We have discovered the exploit on several websites and traced its tracks. One of the sites on which we found it belongs to an Albanian TV station.
The attacker had access to the web server and the source code of the infected website: the exploit was not pulled in through a redirect to another site but planted directly in the site's own source code in the form of a Java applet. G Data scanners detect this applet as Java:CVE-2012-0507-EM [Trj].
If the exploit is successful, an IRC bot is downloaded onto the vulnerable computer, which then waits for commands from the bot master. G Data scanners detect it as Trojan.Generic.KDV.712954. This file is hosted on a hacked WordPress blog. The blogger most likely has no knowledge of this (yet) but has now been informed by us.
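Because the applet was planted straight into the site's HTML rather than loaded via a redirect, a site owner can look for it in the page source itself. The following is an added example (not code from G Data or from the affected site) that walks an HTML document with the standard-library parser and reports every `<applet>`, Java-plugin `<object>` and Java `<embed>` tag, flagging the tiny or invisible ones that are typical of a planted loader. The HTML snippet, the class and jar names are constructed for the demonstration; the `clsid` value is the well-known Java Plug-in ActiveX class id.

```python
from html.parser import HTMLParser

# Constructed sample page with an injected applet; the class and jar names
# are made up and are not the ones from the infected TV-station site.
SAMPLE_HTML = """
<html><body>
<h1>News</h1>
<applet code="Loader.class" archive="hidden.jar" width="1" height="1"></applet>
<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="0" height="0">
  <param name="code" value="Runner.class">
  <param name="archive" value="second.jar">
</object>
<img src="logo.png">
</body></html>
"""

# Class id used by the Java Plug-in when it is embedded as an ActiveX <object>.
JAVA_PLUGIN_CLSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"


class JavaTagFinder(HTMLParser):
    """Collects <applet>, Java <object> and Java <embed> tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._object = None  # the Java <object> currently being read, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser already lower-cases attribute names
        if tag == "applet":
            self.findings.append({"tag": tag, **a})
        elif tag == "object" and a.get("classid", "").lower() == JAVA_PLUGIN_CLSID:
            self._object = {"tag": tag, **a}
        elif tag == "embed" and "java" in a.get("type", "").lower():
            self.findings.append({"tag": tag, **a})
        elif tag == "param" and self._object is not None:
            # <param name="code" value="..."> carries the applet settings for <object>
            self._object[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._object is not None:
            self.findings.append(self._object)
            self._object = None


def find_java_applets(html):
    """Return a list of dicts, one per Java applet/object/embed tag found in html."""
    parser = JavaTagFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def is_hidden(finding):
    """True if the tag is rendered at 1px or smaller: a common trait of planted loaders."""
    def px(value):
        try:
            return int(str(value).rstrip("px"))
        except ValueError:
            return None
    width, height = px(finding.get("width")), px(finding.get("height"))
    return (width is not None and width <= 1) or (height is not None and height <= 1)


if __name__ == "__main__":
    for f in find_java_applets(SAMPLE_HTML):
        flag = "HIDDEN " if is_hidden(f) else ""
        print(f"{flag}<{f['tag']}> code={f.get('code')} archive={f.get('archive')}")
```

Run it over the files of a web root (or over fetched pages) and review any hit whose `code` or `archive` you did not put there yourself; a jar referenced from a page that never used Java is the kind of change that should be treated as a compromise of the server, as in the case described above.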
It is as yet unclear whether the attackers are pursuing a specific goal with the hijacked computers. A bot of this kind offers the usual capabilities: sending spam, DoS or DDoS attacks etc.
Prepared for a multi-platform attack
In the source code of the exploit, the experts found preparations for supplying malicious code for other platforms such as Mac or Linux.
Before the payload is downloaded to the vulnerable computer, the exploit checks which operating system it is running on. Currently, malicious files are only downloaded if the system is a Windows system. However, the code paths for other systems have already been implemented, and the attackers can quickly activate them to deliver malicious files for the other platforms as well.
The analyses continue ...
We advise users of Java 7 to disable Java in the web browser or to download the newest Java Update (currently Java 7 Update 7, released 30 August 2012): www.java.com/en/download/
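To check whether a machine is still on a Java 7 release older than Update 7, the first line of `java -version` can be parsed and compared. This is an added example, not part of the original post, and assumes only that a `java` binary is on the path (the sample version strings are constructed; the `1.7.0_07` baseline is the Update 7 named above).

```python
import re
import subprocess

# Java 7 Update 7, the release the advisory names as the fix.
FIXED_JAVA7 = (1, 7, 0, 7)

# Matches 'java version "1.7.0_06"' and also newer forms such as 'version "11.0.2"'.
_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?')


def parse_java_version(output):
    """Turn `java -version` output into a (major, minor, patch, update) tuple of ints."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError("no Java version string found in output")
    return tuple(int(part or 0) for part in m.groups())


def java7_needs_update(version):
    """True for a Java 7 install older than Update 7; other major versions are not judged here."""
    return version[:2] == (1, 7) and version < FIXED_JAVA7


def check_installed_java(java_bin="java"):
    """Ask the local java binary for its version (it prints to stderr) and evaluate it."""
    proc = subprocess.run([java_bin, "-version"], capture_output=True, text=True)
    version = parse_java_version(proc.stderr + proc.stdout)
    return version, java7_needs_update(version)


# Constructed sample outputs in the format `java -version` printed in 2012.
SAMPLES = [
    'java version "1.7.0_06"\nJava(TM) SE Runtime Environment (build 1.7.0_06-b24)',
    'java version "1.7.0_07"\nJava(TM) SE Runtime Environment',
    'java version "1.6.0_33"\nJava(TM) SE Runtime Environment',
]

if __name__ == "__main__":
    for text in SAMPLES:
        v = parse_java_version(text)
        print(v, "Java 7 older than Update 7, update or disable the browser plug-in"
                 if java7_needs_update(v) else "not affected by this check")
    try:
        print("installed:", check_installed_java())
    except FileNotFoundError:
        print("no java binary on the path")
```

The function only judges Java 7 installs, in line with the advice above; a host without Java in the browser at all is the safer state regardless of the version found.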
For background information on this vulnerability and to find out how you can protect yourself by disabling Java in the browser, please take a look at our previous publications:
G Data SecurityBlog (EN): CVE-2012-4681 – A Java 0-day is going to hit big time