Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Java Drive By Download Attack

image
THREATLABZ
December 13, 2011 - 2 min read

Recently I blogged about how attackers are forcing users to download fake codecs to spread malicious content. I’ve also encountered across another drive by download attack vector, which uses Java applets to execute downloaded malicious content on the victim’s machine. Download and execution of malicious content happens without user interaction. Let’s take look at a screen-shot of the malicious URL “hxxp://www.nicholaspettas.com/”,

Image

 

As you can see, when a user visits the website the browser requests user permission to execute the Java applet code. Here is the HTML source of the page:

Image

 

When the user allows the applet code to run by clicking on “run” button, the browser downloads the “Client.jar” file from “hxxp://www.nicholaspettas.com/Client.jar”. Let’s take look at the Wireshark captures, which show the network activity performed during this process:

Image

 

The downloaded JAR file contains “Client.class”, which is executed by the JRE. An argument to the “Client.class” file is passed with the location of the malicious .exe residing on “hxxp://dl.dropbox.com/u/31332834/server_crypt.exe”. It’s interesting to see that the malicious exe file is uploaded on www.dropbox.com. The file “server_crypt.exe” is then downloaded by the above applet code and executed on the victim’s machine.

Image

 

Decompiling “Client.class” reveals the Java code, which you can read to better understand how it downloads the file and executes it. Let’s have look at piece of decompiled java code, which executes the downloaded file.

Image

 

Virustotal Reports:
Client.jar - 27 AV vendors on Virustotal reports it as “Trojan Downloader”.
server_crypt.exe - 16 AV vendors reports as “Trojan”

ThreatExpert Report:
server_crypt.exe – Indicated highest severity level for this threat.

Beware of drive by download attacks.

Pradeep

 

 

 

 

 

 

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
TOITOIN Trojan
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.