Threat behavior
Exploit:Java/CVE-2008-5353.EQ targets a vulnerability in the Java Virtual Machine (JVM) that affects versions up to and including version 6 update 10. The vulnerability allows an unsigned Java applet to gain elevated privileges and potentially obtain unrestricted access to the host system, outside its "sandbox" environment.
The vulnerability arises from the relationship between serializable objects (programming entities that can be persisted beyond the lifespan of the parent process) and a non-serializable superclass constructor method defined in the derived class.
The vulnerability has been exploited by malware to gain access to a user's computer and to download and install malicious programs. Installation may occur when a malicious Java applet is executed by a vulnerable JVM, typically when a user visits a malicious webpage that hosts such an applet. Note that legitimate websites can also be compromised, or may unwittingly host a malicious applet through advertising frames that redirect to or host the applet.
Installation
Exploit:Java/CVE-2008-5353.EQ is a 13,401-byte Java applet distributed as a file named "vmain.class", part of a package called "jar_cache". The applet executes "____vload.class", also found inside the "jar_cache" package, which exploits the CVE-2008-5353 vulnerability. The applet reads the parameters "sdata" and "slink" from the HTML file that references it, and uses them to download and execute malicious programs from the specified websites. Among other functions, "____vload.class" exports the following:
Payload
Downloads arbitrary files
When the Java component "____vload.class" runs, it may download and execute malicious programs from a specific website.
Additional information
It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. This does not necessarily mean that the system is compromised; most of the time it reflects the fact that, at some stage, a webpage with a malicious applet was visited and cached locally. To stop such notifications it is often enough to purge the cache using the web browser's security options.
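An added example, not part of this writeup, of how an analyst can triage cached webpages for the applet described under Installation: it parses each page's applet and object tags and flags any that load "vmain.class" or pass both "sdata" and "slink" parameters, reporting the download URLs so they can be blocked. The sample page, the filename match and the URLs are constructed for illustration; since filenames are trivially changed, the parameter check is the more robust of the two tests.

```python
from html.parser import HTMLParser

# Indicators taken from the writeup: applet class name and the two
# HTML parameters it reads to locate its payloads.
SUSPECT_CLASS = "vmain.class"
SUSPECT_PARAMS = {"sdata", "slink"}


class AppletParamParser(HTMLParser):
    """Collect <applet>/<object> tags together with their <param> children."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag in ("applet", "object"):
            self._current = {"code": a.get("code") or "", "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None:
            name = (a.get("name") or "").lower()
            self._current["params"][name] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag in ("applet", "object"):
            self._current = None


def flag_html(html):
    """Return one record per applet that matches the indicators above."""
    parser = AppletParamParser()
    parser.feed(html)
    hits = []
    for applet in parser.applets:
        by_name = applet["code"].lower().endswith(SUSPECT_CLASS)
        by_params = SUSPECT_PARAMS <= set(applet["params"])
        if by_name or by_params:
            hits.append({
                "code": applet["code"],
                "sdata": applet["params"].get("sdata"),  # payload URLs to block
                "slink": applet["params"].get("slink"),
                "matched_by": "name" if by_name else "params",
            })
    return hits


# Constructed sample page: one suspect applet and one benign applet.
SAMPLE_HTML = """<html><body>
<applet code="vmain.class" archive="jar_cache.jar" width="1" height="1">
  <param name="sdata" value="http://payload.example.invalid/a.exe">
  <param name="slink" value="http://payload.example.invalid/b.exe">
</applet>
<applet code="Clock.class" width="100" height="50">
  <param name="timezone" value="UTC">
</applet>
</body></html>"""
```

Run `flag_html(SAMPLE_HTML)` over each cached .html file; any non-empty result is worth a closer look at the referenced jar_cache package.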
Analysis by Oleg Petrovsky
Prevention