Posté par: igor51 le janvier 14, 2013, 20:23:49
Just a quick note, it's only the second week of January, but early 2013 brings with it the first Java 0day mass exploit distribution of the year.
There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java 0day. These sites include weather sites, news sites, and of course, adult sites. A few obfuscated files are being delivered to victim systems with names like Stretch.jar, Edit.jar, UTTER-OFFEND.JAR, and more. The first appearance of the exploit's prevention in our KSN community seemed to be January 6th. But as we dig back further, we find related samples from mid-December. So, we have been preventing this 0day in particular for quite some time. At this point, it seems that the first instance of the particular 0day jar file contents ITW is 7550ce423b2981ad5d3aaa5691832aa6. Filenames for the class files remain the same until recently. It would be interesting to see an earlier instance.
Update (2012.01.10 3:30 p.m. MT) - Metasploit developers have added an exploit module targeting this vulnerability CVE-2013-0422.
Source: Java 0day Mass Exploit Distribution (http://www.securelist.com/en/blog/208194070/Java_0day_Mass_Exploit_Distribution)