Sunday, April 28, 2019

New Java malware to bypass sandbox in Blackhole

Blackhole is like most other malware and exploit packs: it spreads through iframes and executes a downloaded payload. The ESET Threat blog discussed it in this post, but it now uses a brand-new vulnerability: CVE-2012-0507. CVE-2012-0507 is an interesting vulnerability in the Java AtomicReferenceArray class implementation, which did not properly check whether the array was of the appropriate Object[] type. A malicious Java applet could use this flaw to bypass Java sandbox restrictions and execute malicious code outside the sandbox.
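The kind of runtime type check described above as missing, as an added example (not code from the original post and not the JDK's own source). The class name `ArrayTypeCheck` and the helper `normalize` are hypothetical; the example relies only on the fact that Java arrays are covariant, so a reference declared as `Object[]` can point at a `String[]`.

```java
import java.io.InvalidObjectException;
import java.lang.reflect.Array;
import java.util.Arrays;

public class ArrayTypeCheck {

    // Hypothetical helper: validate an untrusted value before it is stored in a
    // field that must hold an array whose runtime class is exactly Object[].
    static Object[] normalize(Object candidate) throws InvalidObjectException {
        if (candidate == null || !candidate.getClass().isArray()) {
            throw new InvalidObjectException("not an array");
        }
        if (candidate.getClass().getComponentType().isPrimitive()) {
            throw new InvalidObjectException("primitive array not allowed");
        }
        if (candidate.getClass() != Object[].class) {
            // Copy the elements into a genuine Object[] instead of keeping a
            // reference to the more specific array type.
            return Arrays.copyOf((Object[]) candidate,
                                 Array.getLength(candidate), Object[].class);
        }
        return (Object[]) candidate;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the declared type says Object[], but the
        // runtime class is still String[].
        Object[] covariant = new String[] {"a", "b"};
        System.out.println("runtime class: " + covariant.getClass().getSimpleName());

        try {
            covariant[0] = Integer.valueOf(1); // the JVM's array store check fires
        } catch (ArrayStoreException e) {
            System.out.println("store rejected: " + e.getMessage());
        }

        Object[] safe = normalize(covariant);
        System.out.println("after normalize: " + safe.getClass().getSimpleName());
        safe[0] = Integer.valueOf(1); // legal: the array really is an Object[]

        for (Object bad : new Object[] {"not an array", new int[] {1}, null}) {
            try {
                normalize(bad);
            } catch (InvalidObjectException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```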

The Blackhole infection starts with a classic iframe, as in the picture below:

The infection goes on following these steps:

Java malware is becoming more popular day by day. The reason is that Java bugs are pretty common nowadays, and because Java is “platform independent”, the attacker needs to write only one exploit for all systems, including Linux, Mac and Windows, not one exploit for each attacked platform, as with executables.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing.
