Exploit:Java/ByteVerify.F

Exploit:Java/ByteVerify is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer.

In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM.

This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003.

Due to the Microsoft Java VM byte code verifier vulnerability, the byte code loader may incorrectly process certain byte code sequences when loading Java applets. That may lead to input validation errors and Java Virtual Machine (later referred as VM) sandbox security breaches.

 

The vulnerability can be exploited by malformed applets which can bypass security checks of VM byte code verifier and gain unrestricted access outside the Java VM sandbox. Once running outside the
sandbox an applet can download and execute arbitrary code and have unrestricted access to local files on the compromised system. Note that the applet will still have to run in the context of the Microsoft Java virtual machine with the current user security permissions.

 

Exploit:Java/ByteVerify.F may appear as an op.class applet. The applet expects the arguments 'usid'and 'linkurl'. 'Usid'should contain the name of the file to be downloaded and executed (the file name has to be without an .exe extension) and the 'linkurl'should contain a URL showing the location from where the file is to be downloaded from. The downloaded file is placed in the Java VM temp directory.

 

Normally such an applet can be placed on a malicious website or can be sent as an HTML attachment. The malicious applet also may appear in the virtual machine or Internet explorer cache directory. It doesn't immediately mean that the computer has been compromised. It is possible that even though the malicious applet is located in one of the cache directories it was never loaded and executed. The malicious applet can be placed in the cache directories by visiting a malicious website or by opening an attachment containing the malicious java applet. Clearing cache directories should eliminate this problem.

 

Note that byte code verifier malformed applets rarely appear by themselves and they are normally used as a component of various trojan and trojandownloader attacks.