Malware Exploits Java Plugin Vulnerability

Introduction

I am very paranoid when it comes to browsing and computer use. Since I use my laptop a lot for online banking and other important accounts, I need to ensure that I don’t have any viruses, spyware or malware in my system. So I take the following precautions to keep my laptop safe:

  • I bought a genuine copy of Windows 7 professional edition and I have put the system on full auto update mode. This means that whenever Microsoft patches a security vulnerability, my system automatically downloads and installs it.
  • I have Microsoft Security Essentials anti-virus installed on my system. The virus definitions are also auto updated and hence my system is protected against all the nasty viruses that are newly released into the wild. Microsoft Security Essentials is so good that I think there is no future for paid anti-virus software.
  • I don’t download anything from suspicious web sites. When I need to download something to try it out, I usually do that on a separate Windows virtual machine running on Virtualbox which I can discard later.
  • Even when I download an executable from trusted sites, I always scan the executable using Microsoft Security Essentials to ensure that no compromised executable is run on the system.
  • I have the auto play/auto run in Windows 7 disabled for all disks including pen drives. This saves me accidental execution of viruses from infected pen drives.
  • I have enabled User Account Control (Located in Control Panel => User Accounts => Change User Account Control Settings) in Windows 7 and configured it to always notify me whenever programs try to make a change to the system or if any windows settings are changed. This again prevents accidental execution of viruses.
  • I use Google Chrome for all browsing needs. Chrome seems to be the safest browser and was the first browser to adopt silent auto updates keeping the browser secure.
  • I run a "full virus scan" every week using Microsoft Security Essentials. This has been a lifesaver many times in the past!

All these precautions kept me free of viruses till last week when I got hit by the nasty Simda.A virus. Simda.A virus is a Trojan which provides backdoor access to the infected system. It also steals passwords and other system information. Usually in order to infect a system, the user of the system should run an infected executable. However I was very certain that I hadn’t run a suspicious executable file.

Viruses Exploiting Java Plugin Vulnerability

Last week I was browsing websites using Chrome browser and I noticed a large rectangular advertisement in the bottom right of the browser window. The reason why I noticed this was because the ads were appearing on sites which historically had no advertisements. Also identical ads were appearing in almost all websites I accessed except for a few such as google.com. The browser status bar indicated that the ad was being served from the ib.adnxs.com domain. A quick search on Google indicated that this could be due to a virus.

I immediately ran a full virus scan using Microsoft Security Essentials. It found infection of the dangerous Simda.A virus (see screenshot below). The first entry in the list is about an Adware named OpenCandy bundled with Mirc and Free Download Manager. It is not as nasty as Simda.A, but it is better to stay away from Mirc and Free Download Manager.

Simda.A in Java Applet

What caught my attention was the infected file for Simda.A which is a downloaded applet stored in Java’s temporary cache. Java applets run in a sandbox and hence have no ability to alter the system. But somehow this applet was able to bypass the sandbox and had altered my system and my browser behavior. The only way it can do that is by exploiting vulnerabilities in the Java browser plugin.

This seemed surprising to me since I was using Chrome browser which keeps itself auto updated and hence the chances of a known vulnerability in the browser are extremely low. Then I realized that auto update may not be enabled for the Java plugin itself!

In Chrome it is possible to see all the installed plugins from Settings => Show Advanced Settings => Privacy(Content Settings) => Disable individual plug-ins. In my case, Chrome indicated that I have a vulnerable Java plugin installed (6.0.260.3) and Chrome even gave an option to update the plugin!

Disabling Plugins in Chrome

I think Google should modify Chrome to show this warning during browser startup or at least there should be an option to display this warning in the browser window itself.

I installed the critical update and noted that all the other plugins were up to date. I also changed the plugin execution property from "automatically run" to "click to play". This ensures that the Java plugin would be run only after explicit approval and hence I can deny Java applet execution when I visit "suspicious" websites.

Hosts File Attack (Pharming Attack)

This is how my machine was infected with the ad generating malware:

  • I accessed a Web site which had a malicious Java applet hosted
  • The Java applet used the compromised Java plugin to bypass the sandbox
  • Applet made changes to the system so that ads are delivered in my browser whenever I accessed a Website

I was wondering what changes were made by the virus. Initially I thought the virus had changed the Chrome executable, however the advertisements were appearing even when I used Mozilla Firefox! Another interesting thing I noticed was that ads were NOT shown in ALL websites.

Then I looked at how the ads were delivered on the browser using the Firebug Firefox plugin. To my utter surprise the nasty ads were rendered by JavaScript files hosted on www.google-analytics.com! Immediately I guessed that my hosts file was modified by the Virus.

Whenever we access a website using its domain name, it is translated into an IP address using the DNS system. Using the "hosts" file you can override the DNS system, thereby pointing a domain name to another IP address of your choice. So in this case, the virus modified the "hosts" file to point www.google-analytics.com to an IP address which served malicious JavaScript files.

On Windows systems, the hosts file is usually located in C:\Windows\System32\drivers\etc folder. I got another surprise when I found that the hosts file was missing in this folder. The file was marked as hidden and I had to enable "show protected system files" and "show hidden files" options in Windows explorer to access the file. When I initially opened the hosts file in notepad, I couldn’t find any overriding lines in it. Then I noticed a scrollbar on the notepad and realized that the virus had created a lot of newlines before adding the additional entries! This way someone who casually inspects hosts file won’t realize the domain hijacking! The following entries were added by the virus in the hosts file,

69.10.57.36 www.google-analytics.com.
69.10.57.36 ad-emea.doubleclick.net.
69.10.57.36 www.statcounter.com.
108.163.215.51 www.google-analytics.com.
108.163.215.51 ad-emea.doubleclick.net.
108.163.215.51 www.statcounter.com.

By hijacking the domain mapping, the virus effectively hijacked all the websites which used tracking code from Google Analytics, DoubleClick or StatCounter! This also explained why ads were not shown in some of the sites I accessed. It is a really cunning modus operandi:

  • User accesses a Website which uses Google Analytics, DoubleClick or StatCounter for visitor tracking
  • Since hosts file was modified, the requests to tracking JavaScript files went to malicious IP addresses
  • The modified JavaScript files loaded popup ads on the browser
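As an added example (not code from the original post), the following Python script audits a hosts file the way a defender would after reading the above: it parses every entry, reports any name mapped to a routable address rather than a loopback sinkhole, and flags the blank-line padding trick. The sample file is constructed here; it reuses the entries quoted in the post plus a benign sinkhole line.

```python
import ipaddress

# Constructed sample hosts file: reproduces the entries quoted in the article,
# preceded by a long run of blank lines that pushes them below the visible
# area of a text editor, exactly as described above.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1 localhost\n"
    "127.0.0.1 streamride.net ui.streamride.net   # benign ad-server sinkhole\n"
    + "\n" * 200
    + "69.10.57.36 www.google-analytics.com.\n"
    "69.10.57.36 ad-emea.doubleclick.net.\n"
    "108.163.215.51 www.statcounter.com.\n"
)

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each entry; skip comments and blanks."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        fields = body.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not an entry
        yield line_no, fields[0], fields[1:]

def longest_blank_run(text):
    """Length of the longest run of consecutive blank lines."""
    best = run = 0
    for raw in text.splitlines():
        run = run + 1 if not raw.strip() else 0
        best = max(best, run)
    return best

def audit_hosts(text, padding_threshold=20):
    """Return (line_no, detail) findings. Loopback/unspecified targets are the
    normal ad-blocking idiom and are ignored; a routable target is the pharming
    pattern, since traffic for that name goes wherever the entry says."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        kind = "private" if addr.is_private else "public"
        for name in names:
            findings.append((line_no, f"{name.rstrip('.')} -> {ip} ({kind} address)"))
    padding = longest_blank_run(text)
    if padding >= padding_threshold:
        findings.append((0, f"{padding} consecutive blank lines hide later entries"))
    return findings

if __name__ == "__main__":
    for line_no, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no or '-'}: {detail}")
```

To check a real machine, read C:\Windows\System32\drivers\etc\hosts into `audit_hosts` instead of the sample; note that the file may be hidden, as the post describes.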

I removed the spurious entries from the hosts file and tried to save it, but couldn’t save it because the file was marked as read only. When I tried to change the read only attribute, I got an access denied error. The virus was cunning enough to hide the hosts file, change it to a read only file and then remove permissions from all accounts! So restoring the hosts file required the following steps:

  • Login as administrator and then change the permissions of the file
  • Uncheck the hidden and read only attributes
  • Remove the nasty domain mapping lines and save the file

Conclusion

I now realize that it is very important to keep browser plugins (Java, Flash etc.) up to date. Better still, you should change all the plugins to "click to run", so that you can explicitly run plugins when you are comfortable running them on the Web page you are accessing.

The Afterword – Asianet ISP Acting Like a Virus?

While I was writing this article, I came across reports from people that they are seeing ads even when their computer was virus free. The hosts file was intact and none of the anti-viruses showed any infection. It turns out that the ads were served by the ISP (Asianet Dataline) by modifying the original content served by the Web server. They inject JavaScript into the page being rendered. This is very nasty as the JavaScript has complete access to your data such as your banking account. It also interferes with your browsing experience as even sites which have no ads will suddenly display ads.

Suppose you call your friend over the phone and someone at the exchange snoops into your conversation and then talks to you in your friend’s voice? What Asianet is doing is very similar and should be illegal.

Asianet broadband JavaScript injection would probably qualify as some kind of man-in-the-middle attack and I recommend you stay away from their service. Unfortunately India is yet to have an explicit law on "net neutrality" and until then things like this are an unethical but legally untested practice. I hope someone goes to court soon to set a legal precedent on this in favor of net neutrality.

A temporary solution against Asianet ad injection is to modify the hosts file itself! Add the following line to your hosts file so that all requests to the ad server go nowhere:

127.0.0.1 streamride.net ui.streamride.net

Best solution would be to cancel your Asianet broadband account and switch to an alternate provider.

June 8, 2012 | Posted in Technology Tips 3 Comments » | By Jayson Joseph

3 Comments to “Malware Exploits Java Plugin Vulnerability”

  1. Szymon Wojcik Says:

    I got the same symptoms but Microsoft Security Essentials reports the worm as Exploit:JS/Blacole.HA and Exploit:Java/CVE-2012-0507.CG/
    Hosts file replacement (xcopy /m /h /r /o hosts.bak hosts in an elevated command prompt) solved the issue.

  2. Erik Bax Says:

    Thanks Jayson, after 4 days of wrestling with this unexpected infection (paid anti-virus, fully updated Windows 7) I finally found your article and it did the trick.

    I have a few questions though:

    1/ my Java was up to date. Could the freshly installed JavaFX… have been the bearer of the infection for me? Because I was truly amazed I had a virus after (as it happened) only a week ago I did a clean recovery (complete reinstall) of my PC. Anti-virus installed and up-to-date. Windows 7 fully updated. Then had to update JavaFX… (Java prompted me for this). And now, looking back in informed hindsight, I remember after that I suddenly noticed 4 mysterious ‘CVE-1889’ programs appearing in my Installed Programs list. Thought nothing much of them and just deleted them. But about that time the annoying lower-right-corner pop-up ads began to appear. Spent days surfing to find a cleaning solution. To no avail. My AV program found nothing … until yesterday (delayed virus definitions probably). Cleaned it but the pop-ups remained. Then stumbled upon your article. Cleared the hosts file etc.

    Arrogant bastards, by the way: boldly referring to CVE-2012-1889 exploit, probably!

    2/ how am I to set the standard security privileges for the hosts file? Because I noticed that besides the -r, +h, +s, +a settings, access was denied (of course) through letting only Privileged Users read it. So I allowed Administrators full control and could thus edit the file etc. etc. Now: should I delete the Privileged Users and for instance grant SYSTEM full control or Administrators or ???

    I want to do this just to be sure: could there be a hidden user created by the virus (still) which is a member of Privileged Users? How can I see who the members of that group are?

    Erik Bax
    Netherlands

  3. Cuba Says:

    Wow, thanks for the explanation.
    I had solved the problem after many hours of investigation by putting into my hosts file this line:
    127.0.0.1 google-analytics.com
    But it was driving me crazy thinking I had a virus that Security Essentials and Malwarebytes were not finding. You have set my mind at ease.
    I did not even realize those six lines were there way down at the bottom of the file.
