McAfee Labs

Facebook App Links to Malware

By on Nov 10, 2010

McAfee Labs learned today that a malicious Java applet was being linked through a Facebook application.

Users don’t have to install the Facebook app on their profiles to be exposed to this threat. On browsing to a specific Facebook application page displayed in an Eastern European language, the page connects to a malicious site that hosts a signed Java applet that claims to be “Sun_Microsystems_Java_Security_Update_6” and is published by “Sun Java MicroSystems.”

The only indication of suspicious activity is the fact that the digital signature cannot be verified by a trusted source. The warning also requests permission from the user to run the applet.

This social engineering technique is becoming common on malicious sites, as the warning allows the publisher name to be spoofed when the signature is unverified, and it does not highlight the risk implications of allowing the applet to run. Only when the user clicks on “More Information” can we read the fine print that explains that “security restrictions normally provided by Java” will not be applied.

Java has built-in security that restricts Java applets that are usually run in web browsers from executing code outside of the virtual machine, such as downloading and executing an EXE file.

In this case, when the user clicks Run, the Java applet downloads an arbitrary executable from a URL passed as a parameter on the website. It then saves and executes it as “NortonAV.exe” from the local user profile folder. When run on Windows, this could be in the “C:\Documents and Settings\[username]” (for Windows XP/2000) or “C:\Users\[username]” (for Windows Vista/7) folders.
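The behaviour described above (the Java runtime writing an executable directly into the user profile folder and launching it) is something an endpoint monitoring pipeline can flag. The following is an added example, not McAfee's code or tooling: it scores constructed process-creation events (parent image, child image) and reports those where a `.exe` is launched by `java.exe`/`javaw.exe` and sits directly under a Windows XP/2000 or Vista/7 profile root. The event format, image names and sample paths are assumptions made for the example.

```python
import re

# Constructed sample of process-creation events (parent image, child image).
# These are illustrative values, not real telemetry from the incident.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Java\jre6\bin\java.exe", r"C:\Users\alice\NortonAV.exe"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", r"C:\Program Files\Java\jre6\bin\java.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Norton\NortonAV.exe"),
    (r"C:\Program Files\Java\jre6\bin\javaw.exe", r"C:\Documents and Settings\bob\update.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\alice\notes.txt"),
]

# Images that host applets launched from a browser (assumed names).
JAVA_IMAGES = {"java.exe", "javaw.exe"}

# Matches an executable that lives *directly* under a user profile folder,
# i.e. C:\Users\<name>\file.exe or C:\Documents and Settings\<name>\file.exe.
PROFILE_ROOT = re.compile(
    r"^(?:c:\\users|c:\\documents and settings)\\[^\\]+\\[^\\]+$",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def score_event(parent: str, child: str):
    """Score one parent->child process creation; returns (score, reasons)."""
    reasons = []
    if basename(child).lower().endswith(".exe"):
        if basename(parent).lower() in JAVA_IMAGES:
            reasons.append("executable launched by the Java runtime (java.exe/javaw.exe)")
        if PROFILE_ROOT.match(child):
            reasons.append("executable sits directly under a user profile folder")
    return len(reasons), reasons


def find_suspicious(events, threshold: int = 2):
    """Return [(child_path, reasons)] for events scoring at or above threshold.

    Requiring both signals keeps ordinary installers (explorer.exe launching
    an .exe from Program Files) and ordinary Java launches out of the results.
    """
    hits = []
    for parent, child in events:
        score, reasons = score_event(parent, child)
        if score >= threshold:
            hits.append((child, reasons))
    return hits


if __name__ == "__main__":
    for child, reasons in find_suspicious(SAMPLE_EVENTS):
        print(child)
        for reason in reasons:
            print("  -", reason)
```

Only the two events where the Java runtime starts an executable placed straight into a profile root are reported; the same file name under Program Files, started by explorer.exe, is left alone. In a real deployment the two signals would be fed from Sysmon or EDR process-creation telemetry rather than the constructed list.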

The downloaded trojan payload is a password stealer which searches for passwords stored on the user’s machine. It then sends a password log to an e-mail account over an encrypted SMTP/TLS connection.

The websites which were hosting the applet and payload are rated high risk by McAfee GTI Web Reputation. The applet and the downloaded trojan are detected as Generic!dldr and Generic respectively in the Beta DATs, and will be included in the 6165 DATs.