TrojanDownloader:Java/OpenConnection.HB

TrojanDownloader:Java/OpenConnection.HB is a Java based malware that exploits a vulnerability discussed in CVE-2010-0094. The vulnerability affects Java Runtime Environment (JRE) up to version 6 release 18 inclusive, and makes it possible for untrusted code to gain browser security privileges under the user's account.

The vulnerability makes use of the "get" method of "java.rmi.MarshalledObject", which de-serializes an object from an internal byte array. At the same time, the byte array can contain a previously serialized "ClassLoader" which, after its full de-serialization by the "get" method of "java.rmi.MarshalledObject", becomes fully trusted and can load other classes and methods at the user's security context level outside the sandbox.

Installation

TrojanDownloader:Java/OpenConnection.HB is implemented as a Java applet "aefe.class" inside a JAR (Java Archive) package. The JAR package is 24,013 bytes size, and contains Java classes used by the Java applet. The applet creates an RMIConnectionImpl object with an obfuscated connection ID string which reads "okokokokhg".

The applet reads a parameter "game_id" which it expects to be specified in referencing the applet HTML file, and uses it as a location for a file to be downloaded and executed later. This information is passed to a separate class "a2ea.class", contained within the JRE package. The "a2ea.class" attempts to download and later execute a file from a remote location. The file is saved as "mstsc.exe" in the Internet Explorer cache folder, and is executed with elevated privileges.

Additional information

This malware is distributed in the form of a Java archive (.JAR) package. The JAR file consists of the following Java class files:

• WhatTheJava
• a2ea
• a3c1
• ab5a
• ab66
• ac60
• ac98
• aefe

Note: The class files are obfuscated with string variables which are never used in the code flow.

A number of legitimate websites could be compromised or unwillingly host a malicious applet through advertising frames which could redirect to or host a malicious Java applet. It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. It doesn’t necessarily mean that the system is compromised. Most of the time it reflects the fact that, at some stage, a webpage with a malicious applet had been visited and cached internally. To thwart such a notification it is often enough to purge the cache using a web browser's configurable security options.

Analysis by Oleg Petrovsky