Oracle Java CVE-2013-2465 attacks spotted in the wild

November 1, 2013

The Dell SonicWALL threat team has observed live malware exploiting CVE-2013-2465 in the wild. The vulnerability referred to by CVE-2013-2465 is an incorrect image channel verification flaw in the 2D component of the Java Runtime Environment (JRE) in Oracle Java SE; the vulnerable versions include Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and OpenJDK 7. By exploiting the issue, an attacker can inject and execute arbitrary code remotely.
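The version boundaries above are the practical check a defender needs: is a given host's JRE inside the affected range or not? The following is an added example (not Dell SonicWALL's or Oracle's code) that parses the first line of `java -version` output and applies those boundaries. It assumes the legacy `1.x.0_NN` version string that Java 5/6/7 print (Java 7 Update 21 reports itself as `1.7.0_21`), treats a build with no `_NN` suffix as update 0, and, because the advisory lists OpenJDK 7 without an update boundary, flags every OpenJDK 7 build exactly as the text does. The sample outputs are constructed, not captured from real hosts.

```python
import re
from typing import Optional, Tuple

# Vulnerable ranges as stated in the advisory. The key is the minor number of the
# "1.x.0_NN" string that `java -version` prints for Java 5/6/7; the value is the
# last vulnerable update level (7u21, 6u45, 5.0u45).
LAST_VULNERABLE_UPDATE = {5: 45, 6: 45, 7: 21}

# Matches the first line of `java -version`, e.g.  java version "1.7.0_21"
_VERSION_RE = re.compile(r'version "1\.(\d)\.\d+(?:_(\d+))?', re.IGNORECASE)


def parse_java_version(output: str) -> Optional[Tuple[int, int, bool]]:
    """Return (major, update, is_openjdk) for legacy 1.x.0_NN version output,
    or None when the string is not in that form (Java 9+ uses 9.0.1 style)."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0  # GA builds with no "_NN" count as update 0
    is_openjdk = "openjdk" in output.lower()       # OpenJDK names itself on line 1 or line 2
    return major, update, is_openjdk


def is_vulnerable(output: str) -> Optional[bool]:
    """True if the reported build is inside the advisory's vulnerable ranges,
    False if it is newer or outside the listed majors, None if unparseable."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    major, update, is_openjdk = parsed
    if is_openjdk and major == 7:
        # The advisory lists "OpenJDK 7" with no update boundary; follow the text and flag all of it.
        return True
    last = LAST_VULNERABLE_UPDATE.get(major)
    if last is None:
        return False  # Java 8 and later are not in the advisory's version list
    return update <= last


# Constructed sample outputs (not captured from real hosts), one per branch
SAMPLE_OUTPUTS = {
    "java7u21": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment\n',
    "java7u25": 'java version "1.7.0_25"\nJava(TM) SE Runtime Environment\n',
    "java6u45": 'java version "1.6.0_45"\n',
    "java6u51": 'java version "1.6.0_51"\n',
    "java5u45": 'java version "1.5.0_45"\n',
    "openjdk7": 'java version "1.7.0_25"\nOpenJDK Runtime Environment\n',
    "java8u45": 'java version "1.8.0_45"\n',
    "java11":   'openjdk version "11.0.2" 2019-01-15\n',
}


if __name__ == "__main__":
    for label, out in SAMPLE_OUTPUTS.items():
        print(f"{label:9s} -> {is_vulnerable(out)}")
```

In practice the input comes from `java -version 2>&1` on each host (the banner is written to stderr); a result of `None` means the string was not in the legacy form and should be reviewed by hand rather than treated as safe.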

By exploiting this vulnerability, the observed malware executes the following steps:

a. Create a file named "mspaints.exe" with the following code:

b. Execute mspaints.exe

c. mspaints.exe copies itself into the system directory and deletes the first copy

d. Connect to a malicious webpage:
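The four steps above form a behavioural chain that an endpoint sensor can correlate without any file hash: a Java process writes an executable, that executable runs, copies itself into a system directory, deletes its original, and then makes an outbound connection. The following is an added example (not Dell SonicWALL's code) of such a correlator run over a small constructed event stream. The event schema (`type`, `pid`, `image`, `path`, `dest`) is an assumption standing in for whatever the real sensor emits, the list of system binary names is illustrative, and the destination host is a placeholder because the advisory does not reproduce the URL. A finding is raised only when at least three of the five stages are seen, so a lone "Java wrote an .exe" does not alert by itself; the dropped file name is also compared against known system binary names to catch one-character lookalikes such as mspaints.exe versus mspaint.exe.

```python
from typing import Any, Dict, List, Optional

# Illustrative list of legitimate Windows binary names a dropper might imitate
KNOWN_SYSTEM_BINARIES = {"mspaint.exe", "svchost.exe", "explorer.exe", "notepad.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
JAVA_IMAGES = {"java.exe", "javaw.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalikes of system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path: str) -> Optional[str]:
    """Return the system binary name this file name is exactly one edit away from, if any."""
    name = basename(path)
    for known in KNOWN_SYSTEM_BINARIES:
        if name != known and edit_distance(name, known) == 1:
            return known
    return None


def correlate(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Walk endpoint events in time order and return findings that reproduce the
    advisory's chain. Each finding records which of the five stages were observed."""
    dropped: Dict[str, int] = {}             # lower-cased dropped path -> pid of the Java process
    tracked: Dict[int, Dict[str, Any]] = {}  # pid started from a dropped file -> finding
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and basename(ev["image"]) in JAVA_IMAGES and ev["path"].lower().endswith(".exe"):
            dropped[ev["path"].lower()] = ev["pid"]                   # stage a: Java writes an .exe
        elif kind == "process_start" and ev["image"].lower() in dropped:
            tracked[ev["pid"]] = {                                    # stage b: the dropped .exe runs
                "dropped_path": ev["image"],
                "dropper_pid": dropped[ev["image"].lower()],
                "lookalike": lookalike_of(ev["image"]),
                "stages": ["java_drops_exe", "dropped_exe_runs"],
            }
        elif ev["pid"] in tracked:
            finding = tracked[ev["pid"]]
            if kind == "file_create" and ev["path"].lower().startswith(SYSTEM_DIRS):
                finding["stages"].append("copies_to_system_dir")      # stage c, first half
            elif kind == "file_delete" and ev["path"].lower() == finding["dropped_path"].lower():
                finding["stages"].append("deletes_original")          # stage c, second half
            elif kind == "net_connect":
                finding["stages"].append("outbound_connection")       # stage d
                finding["dest"] = ev["dest"]
    return [f for f in tracked.values() if len(f["stages"]) >= 3]


# Constructed sample events (not real telemetry); benign noise is interleaved
DROP = "C:\\Users\\alice\\AppData\\Local\\Temp\\mspaints.exe"
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 1204, "image": "C:\\Program Files\\Java\\jre7\\bin\\java.exe", "path": DROP},
    {"type": "file_create", "pid": 880, "image": "C:\\Windows\\notepad.exe", "path": "C:\\Users\\alice\\notes.txt"},
    {"type": "process_start", "pid": 1330, "image": DROP, "parent_pid": 1204},
    {"type": "file_create", "pid": 1330, "image": DROP, "path": "C:\\Windows\\System32\\mspaints.exe"},
    {"type": "file_delete", "pid": 1330, "image": DROP, "path": DROP},
    {"type": "net_connect", "pid": 1330, "image": DROP, "dest": "PLACEHOLDER-MALICIOUS-HOST:80"},
    {"type": "net_connect", "pid": 640, "image": "C:\\Windows\\explorer.exe", "dest": "update.example.invalid:443"},
]


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(f"pid {finding['dropper_pid']} -> {finding['dropped_path']} "
              f"(lookalike of {finding['lookalike']}): {', '.join(finding['stages'])}")
```

The correlator keys everything on the dropped path, so it keeps working when the executable name changes; the lookalike check is a cheap extra signal rather than a requirement for the alert.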

Dell SonicWALL has created the following IPS signatures to prevent attacks targeting this vulnerability:

  • 4539 Malformed Java Class File 8
  • 4547 Malformed Java Class File 9
  • 4662 Malformed Java Class File 11