G Data: Malware Targeting Java Vulnerabilities Dominates 2011

"50 percent of Top 10 malware target Java security holes."

Durham, NC (1888PressRelease) April 22, 2011 - Online criminals are relying more heavily on Java security holes to distribute computer malware, according to research generated by G Data Security Labs. Java malware has been on the rise since 2010, and last month five of G Data's Top 10 malware programs targeted Java or JavaScript. These unclosed security holes are playing a progressively larger role in the infection of Windows systems and have been gaining the attention of the security community.

"The world of malware shifted last year as cybercriminals started targeting their attacks onto applications, in particular Java," said Ed Johnson, senior vice president of G Data Software. "To protect yourself, we recommend not disabling automatic Java updates and always loading all patches that are issued for Java."

Security Labs also noted an increase in clickjacking, malware that tricks users into raising the rankings of infected sites on search engines and social networks. For example, Trojan.JS.Clickjack.A generates Facebook "Likes" for primed sites without the user noticing. G Data forecasts that this type of malware will continue to be an issue for social networks and search engines in 2011.

G Data's Top 10 Malware Programs

Methodology for Ranking G Data's Top 10
The Malware Information Initiative (MII) relies on the online community of G Data security customers. Participating individuals must have activated this function in their G Data program. Each time G Data's software fends off a malware attack, the event is reported anonymously to G Data Security Labs, where the data is then assessed statistically.

Trojan.Wimad.Gen.1
This Trojan pretends to be a normal .wma audio file that can only be played after a special codec/decoder is installed on the Windows system. If the user runs the file, the attacker can install malware of any kind on the system. The infected audio file is mainly distributed via P2P networks.

Java.Trojan.Downloader.OpenConnection.AI
This Trojan downloader is located in manipulated Java applets on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this URL to download a malicious executable file onto the user's computer and run it; such files can be any type of malware. The downloader uses the CVE-2010-0840 vulnerability to circumvent the Java sandbox and thus gain the ability to write data locally.

Win32.Ramnit.N
Win32.Ramnit.N is a standard file infector that infects executable files (.exe), dynamic libraries (.dll) and HTML files stored on the hard disk. After an infected .exe file is executed or an infected .dll file is loaded, another .exe is copied to the computer, and an autostart entry is created so that the infected file is launched on every reboot. The infector connects to several servers via HTTP or HTTPS; however, the communication protocol deviates from the norm.

The infector regularly scans every local folder on the hard disk and infects several, if not all, .exe, .dll and HTML files with a dropper, which carries the same file infector as the originally infected file. Infected HTML files contain a VBScript that copies the infector when a user opens the page in an Internet Explorer browser; however, from version 6.0 onwards, IE asks whether the script should really be run.

Worm.Autorun.VHG
This malware program is a worm that uses the autorun.inf function in Windows operating systems to distribute itself via removable storage devices such as USB sticks or portable hard drives. It is also an Internet and network worm and exploits the CVE-2008-4250 vulnerability.

Trojan.AutorunINF.Gen
This is a generic detection that recognises known and unknown malicious autorun.inf files. Autorun.inf files are autostart files that are exploited as malware distribution mechanisms on USB devices, removable storage devices, CDs, and DVDs.
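The two autorun entries above rest on the same mechanism: an autorun.inf on removable media tells Windows what to run or show when the device is inserted. The following is an added example, not G Data's detection logic, of what a defender can check for in such a file: a small parser for the INI-style format and a set of checks that flag any entry that would launch a program, a default verb that makes double-clicking the drive run that program, and "action" text copied from the built-in Explorer prompt. Both sample files are constructed for illustration and the file name RECYCLER\update.exe is a placeholder, not an indicator from any real sample.

```javascript
// Added example (not G Data's code): a small autorun.inf parser and a set of
// checks that flag entries which would launch a program from removable media
// or which mimic the Explorer "Open folder" prompt. The samples below are
// constructed for illustration and do not come from any real malware.

// Parse INI-style text into { section: { key: value } }; keys are lowercased,
// and junk lines without "=" (a common obfuscation) are ignored.
function parseAutorunInf(text) {
  const sections = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      current = header[1].trim().toLowerCase();
      if (!sections[current]) sections[current] = {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq < 0 || current === null) continue;
    const key = line.slice(0, eq).trim().toLowerCase();
    sections[current][key] = line.slice(eq + 1).trim();
  }
  return sections;
}

// Keys that cause Windows to run a command: open, shellexecute, and any
// shell\<verb>\command entry (the verbs shown in the drive's context menu).
const LAUNCH_KEY = /^(open|shellexecute|shell\\[^\\]+\\command)$/;

// Return a list of findings for one autorun.inf; an empty list means nothing
// suspicious was found. Every launch key is reported, because a program
// starting automatically from removable media is itself the risk.
function assessAutorunInf(text) {
  const auto = parseAutorunInf(text).autorun;
  if (!auto) return [];
  const findings = [];
  for (const [key, value] of Object.entries(auto)) {
    if (LAUNCH_KEY.test(key)) {
      findings.push({ key, reason: `launches a program: ${value}` });
    } else if (key === 'shell') {
      // "shell=<verb>" makes that verb the default, so double-clicking the
      // drive icon runs the matching shell\<verb>\command entry.
      findings.push({ key, reason: `default verb set to "${value}"` });
    } else if (key === 'action' && /open folder to view files/i.test(value)) {
      // Text copied from the built-in AutoPlay option so the user believes
      // they are opening the folder rather than running a program.
      findings.push({ key, reason: 'action text mimics the Explorer prompt' });
    }
    if (/(^|\\)(recycler|\$recycle\.bin|system volume information)(\\|$)/i.test(value)) {
      findings.push({ key, reason: 'path inside a hidden system folder' });
    }
  }
  return findings;
}

// Constructed samples: a typical installer CD and a worm-style file.
const BENIGN_SAMPLE = [
  '[autorun]',
  'open=setup.exe',
  'icon=setup.exe,0',
  'label=Product Installer',
].join('\r\n');

const WORM_STYLE_SAMPLE = [
  '[autorun]',
  'icon=%SystemRoot%\\system32\\SHELL32.dll,4',
  'action=Open folder to view files',
  'open=RECYCLER\\update.exe',
  'shell\\open\\command=RECYCLER\\update.exe',
  'shell\\explore\\command=RECYCLER\\update.exe',
  'shell=open',
  'xQ3#zkd', // junk line of the kind used to confuse naive parsers
].join('\r\n');

// Print one line per finding when run directly.
for (const [name, sample] of [['benign', BENIGN_SAMPLE], ['worm-style', WORM_STYLE_SAMPLE]]) {
  const findings = assessAutorunInf(sample);
  console.log(`${name}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.key}: ${f.reason}`);
}
```

The benign installer file produces a single finding (its open= line), while the worm-style file accumulates eight: every launch key, the default verb, the mimicked prompt text, and each reference to the hidden RECYCLER folder. Treating the number and kind of findings, rather than the mere presence of an autorun.inf, as the signal keeps legitimate installer media from being flagged at the same level as a worm.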

Java.Trojan.Downloader.OpenConnection.AN
This Trojan downloader is located in manipulated Java applets on websites. When the applet is downloaded, a URL is generated from the applet parameters. The downloader uses this URL to download a malicious executable file onto the user's computer and run it; such files can be any type of malware. The downloader exploits the CVE-2010-0840 security hole to break out of the Java sandbox and write data to the system.

JS:Redirector-EP [Trj]
A redirector sends website visitors on to other targets. The redirect target is disguised, e.g. using JavaScript obfuscation, so that the actual target URL is only constructed in the user's browser. The redirector itself does not compromise the user's system. However, it redirects the user to potentially malicious websites without any user involvement and is therefore a popular means of disguising the source of the actual attack.

Java:Agent-DM [Trj]
This Java-based malware program is a download applet that tries to use a security hole (CVE-2010-0840) to circumvent the sandbox protection mechanism and download additional malware onto the computer. Once the applet has fooled the sandbox, it can directly download and run .exe files, for example, something a simple applet could not normally do because the Java sandbox would prevent it.

Trojan.JS.Clickjack.A
Trojan.JS.Clickjack.A is disguised JavaScript that has been incorporated into websites. As the name suggests, it uses clickjacking techniques to trick website visitors into clicking on dubious links, objects and the like without noticing. In the case of Trojan.JS.Clickjack.A, an invisible IFRAME containing the standard Facebook "Like" button is generated on the malicious website. The JavaScript continually moves this IFRAME to follow the cursor position, so when the user clicks on the site (for example on the "Play" button displayed on a video site), he automatically and unknowingly clicks on the "Like" button and activates it.
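The clickjacking described above only works because the target page lets itself be loaded in a third-party IFRAME. For pages that should never be embedded, the defence is to refuse framing with the X-Frame-Options header or the CSP frame-ancestors directive; a widget that is designed to be embedded, like the "Like" button itself, cannot use this and needs other mitigations that the release does not describe. The following is an added example, not G Data's code, of a check a defender can run over a site's response headers to see whether that protection is actually in place. The header sets are constructed for illustration, and the origins in them are placeholders.

```javascript
// Added example (not G Data's code): decide from a response's headers whether
// a page can be loaded in an IFRAME by another origin. A page that refuses
// framing cannot be placed under a visitor's cursor on someone else's site.
// The header sets below are constructed for illustration.

function framingProtection(headers) {
  // Header names are case-insensitive; normalise them once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const result = { protected: false, reasons: [] };

  // Legacy mechanism: X-Frame-Options. DENY and SAMEORIGIN are enforced by
  // current browsers; ALLOW-FROM was never widely supported and is ignored.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    result.protected = true;
    result.reasons.push(`X-Frame-Options ${xfo}`);
  } else if (xfo.startsWith('ALLOW-FROM')) {
    result.reasons.push('X-Frame-Options ALLOW-FROM is not honoured by modern browsers');
  }

  // Modern mechanism: CSP frame-ancestors. Only the enforcing header counts;
  // a Report-Only policy just reports violations and blocks nothing.
  const csp = h['content-security-policy'] || '';
  const directive = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    if (sources.length === 0 || sources.includes("'none'")) {
      // An empty source list is equivalent to 'none'.
      result.protected = true;
      result.reasons.push("frame-ancestors 'none'");
    } else if (sources.includes('*') || sources.includes('http:') || sources.includes('https:')) {
      result.reasons.push('frame-ancestors permits any origin');
    } else {
      result.protected = true;
      result.reasons.push(`frame-ancestors restricted to ${sources.join(' ')}`);
    }
  } else if (/frame-ancestors/i.test(h['content-security-policy-report-only'] || '')) {
    result.reasons.push('frame-ancestors only in Report-Only policy, not enforced');
  }

  if (result.reasons.length === 0) result.reasons.push('no framing restriction at all');
  return result;
}

// Constructed header sets as a server might return them.
const SAMPLES = {
  none: { 'Content-Type': 'text/html' },
  xfo: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOpen: { 'Content-Security-Policy': 'frame-ancestors *' },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
  allowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const r = framingProtection(headers);
  console.log(`${name}: ${r.protected ? 'protected' : 'NOT protected'} (${r.reasons.join('; ')})`);
}
```

Of the six samples, only the SAMEORIGIN header and the enforcing frame-ancestors 'none' policy count as protected; a wildcard frame-ancestors, a Report-Only policy and the obsolete ALLOW-FROM form all leave the page frameable. Sending both headers is the usual practice, since the CSP directive takes precedence where it is understood and X-Frame-Options covers older browsers.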

Java.Trojan.Exploit.Bytverify.N
This threat exploits a security hole in the Java Bytecode Verifier and is located in manipulated Java applets on websites. By exploiting the security hole, malicious code can be executed; this malicious code can then, for example, start downloads of Trojan horses. Hence the attacker can take control of the victim's system.

About G Data Software, Inc.

Founded in 1985, G Data Software is one of the world's first antivirus providers, with offices and distribution in more than 80 countries worldwide. The company provides proven enterprise and consumer security solutions, including antivirus, anti-spyware, anti-phishing, and firewall software. In addition to products, G Data Software runs a world-class malware research lab, Security Labs, which monitors and analyzes current computing threats on a global basis, partnering with organizations, governments and nonprofits to fulfil a variety of needs. The company has recently established operations in North America, located in the heart of Research Triangle Park, North Carolina. For more information on G Data Software, its products, or Security Labs, visit www.gdata-software.com.

Press contacts

G Data Software
Eric Seymour / Aarti Shah
Phone: 617-960-9856 / 9878
Email: gdata ( @ ) marchpr dot com
Web: www.gdata-software.com

###