My folks used to work with Java code; for many different reasons we often prefer Java rather than other languages, and knowing Java vulnerabilities certainly helps developers do their job. Blackhole is like most other malware: it spreads over an iframe and executes a downloaded payload. The ESET Threat Blog, in this post, explains its execution in a colloquial but pretty complete way, a good read. But what is interesting about this malware (at least for me) is the brand new vulnerability it uses: CVE-2012-0507. CVE-2012-0507 describes an interesting vulnerability found in the Java AtomicReferenceArray class implementation, which wasn't checking properly whether the array was of an appropriate Object type. A malicious Java applet could use this flaw to bypass Java sandbox restrictions and execute malicious code outside the sandbox.
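As an added illustration (not code from this post or from the JDK), the hypothetical holder class below is modelled on the shape of the vulnerable field and shows the check the fix introduced: inspect the runtime class of the array actually read from the stream instead of trusting its declared type, and normalise any subtype array into a plain Object[]. The class name CheckedRefArray and its methods are assumptions made for the example.

```java
import java.io.*;
import java.util.Arrays;

// Hypothetical holder (not JDK code) with a single Object[] field restored
// from a serialized stream, like the field layout of AtomicReferenceArray.
public class CheckedRefArray implements Serializable {
    private static final long serialVersionUID = 1L;
    private Object[] array;

    public CheckedRefArray(Object[] array) { this.array = array; }

    // Exposes the runtime class of the wrapped array for inspection.
    public Class<?> runtimeArrayClass() { return array.getClass(); }

    // The weak behaviour trusted the declared type Object[]: a covariant
    // subtype array such as String[] is assignable and passes unchanged.
    // Hardened pattern: reject non-reference arrays, and copy anything that
    // is not exactly Object[] into a fresh Object[] before storing it.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        ObjectInputStream.GetField fields = in.readFields();
        Object a = fields.get("array", null);
        if (!(a instanceof Object[]))
            throw new InvalidObjectException("array field is missing or not a reference array");
        Object[] src = (Object[]) a;
        if (src.getClass() != Object[].class)
            src = Arrays.copyOf(src, src.length, Object[].class);
        this.array = src;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a String[] is stored behind the Object[] field.
        CheckedRefArray original = new CheckedRefArray(new String[] {"x"});
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(original);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            CheckedRefArray restored = (CheckedRefArray) in.readObject();
            // Before: String[]; after deserialization the field is exactly Object[].
            System.out.println("before: " + original.runtimeArrayClass().getSimpleName()
                + ", after: " + restored.runtimeArrayClass().getSimpleName());
        }
    }
}
```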
The Blackhole infection starts with a classic iframe like the following one:
David Harley did a great job of decompiling the Java code and describing its workflow. Basically the Java executable is built over 3 main functions:
- Init(). The malicious Java applet builds the AtomicReferenceArray object (the vulnerable one) for the execution of malicious Java code outside the sandbox.
- Work(). This method builds the code of a class which executes outside the sandbox.
- DownloadAndExec(). This function downloads a malicious executable file to %TEMP%dsh89gyu.exe and executes it; the file happens to be Win32/TrojanDownloader.Carberp.AH. In order to bypass detection by security software, the attackers changed the encryption algorithm and string obfuscation for the payload class executed outside the sandbox.
Java malware is becoming more and more widespread over the net day by day, on one hand because Java bugs are pretty common nowadays and on the other hand because Java is "platform independent", meaning that the attacker needs to write only one exploit overall and not one exploit for each targeted platform. I am very fascinated by Java exploitation, and I totally think that CVE-2012-0507 is a remarkable example to show while explaining Java vulnerabilities, and Blackhole a great example of Java malware.