RECENT JAVA EXPLOITATION TRENDS AND MALWARE presented at BlackHat USA 2012

by Jeong wook Oh,

Tags: Exploitation Java

Summary : "We are seeing more and more Java vulnerabilities exploited in the wild. While it might surprise many users, and even some people in the industry, to hear that Java is currently a major vector for malware propagation, attackers haven't forgotten that it is still installed and used on a huge number of systems and devices, including those running Microsoft Windows, Mac OSX and different flavors of Unix. Since Java supports multiple platforms, one Java vulnerability can sometimes lead to exploitation on multiple platforms.
Java vulnerabilities are often about evading the sandbox. With sandbox evasion vulnerabilities, the exploitation is much easier and multi-platform attacks are feasible - all those security measures against memory corruption issues won't help. The widely-exploited CVE-2012-0507 vulnerability, for example, was a sandbox breach. We saw active Mac OSX system breaches using this vulnerability, and before that, the vulnerability was used for widespread infection of Windows systems. The cost of writing multi-platform exploits is relatively low and the success rate of exploitation is high.
As we can see, Java vulnerabilities have become more and more popular. However, there is a lack of knowledge on how exploitation of these vulnerabilities actually works. Many Java vulnerabilities result in a sandbox breach, but the way the breach happens is quite a complex process. In this presentation, we will look at some recent Java vulnerabilities and show where these vulnerabilities occur. We will also show you how the exploitation happens and how the bad guys adapt them to use in their arsenal. Of course, Java exploits and malware are written in Java. That opens up an easy way for the attackers to obfuscate and hide their exploits inside complicated logic and code. On the other hand, it means a hard life for security researchers. We are also going to show you an example of an exploit that was obfuscated and modified in a way that made analysis and detection difficult. We share Java debugging techniques and our experience in dealing with these problems."