One of our readers, Tom Ueltschi, sent an e-mail with details about an exploit that is exploiting a Java vulnerability. While such exploits are not rare, this particular exploit targeted a vulnerability that was published in December 2008 by iDefense, and a reliable exploit became publicly available couple of months ago, in April this year.

However, it took some time for the bad guys to start using this exploit in their attack kits. The vulnerability exists in Java JRE release 6, in update versions lower than 13 and release 5, update versions lower than 18.

The vulnerability exists in the Pack200 compression method, which is used to compress Jar files. The compression method is called when reading a Pack200 compressed file – the exploit creates an Applet which downloads a special crafted Pack200 compressed file. It's interesting how the attackers completely copied the publicly available exploit (they even used the same file names!), so they end up using an HTML file that creates the Applet, which further calls a PHP script called e.php that is needed to correctly set the Content-Encoding header:

<?php

$fp = fopen('e.pack.gz', 'rb');

header('Content-Encoding: pack200-gzip');

fpassthru($fp);
exit;

?>

The Applet contains shellcode, which gets executed if the vulnerability is successfully exploited – as you can guess it downloads a Trojan which, luckily, has *some* detection (VT link) with some major names still missing it.
After checking the malicious web site, it became obvious that the exploit has been integrated with an attack kit, so we can expect this to become more common now.

Finally, I'd like to remind every to double check that you have the latest Java installed on your machine (and those older versions removed). Also, don't forget about those nice addons such as NoScript which can limit your exposure by allowing Java or JavaScript to execute only on trusted web sites and not by default.

--
Bojan