Exploit:Java/CVE-2010-0094.BG is Java-based malware that exploits the vulnerability described in CVE-2010-0094. The vulnerability affects Java Runtime Environment (JRE) up to and including version 6 release 18, and makes it possible for untrusted code to obtain the user's security context privileges outside the sandbox.
The exploit relies on the "get" method of "java.rmi.MarshalledObject", which de-serializes an object from an internal byte array. That byte array can contain a previously serialized "ClassLoader" which, once fully de-serialized by the "get" method of "java.rmi.MarshalledObject", becomes fully trusted and can load further classes and methods at the user's security context level, outside the sandbox.
Exploit:Java/CVE-2010-0094.BG is implemented as a Java applet, "wrsvwwfsfwhazilh.class", inside a Java archive (JAR) package. The package is 17,265 bytes in size and also contains the other Java classes used by the applet. The applet creates an RMIConnectionImpl object with an obfuscated connection ID string, which reads "metasploit" when decrypted.
The trojan reads a parameter named "data", which is also decrypted before use. Exploit:Java/CVE-2010-0094.BG expects this parameter to be supplied by the HTML file that references the applet, and uses it as the location of a file to be downloaded and executed later. This information is passed to a separate class within the package, "d3bbd09724b6936399.class", which attempts to download the file from the remote location and later executes it by invoking "cjkyxlbrfrwaxbyc.class". The file is saved as "hjiuvfdolecrtezq.exe" in the Internet Explorer cache folder and is executed with elevated privileges.
This malware is in the form of a Java archive (.JAR) package and consists of the following Java class files with obfuscated names:
- "cjkyxlbrfrwaxbyc"
- "d3bbd09724b6936399"
- "pkwxgxnmtszfpfek"
- "wrsvwwfsfwhazilh"
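As an added example (not part of the original analysis), the following script shows one way a defender can triage a suspect JAR for this family: it walks the constant pool of each class file looking for references to the two classes the write-up names, "java.rmi.MarshalledObject" and "RMIConnectionImpl", and flags class names that look machine-generated. The obfuscated-name pattern, the constructed sample JAR and the class-file bytes built inside it are assumptions for the demonstration, not artifacts from the real sample.

```python
import io
import re
import struct
import zipfile

# Class-file constant-pool tags and entry sizes (JVM spec, section 4.4)
CP_UTF8, CP_CLASS = 1, 7
TWO_SLOT = {5, 6}  # CONSTANT_Long / CONSTANT_Double occupy two pool slots
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Classes this family relies on, in the JVM's internal (slash-separated) form
INDICATORS = {"java/rmi/MarshalledObject",
              "javax/management/remote/rmi/RMIConnectionImpl"}
# Assumed heuristic: 16-18 random lowercase/digit characters, as in the sample's class names
OBFUSCATED_NAME = re.compile(r"^[a-z0-9]{16,18}\.class$")

def utf8_constants(data):
    """Return all CONSTANT_Utf8 strings in one class file by walking its constant pool."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        return []
    count = struct.unpack(">H", data[8:10])[0]  # after magic, minor, major
    pos, index, out = 10, 1, []
    while index < count:
        tag = data[pos]
        if tag == CP_UTF8:
            length = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            out.append(data[pos + 3:pos + 3 + length].decode("utf-8", "replace"))
            pos += 3 + length
        elif tag in FIXED_SIZE:
            pos += 1 + FIXED_SIZE[tag]
        else:
            break  # unknown tag: stop rather than misparse the rest of the pool
        index += 2 if tag in TWO_SLOT else 1
    return out

def scan_jar(jar_bytes):
    """Flag class files that reference the indicator classes or carry obfuscated names."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            hits = INDICATORS & set(utf8_constants(jar.read(name)))
            if hits or OBFUSCATED_NAME.match(name):
                findings.append((name, sorted(hits)))
    return findings

def build_sample_jar():
    """Constructed sample JAR: a minimal class whose pool references MarshalledObject."""
    ref = b"java/rmi/MarshalledObject"
    pool = struct.pack(">BH", CP_UTF8, len(ref)) + ref + struct.pack(">BH", CP_CLASS, 1)
    suspect = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, 3) + pool
    benign = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, 1)  # empty pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("wrsvwwfsfwhazilh.class", suspect)
        jar.writestr("Helper.class", benign)
    return buf.getvalue()
```

Running scan_jar(build_sample_jar()) reports only the obfuscated class and the MarshalledObject reference it carries; a real JAR is scanned the same way by reading its bytes from disk.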
A number of legitimate websites could be compromised, or could unwittingly host a malicious applet through advertising frames that redirect to or serve a malicious Java applet. It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. This does not necessarily mean that the system is compromised; most of the time it reflects the fact that, at some stage, a web page with a malicious applet was visited and cached locally. To clear such a notification, it is often enough to purge the cache using the web browser's security options.
Analysis by Oleg Petrovsky