Exploit:Java/CVE-2010-0094


Java/CVE-2010-0094 is a family of malicious Java applets stored within a Java Archive (.JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including version 6 update 18. The vulnerability allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system outside its "sandbox" environment. It is discussed in CVE-2010-0094.



What to do now

Update vulnerable applications

This threat exploits a known vulnerability in the Java Runtime Environment (JRE) that affects releases up to and including Java 6 Update 18. To prevent your computer from being vulnerable to this malware, make sure that you install the updates available from the vendor (Java 6 Update 19 or later contains the fix). You can read more about this vulnerability from the following links:

It may be necessary to remove older versions of Java that are still present. Keeping old and unsupported versions of Java on your system presents a serious security risk. To read more about why you should remove older versions of Java, see the following information.

Threat behavior

Installation

Java/CVE-2010-0094 is distributed using the Java Archive (JAR) file format. It has been observed in the wild arriving on the computer when users are tricked into visiting a webpage that hosts the malicious applet.

The JAR file contains the classes and resources needed to run the exploit code, which is implemented as a Java applet. The main class targets the JMX remote-management class "RMIConnectionImpl" (javax.management.remote.rmi.RMIConnectionImpl), which deserializes a caller-supplied MarshalledObject inside a privileged (AccessController.doPrivileged) block. By passing it a serialized instance of its own ClassLoader subclass, the applet gets that class loader constructed in a privileged context, so the "createClassLoader" runtime permission check that the sandbox would normally enforce against an unsigned applet is satisfied. The attacker-controlled class loader is then used to define the malicious classes with full permissions, outside the applet sandbox.

The JAR package consists of the following classes, which load during the exploit process:

  • Exploit or Main class
  • ClassLoader class
  • Payload class
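The three-class layout and the RMIConnectionImpl/ClassLoader pattern described above can be checked for statically, without running anything from the JAR. The following scanner is an added example for this entry, not code from Microsoft or from the malware; it parses each .class file's constant pool and flags a JAR that contains both a direct subclass of java.lang.ClassLoader and a class that references javax.management.remote.rmi.RMIConnectionImpl. The build_class, make_jar and sample_jar helpers are constructed here only so the scanner can be exercised offline; the sample is a synthetic stand-in, not a real exploit sample.

```python
"""Static triage of a JAR for the CVE-2010-0094 applet pattern (added example)."""
import io
import struct
import zipfile

CLASSLOADER = "java/lang/ClassLoader"
RMI_CONN_IMPL = "javax/management/remote/rmi/RMIConnectionImpl"

# Byte length (after the 1-byte tag) of fixed-width constant-pool entries.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_class(data):
    """Return (this_class, super_class, set of referenced class names) for one .class file."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count
    pos = 10
    pool = [None] * count                          # slot 0 is unused by the JVM
    i = 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                               # CONSTANT_Utf8: u2 length + bytes
            ln = struct.unpack_from(">H", data, pos)[0]
            pool[i] = data[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            pos += 2 + ln
        elif tag == 7:                             # CONSTANT_Class: u2 index of a Utf8 name
            pool[i] = ("class", struct.unpack_from(">H", data, pos)[0])
            pos += 2
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        i += 2 if tag in (5, 6) else 1             # long/double occupy two slots
    _flags, this_idx, super_idx = struct.unpack_from(">HHH", data, pos)

    def cls(idx):                                  # super_class is 0 only for java/lang/Object
        return pool[pool[idx][1]] if idx else None

    refs = {pool[e[1]] for e in pool if isinstance(e, tuple)}
    return cls(this_idx), cls(super_idx), refs


def scan_jar(jar_bytes):
    """Report the two traits the description above attributes to the exploit JAR."""
    loaders, rmi_users = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            this_cls, super_cls, refs = parse_class(jar.read(name))
            if super_cls == CLASSLOADER:           # the custom ClassLoader subclass
                loaders.append(this_cls)
            if RMI_CONN_IMPL in refs:              # the main/exploit class
                rmi_users.append(this_cls)
    return {"classloader_subclasses": loaders,
            "rmiconnectionimpl_refs": rmi_users,
            "suspicious": bool(loaders) and bool(rmi_users)}


def build_class(this_name, super_name, extra_refs=()):
    """Constructed minimal class file (no fields or methods) for offline testing only."""
    names = [this_name, super_name] + list(extra_refs)
    pool = b""
    for k, n in enumerate(names):                  # Class entry at 2k+1 -> Utf8 entry at 2k+2
        utf = n.encode()
        pool += struct.pack(">BH", 7, 2 * k + 2)
        pool += struct.pack(">BH", 1, len(utf)) + utf
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, 2 * len(names) + 1)
    body = struct.pack(">HHH", 0x0021, 1, 3)       # access_flags, this_class, super_class
    body += struct.pack(">HHHH", 0, 0, 0, 0)       # no interfaces, fields, methods, attributes
    return header + pool + body


def make_jar(entries):
    """Constructed in-memory JAR from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


def sample_jar():
    """Synthetic three-class JAR mirroring the layout listed above (not a real sample)."""
    return make_jar({
        "Main.class": build_class("Main", "java/applet/Applet",
                                  [RMI_CONN_IMPL, "java/rmi/MarshalledObject"]),
        "Loader.class": build_class("Loader", CLASSLOADER),
        "Payload.class": build_class("Payload", "java/lang/Object"),
    })


if __name__ == "__main__":
    print(scan_jar(sample_jar()))
```

The check keys on the structural combination rather than on any one string, because a legitimate applet may subclass ClassLoader and a JMX client may reference RMIConnectionImpl; a JAR that does both is what the description above calls out. Obfuscated variants can rename the three classes freely, but the superclass link and the JDK class reference must survive in the constant pool for the exploit to work.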

Payload

Downloads arbitrary files
Java/CVE-2010-0094 variants are designed for drive-by download attacks, in which the exploit is used to download and execute arbitrary files, usually other malware.

Analysis by Methusela Cebrian Ferrer


Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.117.1455.0
Latest detected by definition: 1.179.1582.0 and higher
First detected on: Dec 20, 2011
This entry was first published on: Jul 11, 2011
This entry was updated on: Apr 26, 2012

This threat is also detected as:
No known aliases