Gong Da Exploit Kit Boosts Java Attack Power With Latest Exploits

The latest Java vulnerability has been integrated into both Black Hole and Gong Da exploit kits, making it easier for cyber-criminals to launch attacks exploiting the flaw, a security researcher said.

The Gong Da exploit kit has been adding support for a number of Java vulnerabilities recently, and its latest iteration includes the remote code execution flaw in the Java Applet JAX Web services library, Eric Romang, a security researcher and founder of Zataz.com, wrote Sunday. The exploit, CVE-2012-5076, targets Java SE 7 Update 7 and earlier, and was patched by Oracle on Oct. 16 as part of Java SE 7 Update 9. However, Java 6 installations don’t have this vulnerability, regardless of whether the software is up-to-date or not, Jeong Wook (Matt) Oh, a researcher at Microsoft Malware Protection Center, wrote on the MMPC blog last week.

The Gong Da exploit kit also includes attacks for several other Java flaws, including CVE-2011-3544 (Oracle Java Rhino exploit), CVE-2012-4681 (the zero-day discovered in August), CVE-2012-0507, CVE-2012-1723, and CVE-2012-1889 (Microsoft XML Core Services). Gong Da has changed its list of targeted vulnerabilities recently. Previous versions supported Adobe Flash Player (CVE-2011-2140) and Windows Media (CVE-2012-0003) bugs, but these exploits don’t appear in the latest version of the toolkit anymore, Romang said.

“Recently, we have seen more and more Java malware and malware distributors using new vulnerabilities quicker than ever before,” Oh wrote.

Gong Da is the third exploit kit to integrate CVE-2012-5076 into its repertoire, following Cool Exploit Kit and Black Hole, Romang said.

Websites created using the Gong Da kit, which means “attack” in Chinese, chains several exploits together as part of its attack pattern. Most of the malware samples that actually exploit CVE-2012-5076 are bundled with other Java exploits to increase their attack coverage, Oh said. For example, attacks exploiting CVE-2012-5076 may be included in malware along with attacks for CVE-2012-1723, which can be used on both unpatched Java 6 and 7, Oh said.

Depending on the specific version of Java SE installed on the victim computer, Gong Da served up different .jpg image or .html files exploiting specific Java vulnerabilities, according to the control flow diagram on Romang’s post.

Romang came across the latest Gong Da exploit on a site whose domain was registered on Nov. 17. The index.html file on the site contains JavaScript obfuscated by the “JSXX VIP JS Obfuscator” tool and is difficult to detect, he said. Only eight out of 44 antivirus detectors on VirusTotal flagged the initial file as malicious, Romang said in his post three days ago. That number appears unchanged as of this writing.

As for the JAX-WS flaw, existing malware abuses the “package access problem” in the Java Runtime Environment, Microsoft’s Oh wrote. Package access is important because if trusted code is exposed to the user, it can be abused to break the Java security model, Oh said. For example, untrusted Java applets should not be able to access Oracle packages, such as Glassfish’s gmbal.

“Packages usually contain critical operations that should not be performed from untrusted code like unsigned Java applets,” Oh said.

Unsigned Java applets run inside a sandbox environment which is designed to restrict access to system resources like file and process operations. Malicious code with access to packages can create the user’s own class on the fly with escalated privileges, Oh wrote.

“From what we have seen in the last few months, we expect to see more and more exploits abusing this vulnerability,” Oh said. “So, users should be prepared for this threat.”

Update: Chinese Gang Targeting Defense Firms With IE Zero-Day

Update: Coordinated Cyber Attacks Hit Chemical and Defense Firms