Java zero day exploitation analysis

A few days back, a Java zero-day was in the news. It made its way into Metasploit as well as into exploit kits such as Blackhole. Here is a quick analysis of how the attack surfaced and how it plays out. As in earlier attacks, the JavaScript in the HTML exploit page is heavily obfuscated. One thing worth noting is that loading the exploit page does not crash the browser. In earlier exploits we have seen the browser crash before code execution takes place; here, only the normal Java loading prompt appears during execution.

Java loading in the exploit page

The malicious Java applet is downloaded. If the system is not vulnerable or has been patched, the attack stops there. From the user's perspective, it is impossible to tell whether the attack succeeded. If the exploit succeeds, it downloads and executes a malicious binary, which then calls out to another domain or IP address, xxx.xxx.xxx.xxx

Captured request. Malicious files can be seen

Analysis of the executable reveals the full story behind the attack. The file details are as follows:

File: hi.exe Size: 16896

MD5: 4A55BF1448262BF71707EEF7FC168F7D

Executing this file has the following aftermath:

[+] It deletes the legitimate Portable Media Serial Number Service DLL, MsPMSNSv.dll, from C:\WINDOWS\System32

[+] It copies a malicious DLL with the same name, mspmsnsv.dll, into C:\WINDOWS\system32

[+] The “Portable Media Serial Number Service” (WmdmPmSN in the registry) is then found running, so the malicious DLL is loaded under cover of a legitimate Windows service.
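The three post-execution indicators above (the dropped hi.exe with its MD5 and size, the replaced MsPMSNSv.dll in System32, and the WmdmPmSN service running) are enough for a simple host triage. The script below is an added example written for this post, not code from the original analysis: it takes a file inventory produced by the analyst's own hashing step (path, MD5, size) plus the list of running services, and reports which of the post's indicators are present. The known-good MD5 of the legitimate MsPMSNSv.dll is not given in the post, so it is passed in by the caller as an assumption; the sample inventory at the bottom is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Indicators taken from the post above.
MALICIOUS_EXE_MD5 = "4a55bf1448262bf71707eef7fc168f7d"   # hi.exe
MALICIOUS_EXE_SIZE = 16896                               # hi.exe size
HIJACKED_DLL = "mspmsnsv.dll"                            # name of the replaced DLL
SERVICE_NAME = "WmdmPmSN"                                # service that loads it
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")       # PureWindowsPath compares case-insensitively


@dataclass
class FileEntry:
    """One row of a file inventory: full path, MD5 hex digest, size in bytes."""
    path: str
    md5: str
    size: int


def entry_from_bytes(path: str, data: bytes) -> FileEntry:
    """Build an inventory row from raw file contents (MD5 matches the post's IoC format)."""
    return FileEntry(path, hashlib.md5(data).hexdigest(), len(data))


def audit(entries: Iterable[FileEntry],
          known_good_dll_md5: Optional[str] = None,
          running_services: Iterable[str] = ()) -> list[str]:
    """Return a list of findings; an empty list means none of the post's indicators matched."""
    findings: list[str] = []
    dll_present = False
    dll_tampered = False

    for e in entries:
        p = PureWindowsPath(e.path)

        # Strong indicator: exact hash of the dropped executable.
        if e.md5.lower() == MALICIOUS_EXE_MD5:
            findings.append(f"{e.path}: MD5 matches the hi.exe sample")
        # Weak indicator: same size and an .exe extension; needs hash confirmation.
        elif e.size == MALICIOUS_EXE_SIZE and p.suffix.lower() == ".exe":
            findings.append(f"{e.path}: size {e.size} matches hi.exe (weak, confirm by hash)")

        # The service DLL in System32: present, and does it match the baseline?
        if p.name.lower() == HIJACKED_DLL and p.parent == SYSTEM32:
            dll_present = True
            if known_good_dll_md5 and e.md5.lower() != known_good_dll_md5.lower():
                dll_tampered = True
                findings.append(f"{e.path}: MD5 differs from the known-good MsPMSNSv.dll (assumed baseline)")

    if not dll_present:
        # The post reports the legitimate DLL is deleted before the copy is dropped.
        findings.append(r"C:\WINDOWS\System32\MsPMSNSv.dll is missing: legitimate DLL may have been deleted")

    # A tampered DLL plus the service running means the payload is live.
    if dll_tampered and any(s.lower() == SERVICE_NAME.lower() for s in running_services):
        findings.append(f"service {SERVICE_NAME} is running with the replaced DLL loaded")

    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real host data.
    sample = [
        FileEntry(r"C:\Users\victim\AppData\Local\Temp\hi.exe", MALICIOUS_EXE_MD5.upper(), 16896),
        FileEntry(r"C:\Windows\System32\mspmsnsv.dll", "ff" * 16, 40960),
    ]
    for line in audit(sample, known_good_dll_md5="00" * 16, running_services=["WmdmPmSN"]):
        print("[!]", line)
```

Feed it the hash inventory from whatever tool you already use on the host, and treat the size-only match as a lead rather than a verdict: only the MD5 and the DLL baseline mismatch are strong signals.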

The exploit has been added to Metasploit. As of this writing, no patch is available. All users are advised not to downgrade their Java version.
