New Java 0-day drive-by exploit

January 14, 2013

The Dell Sonicwall Threats research team received reports of a new 0-day exploit affecting Java 1.7 Update 9, 10 and possibly earlier versions of Java. It has been reported that this new exploit has already been integrated into the existing Blackhole Exploit Kit that is currently in use by cyber criminals. At the time of writing, this vulnerability is currently unpatched.

Infection cycle:

The infection occurs when visiting a malicious webpage that may look similar to the one below:

The webpage contains a malicious Blackhole Exploit script [Detected as GAV: Blacole.gen_26 (Exploit)]:

The script downloads additional jar files with class files containing GAV: Exploit.CVE-2013-0422 (Exploit)

From our analysis and sources we discovered 3 jar files that contain the Java exploit:

  • Counsel.jar [Detected as GAV: Exploit.CVE-2013-0422 (Exploit)]
  • Edit.jar [Detected as GAV: Exploit.CVE-2013-0422 (Exploit)]
  • UTTER-OFFEND.JAR [Detected as GAV: Exploit.CVE-2013-0422 (Exploit)]

The class file ewjvaiwebvhtuai124a.class containing the exploit contains more raw class file data which typically starts with CAFEBABE hexcode:

The class file contains instructions to download and execute a malicious executable: calc.exe:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Exploit.CVE-2013-0422 (Exploit)
  • GAV: Blacole.gen_26 (Exploit)
  • GAV: CoolEK.Java.1 (Exploit)