Malware Poses As Phony Java Update

Security researchers detected the ransomware using the emergency Java security update, which fixes the widely publicized Java zero-day vulnerability. The malware was created by an unknown publisher, wrote Trend Micro's Paul Pajares on the company's blog.

"During our analysis, this ransomware locks users' screen and attempts to access specific sites to display its notification to users," Pajares said.

[Related: Oracle Rushes Out Java Security Patch ]

The malware attempts to connect to a phony Web page that likely would have notified the victim that their computer was infected with malware. Ransomware is often connected to rogue antivirus programs, an attempt by fraudsters to offer phony security software that would remove the program.

"However, the malware we analyzed failed to download the said notification, thus the user is possibly left with a blank page," Pajares said.

Security experts are urging Java users to apply the update from the proper source. Attackers are using malicious Java applets embedded in websites to infect victims' systems.

Most experts agree that consumers don't need to use Java and can disable it in the browser without impacting performance. But employees at many companies have it enabled because many corporate applications are made with the programming language. Some software security experts believe the programming language is getting a bad reputation because it is targeted frequently by cybercriminals.

Java has good, built-in security protections for writing software, said Jeff Doty, a Web security data analyst at security firm Blue Coat Systems. Coding mistakes in the virtual machine are the main cause of the problems, he said.

"Java is a great language for doing all sorts of stuff," Doty told CRN. "There are a lot of great enterprises that use server-side Java and they do it because of the nice assurances that the programming language gives them."

Additional protections mitigating the risk of future attacks targeting Java in the browser can be put in place by network administrators, according to the Java security advisory issued by the United States Computer Emergency Readiness Team (US-CERT). Rather than disabling Java in Web browsers, network administrators can restrict access to Java applets. "This may be accomplished by using proxy server rules, for example. Blocking or whitelisting Web requests to .jar and .class files can help to prevent Java from being used by untrusted sources," according to the US-CERT advisory.

PUBLISHED JAN. 18, 2013