An unpatched JRE 1.7/Java 7 zero-day vulnerability (CVE-2012-4681) was recently found to be exploited by a malicious. Successful exploitation leads to the download of a backdoor, in effect allowing remote malicious users to execute their desired commands on the vulnerable system. The zero-day exploit successfully runs in all versions of Internet Explorer, Firefox and Opera. According to testing done by Metasploit, the vulnerability also runs on Google Chrome and Safari.

Technical Analysis of the Exploit and Payload

The affected vulnerability is related to the new Java 7 .ClassFinder that allows the class to load, modify and execute the malicious code. This threat is composed of an HTML page with malicious JavaScript (index.html, detected as JS_FIEROPS.A), a Java applet (applet.java, detected as JAVA_GONDY.A), and the malicious binary (FLASH_UPDATE.exe, detected as BKDR_POISON.BLW).

Users may encounter this threat by visiting a site, one of which is which results in the downloading and loading of the malicious Java applet (JAVA_GONDY.A). Based on our analysis of the index.html code, the script was heavily obfuscated and encrypted using Dadong's JSXX 0.44 VIP. Decompiling this script, we were able to get hold of the parameters being passed to the malicious Java applet. It then passes some parameters, which are then used to download BKDR_POISON.BLW. Below is the screenshot that shows the parameters passed to the in order to download and execute the malicious binary FLASH_UPDATE.exe.

When we examined the Java applet, we also noticed the following classes:

cve2012xxxx/Gondzz.class – contains the main code and the code that exploits Java 7 by using the .ClassFinder class.
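As an added example (not part of the original analysis), a small Python triage helper that extracts the parameters a page hands to a Java applet and flags the ones that look like a download-and-execute stage, the pattern described above for FLASH_UPDATE.exe. The sample HTML, the parameter names and the URL are constructed; only the file names come from the write-up.

```python
"""Triage helper for the applet drive-by described above: pull the <param>
values handed to the Java applet out of a de-obfuscated HTML page and flag
the ones that look like a download-and-execute stage (URL or .exe name).
Added example, not the original analysis; names/URL below are constructed."""
import re
from html.parser import HTMLParser

# Constructed sample embed; only the file names come from the analysis above.
SAMPLE_HTML = """
<applet archive="applet.jar" code="cve2012xxxx.Gondzz.class" width="1" height="1">
  <param name="u" value="http://malicious.example/FLASH_UPDATE.exe">
  <param name="f" value="FLASH_UPDATE.exe">
</applet>
"""
# Values worth a second look: remote URLs or Windows executables.
SUSPICIOUS_VALUE = re.compile(r"(https?://|\.exe$)", re.IGNORECASE)


class AppletParamParser(HTMLParser):
    # Collects <applet>/<object> embeds together with their nested <param>s.
    def __init__(self):
        super().__init__()
        self.embeds = []      # each: {"code": str, "archive": str, "params": dict}
        self._current = None  # embed currently being filled

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("applet", "object"):
            self._current = {"code": a.get("code", ""),
                             "archive": a.get("archive", ""), "params": {}}
            self.embeds.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "")] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag in ("applet", "object"):
            self._current = None


def extract_applet_params(html):
    """Return the embeds (class, archive, param dict) found in the HTML."""
    parser = AppletParamParser()
    parser.feed(html)
    return parser.embeds


def flag_embeds(embeds):
    """Return (applet class, param name, value) for every suspicious param."""
    return [(e["code"], name, value)
            for e in embeds for name, value in e["params"].items()
            if SUSPICIOUS_VALUE.search(value)]
```

Run it over the de-obfuscated output of the loader script rather than the raw page; the parameters are only visible once the JSXX layer has been stripped.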