Java Becomes Target for Crimeware

Author:  Katie Campbell
Institution:  University of Florida

Hackers maintaining the competing crimeware products Blackhole and Nuclear Pack announced the addition of a new exploit targeting a previously unknown security hole in Java.

According to KrebsonSecurity – a blog maintained by investigative journalist Brian Krebs – the creator of Blackhole, using the nickname “Paunch,” announced on Jan. 9 his exploit kit would be the first to include the weapon against Java. The maker of Nuclear Pack made a similar announcement soon after. Both crimeware creators claimed the security hole exists in all versions of Java 7, including the latest update.

Milton Smith, Java security lead at Oracle Corp. – the company that owns Java – held a conference call with Java User Group leaders a few weeks after various attacks exploiting Java were revealed, causing panic and concern over Oracle’s next move.

“No amount of talking or smoothing over is going to make anybody happy,” Smith said during the call. “We have to fix Java.”

Java is a programming language and computing platform used to power programs like utilities, games and business applications. Some websites require it to run interactive applications. According to Oracle Corp., the software runs on more than 850 million personal computers and billions of devices, including mobile devices.

The Java exploit could be stitched into websites and activated by users. Hackers could then use Java software to seize control over Windows PCs.

Oracle quickly responded to the threat with a patch to fix the vulnerability in Java. However, less than 24 hours after the patch was released, users on the “Underweb” – an internet underground meant for illegal activities – began selling an exploit for a different and still-unpatched vulnerability using Web browsers through Java software.

According to KrebsonSecurity, one administrator for an exclusive cybercrime forum posted a message selling a new exploit, promising “weaponized and source code versions,” to two buyers. The cost: starting at $5,000 each. The thread containing the offer was later deleted from the forum, indicating the seller found two buyers willing to pay.

These announcements by crimeware syndicates caused widespread panic as Java users, and general computer users, sought answers concerning their level of vulnerability.

On most PCs, Java includes a browser plug-in, which is used in exploit packs stitched into targeted websites requiring Java. Researchers at Carnegie Mellon University‘s CERT have said disabling the Java browser plug-in will essentially prevent exploitation.

Krebs warned users to keep in mind that any website could act as a potential base for these exploit packs.

“Exploit packs can be just as easily stitched into porn sites as they can be inserted into legitimate, hacked Web sites,” he said. “All it takes is for the attackers to be able to insert one line of code into a compromised Web site.”

This science feature article was written under the guidance of JYI Science Writing Mentor Robert Aboukhalil.