Exploit:Java/CVE-2011-3544.A


Exploit:Java/CVE-2011-3544.A is a malicious Java applet stored within a Java Archive (.JAR) file. It attempts to exploit a vulnerability in the Java Runtime Environment (JRE) component of Oracle Java SE JDK and JRE 7, and 6 Update 27 and earlier. The vulnerability allows an unsigned Java applet to gain elevated privileges and potentially obtain unrestricted access to run arbitrary Java code outside of the "sandbox" environment.

More information about the vulnerability is available in the following articles:



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Update vulnerable Java applications

This threat exploits a known vulnerability in Java. After removing this threat, make sure that you install the updates available from the vendor. You can read more about this vulnerability in Java, as well as where to download the software update, from the following links:

It may be necessary to remove older versions of Java that are still present. Keeping old and unsupported versions of Java on your system presents a serious security risk. To read more about why you should remove older versions of Java, see the following information.

Threat behavior

Installation

Exploit:Java/CVE-2011-3544.A is distributed using the Java Archive (JAR) file format. The JAR file contains the classes necessary to execute the exploit code, which is implemented as a Java applet. The exploit takes advantage of the way Java handles Rhino JavaScript errors: a remote attacker may craft a JavaScript error object whose handling is invoked in privileged mode, enabling a malicious payload to run in a privileged context.

The JAR package may consist of the following class files:

  • <applet class file> - malicious class detected as Exploit:Java/CVE-2011-3544.A
  • z.class - a legitimate class from Allatori, a Java obfuscator

where <applet class file> may be, but is not limited to, any of the following:

  • applet.class
  • av34v.class
  • market.class
  • v1.class

Payload

Downloads arbitrary files

Any browser in which Exploit:Java/CVE-2011-3544.A runs may potentially be used to download arbitrary files into the affected computer. In-the-wild scenarios entail a compromised browser connecting to certain hosts, which may include the following:

  • 129.<removed>1.67.196
  • 76.8<removed>1.61
  • cire<removed>et.ru
  • crf3<removed>dyndns.org
  • desi<removed>portal1.com
  • doll<removed>s3.in
  • ix69<removed>.com
  • port<removed>3for8.in

and then downloading files that have been identified as malware that belongs to any of the following families:

Additional information

Exploit:Java/CVE-2011-3544.A has been observed to be distributed through the Blackhole exploit kit servers.

Analysis by Methusela Cebrian Ferrer


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • <applet class file> - malicious class detected as Exploit:Java/CVE-2011-3544.A

    where <applet class file> may be, but is not limited to, any of the following:

    • applet.class
    • av34v.class
    • market.class
    • v1.class
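The following triage script is an added example, not Microsoft's code or the detection logic the definition uses. It inspects a JAR offline for the traits this entry describes in the Installation and Symptoms sections: the applet class names and the Allatori z.class stub listed above, plus a heuristic string search for references to the Java script engine and the bundled Rhino package (the marker strings, and the assumption that the JRE 6/7 Rhino engine lives under sun.org.mozilla.javascript.internal, are the example's own). Sample JARs are constructed inline; nothing in the archive is executed.

```python
import io
import zipfile

# Applet class names listed in the entry, plus the Allatori obfuscator stub.
KNOWN_APPLET_NAMES = {"applet.class", "av34v.class", "market.class", "v1.class"}
ALLATORI_CLASS = "z.class"
# Heuristic (assumption, not from the entry): a class that drives the Rhino engine
# usually references these internal names in its constant pool.
SCRIPT_MARKERS = (b"javax/script/ScriptEngineManager", b"sun/org/mozilla/javascript")


def triage_jar(jar_bytes: bytes) -> dict:
    """Report which entry-listed traits a JAR exhibits. Read-only; never loads classes."""
    findings = {"applet_names": [], "script_engine_refs": [], "allatori_stub": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if base == ALLATORI_CLASS:
                findings["allatori_stub"] = True
            if base in KNOWN_APPLET_NAMES:
                findings["applet_names"].append(name)
            if name.endswith(".class"):
                data = jar.read(name)
                if any(marker in data for marker in SCRIPT_MARKERS):
                    findings["script_engine_refs"].append(name)
    # Script-engine references alone are not conclusive; require a second trait.
    findings["suspicious"] = bool(findings["script_engine_refs"]) and (
        bool(findings["applet_names"]) or findings["allatori_stub"])
    return findings


def build_sample_jar(entries: dict) -> bytes:
    """Build a constructed sample JAR in memory (name -> bytes). Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed inputs: one JAR carrying the traits above, one benign JAR.
SUSPICIOUS_JAR = build_sample_jar({
    "applet.class": b"\xca\xfe\xba\xbe" + b"javax/script/ScriptEngineManager",
    "z.class": b"\xca\xfe\xba\xbe" + b"Allatori stub placeholder",
})
BENIGN_JAR = build_sample_jar({"com/example/Hello.class": b"\xca\xfe\xba\xbe" + b"java/lang/Object"})

if __name__ == "__main__":
    print(triage_jar(SUSPICIOUS_JAR))
    print(triage_jar(BENIGN_JAR))
```

Class names are trivially renamed by attackers, so treat a name match as a prompt for a full scan with an up-to-date security product rather than as a verdict.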

Prevention


Alert level: Severe
First detected by definition: 1.115.2760.0
Latest detected by definition: 1.119.55.0 and higher
First detected on: Nov 28, 2011
This entry was first published on: Nov 28, 2011
This entry was updated on: Dec 14, 2011

This threat is also detected as:
No known aliases