Exploit:Java/CVE-2012-0507.B

Exploit:Java/CVE-2012-0507.B is the detection for a malicious Java applet stored within a Java archive (.JAR) that attempts to exploit a vulnerability in the Java Runtime Environment (JRE) up to and including versions 7 update 2, versions 6 update 30 and versions 5 update 33. The vulnerability is described in CVE-2012-0507.

The vulnerability exploits a flaw in the deserialization of "AtomicReferenceArray" objects, which allows remote attackers to call system level Java functions via the ClassLoader of a constructor that is being deserialized without proper sandboxing.

Installation

The attacker may host a malicious script on a website. If a user visits the site, the script loads the Java applet.

The malicious Java package may contain the following malicious Java class files:

• Test.class - Exploit:Java/CVE-2012-0507.A
• Help.class - Exploit:Java/CVE-2012-0507.B

Payload

Downloads other malware

The file "Test.class" triggers the vulnerability. It then calls the function "doWork()" inside the file "Help.class" to act as class loader.

The loader class creates another class file at runtime and loads it with elevated privileges. This class, which is detected as TrojanDownloader:Java/Rexec.G, downloads malware from a certain server and executes it as "%Temp%\mor.exe". The downloaded file is a variant of Win32/Zbot.

In the wild, we have observed this malware downloading files from the server "freshnewstoday.org".

Analysis by Rex Plantado