{"id":9383,"date":"2013-03-02T11:10:01","date_gmt":"2013-03-02T17:10:01","guid":{"rendered":"http:\/\/bucktownbell.com\/?p=9383"},"modified":"2013-03-02T11:12:29","modified_gmt":"2013-03-02T17:12:29","slug":"yet-another-java-zero-day","status":"publish","type":"post","link":"http:\/\/bucktownbell.com\/?p=9383","title":{"rendered":"Yet Another Java Zero-Day"},"content":{"rendered":"<blockquote><p>The exploit is not very reliable, as it tries to overwrite a big chunk of memory. As a result, in most cases, upon exploitation, we can still see the payload downloading, but it fails to execute and yields a JVM crash. When the McRAT successfully installs in the compromised endpoint as an EXE (MD5: 4d519bf53a8217adc4c15d15f0815993), it generates the following HTTP command and control traffic:<br \/>\n<code><br \/>\nPOST \/59788582 HTTP\/1.0<\/code><br \/>\n<code>Content-Length: 44<\/code><br \/>\n<code>Accept: text\/html,application\/xhtml+xml,application\/xml,*\/*<\/code><br \/>\n<code>User-Agent: Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident\/5.0)<\/code><br \/>\n<code>Host: 110.XXX.55.187<\/code><br \/>\n<code>Pragma: no-cache<\/code><\/p><\/blockquote>\n<p>via <a href=\"http:\/\/blog.fireeye.com\/research\/2013\/02\/yaj0-yet-another-java-zero-day-2.html\">Malware Intelligence Lab from FireEye &#8211; Research &amp; Analysis of Zero-Day &amp; Advanced Targeted Threats:YAJ0: Yet Another Java Zero-Day<\/a>.<\/p>\n<p>It should be possible to detect this using something like snort at the firewall\/gateway.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The exploit is not very reliable, as it tries to overwrite a big chunk of memory. As a result, in most cases, upon exploitation, we can still see the payload downloading, but it fails to execute and yields a JVM &hellip; <a href=\"http:\/\/bucktownbell.com\/?p=9383\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[923,427,345],"class_list":["post-9383","post","type-post","status-publish","format-standard","hentry","category-pc-issues","tag-0day","tag-exploit","tag-java"],"_links":{"self":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/9383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9383"}],"version-history":[{"count":8,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/9383\/revisions"}],"predecessor-version":[{"id":9391,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/9383\/revisions\/9391"}],"wp:attachment":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9383"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9383"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}