.php
200 OK (text/html)
200 OK (application/java-archive)
GET http://46.30.42 .195/build2/doc/gneyipb.php?k=32203313104201
200 OK (application/java-archive)
GET http://46.30.42 .195/build2/doc/jxipmwgoksgu.php?k=32203313104201
200 OK (text/html) - ffe3784eeff840770e4c453658384beb
GET http://46.30.42 .195/build2/doc/4mx57e.php?j=1&k=1
200 OK (application/octet-stream) ac91753182db3a9562a27bd78c95972e Zaccess
SofosFO Fiddler File: http://goo.gl/CB5mb
</edit n>
<edit n+2 13/01/13 21:00>
Sweet Orange :
 |
| Sweet Orange Positive Path on CVE-2013-0422 and Lucky Locker (aka Lyposit) call Home |
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/plugins.php?arrowwiki=988&profile=193&scripts=194&users=78&baseball=950&movies=698&photoshop=16
200 OK (text/html)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/wLsShgHc
200 OK (application/x-java-archive)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/Fxptg
200 OK (application/x-java-archive)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/wLsShgHc
200 OK (application/x-java-archive)
GET http://fluorescentgrandfather .info/2008/meta_login/phpmyadmin2/Fxptg
200 OK (application/x-java-archive) cfefb5235c9ae1bfd25aa5df4ea7933b
GET http://rubefasttrack .info/products.php?info=53&mapa=334&classes=12&pages=677&sport=1251&hotel=81&free=178&intl=58&style=604&openparadise1=299
200 OK (application/octet-stream)
GET http://b4wd52ftevtwvd .org/ad4/?jlrhg=rFssAhgRAFQ4SDEAAQAAAAUQ1KCkeEiX
200 OK (application/octet-stream) (Lyposit/Lucky Locker call home)
SWT Fiddler file : http://goo.gl/4cDMy
</edit n+2>
<edit n+1 2012-01-13 - 19h GMT+1>
Have seens some stats from an EK featuring this CVE. % of successful infection was between 13-15% overall (double usual rates on that EK). In DK it seems the % is higher. From 25% to 30%. Have been told that one explanation could be that Banks require Java to login in that country
</edit n+1>
Source of the Exploit :
http://pastebin.com/raw.php?i=cUG2ayjh - Gdark - DamageLabs
 |
| Unverified Source of the Exploit Credits : Gdark - damagelabs |
Files are now with public Password ( The default password almost everyone use for infected stuff ) .
http://goo.gl/tzjfr (Google Drive) Ctrl+s or File->Download to get the zip.
http://goo.gl/AdAZR (Mega)
Note : All request for the public password in comment will be deleted.
Remove Java or disable plugins.
See :
Vulnerability Note VU#625617 - Solution part - Will Dorman - US-Certs
How do I disable Java in my web browser? - Oracle - Java.com
<edit n+3 13/01/13>
Patch is out. You can now update to 1.7u11
 |
| Screenshot of Java Download zone on Oracle.com |
http://java.com/en/download/index.jsp
</edit3>
What is behind the curtains :
Look : The path to infection - Eye glance at the first line of "Russian Underground"
Some readings - Post Publication :
Vulnerability Summary for CVE-2013-0422 - NVD
Java MBeanInstantiator.findClass 0Day Analysis - Esteban Guillardoy - Immunity
Happy New Year From New Java Zero-Day - FireEye Blog - 2013-01-11Nasty New Java Zero Day Found; Exploit Kits Already Have It - Michael Mimoso - ThreatPost - 2013-01-11
First Java 0day For The Year 2013 - Arseny Levin - SpiderLabs - 2013-01-11