Java array exploits are on the rise nowadays. Microsoft has discussed the details of this vulnerability at: http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx
The obfuscated script is present here - http://pastebin.com/nVQcmMsM. The script deobfuscates to the following code:
The URLs are designed to use no-ip or another dynamic DNS service. According to Wikipedia, "Dynamic DNS or DDNS is a method of updating, in real time, a Domain Name System (DNS) to point to a changing IP address on the Internet. This is used to provide a persistent domain name for a resource that may change location on the network."
We mapped the required IP and, while doing some behavioral analysis, found a plugin detection script present at the following link:
Obfuscated Code - http://pastebin.com/rK0NaAMh
Deobfuscated Plugin Detection code - http://pastebin.com/QxiXVRcG
The code fingerprints the browser for the set of plugins it is running. On finding a vulnerable version of the Java plugin, the script downloads the malicious JAR file that runs the specific Java exploit.
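From the defender's side, the two traits described above (hosts on dynamic DNS and a JAR fetched right after plugin fingerprinting) are easy to hunt for in proxy logs. The following is an added example, not code from the original post: a small Python scanner over constructed, space-separated proxy log lines (timestamp, client IP, method, URL, status, MIME type). The list of dynamic DNS suffixes and the log format are assumptions for illustration; a real deployment would load a maintained DDNS list and adapt the parser to the proxy's actual format.

```python
from urllib.parse import urlsplit

# Assumed/illustrative list of dynamic DNS suffixes; replace with a maintained list.
DDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "ddns.example")

# Constructed sample log lines: timestamp, client IP, method, URL, status, MIME type.
SAMPLE_LOG = """\
1332200000.123 10.0.0.5 GET http://update.no-ip.org/load/app.jar 200 application/java-archive
1332200001.456 10.0.0.5 GET http://www.example.com/index.html 200 text/html
1332200002.789 10.0.0.9 GET http://cdn.example.com/lib.jar 200 application/java-archive
1332200003.012 10.0.0.7 GET http://host.no-ip.biz/plugin.js 200 application/javascript
"""


def is_ddns_host(host):
    """True if the host is, or is a subdomain of, a known dynamic DNS suffix."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def classify(url, mime):
    """Return a finding label for one request, or None if it looks benign.

    'jar-from-ddns'    : JAR (by extension or MIME type) served from a DDNS host,
                         the pattern used by the kit in this post.
    'script-from-ddns' : JavaScript from a DDNS host, worth a look as it may be
                         the plugin-fingerprinting stage that precedes the JAR.
    """
    parts = urlsplit(url)
    if not is_ddns_host(parts.hostname):
        return None
    path = parts.path.lower()
    if path.endswith(".jar") or mime == "application/java-archive":
        return "jar-from-ddns"
    if path.endswith(".js") or mime == "application/javascript":
        return "script-from-ddns"
    return None


def scan_log(text):
    """Parse log lines and return a list of (client_ip, url, label) findings."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; skip rather than crash
        _ts, client, _method, url, _status, mime = fields[:6]
        label = classify(url, mime)
        if label:
            findings.append((client, url, label))
    return findings


if __name__ == "__main__":
    for client, url, label in scan_log(SAMPLE_LOG):
        print(f"{label:18} {client:12} {url}")
```

Only the JAR served from the DDNS host is flagged as the high-confidence hit; the JAR from the ordinary CDN and the HTML page are left alone, while the script from the second DDNS host is surfaced as a lower-tier lead for the analyst to pivot on.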
The decompiled code is present here: http://pastebin.com/5FWMUEtP
Java exploits have become popular. We have also discussed the top 5 Java exploits earlier here: http://secniche.blogspot.com/2011/05/finest-5-java-exploit-on-fire.html
The Java array indexing vulnerability is the new kid in town. Refer to the vulnerability entry - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0507