Piecing the malware puzzle – Exploring a spike in exploit activity

by Guest Post on March 21, 2012

In this post, we explore a telemetry spike in Java/OpenConnection and CVE-2011-3544 exploit activity.

While reviewing user feedback from the Microsoft Malware Protection Center recently, we noticed an unprecedented amount of feedback on one particular Java/OpenConnection variant — TrojanDownloader:Java/OpenConnection.PK. Such interest in this type of Java applet-based exploit is quite unusual, and prompted us to investigate further.

A signature for this threat was introduced on February 22, 2012, and reached 7.5k reports on the first day. In the following days, the daily report volume fluctuated between 5k and 7.8k reports a day (a peak of this size is unusual for this kind of threat, and not something we expect to see often), until on 28th February the volume started to subside, dropped below 5k, and plateaued at around 2.5k reports a day, as shown in the figure below:

Figure 1 – daily report volume of Java/OpenConnection.PK

Looking at the most prevalent reported samples of TrojanDownloader:Java/OpenConnection.PK, we see that there is no clear leader in the per-sample volume distribution. A single sample standing well above the long tail of the distribution may point to a file of interest; in this case, however, the top-range numbers were quite flat and not skewed in any way, as shown in the graph below:

Figure 2 – top 10 Java/OpenConnection.PK samples (chart title: Top 10 samples)

Closer examination confirmed all of the top reported files to be malware, detected legitimately.
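The two checks described above (did the daily volume spike and then settle at a lower plateau, and is the top-sample distribution flat or dominated by one file) can be scripted over telemetry counts. The following is an added example, not MMPC code; the daily counts and sample names are constructed to mirror the shape of the numbers in this post, and the 5k "support" level and 1.5 skew threshold are assumed values.

```python
from statistics import mean

# Constructed daily report counts shaped like Figure 1 (not real telemetry).
DAILY_REPORTS = [7500, 7800, 6900, 5400, 6200, 5100, 3900, 2700, 2500, 2400, 2600]

# Constructed top-10 per-sample counts; names are placeholders, not real hashes.
TOP_SAMPLES = {
    f"sample_{i:02d}": n
    for i, n in enumerate([420, 410, 405, 398, 390, 388, 381, 377, 370, 365], 1)
}


def find_plateau(counts, support, window=3):
    """Index of the first day from which `window` consecutive days stay below `support`,
    or None if the volume never settles below that level."""
    for i in range(len(counts) - window + 1):
        if all(c < support for c in counts[i:i + window]):
            return i
    return None


def top_sample_skew(sample_counts, n=10):
    """Ratio of the leading sample's count to the mean of the top-n counts.
    Close to 1.0 means a flat distribution; a value well above 1 means one
    file dominates and deserves a closer look."""
    top = sorted(sample_counts.values(), reverse=True)[:n]
    return top[0] / mean(top)


def triage(daily, samples, support=5000, leader_threshold=1.5):
    """Summarise a detection's first days the way the post does: peak volume,
    the day the volume breaks below `support` for good, the plateau level,
    and whether any single sample stands out from the rest."""
    plateau_start = find_plateau(daily, support)
    plateau = daily[plateau_start:] if plateau_start is not None else []
    skew = top_sample_skew(samples)
    return {
        "peak": max(daily),
        "plateau_day": plateau_start,
        "plateau_mean": round(mean(plateau)) if plateau else None,
        "skew": round(skew, 3),
        "has_leader": skew > leader_threshold,
    }


if __name__ == "__main__":
    print(triage(DAILY_REPORTS, TOP_SAMPLES))
```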

The detected TrojanDownloader:Java/OpenConnection.PK class file contains mangled strings and variable names, which suggests that its code was generated by a machine or passed through an obfuscation tool. In other words, it could be the product of one of the Java exploit toolkits, of an obfuscation tool, or of both.

Some of the most prevalent toolkits around today are Blackhole and Phoenix. This particular threat, however, does not seem to be associated with either Blackhole or Phoenix, indicating that another, less widely used exploit kit was possibly involved. It is a reminder that there are exploit kits out there that, while not as popular, are still causing users a considerable amount of pain.

What we know is that, currently, most of the popular web malware exploit kits attack the Java Runtime Environment vulnerabilities described in CVE-2010-0094, CVE-2010-0840 and CVE-2011-3544 (among other techniques), all of which fall under our Java/OpenConnection family detections.

When new updates to exploit kits are released, it’s not uncommon to see a spike in the exploits used for malicious purposes. This is just one of the many things we watch for while monitoring our detections.

These particular Java exploits are patched, but if a Java user does not update a vulnerable version, or does not remove older versions of Java, they can still be exploited by these attacks. As such, we recommend that you update your version of Java and remove older versions to thwart such attacks.

–Oleg Petrovsky & Jasmine Sesso


Microsoft Malware Protection Center
