[secObs]

Here it is the new java 0 day jar used by Blackhole. Exploit download Zbot.

Both files in attachment.

Jar: 483b40f21a9e97f0dc6c88a21fddc1ec
Zeus: f0e4b2c0e73d20cc535834b0d7faa6c2

[WawaSeb]

Hello,

Here's decrypted source : http://pastebin.com/raw.php?i=cUG2ayjh
Hope it's not already included in this topic.

[WawaSeb]

Hello,

Here's decrypted source : http://pastebin.com/raw.php?i=cUG2ayjh
Hope it's not already included in this topic.

Interesting analysis : https://partners.immunityinc.com/idocs/ ... alysis.pdf

[p4r4n0id]

This is predicting trouble, any chances we can get an sample of what is being dropper/jar ?

EDIT:

Kafeine did full disclore, I have added his files here

JoeBox analysis for UTTER-OFFEND.exe (MD5: 237f8ffc0c24191c5bb7bd9099802ee4)

http://joe4security.blogspot.ch/2013/01 ... nical.html

p4r4n0id

[Xylitol]

Silent jdb, cve 2013-0422 from Adwind Web Fake 1.4 (hackforums.net/showthread.php?tid=3128940)
https://www.virustotal.com/file/10f09d0 ... 358106689/ > 0/46

Code: Select all

https://rstforums.com/forum/63344-java-0day-cve-2013-0422-1-7u10.rst

also just saw this pdf 0day:

Code: Select all

https://damagelab.org/index.php?showtopic=23552&st=0

[360Tencent]

http://eromang.zataz.com/2013/01/15/wat ... abilities/

1.zip

pw:infected
(80.61 KiB) Downloaded 98 times

hxxp://www.kandroid.org/board/data/m/

[Cody Johnston]

Looks like there is still some holes in Java 7 Update 11:

http://seclists.org/fulldisclosure/2013/Jan/142

[secObs]

@EKwatcher has spotted Cool EK using CVE-2013-0431.

It drops reveton and isn't heavely obfuscated.

Detection 2/45
https://www.virustotal.com/en/file/c..d9c/analysis/

MD5: 97ad65a3458e4d8551e4bc0ff4a8f97c
SHA-1: 98c61c132a918766c7565a719274fdefab33f7ff

[Mr52]

Hi, I'm looking for particular sample of
0day Java Sample listed here http://blog.fireeye.com/research/2013/0 ... day-2.html
with sha256 ae3cf092e35c83958f527ab7ac7b21ac1b11772a91aaacd8ae69a91baaa7d0ae
Sample names
sample.jar
jar_cache4445970813497302613.tmp
sample.dat

Thank you.

[Squirl]

I'm just working on obtaining the Jar - in the meantime, here's the payload after a successful exploit.