2013-02-23 - Evolution
Popads add Social Engineering : Self-Generated fake cert on jar applet
I first thought it was a 0 day
 |
| Successfull path to Epic Fail in that tweet :) |
but it's a Self-Generated fake cert signed applet requesting for privileged access that I spotted in Popads Exploit Kit. So pure Social Engineering.
No infection without user interaction but sneaky :
 |
| Class name in that jar |
Which lead too :
 |
| Social Engineering in the class name of that jar |
 |
| jre1.7u15 downloading PE |
$ jarsigner -verify -verbose -certs [jarname].jar
s 157 Fri Feb 22 19:35:40 CET 2013 META-INF/MANIFEST.MF
X.509, CN=Microsoft Corporation, OU=Microsoft Corporation, O=Microsoft Corporation, L=New York, ST=NY, C=US
[certificate will expire on 5/23/13 11:08 AM]
[CertPath not validated: null]
278 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.SF
1040 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.RSA
sm 2726 Fri Feb 22 19:35:14 CET 2013 Urgent_Java_Security_Update.class
X.509, CN=Microsoft Corporation, OU=Microsoft Corporation, O=Microsoft Corporation, L=New York, ST=NY, C=US
[certificate will expire on 5/23/13 11:08 AM]
[CertPath not validated: null]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
Warning:
This jar contains entries whose signer certificate will expire within six months.
This jar contains entries whose certificate chain is not validated.
------------------------------------------
Files : dc374ce3c0a0bba5ac3cdd62fac623b9_popads_jre17u13.zip (OwnCloud)