Poison Ivy, a common backdoor Trojan that has been infecting computers for some time, is being delivered by the ‘Nitro’ hackers, who targeted the chemical industry, via the now much-exploited Java. Team Nitro, which was behind last year’s industrial espionage attacks, is again using holes in Oracle’s Java software to install Poison Ivy on victims’ Windows machines. The activity was detected by Symantec, which last year uncovered a string of cyber attacks against 48 companies involved in the chemical and military industries.
According to Symantec’s findings, the group uses a malicious Java applet that bypasses security checks to execute the Poison Ivy malware, which opens a backdoor on infected PCs and allows a remote malicious user to gain control of the system. In early August 2012, the Nitro attackers began sending their targets emails containing direct links to Poison Ivy executables. Attackers also spread the malware simply by tricking users into visiting booby-trapped websites, where malicious code is loaded onto vulnerable computers without any user interaction.
The recent wave of attacks was also found to use the same command servers and components with the same file names as last year’s assault. In this campaign, the Java zero-day exploits were taken from a Chinese exploit pack known as Gondad or KaiXin (similar to the ones used in Nitro’s attacks) and incorporated into criminal operations using the BlackHole Exploit Kit. The flaws these exploits target were introduced in Java 7.0, which means that all versions of Java 7 are vulnerable, while older Java 6 versions appear to be immune. Ironically, this means Mac OS X users who keep their software up to date are at greater risk of attack.
The most recent version of Java is thus under attack on two fronts: the zero-day exploit used by Nitro and the same exploit packaged in the Blackhole Exploit Kit.
Sean Sullivan, a security adviser at F-Secure, commented: “The perpetual vulnerability machine that is Oracle’s Java Runtime Environment (JRE) has yet another highly exploitable vulnerability (CVE-2012-4681). And it’s being commoditised at this very moment. There being no latest patch against this, the only solution is to totally disable Java.”
The best thing users can do to prevent the attack is to disable Java in their web browsers, the most obvious attack route. Even with Java disabled in Chrome, it is still possible to enable the technology for a specific site the user trusts, a useful exception for banking and other similar sites that require Java.
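A defender triaging a fleet needs to know which machines run the Java 7 family the article describes as vulnerable and which run the Java 6 builds it describes as immune. The following Python helper, an added example that is not from the article or from Symantec, parses `java -version` output (sample lines below are constructed) and classifies the runtime; the optional `fixed_update` argument is an assumption for readers who later learn which update shipped the fix, since the article states that no patch existed at the time of writing.

```python
import re
import subprocess
from typing import Optional, Tuple

# Matches the first line of `java -version` output, which is written to stderr, e.g.
#   java version "1.7.0_06"
#   openjdk version "1.6.0_24"
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from `java -version` text, e.g. (7, 6) for 1.7.0_06.

    Returns None when no version line is present (Java missing or output garbled)."""
    match = _VERSION_RE.search(output)
    if not match:
        return None
    major, minor, _patch, update = match.groups()
    # Legacy numbering: "1.7.x" is Java 7 and "1.6.x" is Java 6.
    family = int(minor) if major == "1" else int(major)
    return family, int(update or 0)


def is_exposed(output: str, fixed_update: Optional[int] = None) -> Optional[bool]:
    """Classify a runtime against the article's criterion.

    True  -> Java 7 family (every update, unless fixed_update says otherwise)
    False -> Java 6 or older, which the article reports as unaffected
    None  -> version could not be determined
    fixed_update is an assumed parameter: pass the first Java 7 update known to carry
    the CVE-2012-4681 fix, and runtimes at or above it are reported as not exposed."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    if family != 7:
        return False
    if fixed_update is not None and update >= fixed_update:
        return False
    return True


def audit_local_java(fixed_update: Optional[int] = None) -> Optional[bool]:
    """Run the locally installed `java -version` and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None  # no Java on the PATH: nothing for a browser plug-in to load
    return is_exposed(proc.stderr + proc.stdout, fixed_update)
```

Disabling the browser plug-in remains the mitigation the article recommends; this check only tells you which hosts still carry an exposed runtime.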