Threat in context
This exploit targets the Java plug-in for web browsers. Java programs (applets) can be embedded in websites and run in a "sandbox": the plug-in enforces rules on what the applet may do so that it cannot escape this restricted environment.
What is an exploit?
Exploits are written to take advantage of weaknesses (or vulnerabilities) in legitimate software. A project called Common Vulnerabilities and Exposures (CVE) gives each vulnerability a unique number, in this case "CVE-2008-5353".
You can find more information on the CVE website or on our page about exploits.
Payload
Downloads and installs files
If you visit a website containing the malicious code while using a vulnerable version of Java, Exploit:Java/CVE-2008-5353 is loaded. It then attempts to download and run files from a remote host/URL. The files that are downloaded and run could be any of the attacker's choice and can include other malware.
Additional technical details
Exploit:Java/CVE-2008-5353 uses a deserialization bug, exposed through the java.util.Calendar class, to execute its code with full privileges. In Java programming, serialization is the process of storing an object to a file; deserialization restores that stored object into a live object.
The exploit asks the Java runtime to deserialize a specially-crafted object that is stored inside the exploit itself. In a vulnerable version of Java, the code that performs the deserialization runs with privileges that are not restricted by the sandbox; the exploit inherits these privileges and can then run outside the sandbox.
In summary, Exploit:Java/CVE-2008-5353 attacks the Java security model rather than relying on a buffer overflow. A buffer-overflow exploit depends on the specific CPU (Central Processing Unit) and may be hindered by mitigations such as DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization).
Attacking the security model means the exploit may be effective on any platform that runs the Java interpreter, for example Windows, MacOS, or Linux.
These exploits are usually written as a few Java classes working together. The class files are bundled into an archive called a JAR, which uses the ZIP file format. Every JAR contains a MANIFEST.MF file that identifies it to the Java Runtime; since it is found in every JAR, it is not listed below.
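Because a JAR is a ZIP archive and this exploit carries a serialized object inside it, a defender can triage a suspicious JAR by looking for embedded Java serialization streams and the class names they reference. The following is an added example written for this page, not code from the original article or from any vendor tool; the sample JAR it builds is constructed in memory and is not one of the files described above.

```python
import io
import re
import struct
import zipfile

# Header that opens every Java serialization stream (STREAM_MAGIC + STREAM_VERSION).
SER_MAGIC = b"\xac\xed\x00\x05"
# TC_OBJECT (0x73) followed by TC_CLASSDESC (0x72); the next two bytes give the
# length of the class name. This is a heuristic: "sr" can also occur in ordinary data.
CLASSDESC = re.compile(rb"\x73\x72(?P<len>..)", re.DOTALL)

def class_names_in_stream(blob):
    """Return the class names named by TC_CLASSDESC records in a serialized blob."""
    names = []
    for m in CLASSDESC.finditer(blob):
        (n,) = struct.unpack(">H", m.group("len"))
        name = blob[m.end():m.end() + n]
        if len(name) == n and re.fullmatch(rb"[A-Za-z_$][\w$.]*", name):
            names.append(name.decode("ascii"))
    return names

def scan_jar(jar_bytes):
    """Inspect every JAR entry for an embedded Java serialization stream.

    Returns a list of (entry_name, [class names]) for entries that carry one.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                continue  # present in every JAR, so it is not interesting here
            data = jar.read(info)
            if SER_MAGIC in data:
                start = data.index(SER_MAGIC)
                findings.append((info.filename, class_names_in_stream(data[start:])))
    return findings

def build_sample_jar():
    """Constructed sample JAR (hypothetical, not a real exploit file)."""
    # Constructed serialized stream whose class descriptor names java.util.Calendar.
    blob = SER_MAGIC + b"\x73\x72" + struct.pack(">H", 18) + b"java.util.Calendar"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("Helper.class", b"\xca\xfe\xba\xbe" + b"\x00" * 32)  # benign-looking class
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8 + blob)  # embeds the stream
    return buf.getvalue()

if __name__ == "__main__":
    for name, classes in scan_jar(build_sample_jar()):
        print(f"{name}: embedded serialization stream referencing {classes}")
```

An entry that both is a class file and carries a serialization stream naming a core JDK class is worth a closer look, but the check is a triage aid, not proof of exploitation.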
Below are some examples of files that exploit the vulnerability described in CVE-2008-5353:
Although some of the class and file names suggest specific purposes or company affiliations, all of these files were created by unknown parties for the purpose of installing software without the affected user's consent.
None of these JAR files contains an executable, or even an address linking to a file to download and run; they all take their instructions from the HTML page that loaded them.
Related information
The articles referenced below outline some of the technical details of the weakness this vulnerability exploits:
Analysis by Chris Stubbs