[Emerging-Sigs] Another unknown exploit kit

Chris Wakelin c.d.wakelin at reading.ac.uk
Sun Oct 9 18:44:34 EDT 2011

On 09/10/2011 17:48, Martin Holste wrote:
> Great intel, thanks.  Any pattern to the payloads it's serving, or is
> it your usual pay-per-install grab bag?

This weekend, it's the same payload, it seems, but I bet they're getting
paid for it!

> On Sun, Oct 9, 2011 at 10:25 AM, Chris Wakelin
> <c.d.wakelin at reading.ac.uk> wrote:
>> 3) Java exploit JAR file from /dl/jsm.php, more obfuscated Java, which
>> downloads a data file from /dl/jsm_text.php that then gets loaded into
>> the Java MIDI sequencer (presumably an exploit). However, I can't see
>> how this generates a download URL.

Looking into this, it appears to be an exploit for CVE-2010-0842.
Googling has found an analysis of something very similar at
http://www.inreverse.net/?p=1610 (the Java listed is almost line for
line the same as in the "shena.class" and "kiwiw.class" files in the
jsm.php JAR and the downloaded file starts the same way for the first
140 bytes or so).

I'm not very experienced at finding and deciphering shellcode, but I'm
guessing the download URL is encoded somewhere in the file. The file
varies by a few bytes between the different downloads I have. I'll let
you know if I manage to decipher it!


Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

More information about the Emerging-sigs mailing list