Exploit:Java/CVE-2008-5353.PZ is a detection for an obfuscated malicious Java class component that exploits the vulnerability described in CVE-2008-5353.
The vulnerability affects the Java Virtual Machine (JVM) in Java versions up to and including 6 Update 10. It allows an unsigned Java applet to gain elevated privileges and potentially obtain unrestricted access to the host system, outside of its "sandbox" environment.
Installation
The vulnerability has been exploited by malware to gain access to a user's computer in order to download and install malicious programs. The installation may occur when a malicious Java applet is executed by a vulnerable JVM, which typically happens when a user visits a malicious webpage that hosts such an applet. Note that legitimate websites can also be compromised, or can unwittingly host a malicious applet through advertising frames that redirect to or embed it.
Exploit:Java/CVE-2008-5353.PZ is a 5226-byte Java applet with the file name "sexxxy.class" and is part of a Java package called "KAK.NED". The applet exploits the CVE-2008-5353 vulnerability by executing "NOD32.class" (note the name's resemblance to the popular antivirus scanner), and then executes "crime4u.class" with elevated privileges. The file "crime4u.class" is detected as TrojanDownloader:Java/OpenStream.W. Both files are also found inside the "KAK.NED" package.
Payload
Downloads arbitrary files
When the Java component "crime4u.class" runs, it may download and execute malicious programs from a specific website.
Additional information
The vulnerability abuses a rule of Java object serialization. Serializable objects are programming entities whose state can be written out and restored beyond the lifetime of the process that created them. When such an object is deserialized, the JVM does not run the constructors of the Serializable classes in its hierarchy, but it does invoke the no-argument constructor of the first non-serializable superclass. In the vulnerable JRE (the CVE-2008-5353 Calendar deserialization flaw) this deserialization took place under elevated privileges, so an applet could supply a serializable class whose non-serializable superclass constructor is executed outside the sandbox.
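The following program is an added example, not code from the malware described on this page or from the original analysis. It demonstrates only the serialization rule the paragraph above relies on: during deserialization the no-argument constructor of the first non-serializable superclass runs, while the constructors of the Serializable classes beneath it do not. The class names (`NotSerializableBase`, `SerializableChild`) are illustrative, and no privileged operation is performed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added example (not part of the original page): shows which constructors
 * Java runs when an object is restored with ObjectInputStream.readObject().
 */
public class SuperclassCtorDemo {

    /* Not Serializable: its no-arg constructor IS invoked on deserialization. */
    static class NotSerializableBase {
        static int baseCtorCalls = 0;   // counts how often this constructor ran

        NotSerializableBase() {
            baseCtorCalls++;
            System.out.println("NotSerializableBase() constructor ran");
        }
    }

    /* Serializable subclass: its constructor is NOT invoked on deserialization;
     * its fields are restored directly from the byte stream instead. */
    static class SerializableChild extends NotSerializableBase implements Serializable {
        private static final long serialVersionUID = 1L;
        static int childCtorCalls = 0;  // counts how often this constructor ran
        final String payload;

        SerializableChild(String payload) {
            childCtorCalls++;
            this.payload = payload;
            System.out.println("SerializableChild(...) constructor ran");
        }
    }

    /* Write an object graph to a byte array with standard Java serialization. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /* Restore an object graph from a byte array; this is the step that
     * invokes the non-serializable superclass constructor. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample object: both constructors run once here.
        SerializableChild original = new SerializableChild("hello");
        byte[] stream = serialize(original);

        System.out.println("--- deserializing ---");
        SerializableChild copy = (SerializableChild) deserialize(stream);

        System.out.println("base ctor calls:  " + NotSerializableBase.baseCtorCalls);
        System.out.println("child ctor calls: " + SerializableChild.childCtorCalls);
        System.out.println("payload restored: " + copy.payload);
    }
}
```

Compile and run with `javac SuperclassCtorDemo.java && java SuperclassCtorDemo`. The base-class counter increments a second time during `readObject()`, while the child-class counter stays at one and `payload` is restored from the stream without its constructor. Whatever code sits in that superclass constructor executes with the privileges in effect at the point of deserialization, which is why deserializing attacker-controlled data inside a privileged block was exploitable.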
It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. This does not necessarily mean that the system is compromised; most of the time it reflects the fact that, at some stage, a webpage carrying a malicious applet was visited and the applet was cached locally. To clear such a detection, it is usually enough to purge the cache using the web browser's security or privacy settings.
Analysis by Oleg Petrovsky