That was fast (4 days after the patch). After CVE-2013-0634 (Flash), it is now CVE-2013-1493 (the last known vulnerability, affecting up to jre17u15 / jre16u41) that reaches Cool Exploit Kit (from the Reveton distributor; by the way, this ransomware seems to be dressed again in what I called the Winter II design).
Credits first:
Will Metcalf from Emerging Threats for the "path" part of the landing.
Michael Shierl for confirming (and giving more clues) that it looks like CVE-2013-1493.
Chris Wakelin for additional tips
I will update this post with integration in other exploit kits.
Cool EK (2013-03-08):
jre17u15:
CVE-2013-1493 successful path in Cool EK (jre17u15) 2013-03-08
jre16u41:
CVE-2013-1493 successful path in Cool EK (jre16u41) 2013-03-08
GET http://retrempercircum[...].glamorizesports.com/world/bright_rural_mutter.html
200 OK (text/html)
GET http://retrempercircum[...].glamorizesports.com/world/rug-magistrate.jar
200 OK (application/java-archive) a3410c876ed4bb477c153b19eb396f42
GET http://retrempercircum[...].glamorizesports.com/world/improved_violently_section.swf
404 Not Found (text/html)
GET http://[...]/world/getnn.jpg
200 OK (application/x-msdownload) e343845066df8c271b5ac095f2d44183
Out of scope: Reveton
Security in jre17u>10: want to get infected? Follow the bubble
For Java 1.6, things are different:
In jre16 (no comment)
<edit1: 11/03/13>
Sibhost:
It's now also part of Sibhost.
CVE-2013-1493 successful path in Sibhost
GET http://[...].bestonlinecourse.net/vs3Mpr1V3t843
200 OK (text/html)
GET http://[...].bestonlinecourse.net/vs3Mpr1V3t843.zip
200 OK (application/octet-stream)
GET http://[...].bestonlinecourse.net/vs3Mpr1V3t843.zip
200 OK (application/octet-stream) c1e430c2bfa13e33915eb69ae2d068b3
Urausy and CVE-2013-1493 in the Jar
POST http://[...].bestonlinecourse.net/vs3Mpr1V3t843?page=1
200 OK (text/html)
GET http://rqwkp.com/xo-cq[...]qejau-bleh[...]ngj-oxbf[...]fz-clzv_g[...]ypr-jpnobwor[...]gux.php
200 OK (application/octet-stream) <-- This is the call home from the pushed ransomware, which, as you quite surely already know, is Urausy (sharing infrastructure with the Sibhost EKaaS).
Out of scope: Decoded Urausy: fe6562c5d5ba8d04d94f887feef4554d
</edit1>
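Both chains above (Cool EK: HTML landing, then a .jar served as application/java-archive, then an executable served as getnn.jpg; Sibhost: landing, then a .zip served as application/octet-stream, then a POST back to the landing) follow the same shape in a proxy log, which makes them easy to hunt for after the fact. The script below is an added example, not code from the original post: it parses a constructed log excerpt (the line format and every hostname are made up to mirror the lines in this post; only the md5s are the ones quoted above) and reports landing -> Java archive [-> disguised payload] chains per host.

```python
"""Hunt Java exploit-kit request chains in proxy logs.

Added example, not code from the original post. The line format
"METHOD URL STATUS CONTENT-TYPE MD5" and every hostname below are constructed;
adapt parse_log() to your proxy's real format.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed excerpt modelled on the Cool EK and Sibhost chains in this post.
# Hostnames are placeholders; the md5s are the ones quoted in the post.
SAMPLE_LOG = """\
GET http://landing.example.net/world/bright_rural_mutter.html 200 text/html -
GET http://landing.example.net/world/rug-magistrate.jar 200 application/java-archive a3410c876ed4bb477c153b19eb396f42
GET http://landing.example.net/world/improved_violently_section.swf 404 text/html -
GET http://landing.example.net/world/getnn.jpg 200 application/x-msdownload e343845066df8c271b5ac095f2d44183
GET http://cdn.example.org/site.css 200 text/css -
GET http://cdn.example.org/logo.jpg 200 image/jpeg -
GET http://ek2.example.biz/vs3Mpr1V3t843 200 text/html -
GET http://ek2.example.biz/vs3Mpr1V3t843.zip 200 application/octet-stream c1e430c2bfa13e33915eb69ae2d068b3
POST http://ek2.example.biz/vs3Mpr1V3t843?page=1 200 text/html -
"""

LINE_RE = re.compile(r"^(GET|POST)\s+(\S+)\s+(\d{3})\s+(\S+)\s+(\S+)$")

JAVA_ARCHIVE_TYPES = {"application/java-archive", "application/x-java-archive"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp"}


@dataclass
class Request:
    method: str
    url: str
    status: int
    ctype: str
    md5: Optional[str]

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    @property
    def ext(self) -> str:
        """Extension of the last path segment, lower-cased, '' if none."""
        name = urlsplit(self.url).path.rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse_log(text: str) -> list:
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than guessing
        method, url, status, ctype, md5 = m.groups()
        reqs.append(Request(method, url, int(status), ctype.lower(),
                            None if md5 == "-" else md5))
    return reqs


def is_java_archive(r: Request) -> bool:
    # Declared jar, or a .jar/.zip handed out opaquely (Sibhost's .zip as octet-stream).
    return r.status == 200 and (
        r.ctype in JAVA_ARCHIVE_TYPES
        or (r.ext in {"jar", "zip"} and r.ctype == "application/octet-stream"))


def is_disguised_payload(r: Request) -> bool:
    # Executable MIME type behind an image name (Cool EK's getnn.jpg as x-msdownload).
    return r.status == 200 and r.ctype in EXECUTABLE_TYPES and r.ext in IMAGE_EXTENSIONS


def _chain(host, landing, jar, payload) -> dict:
    return {"host": host, "landing": landing.url, "jar": jar.url, "jar_md5": jar.md5,
            "payload": payload.url if payload else None,
            "payload_md5": payload.md5 if payload else None}


def find_java_ek_chains(reqs) -> list:
    """Per host, in log order: HTML landing -> Java archive [-> disguised payload].

    The payload step is optional because Sibhost carries the dropper inside the jar.
    """
    by_host = {}
    for r in reqs:
        by_host.setdefault(r.host, []).append(r)
    chains = []
    for host, rs in by_host.items():
        landing = jar = None
        for r in rs:
            if landing is None:
                if r.method == "GET" and r.status == 200 and r.ctype == "text/html":
                    landing = r
            elif jar is None:
                if is_java_archive(r):
                    jar = r
            elif is_disguised_payload(r):
                chains.append(_chain(host, landing, jar, r))
                landing = jar = None
        if landing is not None and jar is not None:
            chains.append(_chain(host, landing, jar, None))
    return chains


if __name__ == "__main__":
    for c in find_java_ek_chains(parse_log(SAMPLE_LOG)):
        print(c)
```

Run against the constructed excerpt it reports two chains (the Cool EK one with the getnn.jpg payload, the Sibhost one with the .zip and no separate payload) and nothing for the benign CDN host. The 404 on the .swf is deliberately not a trigger: a failed probe for a second exploit is common, but on its own it is too noisy to alert on. The grouping is per host, so a kit that serves the payload from a different domain than the landing (as the elided host on the getnn.jpg line may indicate) needs the window widened to a per-client session.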
Files:
Cool EK: a3410c876ed4bb477c153b19eb396f42 - 037160d1fc08d1643382233049944246
Sibhost: c1e430c2bfa13e33915eb69ae2d068b3
(nothing more for now)
Reading:
YAJ0: Yet Another Java Zero-Day - 2013-02-28 - Darien Kindlund and Yichong Lin - FireEye Blog
CVE-2013-1493 - MITRE
Latest Java Zero-Day Shares Connections with Bit9 Security Incident - 2013-03-01 - Symantec