By Dancho Danchev
Just as we anticipated on numerous occasions in our series of blog posts exploring the emerging DIY (do it yourself) trend within the cybercrime ecosystem, novice cybercriminals continue attempting to steal market share from market leaders, in order to either gain credibility within a particular cybercrime-friendly community or secure a revenue stream.
Throughout 2012, we’ve witnessed the emergence of both publicly obtainable and commercially available DIY unsigned Java applet generators. Largely relying on social engineering, thanks to their built-in feature allowing them to “clone” any given Web site, these tools remain a popular attack vector in the arsenal of the less sophisticated cybercriminal looking for ways to build his very own botnet.
In this post, I’ll profile one of the most recently released DIY tools.
Sample screenshot of the tool’s builder:
Second screenshot of the tool’s builder in action:
The tool allows a novice cybercriminal to create a “clone” of any given Web site. Just enter the exact URL of the malicious binary to be used and the page to which the user will be redirected once he’s compromised, and the tool does the rest. The tool also includes the ability to choose a custom file name.
Since it’s available for free, the DIY tool profiled in this post is an average cybercriminal’s attempt to earn credibility within the ecosystem, which he’d later on probably monetize by releasing a commercial version of the tool. In its current form, the tool looks like the job of a less technically sophisticated cybercriminal, compared to the author of the malicious Java applet distribution platform that we profiled in January, 2013.
Although experienced users would never trust an unsigned Java applet, it’s worth emphasizing the risks associated with executing such an applet.
- Security tip: Just because an application or a Java applet is signed, it doesn’t necessarily mean that it’s not malicious.
According to Oracle, unsigned Java applets can perform the following actions on a user’s host:
- They can make network connections to the host they came from
- They can easily display HTML documents using the showDocument method of the java.applet.AppletContext class
- They can invoke public methods of other applets on the same page
- Applets that are loaded from the local file system (from a directory in the user’s CLASSPATH) have none of the restrictions that applets loaded over the network do
- They can read secure system properties. See System Properties for a list of secure system properties
- They can open, read, and save files on the client
- They can access the shared system-wide clipboard
- They can access printing functions
- They can store data on the client, decide how applets should be downloaded and cached, and much more. See JNLP API for more information about developing applets by using the JNLP API
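A defender triaging an applet JAR first wants to know whether it is signed at all, since that decides which of the restrictions above apply. The following added example (not code from the post or from the tool it profiles) inspects a JAR for the signature entries that a signed JAR carries under META-INF/, using two constructed sample JARs built in memory; it only detects the presence of signature files and does not validate the signature, which is exactly why the security tip above still holds for signed applets.

```python
import io
import zipfile

# Constructed sample JARs (not from the post): one bare applet JAR and one
# carrying the META-INF signature entries that a signed JAR would contain.
def _build_jar(signed: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Applet.class", b"\xca\xfe\xba\xbe")  # placeholder class bytes
        if signed:
            # jarsigner adds a signature file (.SF) and a signature block (.RSA/.DSA/.EC).
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82")  # placeholder block bytes
    return buf.getvalue()

UNSIGNED_JAR = _build_jar(signed=False)
SIGNED_JAR = _build_jar(signed=True)

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")

def jar_signature_status(jar_bytes: bytes) -> dict:
    """Report whether a JAR carries signature entries directly under META-INF/.

    Only the *presence* of signature files is detected. Nothing here verifies
    the signature or the signer (use `jarsigner -verify` for that), and even a
    valid signature says nothing about whether the applet is malicious.
    """
    sig_files, block_files = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            # Signature entries must sit directly in META-INF/, not in subdirectories.
            if not upper.startswith("META-INF/") or "/" in upper[len("META-INF/"):]:
                continue
            if upper.endswith(".SF"):
                sig_files.append(name)
            elif upper.endswith(SIGNATURE_BLOCK_SUFFIXES):
                block_files.append(name)
    return {
        "signed": bool(sig_files and block_files),
        "signature_files": sig_files,
        "signature_blocks": block_files,
    }

if __name__ == "__main__":
    for label, jar in (("unsigned", UNSIGNED_JAR), ("signed", SIGNED_JAR)):
        print(label, jar_signature_status(jar))
```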
Things can get even worse considering the fact that a huge percentage of end users would consider any kind of Java applet, whether signed or not, an obstacle on their way to gaining access to, for instance, free adult content or a few hundred dollars entry bonus in a bogus online casino. There are numerous clever social engineering techniques one could leverage to create additional scenarios capable of exploiting users.
We’ll continue monitoring this emerging underground trend, and post updates as soon as new products and services get released.