Exploit:Java/Blacole.EM

RonH
SilverLounger
Posts: 2061
Joined: 02 Mar 2010, 16:53
Location: An Aussie in Norway

Exploit:Java/Blacole.EM

Post by RonH »

MSE nailed this Trojan when it hit my pc yesterday ... or that's what it said it had done :clapping: I have also run Malwarebytes, which shows a clean pc.
In searching for information about this infection all I get is 'technical jargon' ... mumbo jumbo to me :scratch: So, what does this Blacole do if it gets established ... can it compromise banking where, for example, the bank utilises Java in their security account procedures?
I would appreciate a layman's 'what is this' if that is possible.
CYa Ron
W11 pc, Android toys.
The only reason we have the 4th dimension of Time is so that everything does not happen at once.

HansV
Administrator
Posts: 78616
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: Exploit:Java/Blacole.EM

Post by HansV »

According to Microsoft Malware Detection Center, this is a fairly recent piece of malware, and "Technical details are not currently available for this threat."
The AVIRA entry doesn't have much more info. Apparently it uses this security hole in Java.
I can't find any more easy-to-understand description, sorry.
Best wishes,
Hans


Re: Exploit:Java/Blacole.EM

Post by RonH »

Thanks Hans for trying. I found these pages during my search but they really did not 'provide answers'.
I guess the best is that MSE worked and removed the threat ... we have to trust don't we!
Enjoy the rest of Sunday.
Ron

Argus
GoldLounger
Posts: 3081
Joined: 24 Jan 2010, 19:07

Re: Exploit:Java/Blacole.EM

Post by Argus »

Hans is quick, as usual. :smile:

It's quite recent, even though it seems the vulnerability is from last year; that could be because of variants of the same exploit. As you know, when we see variants of, for example, Blacole (in this case Java/Blacole), Blacole.AB, Blacole.AC etc., they usually don't write much about them. And thus it is often no use trying to track down information about a specific variant, even though I understand that that's what users are most likely to do when they get an AV alert. There could of course be important differences between the variants, so I wouldn't say it's of no use.

As mentioned by Hans, and as you have found, it seems to be related to CVE-2011-3544.

When an exploit is found it's usually added to different packages that hackers use. When people are using unpatched versions of software it's then very easy to exploit such vulnerabilities. As mentioned at one page below (quoting MSFT), between 2010 and 2011 "between one-third and one-half of all exploits observed [by MSFT] in each quarter were Java exploits".

That's quite a lot...

The Blackhole exploit pack is one such package, which attempts to exploit different vulnerabilities. It's used, installed, on servers and exploits vulnerabilities in clients. Could be the Flash Player or Java etc.

Here is what MSFT's MPC has to say about Blackhole; though not that important in this specific case, it helps in understanding what Blacole.EM is. (There is a screen shot from the Blackhole exploit control panel on the page at F-Secure below.)

Back to this particular exploit, I don't know which pages you have looked at (since you didn't mention :wink: ), but for example the US National Vulnerability Database says:

"Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service".

For most of these exploits I wouldn't limit the damage to compromising other sites using Java, since, if successful, they can often download other malware, as we shall see. It's just used to open the door.

Here are some pages from Brian Krebs' blog, with a little more reading, perhaps explaining the background a bit better than short entries in different virus encyclopaedias etc.:
http://krebsonsecurity.com/2011/11/new- ... loit-kits/
http://krebsonsecurity.com/2011/11/publ ... eat-level/

The CVE-2011-3544 vulnerability was also used in the hack of Amnesty International's homepage in the UK in December last year.
http://krebsonsecurity.com/2011/12/amne ... a-exploit/

Apparently it went on and downloaded a key logger and who knows what.

F-Secure, in their "News from the Lab" blog, mentioned the CVE-2011-3544/Java Rhino vulnerability, around the same time as above, and also commented on the need and use of Java. As mentioned above by Krebs and MSFT, Java is under constant attack. (I mentioned the F-Secure post earlier here.)

For quite some time it seems like the OS or software such as Word or Excel isn't the main target; instead it's software such as Java, Flash and Adobe Reader. Thus it's important to keep these updated, but I'm sure you do that. And I see you already got that advice at MSFT. :wink:
Byelingual    When you speak two languages but start losing vocabulary in both of them.


Re: Exploit:Java/Blacole.EM

Post by Argus »

Seeing these exploits being used is of course no fun; it does definitely put some weight behind the advice to install the latest patches, as we see so often.

This week Kaspersky Lab wrote at their Virus Watch blog about a "fileless" bot, the malware doesn't come with a file in the first step, instead "it uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process".

And it exploits the abovementioned Java vulnerability, (CVE-2011-3544).

So nothing on the HDD, at first. That must be very unusual; as they mention, we saw it with, for example, the CodeRed worm. After it has altered some settings in the OS, disabling UAC, it downloads a Trojan. At the moment it has targeted Russian users, but they say "we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: they can be distributed via similar banner or teaser networks in other countries."

They conclude that, at the moment, exploits for the CVE-2011-3544 are very effective and "can be used to install a variety of malicious programs".

Thus, as mentioned above, it can be quite difficult to say what exploits for CVE-2011-3544 do.


Re: Exploit:Java/Blacole.EM

Post by RonH »

Thanks Argus for your very informative posts.

Having had a read of your various links I conclude that its back to 'snail mail' for me :sad: But how could we manage without our 'cuddly toys' in this modern age ... even old folk like me. So, I for one, will continue looking at the world on a screen but being very sure that I have all programmes etc as up-to-date as I can based on advice from MS and the various vendors. Secunia is also a good way of getting advice.

Your inputs will I am sure be of value to others on our forum.

Thanks again
Ron


Re: Exploit:Java/Blacole.EM

Post by Argus »

Another short comment, this time from the ISC Diary, on why it's important to use software that is up to date (and especially software that is actively being exploited time after time); as most of us know, we can't trust antimalware software to catch everything.

It's the same vulnerability being exploited, mentioned above, that Oracle patched in October.

http://isc.sans.edu/diary/evilcode+class/12838
Sending fun.jar to Virustotal shows that only 10 of 43 anti-virus tools actually recognize the exploit code, whereas 27/43 recognize the d.exe malware file that the exploit currently downloads and runs.


Re: Exploit:Java/Blacole.EM

Post by RonH »

I have had lots of helpful advice from our leaders so I would like to pass on my experiences with this exploit and maybe help other novices like myself.

Even though this exploit was removed by MSE it popped up 3 more times. Not knowing what was going on, I decided to remove Java completely from my pc (only had the latest update though which I don’t think is open to these exploits), removed temp files and reg files per CCleaner scans, reboot and reinstall a fresh Java from their download site. Scanned with Malwarebytes, nothing found, but my ext HD was not connected.

I then did a full MSE scan on pc and connected ext HD and the exploit popped up again! Again it was removed by MSE.

Could it be from previous Windows Backup files? I deleted all backup files off my ext HD and ran a full new Windows7 Backup. Another full MSE scan and it appears to have gone … must have been in my earlier backups so the monthly backup that I do must use prior info during the backup.


Re: Exploit:Java/Blacole.EM

Post by HansV »

That does indeed make me think the threat lurked in a backup.


Re: Exploit:Java/Blacole.EM

Post by RonH »

I am going mad :hairout: its back!
Did a full scan on the Ext HD and got a hit which MSE then removed.
OK, better check the pc HD and there it was again ... though previously my last full scan found nothing.

These are screen shots:
1. The Ext HD (G)
Infection on Ext HD.JPG
2. The pc HD (C)
Infection on C Drive.JPG
Question: It's obviously getting to the Ext HD from my C drive which, though 'cleaned' by MSE, is clearly not for some reason. Can I go into LocalLow/Sun and delete the entire file or is this a problem? Should I first, via Programmes, delete Java again? Or what else should I do? Would really appreciate your expertise on this.
Thanks Ron
Thanks again.


Re: Exploit:Java/Blacole.EM

Post by Argus »

Hmm, I don't know, but it seems like you have Java 6 Update 30, which isn't the latest.

There is a vulnerability, CVE-2012-0507, in old Java versions, among them 6 Update 30, which is patched by the latest update from mid February, i.e. Version 6 Update 31, or 7 Update 3.

See: Oracle Java SE Critical Patch Update Advisory - February 2012

But if you downloaded earlier, you should have got version 6 update 31...

The CVE-2012-0507 vulnerability seems to be linked to some other exploits, though, not Blacole.EM; but one can't be sure about that, since there isn't much info. (In some rare cases it can also be a false positive.)

I would clean the cache and uninstall.
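An added example, not from the thread and not Oracle's or Microsoft's code, that turns the version facts mentioned in this thread into a check a helper could run over a `java -version` line or over the jreX.Y.Z_NN folder names under Sun\Java: it parses the old-style Java version string and reports which of the two CVEs discussed here the build predates. The fix levels are taken from Oracle's Critical Patch Update advisories: CVE-2011-3544 (the Rhino script engine bug) was fixed in the October 2011 CPU, Java 6 Update 29 and 7 Update 1; CVE-2012-0507 in the February 2012 CPU, 6 Update 31 and 7 Update 3, as stated above. Treating Java 5 and older as unpatched for both, and any later family as carrying the fixes, are assumptions made for the example.

```python
import re

# First update level that contains the fix, per Oracle's Java SE Critical
# Patch Update advisories: CVE-2011-3544 (Rhino script engine) in the
# October 2011 CPU, CVE-2012-0507 (AtomicReferenceArray) in the February
# 2012 CPU. Key = Java family (6 or 7), value = update number.
FIRST_FIXED_UPDATE = {
    "CVE-2011-3544": {6: 29, 7: 1},
    "CVE-2012-0507": {6: 31, 7: 3},
}

# Matches "1.6.0_30", "jre1.6.0_31_x64" and the quoted form in `java -version` output.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (family, update), e.g. (6, 30) for '1.6.0_30' or (7, 3) for '1.7.0_03'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version string found in %r" % text)
    first, second, _, update = m.groups()
    # Old-style strings start with "1."; the family is then the second number.
    family = int(second) if int(first) == 1 else int(first)
    return family, int(update or 0)


def unpatched_cves(text):
    """List the CVEs from FIRST_FIXED_UPDATE that the given build still lacks a fix for."""
    family, update = parse_java_version(text)
    missing = []
    for cve, fixed_in in FIRST_FIXED_UPDATE.items():
        if family > max(fixed_in):
            continue  # assumption: families released after the fix carry it
        if family < min(fixed_in) or update < fixed_in[family]:
            # Java 5 and older are treated as unpatched (conservative assumption),
            # as is any listed family below its fix level.
            missing.append(cve)
    return missing


def report(text):
    """One-line verdict, e.g. 'Java 6u30: still exposed to CVE-2012-0507'."""
    family, update = parse_java_version(text)
    missing = unpatched_cves(text)
    if not missing:
        return "Java %du%d: patched for %s" % (family, update, ", ".join(FIRST_FIXED_UPDATE))
    return "Java %du%d: still exposed to %s" % (family, update, ", ".join(missing))


if __name__ == "__main__":
    # Constructed inputs: the version found on the PC in this thread, the one it
    # should have had, a `java -version` line, and an old installer folder name.
    for sample in ("1.6.0_30", "jre1.6.0_31", 'java version "1.7.0_01"', "jre1.6.0_20_x64"):
        print(report(sample))
```

Run it with the output of `java -version` pasted in, or with the folder names seen under C:\Program Files\Java; a hit on either CVE means the update level is older than the October 2011 or February 2012 patch, whichever is listed.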


Re: Exploit:Java/Blacole.EM

Post by RonH »

Hei Argus.
When you say clean the cache, do you mean just delete the files in the deployment\cache of Sun\Java, or can I simply delete all Sun files in LocalLow?
I have already uninstalled Java from Programmes (Windows 7) but all these other Java files are still on the pc, so the Sun\Java programme uninstall does not get rid of all associations. Don't really understand all of this, so hold my hand please :thankyou:

Edit ... I guess I am asking if I can simply delete ALL SUN files that I find on my pc which theoretically should capture any other problems of Sun\Java? And then will I be able to install the latest Sun Java from their update page? My Programmes only showed the latest Java ...

2nd Edit. I worked out how to clear the Java Cache and then checked each of the many cache files to see if all files had been deleted. Guess what, in '30' the file that had the infection according to MSE scan was still there! So I deleted it. Anything else I should now do?


Re: Exploit:Java/Blacole.EM

Post by Argus »

Hi Ron,
Here is an article at Java.com that explains how to use the Control Panel applet to delete temp files, i.e. clean the cache.
http://www.java.com/en/download/help/cache_virus.xml

But you probably know that, I just mentioned it as a reference in the thread; and you don't have Java installed at the moment.

Some background:
Local and LocalLow are folders in the user profile that don't roam; they are not synchronised when a user logs in. They often contain temporary or large files, things that shouldn't roam, and can also contain, for example, mail folders. The structure with two, Local and LocalLow, was introduced with Vista.

LocalLow, as far as I know, is used by Internet Explorer when running in Protected Mode, and by software such as Java and perhaps some Adobe software, extensions and similar; MSFT has created a special folder for files that have fewer permissions. They run at a "lower integrity level"; in MSFT lingo, "low integrity processes cannot gain write access to objects at higher integrity levels".

Since I don't know what else you have there, i.e. if possible to delete the whole Sun folder, I would say it's safe to delete anything in the cache folder, i.e. starting with "6.0" and anything in it, since it will be recreated when you install a new version.

Despite all your trouble with this; Happy Easter (God påske)!
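An added example, not from the thread and not Oracle's code, showing what the cache clean-up above amounts to on disk and what is worth recording before deleting. It assumes the Java 6 deployment cache layout: under the cache root (on Vista/7, %LOCALAPPDATA%Low\Sun\Java\Deployment\cache\6.0, the "6.0" folder mentioned above) there are numbered bucket folders, and each cached resource is a data file with no extension beside a ".idx" index file (and, by assumption, ".lap" lock files); data files are identified by content, a jar by its ZIP signature and a class file by its 0xCAFEBABE signature, not by name. `scan_cache` inventories the payloads with a SHA-256 (useful for a VirusTotal lookup like the one in the ISC post), `purge_cache` deletes them, and `build_demo_cache` constructs a throwaway cache with fake content so the script runs offline. Java's own Control Panel applet does the same deletion; this only makes the steps visible.

```python
"""Inventory and purge the Java deployment cache (added example, assumes the
Java 6 layout: cache\\6.0\\<bucket>\\<name> data files with sibling .idx files)."""
import hashlib
import os
import tempfile
import zipfile

# Default location on Windows Vista/7 (assumption: LOCALAPPDATA + "Low" is LocalLow).
CACHE_ROOT_WIN7 = os.path.join(
    os.environ.get("LOCALAPPDATA", r"C:\Users\user\AppData\Local") + "Low",
    "Sun", "Java", "Deployment", "cache", "6.0")

INDEX_SUFFIXES = (".idx", ".lap")  # bookkeeping files, not cached content


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def describe_blob(path):
    """Classify one cached data file by its leading bytes and list jar class entries."""
    with open(path, "rb") as f:
        head = f.read(4)
    entry = {"path": path, "size": os.path.getsize(path),
             "sha256": sha256_file(path), "kind": "other", "classes": []}
    if head.startswith(b"PK\x03\x04"):        # ZIP signature: a cached jar
        entry["kind"] = "jar"
        try:
            with zipfile.ZipFile(path) as z:
                entry["classes"] = sorted(n for n in z.namelist() if n.endswith(".class"))
        except zipfile.BadZipFile:
            entry["kind"] = "corrupt-zip"
    elif head == b"\xca\xfe\xba\xbe":         # Java class file signature
        entry["kind"] = "class"
    return entry


def scan_cache(root):
    """Return a description of every cached payload under root (index files skipped)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(INDEX_SUFFIXES):
                continue
            found.append(describe_blob(os.path.join(dirpath, name)))
    return found


def purge_cache(root, dry_run=True):
    """Delete every file under root (payloads and index files). Returns the paths touched."""
    removed = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            removed.append(path)
            if not dry_run:
                os.remove(path)
    return removed


def build_demo_cache():
    """Constructed data: a temp cache with one fake applet jar (plus .idx) and one text blob."""
    root = tempfile.mkdtemp(prefix="javacache-demo-")
    bucket = os.path.join(root, "30")
    os.makedirs(bucket)
    with zipfile.ZipFile(os.path.join(bucket, "1a2b3c4d-5e6f7a8b"), "w") as z:
        z.writestr("Hello.class", b"\xca\xfe\xba\xbe fake class body")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with open(os.path.join(bucket, "1a2b3c4d-5e6f7a8b.idx"), "wb") as f:
        f.write(b"\x00" * 16)
    with open(os.path.join(bucket, "99999999-00000000"), "wb") as f:
        f.write(b"just a cached text resource")
    return root


if __name__ == "__main__":
    root = build_demo_cache()   # swap for CACHE_ROOT_WIN7 on a real machine
    for e in scan_cache(root):
        print(e["kind"], e["sha256"][:16], e["classes"], e["path"])
    print("would delete %d files" % len(purge_cache(root)))  # dry run by default
```

On a real machine, run `scan_cache(CACHE_ROOT_WIN7)` first and keep the hashes and class lists; that is the evidence to check against an AV alert before `purge_cache(..., dry_run=False)` empties the folder, which Java recreates on the next applet load.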


Re: Exploit:Java/Blacole.EM

Post by Argus »

Ah, I see you updated the post.
I think you are all clear now.


Re: Exploit:Java/Blacole.EM

Post by RonH »

And Happy Easter to you (Og God Påske til deg).

Thanks Argus ... my grey hair is getting greyer!

Have reinstalled the latest Java and rechecked with MSE this morning and pc is at present clean.
But in looking through the Sun\Java files I see the following:
Infection on C Drive Java.JPG
Should I remove all these jre files ... they seem to be some kind of Java installer? Perhaps this is where the infection keeps reinstalling itself from.
Ron


Re: Exploit:Java/Blacole.EM

Post by HansV »

You can remove jre1.6.0_26, jre1.6.0_26_x64, jre1.6.0_29, jre1.6.0_20_x64, and jre1.6.0_30. They belong to older versions and serve no purpose any more.
Leave jre1.6.0_31 - it's for the current version.


Re: Exploit:Java/Blacole.EM

Post by RonH »

Done Hans, thanks.
So we shall see if at last I have nailed this troublesome exploit.
Now to celebrate Easter
Ron