Archive for the ‘CVE-2011-3544’ Category

Economies of scale: A perspective on cross-platform vulnerabilities

July 31st, 2012

A year ago, we published a blog post titled ‘Backdoor Olyx – is it malware on a mission for Mac?’. It explored the intriguing questions that lay behind this backdoor’s discovery, delivery and targets. We provided our observations and analysis, and suggested that this threat was used in a targeted attack against unknown victims. However, we found no clue at that time as to ‘how’ the threat was installed on its targets – an important missing piece that we have continued to investigate over time.

As shown in the timeline below, a succession of related threats can be identified that share the same suggested attack tactic – exploiting known vulnerabilities in software to install a backdoor on the target.

Upon closer inspection of this event, we observed that this malicious code may be delivered via the Web by exploiting Java vulnerabilities (referred to in CVE-2011-3544 and CVE-2012-0507). The second form of delivery we observed was via email attachment, where the malware distributors may attempt to take advantage of known Word document vulnerabilities (referred to in CVE-2010-3333) and the vulnerabilities resolved with the release of Microsoft Security Bulletin MS09-027. It is also important to point out that these vulnerabilities affect multiple platforms, and in this case, affect both Windows and Mac.

This observation is limited and based on the samples we identified, acquired and processed. However, it gives us an opportunity to recognize a trend we can describe as economies of scale in cross-platform vulnerabilities. This method of distribution allows the attacker to maximize their capability on multiple platforms. Thus, regardless of a particular attacker’s motive, the value of and demand for these vulnerabilities are likely to persist – we know for a fact that the Java vulnerabilities CVE-2011-3544 and CVE-2012-0507 are widely used by cybercriminals in exploit kits such as Blacole/Blackhole.

If we look at this trend, then we start to notice that the following vulnerabilities in Java, Adobe PDF and Flash, and Microsoft Office documents, listed in the table below, may be used to target and attack multiple platforms. Note that these vulnerabilities have been patched; appropriate security updates for them have been released.

This highlights the importance of keeping security software up to date, and of ensuring that operating system and third-party security patches are installed soon after they become available, in order to reduce the risk of malware infection. This best practice should extend to all devices and platforms, especially those in large enterprise networks.

Methusela Cebrian Ferrer
MMPC Melbourne

Piecing the malware puzzle – Exploring a spike in exploit activity

March 20th, 2012

In this post, we explore a telemetry spike in Java/OpenConnection and CVE-2011-3544 exploit activity.

While reviewing user feedback from the Microsoft Malware Protection Center recently, we noticed an unprecedented amount of feedback on one particular Java/OpenConnection variant — TrojanDownloader:Java/OpenConnection.PK. Such interest in this type of Java applet-based exploit is quite unusual, and prompted us to investigate further.

A signature for this threat was introduced on February 22, 2012, and spiked to 7.5k reports on the first day. In the following days, the daily report volume fluctuated between 5k and 7.8k reports a day (a spike of this kind is not entirely expected for this type of threat, and such a peak is not very common), until on February 28th the volume started to subside and broke through 5k support, plateauing around 2.5k reports a day, as shown in the figure below:

Figure 1 – daily report volume of Java/OpenConnection.PK

Looking at the most prevalent reported samples of TrojanDownloader:Java/OpenConnection.PK, we see that there is no clear leader in the per-sample volume distribution. A long-tail spike in the distribution may point to a file of interest; however, in this case, the top-range numbers were quite flat and did not appear skewed in any way, as shown in the graph below:

Figure 2 – top 10 Java/OpenConnection.PK samples (chart titled ‘Top 10 samples’)

Closer examination confirmed that all of the top reported files were malware and that the detections were legitimate.
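The per-sample check described above (is there a long-tail leader, or is the top range flat?) can be reduced to a couple of numbers. The following is an added example, not code from the MMPC post: it takes per-sample report counts, computes the leader's share of the top-10 volume and its ratio to the median of the remaining samples, and flags a file of interest when that ratio crosses a threshold. The counts and the 3x threshold are constructed assumptions, not MMPC telemetry or policy.

```python
"""Added example (not from the MMPC post): judge whether one sample dominates
the per-sample report volume or whether the top range is flat. Counts are
constructed; the threshold is an assumption to tune against real telemetry."""

from statistics import median

# Constructed telemetry: sample identifier -> number of reports in the period.
FLAT_TOP10 = {f"sample-{i:02d}": n for i, n in enumerate(
    [412, 398, 391, 377, 365, 360, 352, 341, 338, 330], start=1)}
SKEWED_TOP10 = {f"sample-{i:02d}": n for i, n in enumerate(
    [4100, 420, 395, 380, 371, 360, 352, 341, 338, 330], start=1)}

# Assumed threshold: a leader reported at least 3x the median of the other
# top samples is treated as a long-tail spike worth a closer look.
LEADER_RATIO_THRESHOLD = 3.0


def top_samples(reports, n=10):
    """Return the n most-reported samples as (sample, count) pairs, descending."""
    return sorted(reports.items(), key=lambda kv: kv[1], reverse=True)[:n]


def analyze_distribution(reports, n=10, threshold=LEADER_RATIO_THRESHOLD):
    """Summarize how skewed the top-n per-sample volume is.

    leader_ratio = leader's count / median count of the remaining top samples
    top_share    = leader's count / total reports across the top n
    """
    top = top_samples(reports, n)
    if len(top) < 2:
        raise ValueError("need at least two samples to compare")
    leader, leader_count = top[0]
    rest = [count for _, count in top[1:]]
    ratio = leader_count / median(rest)
    return {
        "leader": leader,
        "leader_ratio": ratio,
        "top_share": leader_count / sum(count for _, count in top),
        "file_of_interest": ratio >= threshold,
    }


if __name__ == "__main__":
    for name, data in (("flat", FLAT_TOP10), ("skewed", SKEWED_TOP10)):
        summary = analyze_distribution(data)
        print(f"{name:7s} leader={summary['leader']} "
              f"ratio={summary['leader_ratio']:.2f} "
              f"share={summary['top_share']:.2%} "
              f"flag={summary['file_of_interest']}")
```

On the flat set the leader is reported only about 1.1x the median of the rest and holds roughly 11% of the top-10 volume, which matches the picture in Figure 2; on the skewed set the same two numbers jump to about 11x and 55%, the shape that would justify pulling that one file for analysis first.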

The detected TrojanDownloader:Java/OpenConnection.PK class file contains mangled strings and variable names, which suggests that its code was generated by a machine or an obfuscation tool. In other words, it could be a product of one of the Java exploit toolkits, an obfuscation tool, or both.

Some of the most prevalent toolkits around today are Blackhole and Phoenix. This particular threat, however, does not seem to be associated with either Blackhole or Phoenix, indicating that another (less-utilized) exploit kit was possibly used. It is a reminder that there are exploit kits out there that, while not as popular, are still causing users a considerable amount of pain.

What we know is that currently, most of the popular web malware exploit kits attack the Java Runtime Environment vulnerabilities described in CVE-2010-0094, CVE-2010-0840 and CVE-2011-3544 (among other techniques), which fall under our Java/OpenConnection family detections.

When new updates to exploit kits are released, it’s not uncommon to see a spike in the exploits used for malicious purposes. This is just one of the many things we watch for while monitoring our detections.

These particular Java exploits are patched, but if a Java user does not update a vulnerable version, or does not remove older versions of Java, they can still be exploited by these attacks. As such, we recommend that you update your version of Java and remove older versions to thwart such attacks.
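The recommendation above hinges on knowing which runtimes are actually installed side by side, since an old install left behind is what the exploit kits reach. The following is an added example, not code from the MMPC post: it parses the first line of `java -version` output (the `java version "1.6.0_29"` banner) from several installs into a family and update number, and reports which fall below a patch baseline. The banners are constructed, and the baseline values are an assumption to be replaced with the update numbers from the vendor advisory for the CVE being audited.

```python
"""Added example (not from the MMPC post): classify installed Java runtimes
as patched or stale from their `java -version` banners. Banners are
constructed; the patch baseline is an assumed placeholder."""

import re

# First line of `java -version` output, e.g. java version "1.6.0_29".
BANNER_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

# Assumed patch baseline: family -> first update number that carries the fix.
# Placeholder values; take the real ones from the vendor advisory for the CVE
# you are auditing against.
PATCH_BASELINE = {6: 29, 7: 1}


def parse_java_version(banner):
    """Return (family, update) from a version banner, or None if it isn't one.

    "1.6.0_29" -> (6, 29); "1.7.0_01" -> (7, 1); "1.5.0_22" -> (5, 22).
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    # Pre-9 Java reports "1.<family>.0_<update>"; later releases lead with the family.
    family = int(minor) if major == "1" else int(major)
    return family, int(update or 0)


def is_patched(banner, baseline=PATCH_BASELINE):
    """True if the runtime is at or above the baseline for its family,
    False if below it (or older than any tracked family), None if unparseable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    if family in baseline:
        return update >= baseline[family]
    # Family not tracked: newer than anything in the baseline is assumed
    # patched, older is assumed vulnerable.
    return family > max(baseline)


def audit(banners, baseline=PATCH_BASELINE):
    """Split a list of banners into patched, stale and unrecognised entries."""
    result = {"patched": [], "stale": [], "unknown": []}
    for b in banners:
        status = is_patched(b, baseline)
        key = "unknown" if status is None else ("patched" if status else "stale")
        result[key].append(b)
    return result


# Constructed banners standing in for several side-by-side installs; the last
# line is the runtime line that follows the banner and is deliberately not parsed.
INSTALLED = [
    'java version "1.6.0_20"',
    'java version "1.6.0_29"',
    'java version "1.7.0_01"',
    'java version "1.5.0_22"',
    'OpenJDK Runtime Environment (build 1.6.0_24-b24)',
]

if __name__ == "__main__":
    report = audit(INSTALLED)
    for key in ("stale", "patched", "unknown"):
        for b in report[key]:
            print(f"{key:8s} {b}")
```

In use, you would feed it the banner from each `java` binary found on a host (every install directory, not just the one on the PATH), and the `stale` list is the set of runtimes to remove or update; anything in `unknown` needs a manual look rather than being silently treated as safe.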

–Oleg Petrovsky & Jasmine Sesso