Security researchers disclosed a new Java vulnerability yesterday; Kaffeine’s report appears to have been the first public alarm. Several of the most widely used web exploit kits, including the BlackHole Exploit Kit (BH) and the Cool Exploit Kit (Cool EK), are reported to already include the new Java exploit.
Four domains distributing this exploit were first disclosed in Kaffeine’s report.
(added today) lapy[.]pl
(added today) jtmtir[.]eu
Traffic to the above sites shows a sharp spike confined to a single hour (06:00 UTC). We hypothesize that the attackers pushed the distribution links out and abandoned them quickly, shifting to other, not-yet-detected links to keep the infections going. The volume is a few thousand requests from roughly 2,000 clients spread across more than 70 countries. These domains are registered through dynamic DNS services.
Given the distinctive temporal request pattern of the involved domains, we mined our data (more than 50 billion DNS requests per day) for domains with a similar pattern. We were surprised to find a few dozen domains sharing the same spike. They are queried by the same set of clients that were involved with the reported Java 0-day domains, and, like the reported domains, they are registered through dynamic DNS services. A few examples here.
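To make the mining step concrete, here is an added example (not the vendor's own pipeline or code) of the pivot described above: start from the reported seed domains, profile every domain in a resolver log by hourly request counts and by the set of clients querying it, and keep the domains that spike in the same single hour as the seeds and are queried mostly by the same clients. The log lines, the non-seed domain names and the dynamic-DNS suffix list are all constructed for the example; real data would be pre-aggregated per domain and hour before this logic runs.

```python
from collections import defaultdict

# Constructed sample resolver log (not real data): "timestamp client qname".
# lapy.pl and jtmtir.eu are the reported domains; every other name is hypothetical.
SAMPLE_LOG = """\
2013-01-10T06:01:05Z 10.0.0.1 lapy.pl
2013-01-10T06:03:17Z 10.0.0.2 lapy.pl
2013-01-10T06:10:42Z 10.0.0.3 jtmtir.eu
2013-01-10T06:12:09Z 10.0.0.1 jtmtir.eu
2013-01-10T06:05:30Z 10.0.0.1 xk9q.dyndns.example
2013-01-10T06:06:01Z 10.0.0.2 xk9q.dyndns.example
2013-01-10T06:07:44Z 10.0.0.3 xk9q.dyndns.example
2013-01-10T06:08:20Z 10.0.0.2 xk9q.dyndns.example
2013-01-10T07:15:00Z 10.0.0.3 xk9q.dyndns.example
2013-01-10T05:30:00Z 10.0.0.1 www.example.com
2013-01-10T06:30:00Z 10.0.0.5 www.example.com
2013-01-10T07:30:00Z 10.0.0.6 www.example.com
2013-01-10T08:30:00Z 10.0.0.7 www.example.com
2013-01-10T09:02:00Z 10.0.0.1 late.example.net
2013-01-10T09:03:00Z 10.0.0.2 late.example.net
2013-01-10T06:20:00Z 10.0.0.9 lone.example.org
2013-01-10T06:21:00Z 10.0.0.10 lone.example.org
"""

SEED_DOMAINS = {"lapy.pl", "jtmtir.eu"}

# Hypothetical dynamic-DNS provider suffixes; a real deployment would use a
# maintained provider list instead of this placeholder.
DYNDNS_SUFFIXES = (".dyndns.example", ".noip.example")


def parse_log(text):
    """Return (hour, client, domain) tuples from 'timestamp client qname' lines.
    The hour bucket is the first 13 characters of the ISO timestamp, e.g.
    '2013-01-10T06'. Blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append((ts[:13], client, qname.lower().rstrip(".")))
    return records


def profile(records):
    """Per-domain hourly request counts and the set of distinct clients."""
    hourly = defaultdict(lambda: defaultdict(int))
    clients = defaultdict(set)
    for hour, client, domain in records:
        hourly[domain][hour] += 1
        clients[domain].add(client)
    return hourly, clients


def peak_hour(counts):
    return max(counts, key=counts.get)


def is_spike(counts, ratio):
    """True when a single hour carries at least `ratio` of all requests."""
    total = sum(counts.values())
    return total > 0 and counts[peak_hour(counts)] / total >= ratio


def is_dynamic_dns(domain):
    return domain.endswith(DYNDNS_SUFFIXES)


def find_lookalikes(records, seeds, spike_ratio=0.8, min_client_overlap=0.5):
    """Return (domain, peak_hour, client_overlap, dynamic_dns) for every
    non-seed domain that (1) spikes in one hour, (2) peaks in the same hour as
    a seed domain and (3) is queried mostly by clients that also queried a seed."""
    hourly, clients = profile(records)
    seed_hours, seed_clients = set(), set()
    for seed in seeds:
        if seed in hourly:
            seed_hours.add(peak_hour(hourly[seed]))
            seed_clients |= clients[seed]
    hits = []
    for domain, counts in hourly.items():
        if domain in seeds or not is_spike(counts, spike_ratio):
            continue
        peak = peak_hour(counts)
        if peak not in seed_hours:
            continue
        overlap = len(clients[domain] & seed_clients) / len(clients[domain])
        if overlap >= min_client_overlap:
            hits.append((domain, peak, round(overlap, 2), is_dynamic_dns(domain)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_lookalikes(parse_log(SAMPLE_LOG), SEED_DOMAINS):
        print(hit)
```

In the sample, only the hypothetical `xk9q.dyndns.example` survives all three filters: `www.example.com` is queried evenly across hours, `late.example.net` spikes in the wrong hour, and `lone.example.org` spikes at the right time but from unrelated clients. The two thresholds are deliberately tunable; a client-overlap requirement is what keeps ordinary burst traffic (a CDN rotation, a popular news link) from being flagged just because it happened to peak in the same hour.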
We have not confirmed a direct link between these domains and the Java 0-day exploit. To be on the safe side, we have blocked access to them for our customers. We will follow the incident closely and respond quickly to protect our customers.