Earlier this week, the security community learned that CVE-2012-4681, a recent Java-based zero-day vulnerability, is being leveraged to attack client machines, and fears it will cause large-scale infections soon. The vulnerability was reportedly discovered about four months ago, but just became public knowledge last Sunday.
What does OpenDNS know about this exploit?
- So far we have collected over 200 different domains.
- These domains are hosted on 26 different server IP addresses.
- These servers are located in 7 different countries: Russia (6 locations), US (11 locations), UK (1 location), Germany (3 locations), Luxembourg (2 locations), Hong Kong, and Romania.
- One server IP in Romania hosts over 80 domains involved with this exploit.
- These domain names all seem to be registered via changeip.com and are likely dynamic DNS domains.
At the time of writing, the OpenDNS research team has observed DNS queries to only 23 of the 200+ domains identified in the wild. You may observe the traffic spiking in the last few days in the figure below. The remaining domains are not showing any traffic yet, but this may rapidly change as users unknowingly visit these infected domains and their machines are compromised in turn.
- Using the Maltego visualization tool, we can quickly see how many domain names share common IPs, netblocks, ASNs & locations.
- The image below is an abstraction. Please click it to see details for each element (5206 x 6319 pixel image).
A more detailed view can be seen in the figure below. Click on the image for a larger view.
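The pivot described above (many throwaway dynamic-DNS names resolving to a handful of server IPs) can be reproduced from resolver logs without a visualization tool. The following is an added example, not OpenDNS code: the log format, hostnames, IPs and the list of dynamic-DNS parent domains are all constructed placeholders (only changeip.com comes from the post).

```python
import re
from collections import defaultdict

# Constructed resolver log lines in a simple "timestamp client qname answer_ip"
# shape. This is not OpenDNS's real log format; hosts and IPs are placeholders.
SAMPLE_LOG = """\
2012-08-29T10:01:02Z 10.0.0.5 host1.dyn.test 192.0.2.10
2012-08-29T10:01:09Z 10.0.0.7 host2.dyn.test 192.0.2.10
2012-08-29T10:02:15Z 10.0.0.5 host3.dyn.test 192.0.2.10
2012-08-29T10:03:40Z 10.0.0.9 updates.vendor.test 198.51.100.20
2012-08-29T10:04:01Z 10.0.0.7 host4.other-dyn.test 192.0.2.11
2012-08-29T10:05:55Z 10.0.0.5 host1.dyn.test 192.0.2.10
"""

# Constructed list of dynamic-DNS parent domains. The post names changeip.com;
# the ".test" entries are placeholders for the sample log above.
DYNAMIC_DNS_PARENTS = ("dyn.test", "other-dyn.test", "changeip.com")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (client, qname, answer_ip) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, qname, ip = m.groups()
            yield client, qname.lower().rstrip("."), ip


def is_dynamic_dns(qname, parents=DYNAMIC_DNS_PARENTS):
    """True when qname is one of the parents or a subdomain of one."""
    return any(qname == p or qname.endswith("." + p) for p in parents)


def cluster_by_ip(text):
    """Group distinct dynamic-DNS hostnames by the IP they resolved to."""
    clusters = defaultdict(set)
    for _, qname, ip in parse_log(text):
        if is_dynamic_dns(qname):
            clusters[ip].add(qname)
    return {ip: sorted(names) for ip, names in clusters.items()}


def suspicious_ips(text, min_domains=3):
    """IPs hosting at least min_domains distinct dynamic-DNS names, busiest first."""
    clusters = cluster_by_ip(text)
    return sorted((ip for ip, n in clusters.items() if len(n) >= min_domains),
                  key=lambda ip: -len(clusters[ip]))
```

Dynamic DNS has plenty of legitimate users, so a cluster like this is a pivot for further investigation, not a verdict on its own.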
Are you protected against this exploit?
- YES, if you’re currently using OpenDNS to resolve your DNS requests.
- Not using OpenDNS yet? Simply create a free account, choose your router or computer and follow the step-by-step instructions.
- We are collaborating with other security vendors who are tracking the domains and IPs of the malicious servers hosting these exploits.
- Domains and IPs associated with this threat are included in our malware category and are being updated as new sites come online.
Is there anything you can do to further protect your devices?
- Yes, you should manually install the latest patch from http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html published by Oracle on August 30th.
- However, Mac OS X v10.6 and earlier only receives Java updates directly from Apple.
- Back in April, cybercriminals exploited a months-long lag between Oracle’s patch and Apple’s implementation of that patch. The resulting malware was dubbed “Flashback”, and an estimated 600,000 Macs were infected.