
TrojanDownloader:Java/OpenConnection.PM


First posted on 10 December 2012.
Source: Microsoft

Aliases:

TrojanDownloader:Java/OpenConnection.PM is also known as Java/Exploit.CVE-2011-3544.BK (ESET), EXP/JAVA.Ternub.Gen (Avira), Troj/JavaDl-OG (Sophos), Exploit.Java_c.AJY (AVG), Trojan-Downloader.Java.OpenConnection (Ikarus), Trojan-Downloader.Java.OpenConnection.fe (Kaspersky).

Explanation:



TrojanDownloader:Java/OpenConnection.PM is an obfuscated Java applet that attempts to download and execute arbitrary files from a remote host. It is usually bundled with other malware that exploits the vulnerability described in CVE-2010-0840.

A Java applet normally runs inside a sandbox that prevents it from writing to disk or starting processes; the vulnerability lets the applet escape that sandbox, which is what allows this malware to download and run arbitrary files. The trojan may also be encountered when visiting a compromised or malicious webpage with a vulnerable computer.

The following versions of Java are vulnerable to this exploit:

  • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux; Java SE
  • JDK 5.0 Update 23 and earlier for Solaris; Java SE
  • SDK 1.4.2_25 and earlier for Solaris; Java SE
  • JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux; Java for Business
  • JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux; Java for Business
  • SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux; Java for Business
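A check against the version list above, added here as an example and not part of the original entry: it parses the first line of `java -version` output and reports whether the installed release falls inside one of the affected ranges (6 Update 18 and earlier, 5.0 Update 23 and earlier, 1.4.2_25 and earlier). It ignores the platform and edition distinctions in the list and treats any family the list does not name as "not listed". The `check_installed` helper, which runs `java -version` and reads its stderr, is an assumption about where the version string comes from; the version lines in the block are constructed.

```python
import re
import subprocess

# Ceilings from the affected-version list above: family -> last vulnerable update.
VULNERABLE_CEILINGS = {
    "1.6": 18,    # JDK/JRE 6 Update 18 and earlier
    "1.5": 23,    # JDK/JRE 5.0 Update 23 and earlier
    "1.4.2": 25,  # SDK/JRE 1.4.2_25 and earlier
}

_VERSION_LINE = re.compile(r'(?:java|openjdk) version "([^"]+)"')
_VERSION_TOKEN = re.compile(r'^(\d+(?:\.\d+)*)(?:_(\d+))?')


def parse_java_version(line):
    """Return (family, update) from the first line of `java -version`.

    "1.6.0_18" -> ("1.6", 18)    "1.4.2_25" -> ("1.4.2", 25)
    "1.7.0_09" -> ("1.7", 9)     "11.0.2"   -> ("11", 0)
    """
    m = _VERSION_LINE.search(line)
    if not m:
        raise ValueError(f"not a java -version line: {line!r}")
    token = _VERSION_TOKEN.match(m.group(1))
    if not token:
        raise ValueError(f"unrecognised version token: {m.group(1)!r}")
    parts = token.group(1).split(".")
    update = int(token.group(2) or 0)
    if parts[0] == "1" and len(parts) >= 2:
        # Legacy "1.x" numbering; 1.4.2 is its own family in the advisory list.
        family = "1.4.2" if parts[:3] == ["1", "4", "2"] else "1." + parts[1]
    else:
        family = parts[0]  # Java 9+ numbering ("11.0.2", "17")
    return family, update


def assess(line):
    """'vulnerable', 'patched' or 'not listed' for a `java -version` first line."""
    family, update = parse_java_version(line)
    ceiling = VULNERABLE_CEILINGS.get(family)
    if ceiling is None:
        return "not listed"  # family does not appear in the affected list above
    return "vulnerable" if update <= ceiling else "patched"


def check_installed():
    """Assumed source of the version string: `java -version`, which prints to stderr.
    Returns None when no java binary is on PATH or nothing was printed."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    lines = (proc.stderr or proc.stdout).splitlines()
    if not lines:
        return None
    return lines[0], assess(lines[0])


if __name__ == "__main__":
    # Constructed version lines: one per affected family plus two outside the list.
    for sample in ('java version "1.6.0_18"', 'java version "1.6.0_19"',
                   'java version "1.5.0_23"', 'java version "1.4.2_26"',
                   'java version "1.7.0_09"', 'openjdk version "11.0.2" 2019-01-15'):
        print(f"{sample:40} -> {assess(sample)}")
```

The comparison is on the update number only, so a release from a family the advisory names but with a higher update is reported as patched for this CVE; it says nothing about later Java vulnerabilities.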


Installation

TrojanDownloader:Java/OpenConnection.PM is usually bundled with other malware that exploits the vulnerability described in CVE-2010-0840. The trojan may also be encountered when visiting a compromised or malicious webpage with a vulnerable computer.

If TrojanDownloader:Java/OpenConnection.PM is run on a vulnerable computer, it may attempt to download and run arbitrary files, which may themselves be detected as malware.

Note that legitimate websites can also deliver this applet without their owners' knowledge: a compromised site, or an advertising frame served by a third party, can host the malicious Java applet or redirect the browser to it.



Payload

Downloads and runs arbitrary files

TrojanDownloader:Java/OpenConnection.PM attempts to connect to a remote server, the address of which it obtains from the other malware or website that loaded the trojan on your computer.

The trojan may attempt to do the following:

  • Download a file from a remote website
  • Save the downloaded file to the %TEMP% folder
  • Run the downloaded file


The file that is downloaded and run could be any additional malware of the attacker's choice.

Note: %TEMP% refers to a variable location that the malware determines by querying the operating system. The default Temporary folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp" (the 8.3 short form of C:\Documents and Settings\<user>\Local Settings\Temp). For Windows Vista, 7, and 8, the default location is "C:\Users\<user name>\AppData\Local\Temp".
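A static triage heuristic for the download, save-to-%TEMP% and run behaviour described in this section, added as an example; it is not part of the original entry and not the malware's code. It opens a JAR and looks inside each class for the JDK API names such an applet has to reference (java/net/URL with openConnection, FileOutputStream, the java.io.tmpdir property, Runtime with exec, and Applet.getParameter for the server address handed in by the loading page), encoded the way they sit in a class file's constant pool. The two sample JARs are constructed, and their class entries are stand-ins rather than loadable class files. Name obfuscation, which the entry notes this applet uses, does not remove these references because the JVM needs them to resolve the calls; an applet that reaches the same APIs through reflection with encrypted strings would slip past this check.

```python
import io
import zipfile


def cp_utf8(text):
    """Encode a string as a CONSTANT_Utf8_info entry (tag 1, u2 length, bytes),
    the form in which JDK class, method and property names sit in a class file's
    constant pool. Matching with the tag and length avoids substring hits such
    as "exec" inside "execute"."""
    data = text.encode("utf-8")
    return b"\x01" + len(data).to_bytes(2, "big") + data


# Indicator groups drawn from the behaviour described above. A group fires only
# when every name in it is present in the same class.
INDICATORS = {
    "fetch_url":     ("java/net/URL", "openConnection"),
    "write_file":    ("java/io/FileOutputStream",),
    "temp_dir":      ("java.io.tmpdir",),
    "run_process":   ("java/lang/Runtime", "exec"),
    "applet_params": ("java/applet/Applet", "getParameter"),
}


def scan_class(data):
    """Names of the indicator groups whose strings all occur in one class."""
    return {name for name, strings in INDICATORS.items()
            if all(cp_utf8(s) in data for s in strings)}


def scan_jar(jar_bytes):
    """Map each .class entry in the JAR to the indicator groups it triggers."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.filename.endswith(".class"):
                found = scan_class(jar.read(info))
                if found:
                    hits[info.filename] = found
    return hits


def verdict(hits):
    """Summarise the hits across the whole JAR: fetching plus process execution
    is the download-and-execute pattern this family is named for."""
    combined = set().union(*hits.values()) if hits else set()
    if {"fetch_url", "run_process"} <= combined:
        return "download-and-execute"
    if "fetch_url" in combined:
        return "network-only"
    return "no downloader indicators"


def fake_class(*names):
    """Constructed stand-in for a compiled class: magic number, class file
    version 50 (Java 6) and a run of constant-pool UTF-8 entries. It is not a
    loadable class file; it only carries the strings the scanner looks for."""
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + b"".join(cp_utf8(n) for n in names)


def _jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


def build_sample_jar():
    """Constructed two-class applet with obfuscated names: 'a' reads the server
    address from an applet parameter, 'b' fetches, writes under the temp
    directory and executes."""
    return _jar({
        "a.class": fake_class("java/applet/Applet", "getParameter", "java/lang/String"),
        "b.class": fake_class("java/net/URL", "openConnection",
                              "java/io/FileOutputStream", "java.io.tmpdir",
                              "java/lang/Runtime", "exec"),
    })


def build_benign_jar():
    """Constructed applet that only reads a parameter and paints."""
    return _jar({
        "Hello.class": fake_class("java/applet/Applet", "getParameter",
                                  "java/awt/Graphics", "paint"),
    })


if __name__ == "__main__":
    for label, jar in (("sample", build_sample_jar()), ("benign", build_benign_jar())):
        hits = scan_jar(jar)
        print(label, verdict(hits), hits)
```

The per-class grouping matters: a JAR that references URL.openConnection in one class and Runtime.exec in another still scores as download-and-execute, but within a group all names must appear in the same class so that a stray "exec" constant elsewhere does not count on its own.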



Analysis by Jonathan San Jose

Last update 10 December 2012
