Exploit:Java/CVE-2010-0094.DB

The vulnerability makes use of the "get" method of "java.rmi.MarshalledObject", which  de-serializes an object from an internal byte array. At the same time, the byte array can contain a previously serialized "ClassLoader" which, after its full de-serialization by the "get" method of "java.rmi.MarshalledObject", becomes fully trusted and can load other classes and methods at the user's security context level outside the sandbox.

Exploit:Java/CVE-2010-0094.DB is implemented as a Java applet "main.class" inside a JRE package. The JRE package is 15,991 bytes size, and also contains Java classes used by the Java applet. The applet creates an RMIConnectionImpl object with a connection ID string "javasucks".
 
The trojan reads a parameter "url" that is decrypted before use. Exploit:Java/CVE-2010-0094.DB expects the parameter to be specified in referencing the applet HTML file, and uses it as a location for a file to be downloaded and executed later. This information is passed to a separate class contained within the JRE package "hubert.class", and attempts to download an executable file from a remote location. The file is saved in the Temporary files folder as "YCemSCi.exe". The Java class "hubert.class" executes the downloaded file with elevated privileges.

This malware is in the form of a Java archive (.JAR) package and consists of the following Java class files:

• "ClassPol.class"
• "Cload.class"
• "Clrepor.class"
• "CusBen.class"
• "Trolllllle.class"
• "main.class"
• "novell.class"
• "padle.class"

Additional information

A number of legitimate websites could be compromised or unwillingly host a malicious applet through advertising frames which could redirect to or host a malicious Java applet. It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. It doesn’t necessarily mean that the system is compromised. Most of the time it reflects the fact that, at some stage, a webpage with a malicious applet had been visited and cached internally. To thwart such a notification it is often enough to purge the cache using a web browser's configurable security options.

Analysis by Oleg Petrovsky