Zero Day Java Exploits (All Java Exploits go here)

Forum for analysis and discussion about malware.

Post by Kafeine » Sat Mar 30, 2013 2:08 pm

Blaze wrote: CVE-2012-1723
Other one is unknown


Bart, looking at your file this looks like it's from Sweet Orange.
So chances are high that it's CVE-2013-0431 with Serialization.
Cf:

Code:
   String str = "co00m.su000n.j000mx.mbe00anser00ver.MB00eanInst0ant00iat0or";
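
The string quoted in the post above hides a JDK-internal class name behind filler characters. As an added example (not code from this thread or from any sample discussed in it), here is a triage helper that flags string constants which reduce to a watched class name once a small filler alphabet is removed. The watchlist entry is what remains of the quoted string after deleting its '0' characters; the function names, thresholds and the other sample strings are constructed for illustration.

```python
# Added example: flag strings that hide a watched class name behind filler characters.
# Watchlist entry = the string quoted in the post with its '0' filler deleted.
WATCHLIST = ["com.sun.jmx.mbeanserver.MBeanInstantiator"]

# Sample inputs: the first is the string from the post, the rest are constructed.
SAMPLE_STRINGS = [
    "co00m.su000n.j000mx.mbe00anser00ver.MB00eanInst0ant00iat0or",
    "c#om.s#un.j~mx.mbeanserver.MBeanInstantiator",
    "com.example.app.Main",
]

def filler_residue(candidate, target):
    """Greedy subsequence match: return the characters of candidate left over
    after reading target from it left to right, or None if target is not found."""
    residue, i = [], 0
    for ch in candidate:
        if i < len(target) and ch == target[i]:
            i += 1
        else:
            residue.append(ch)
    return "".join(residue) if i == len(target) else None

def match_obfuscated(candidate, watchlist=WATCHLIST, max_alphabet=2, max_ratio=0.5):
    """Return (target, filler_chars) if candidate is a watched name plus filler, else None.
    The alphabet and ratio limits (assumed values) keep long unrelated text from matching."""
    for target in watchlist:
        residue = filler_residue(candidate, target)
        if residue is None:
            continue
        if not residue:
            return (target, "")  # plain, unobfuscated reference
        alphabet = set(residue)
        if len(alphabet) <= max_alphabet and len(residue) <= max_ratio * len(candidate):
            return (target, "".join(sorted(alphabet)))
    return None

def triage(strings):
    """Map each flagged string to its (watched name, filler alphabet) pair."""
    hits = {}
    for s in strings:
        m = match_obfuscated(s)
        if m:
            hits[s] = m
    return hits

if __name__ == "__main__":
    for s, (name, filler) in triage(SAMPLE_STRINGS).items():
        print(f"{s!r} -> {name} (filler: {filler!r})")
```

Feed it the string constants extracted from a suspect JAR's class files; a hit with a non-empty filler alphabet means the name was deliberately split to evade plain substring signatures.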

Post by secObs » Sat Mar 30, 2013 11:03 pm

Kafeine wrote:
Blaze wrote: CVE-2012-1723
Other one is unknown


Bart, looking at your file this looks like it's from Sweet Orange.
So chances are high that it's CVE-2013-0431 with Serialization.
Cf:

Code:
   String str = "co00m.su000n.j000mx.mbe00anser00ver.MB00eanInst0ant00iat0or";


Yes, it's CVE-2013-0431.

CVE-2013-0431 uses a vulnerability of the Introspector class.

Attached:
- CVE-2013-0422 from Fiesta and Redkit
- CVE-2013-0431 from BlackHole and Sweet Orange

Post by Blaze » Mon Apr 01, 2013 4:09 pm

Figured, thanks for the confirmation guys!
Follow me on Twitter: @bartblaze

Post by secObs » Fri Apr 05, 2013 9:58 pm

Attached:
- CVE-2013-1493 from Sibhost "Exploit Kit" with encoded Urausy inside.
- CVE-2013-0431 from Neutrino

Post by Squirl » Tue Apr 09, 2013 10:47 am

From Blackhole
CVE-2013-0422

Jar and executable attached

Post by secObs » Tue Apr 09, 2013 10:07 pm

Squirl wrote: From Blackhole
CVE-2013-0422

Jar and executable attached


This is CVE-2013-0431 not 0422, anyhow thank you for sharing.

Post by Squirl » Wed Apr 10, 2013 8:42 am

Yep, you're quite right! Rushed my analysis a bit :?

Post by Squirl » Wed Apr 17, 2013 1:05 pm

RedKit exploiting 2013-0422 (VT confirms :) ) together with all payloads.

Post by N3mes1s » Thu Apr 18, 2013 12:52 pm

CVE-2012-1723 dropped from redkit boston.html campaign

https://www.virustotal.com/en/file/0bf5 ... 366289246/

Post by Blaze » Fri May 03, 2013 3:26 pm

CVE-2013-1493 attached.
Follow me on Twitter: @bartblaze