I first thought it was a 0-day
Successful path to Epic Fail in that tweet :)
but it's an applet signed with a self-generated fake certificate, requesting privileged access, that I spotted in Popads Exploit Kit. So pure Social Engineering.
No infection without user interaction, but sneaky:
Class name in that "0day"
Which leads to:
Social Engineering in the class name of that jar
jre1.7u15 downloading PE |
$ jarsigner -verify -verbose -certs [jarname].jar
s 157 Fri Feb 22 19:35:40 CET 2013 META-INF/MANIFEST.MF
X.509, CN=Microsoft Corporation, OU=Microsoft Corporation, O=Microsoft Corporation, L=New York, ST=NY, C=US
[certificate will expire on 5/23/13 11:08 AM]
[CertPath not validated: null]
278 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.SF
1040 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.RSA
sm 2726 Fri Feb 22 19:35:14 CET 2013 Urgent_Java_Security_Update.class
X.509, CN=Microsoft Corporation, OU=Microsoft Corporation, O=Microsoft Corporation, L=New York, ST=NY, C=US
[certificate will expire on 5/23/13 11:08 AM]
[CertPath not validated: null]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
Warning:
This jar contains entries whose signer certificate will expire within six months.
This jar contains entries whose certificate chain is not validated.
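Added example, not from the post: a small Python triage script that parses jarsigner -verify -verbose -certs output and flags what the output above shows, namely a signed entry whose certificate chain is not validated (a self-generated cert), a signer CN that claims a well-known vendor without a trusted chain, and a class name built as an "update" lure. The sample input is the post's own jarsigner output, embedded as a constructed string; the vendor list and lure words are assumptions chosen for the example.

```python
"""Triage helper for `jarsigner -verify -verbose -certs` output (added example, not the post's code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the jarsigner output quoted in the post.
SAMPLE_OUTPUT = """\
s 157 Fri Feb 22 19:35:40 CET 2013 META-INF/MANIFEST.MF
X.509, CN=Microsoft Corporation, OU=Microsoft Corporation, O=Microsoft Corporation, L=New York, ST=NY, C=US
[certificate will expire on 5/23/13 11:08 AM]
[CertPath not validated: null]
278 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.SF
1040 Fri Feb 22 19:35:40 CET 2013 META-INF/TOMCAT.RSA
sm 2726 Fri Feb 22 19:35:14 CET 2013 Urgent_Java_Security_Update.class
X.509, CN=Microsoft Corporation, OU=Microsoft Corporation, O=Microsoft Corporation, L=New York, ST=NY, C=US
[certificate will expire on 5/23/13 11:08 AM]
[CertPath not validated: null]
jar verified.
"""

# Assumed list: vendor names that a self-generated certificate might borrow.
IMPERSONATED_VENDORS = ("microsoft", "oracle", "sun microsystems", "adobe", "google")
# Assumed list: words typical of "urgent update" lures in class/file names.
LURE_WORDS = ("update", "security", "urgent", "java", "patch")

# Entry line: optional flag letters (s/m/k/i), size, timestamp, entry name.
ENTRY_RE = re.compile(r"^\s*(?:([smki]+)\s+)?(\d+)\s+(.+?\d{4})\s+(\S+)$")
CN_RE = re.compile(r"\bCN=([^,]+)")


@dataclass
class Entry:
    name: str
    flags: str
    size: int
    signer_cn: Optional[str] = None
    chain_validated: bool = True  # set False when jarsigner prints "CertPath not validated"


def parse_jarsigner(text):
    """Return (entries, verified_flag); certificate lines attach to the preceding entry."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = Entry(name=m.group(4), flags=m.group(1) or "", size=int(m.group(2)))
            entries.append(current)
            continue
        if current is None:
            continue
        cn = CN_RE.search(line)
        if cn and current.signer_cn is None:
            current.signer_cn = cn.group(1).strip()
        if "CertPath not validated" in line:
            current.chain_validated = False
    return entries, "jar verified." in text


def triage(text):
    """Turn jarsigner output into a list of (kind, entry, detail) findings."""
    entries, verified = parse_jarsigner(text)
    findings = []
    for e in entries:
        # "s" means the signature checked out, but that says nothing about who signed.
        if "s" in e.flags and not e.chain_validated:
            findings.append(("untrusted-chain", e.name, e.signer_cn))
            if e.signer_cn and any(v in e.signer_cn.lower() for v in IMPERSONATED_VENDORS):
                findings.append(("vendor-impersonation", e.name, e.signer_cn))
        if e.name.endswith(".class"):
            lure = [w for w in LURE_WORDS if w in e.name.lower()]
            if lure:
                findings.append(("lure-name", e.name, ",".join(lure)))
    kinds = {f[0] for f in findings}
    verdict = "suspicious" if kinds & {"vendor-impersonation", "lure-name"} else "no-findings"
    return {"jarsigner_says_verified": verified, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    print("jarsigner verdict:", "verified" if result["jarsigner_says_verified"] else "not verified")
    for kind, name, detail in result["findings"]:
        print(f"  {kind:22} {name:40} {detail}")
    print("triage verdict:", result["verdict"])
```

The point the script makes is the one the output above makes: "jar verified." only means the signature matches the jar contents, so a jar signed with a home-made "Microsoft Corporation" certificate still passes, and the only tell-tales are the "CertPath not validated" line and the lure in the class name.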
------------------------------------------
Files : http://goo.gl/NVlnM (OwnCloud)