Threat behavior
Exploit:Java/CVE-2010-0840.CL is a detection for a malicious and obfuscated Java class that exploits the vulnerability described in CVE-2010-0840. Successful exploitation leads to remote code execution.
When a user visits a website that contains the class using a computer that has a vulnerable version of Sun Java, security checks may be bypassed, allowing arbitrary code to be executed.
Installation
When loaded, the malicious Java class checks if the computer is running a Windows Operating System, and if so, proceeds with its installation process.
In the wild, the malicious Java class is bundled with other non-malicious Java class applets, and may be present as the following:
- gendalf\fire.class - detected as Exploit:Java/CVE-2010-0840.CL
- gendalf\frost.class
- gendalf\lightening.class
- gendalf\poison.class
- mordor\bilbo.class
- mordor\frodo.class
- mordor\gorlum.class
- mordor\saruman.class
Payload
Downloads and executes arbitrary files
When the exploitation is successful, Exploit:Java/CVE-2010-0840.CL attempts to download and execute a malicious program from a specified URL.
In the wild, we have observed the downloaded binary file being stored with Exploit:Java/CVE-2010-0840.CL. The downloaded program is saved as %TEMP%\<number>.exe, where <number> is a random number.
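As an added example (not part of the original write-up), the following Python triage script flags a file listing against the two indicators described above: the class paths of the applet bundle and the %TEMP%\<number>.exe drop location. The sample listing and the TEMP_DIR value are constructed, not real forensic data.

```python
import re
from pathlib import PureWindowsPath
# Relative paths of the applet classes listed in the write-up. Only gendalf\fire.class
# carries the exploit; the rest are the non-malicious companions it is bundled with,
# so a hit on them is a hint that the bundle is present, not a detection by itself.
BUNDLE_CLASSES = (
    "gendalf/fire.class", "gendalf/frost.class", "gendalf/lightening.class",
    "gendalf/poison.class", "mordor/bilbo.class", "mordor/frodo.class",
    "mordor/gorlum.class", "mordor/saruman.class",
)
# The dropped payload is saved as %TEMP%\<number>.exe, <number> being random digits.
DROPPED_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)

def normalize(path: str) -> str:
    """Lower-case, forward-slash form of a Windows path for comparison."""
    return PureWindowsPath(path).as_posix().lower()

def is_bundle_class(path: str) -> bool:
    """True if the path ends in one of the listed <dir>\\<name>.class entries."""
    p = normalize(path)
    return any(p == c or p.endswith("/" + c) for c in BUNDLE_CLASSES)

def is_dropped_payload(path: str, temp_dir: str) -> bool:
    """True if the file sits directly in temp_dir and is named <digits>.exe."""
    p = PureWindowsPath(path)
    return normalize(str(p.parent)) == normalize(temp_dir) and bool(DROPPED_EXE.match(p.name))

def triage(paths, temp_dir: str):
    """Return (path, reason) for every path matching an indicator from the write-up."""
    findings = []
    for path in paths:
        if is_bundle_class(path):
            findings.append((path, "class file from the gendalf/mordor applet bundle"))
        elif is_dropped_payload(path, temp_dir):
            findings.append((path, "numeric-named .exe in %TEMP% (dropped payload pattern)"))
    return findings
# Constructed sample listing (not real forensic data); TEMP_DIR is an assumed %TEMP% value.
TEMP_DIR = r"C:\Users\bob\AppData\Local\Temp"
SAMPLE_PATHS = [
    r"C:\Users\bob\javacache\12\gendalf\fire.class",
    r"C:\Users\bob\javacache\12\mordor\frodo.class",
    r"C:\Users\bob\AppData\Local\Temp\4821.exe",
    r"C:\Users\bob\AppData\Local\Temp\setup.exe",
    r"C:\Users\bob\AppData\Local\Temp\sub\77.exe",
]
if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS, TEMP_DIR):
        print(f"{path}: {reason}")
```

Files nested below %TEMP% (such as the sub\77.exe entry) are deliberately not flagged, because the write-up places the payload directly in %TEMP%.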
Analysis by Vincent Tiu
Prevention