Java Flaw Repair Email Camouflages Crafty New Malware Attack

NEWS ANALYSIS: The Java vulnerability that was announced in January is bad enough. But now there’s a new form of malware that pretends to be the update for Java that fixes it, but instead just adds more malware.

Back in January there was big news about a zero-day vulnerability in Java. This vulnerability would let the Bad Guys execute software on your computer, allowing them to (among other things) turn it into another zombie machine on a botnet. At the time, the recommendation was that users disable Java in their browsers.

As you might imagine, Oracle, the company that took responsibility for Java when it acquired Sun Microsystems, hurriedly worked on a fix. That fix is now available and you can download it. But the attention to the Java vulnerability has now led to a new approach to malware that pretends to be a fix for the vulnerability.

What happens is this. The new malware appears on your screen, and looks for the most part like the standard Java update window and requests permission to install an update. The Java logo is there, and if you’re not paying attention, it seems legitimate. But click to give permission and it will install malware instead of an update.

“The Java security update is a type of social engineering,” said Kevin Haley, director, Symantec Security Response. “It’s unrelated to the vulnerability; it’s just a way to get people to click on the attachment.”

Fortunately, if you have adequate security software it won’t be able to do anything even if you click to give it permission to perform the “update.” Unfortunately, there’s no way to know for sure that your security software caught it. Everything depends on exactly what kind of security software you’re running, and how recently it’s been updated. “You should consider yourself infected,” Haley said.

Haley noted that Symantec has a free security scanning service that can check for malware, and he said that many other security vendors have similar services. These products, which you download and install on your Windows machine, will give a complete malware scan, and alert you to any viruses or other malware. You can find similar scanning software at McAfee and Kaspersky among others.

Haley said that he wasn’t surprised at the appearance of the fake Java update. “There’s always been that when these zero day vulnerabilities become public,” Haley said. “It’s in the public domain, the bad guys all want to take advantage of it. There’s a race between patches and exploits.”

The problem has become much worse recently now that the hacking took kits have become commercialized. “These guys are competing to sell their toolkits to bad guys,” Haley said. “We’re seeing them out in the field quicker. You don’t have that lag time that there used to be before people start exploiting these vulnerabilities.”