Exploit:Java/CVE-2008-5353.FJ

Exploit:Java/CVE-2008-5353.FJ is a detection for an obfuscated malicious Java class component that exploits the vulnerability described in CVE-2008-5353.

 

The vulnerability affects Java Virtual Machine (JVM) up to and including version 6 update 10. The vulnerability allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system, outside of its "sandbox" environment. 

The vulnerability has been exploited by malware to gain access to a user's computer to download and install malicious programs. The malware installation may occur when a malicious Java applet is executed by a vulnerable JVM. This scenario can occur when a user visits a malicious Web page that hosts such an applet. Note that a number of legitimate Web sites could be compromised or unwillingly host a malicious applet through advertising frames which could redirect to or host a malicious Java applet.

 

Exploit:Java/CVE-2008-5353.FJ is 22,451 byte Java applet with a file name "Mailvue.class" and is part of a java package called "quote". The applet exploits the CVE-2008-5353 vulnerability executing "Skypeqd.class" and than executes "Twitters.class" file with elevated privileges. Both files are also found inside the "quote" package.

When the Java component "Twitters.class" runs, it may download and execute malicious programs from a specified Web site.

The vulnerability exploits a relationship between serializable objects, the programming entities which can be persisted beyond the lifespan of a parent process, and a non-serializable super class constructor method defined in the derived class.

 

It is not uncommon for antivirus software to detect malicious Java applets in a Web browser's cache. It doesn’t necessarily mean that the system is compromised. Most of the time it reflects the fact that at some stage a Web page with a malicious applet had been visited and cached internally. To thwart such a notification it is often enough to purge the cache using a Web browser's configurable security options.