Java/CVE-2010-0094 is a family of malicious Java applets stored within a Java Archive (.JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including version 6 update 18. The vulnerability allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system outside its "sandbox" environment. It is discussed in CVE-2010-0094.
Java/CVE-2010-0094 is distributed using the Java Archive (JAR) file format. It has been observed in the wild arriving on the computer when users are tricked into visiting a webpage that hosts the malicious applet.
The JAR file contains the classes and resources necessary to execute the exploit code, which is implemented as a Java applet. Using remote method invocation (RMI), the main class exploits the vulnerability in the "RMIConnectionImpl" class by loading a serialized custom ClassLoader. The subclass of ClassLoader inherits a runtime permission that allows it to invoke protected mode, enabling malicious classes to be loaded in a privileged context.
The JAR package consists of the following classes, which load during the exploit process:
- Exploit or Main class
- ClassLoader class
- Payload class
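The following is an added triage example, not part of the original analysis: a heuristic scanner that flags an unsigned JAR whose class files reference both java/lang/ClassLoader and javax/management/remote/rmi/RMIConnectionImpl, the combination described above. The sample JAR it builds is constructed for the example (its entries hold only constant-pool strings, not real bytecode), and the indicator strings are an analyst's assumption, not a definitive signature.

```python
import io
import zipfile

# Constant-pool strings an analyst might look for in class files (assumed indicators).
CLASSLOADER_SUPER = b"java/lang/ClassLoader"
RMI_CONN_IMPL = b"javax/management/remote/rmi/RMIConnectionImpl"
SERIAL_MARKER = b"java/io/Serializable"


def scan_jar(jar_bytes: bytes) -> dict:
    """Return heuristic indicators found in a JAR supplied as raw bytes."""
    findings = {"signed": False, "classloader_refs": [], "rmi_refs": [], "serializable": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            # A signed JAR carries a signature block and .SF file under META-INF/.
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".SF")):
                findings["signed"] = True
            if not name.endswith(".class"):
                continue
            data = zf.read(name)
            # Plain substring match: also hits benign classes that merely call
            # getClassLoader(), so treat this as a triage signal, not proof.
            if CLASSLOADER_SUPER in data:
                findings["classloader_refs"].append(name)
            if RMI_CONN_IMPL in data:
                findings["rmi_refs"].append(name)
            if SERIAL_MARKER in data:
                findings["serializable"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    """Unsigned applet + ClassLoader subclass + RMIConnectionImpl reference."""
    return (not findings["signed"]
            and bool(findings["classloader_refs"])
            and bool(findings["rmi_refs"]))


def build_sample_jar() -> bytes:
    """Constructed stand-in JAR mirroring the three-class layout (Main, Loader, Payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe" + RMI_CONN_IMPL)
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + CLASSLOADER_SUPER + SERIAL_MARKER)
        zf.writestr("Payload.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_jar(build_sample_jar()), is_suspicious(scan_jar(build_sample_jar())))
```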
Downloads arbitrary files
Java/CVE-2010-0094 variants are designed for drive-by download attacks, where an exploit is used for the purpose of downloading and executing arbitrary files, usually other malware.
Analysis by Methusela Cebrian Ferrer
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptoms.