Trojan “Rodricter” exploits a 0-day in JRE

Posted: September 6, 2012 in Vulnerability News
Tags: , , ,

Malware Trojan HorseWhen a system compromise Trojan.Rodricter virus exploits a vulnerability CVE-2012-4681.

The company “Doctor Web” reports on the distribution of malware Trojan.Rodricter, which at breaking the system exploits a vulnerability CVE-2012-4681 in the JRE. Recall that on 26 August, the company FireEye, Atif Mushtaq announced the active exploitation of this vulnerability. The expert also noted that in the near future to exploit vulnerabilities in Java will become widely available, and the attackers are very actively using it. Total overnight company Rapid 7 introduced a module exploit platform Metasploit. This module exploits a vulnerability in JRE for the latest versions of browsers Mozilla Firefox, Internet Explorer, and Safari on platforms Linux, Windows and Macintosh. Owner of Oracle JRE took 4 days to release an update that will eliminate this vulnerability.

Discovered experts antivirus company malware distributed via web-sites on which to make changes to the file. Htaccess. In the case of appeal to the compromised sites specially crafted script redirects the user to a third-party site that is an attempt to use two vulnerabilities – CVE-2012-1723 and CVE-2012-4681, depending on which version of the JRE installed on the system.

With the successful operation of Java-applet decrypts the file class, and then are downloaded exe file, obtained from “Doctor Web” name Trojan.Rodricter.21.

After starting the program dropper Rodricter searches for the presence of antivirus and debuggers. The program also tries to gain escalated privileges, which exploit the vulnerability of the operating system.

Furthermore, depending on the availability of sufficient privileges, the Trojan saves your primary component, and infects one of the standard Windows drivers to hide the main unit on the infected system, obtaining in this way, the rootkit functionality.

The virus can successfully change the settings of browsers Microsoft Internet Explorer and Mozilla Firefox. So, it adds an additional browser plug-in search engine, and replaces User-Agent and configure the default search engine.

The main module Trojan.Rodricter.21 saved in a temporary folder, and it is intended to substitute user traffic. An attacker can intercept network packets and reveal confidential user data, which are transmitted in non-encrypted data transmission.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s