Exploit:Java/CVE-2010-0840.CJ

Installation

Exploit:Java/CVE-2010-0840.CJ is an obfuscated Java applet trojan 4101 bytes in size. The applet is referenced by the name "lang" and is distributed as a part of a Java archive (.jar) package 4353 bytes in size. The applet class file heavily uses concatenate and reverse statements on printable strings normally visible inside the binary file in an attempt to obfuscate and thwart detection of the applet. In the wild, we have observed the package being detected with names related to the Internet Explorer cache files, however, the name is irrelevant for the trojan's functionality and may vary. The package also contains the following Java class files:

When executed, the trojan attempts to exploit a vulnerability described in CVE-2010-0840 to gain the user's account security privileges on the targeted computer. The vulnerability affects Java Runtime Environment (JRE) up to version 6 update 18.

If successful, the trojan downloads, writes and executes an arbitrary file, stored within the Windows 'temp' folder with a generated name such as '<random numbers>.exe'. The arbitrary file is referred by a URL string stored in a parameter "pid", which is specified inside the referencing the applet HTML file. The downloaded file is executed under the user's security context. The applet consists of the following member functions:

• lang
• start

When the applet is opened within a browser, an applet's "constructor" a member function lang is executed first attempting to exploit the vulnerability. If the exploit is successful, the 'start' function facilitates the downloading and execution of an arbitrary file by calling InputStream.read FileOutputStream.write methods in successions. The file is executed by invoking Runtime.execfunction.

Additional information