Exploit:Java/CVE-2010-0094.BI

Exploit:Java/CVE-2010-0094.BI is a variant of the Exploit:Java/CVE-2010-0094 family - a family of malicious Java applets that exploit a vulnerability in the Java Runtime Environment (JRE) up to and including version 6, update 18 (described in CVE-2010-0094).

The unsigned Java applet, detected as Exploit:Java/CVE-2010-0094.BI, will attempt to trigger the CVE-2010-0094 vulnerability and run its downloader class with elevated privileges, detected as Trojan:Java/Rowindal.D, to download and run malware on your computer.

The Java class is obfuscated, a technique used to make reverse engineering and analysis more difficult.

For an explanation of signed and unsigned Java applets, Java classes and elevated privileges, please see the Additional information section in this entry.

Installation

In the wild, Exploit:Java/CVE-2010-0094.BI is part of an unsigned Java applet, which also contains Java classes for downloading and running files. The applet exploits the CVE-2010-0094 vulnerability in Java to run the downloader class with elevated privileges, which is detected as Trojan:Java/Rowindal.D.

The Java applet may arrive on your computer when you visit a malicious webpage that hosts the applet. Note, however, that a number of legitimate websites could be compromised or unwillingly host a malicious applet through advertising frames which themselves could redirect to or host a malicious Java applet.

Payload

Downloads arbitrary files

When the downloader class runs, detected as Trojan:Java/Rowindal.D, it attempts to download and run other files. See the encyclopedia entry on Trojan:Java/Rowindal.D for more information.

Additional information

A Java applet is a stand-alone program that has been written in the Java programming language. Java applets can run on any computer that has the JRE installed.

Java applets are either "signed" or "unsigned" and are comprised of "classes".

Java classes are the files within an applet that perform the applet's various functions. One such class is a "downloader class", which downloads files or information, depending on how it has been told to do so. Another is an "executable class", which runs or opens files.

A signed Java applet contains a signature that is verified by a remote, independent certificate authority server.
Unsigned applets do not have these signatures, so there is no authority check made to determine their authenticity or safety.

Because of this, unsigned applets usually have limited access to your computer's processes and resources, as their provenance cannot be fully identified.

However, the CVE-2010-0094 vulnerability in Java allows malicious unsigned Java applets to gain a higher level of access than they are otherwise entitled to, known as "elevated privileges".

Malware can exploit this vulnerability by using an unsigned Java applet to gain access to your computer to download and install malicious programs.

Vulnerabilities in the JRE are rectified through the application of patches from the Java website.

Therefore, the best way to protect your computer from all Java vulnerabilities is to ensure that your version of Java is up-to-date. See the Java updates page for links to download the latest version for your operating system.

Related encyclopedia entries

Exploit:Java/CVE-2010-0094

Trojan:Java/Rowindal.D

Analysis by Jonathan San Jose