Exploit:Java/CVE-2010-0094.BA

Exploit:Java/CVE-2010-0094.BA is the detection for malicious Java applet stored within a Java Archive (.JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including version 6 update 18. The vulnerability allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system, outside its "sandbox" environment.

 

The vulnerability exploits a flaw in the deserialization of "RMIConnectionImpl" objects, which allows remote attackers to call, without proper sandboxing, system level Java functions via the ClassLoader of a constructor that is being deserialized.

 

The vulnerability can be exploited by malware to gain access to a user's computer to download and install malicious programs. The malware installation may occur when a malicious Java applet is executed by a vulnerable JRE. This scenario can occur when a user visits a malicious webpage that hosts such an applet. Note that a number of legitimate websites could be compromised or unwillingly host a malicious applet through advertising frames which could redirect to or host a malicious Java applet.

This malware has been observed to download and execute arbitrary files. 

 

In the wild, Exploit:Java/CVE-2010-0094.BA has been observed to be distributed with other malware, such as Trojan:Java/Rowindal.D, contained inside a malicious JAR package. The exploit attempts to trigger the vulnerability and later executes another Java class, detected as Trojan:Java/Rowindal.D, to download and install malware into the affected computer. Both Java classes are obfuscated.

The vulnerability is described in CVE-2010-0094 and affects Java Runtime Environment (JRE) version 6 update 18. It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. It does not necessarily mean that the computer is compromised. Most of the time it reflects the fact that at some stage a webpage with a malicious applet had been visited and cached internally. It is often enough to purge the cache using the web browser's configurable security options to remove the malware.