Exploit:Java/CVE-2010-0840.LE

Exploit:Java/CVE-2010-0840.LE is a variant of Exploit:Java/CVE-2010-0840 - a detection for malicious Java applets that exploit the vulnerability described in CVE-2010-0840. Successful exploitation may lead to remote code execution.

Exploit:Java/CVE-2010-0840.LE has been observed being distributed through the "Blackhole" Exploit Kit (detected, for example as Exploit:JS/Blacole.A).

Installation

The exploit may be bundled within a JAR file together with several non-malicious Java class files, as in the following example:

The JAR file,<bundled JAR file>.jar, may contain:

• MailAgent.class - detected as Exploit:Java/CVE-2010-0840.LE
• Cid.class
• ClassId.class
• ClassType.class
• VirtualTable.class

Payload

The exploit performs a privilege escalation on vulnerable versions of the Java Runtime Environment (up to and including version 6 update 18). Once it escapes Java's "sandbox" environment and gains unrestricted access to the host system, the applet downloads additional malware.

The malicious URLs are stored in an encrypted form inside the HTML that embeds the applet (as applet parameters).

Example: <param name='p' value='e00oMDD=h0fo=QTV/hBB./2RBf_Q=0.mR%hVqRmD2Voeoju83W6h8i'/>

Note: For the encryption algorithm, the malware uses a simple transposition cipher which changes from one version to another.

Exploit:Java/CVE-2010-0840.LE may download both executable files and DLL files to randomly-named files on the local affected computer. The DLLs are loaded with a call to "regsvr32 -s <random_number>.dll"

In the wild, Exploit:Java/CVE-2010-0840 has been seen to download malware from several major families, including the following:

• PWS:Win32/Sinowal.gen!Y (kernel mode rootkit)
• VirTool:Win32/VBInject.gen!GR

Analysis by Horea Coroiu