2013-02-23 - Evolution

Popads add Social Engineering : Self-Generated fake cert on jar applet

Seems there is an unpatched vulnerability being exploited in the wild once again.
At least operational on java 1.7 update 15.  <-- Seems I need more coffee & training in fact :)

I first thought it was a 0 day

Successful path to Epic Fail in that tweet :)


but it's a self-generated fake-cert-signed applet requesting privileged access that I spotted in Popads Exploit Kit. So pure Social Engineering.




No infection without user interaction, but sneaky:

Class name in that jar

Which leads to:
Social Engineering in the class name of that jar
If you run:
jre1.7u15 downloading PE

------------------------------------------

$ jarsigner -verify -verbose -certs [jarname].jar

s        157 Fri Feb 22 19:35:40 CET 2013 META-INF/MANIFEST.MF

      X.509, CN=Microsoft Corporation, OU=Microsoft Corporation, O=Microsoft Corporation, L=New York, ST=NY, C=US
      [certificate will expire on 5/23/13 11:08 AM]
      [CertPath not validated: null]

         278 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.SF
        1040 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.RSA
sm      2726 Fri Feb 22 19:35:14 CET 2013 Urgent_Java_Security_Update.class

      X.509, CN=Microsoft Corporation, OU=Microsoft Corporation, O=Microsoft Corporation, L=New York, ST=NY, C=US
      [certificate will expire on 5/23/13 11:08 AM]
      [CertPath not validated: null]


  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: 
This jar contains entries whose signer certificate will expire within six months. 
This jar contains entries whose certificate chain is not validated.
------------------------------------------
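To make the check above repeatable during triage, here is an added POSIX shell snippet (my own addition, not code from the post or from the kit) that parses the text printed by `jarsigner -verify -verbose -certs` and flags exactly the condition seen here: the jar "verifies" (the signature matches the content) while the certificate chain does not validate to a trusted root, so the CN in the subject is whatever the signer typed. The sample output is constructed from the listing above and embedded so the snippet runs without a JDK; the function names and the verdict strings are my own.

```shell
#!/bin/sh
# Added example (not from the original post): triage of jarsigner -verify output.
# Assumption: the text passed in is the stdout of
#   jarsigner -verify -verbose -certs <file>.jar
# A self-signed cert yields "jar verified." plus "[CertPath not validated: null]",
# so "verified" alone must never be read as "trusted".

# Constructed sample, trimmed from the listing in the post.
SAMPLE_OUTPUT='s        157 Fri Feb 22 19:35:40 CET 2013 META-INF/MANIFEST.MF

      X.509, CN=Microsoft Corporation, OU=Microsoft Corporation, O=Microsoft Corporation, L=New York, ST=NY, C=US
      [certificate will expire on 5/23/13 11:08 AM]
      [CertPath not validated: null]

         278 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.SF
        1040 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.RSA
sm      2726 Fri Feb 22 19:35:14 CET 2013 Urgent_Java_Security_Update.class

jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.'

# classify_jarsigner_output TEXT
# Prints one of: UNSIGNED, UNTRUSTED, TRUSTED.
#   UNSIGNED  - jarsigner did not report "jar verified."
#   UNTRUSTED - signature checks out but the chain does not validate
#               (self-signed or unknown CA); treat the subject as untrusted input
#   TRUSTED   - verified and chained to a CA in the truststore
classify_jarsigner_output() {
    if ! printf '%s\n' "$1" | grep -q 'jar verified'; then
        echo UNSIGNED
    elif printf '%s\n' "$1" | grep -q 'CertPath not validated'; then
        echo UNTRUSTED
    else
        echo TRUSTED
    fi
}

# signer_subject TEXT
# Prints the first X.509 subject line. With an unvalidated chain this string
# is attacker-controlled, which is the whole point of the "Microsoft" CN here.
signer_subject() {
    printf '%s\n' "$1" | awk -F'X\\.509, ' '/X\.509,/ { print $2; exit }'
}

# signed_entries TEXT
# Lists entry names whose flag column starts with "s" (signature verified).
# Entry lines look like: "<flags> <size> <day> <mon> <dd> <hh:mm:ss> <tz> <yyyy> <name>".
signed_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^s/ && $2 ~ /^[0-9]+$/ { print $NF }'
}

# Stand-alone usage: run against the constructed sample, or pipe in real output:
#   jarsigner -verify -verbose -certs suspect.jar | { out=$(cat); classify_jarsigner_output "$out"; }
if [ "${1:-}" = "--demo" ]; then
    echo "verdict : $(classify_jarsigner_output "$SAMPLE_OUTPUT")"
    echo "subject : $(signer_subject "$SAMPLE_OUTPUT")"
    echo "signed  :"
    signed_entries "$SAMPLE_OUTPUT" | sed 's/^/  /'
fi
```

The verdict to act on is UNTRUSTED: the file is internally consistent, but nothing vouches for who signed it, and the class name listed under signed entries (`Urgent_Java_Security_Update.class`) is the same lure text the user sees in the privilege prompt.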

Files : http://goo.gl/NVlnM (OwnCloud)