Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: A question of class SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A question of class

Back in November, we covered the rampant re-emergence of Java Exploits that took advantage of the many unpatched Java VMs in use on home and university PCs. The situation has improved since, mainly because the need to patch Java to the latest version was well publicized. Anti-Virus, on the other hand, is still having a hard time detecting the ever-mutating exploits for CVE-2010-0840 and other bugs, so if your Java is not patched yet, make your computer a Christmas present and update to the latest JRE.

If you have proxy logs that keep track of your users' surfing, there are two easy ways to double-check on your perimeter anti-virus:

(1) egrep "bpac.*class" on the log. Six weeks after my initial diary, the bad guys are still friendly enough to compile their exploit into a JAR that uses a "bpac" subfolder. Yes, searching for a fixed string is pretty silly, but hey, it's for free, and just about as sophisticated and fancy as what your anti-virus does, anyway.

(2) egrep "\.class.?$" | sed 's/.*http:..//' | sort | uniq -c | sort -rn | more This should give you all the Java Class files that your users downloaded. Yes, it will be a friggin' long list, most likely, but the "sort" and "uniq" commands will at least group lines that appear more than once. Feed this file into whatever analysis method you are comfortable with, and whittle it down to exclude all the domains with "too many" hits, these are usually applets from benign sites. What is left, is worth a look.

Above commands assume that your proxy is clever enough to unpack JAR archives and log the contents separately. If this isn't the case .. well, then you have to search for JAR files. But it is harder to "guess" wrong from right by just looking at the JAR file names.

Once you become more familiar with the Java downloads in your log, you can get more fancy. The code that I'm running at a community college where I help out extracts all the class downloads as above under (2), but then removes all domains from where more than 50 different files have been downloaded, assuming that these are the Sourceforges of this world, from where our computer science students fetch sample code and (yes...) canned homework solutions.

While I was trying the above commands on the college's log file, lookie, a new bad site popped up:

bombino777. com/1/jljncqxreljs.jar/bpac/KAVS.class

Facing such a request, it is a good idea to carefully scrutinize any subsequent downloads that the same user workstation makes ... If the workstation's Java was patched, nothing happens. If not .. you'll likely see a download of an EXE, sailing in the disguise of a PHP or GIF.

If you have other clever and quick ways to isolate malicious JARS or CLASS files in your proxy log, please let us know!


373 Posts
ISC Handler
Dec 24th 2010
For organizations that cannot upgrade Sun Java across their client population for some reason, if they have IPSes in place they might consider blocking all Sun Java exploits currently commonly found in the wild. A list of this is at
In my experience .JAR files are often not detected by IDS/IPS gear as they cannot see enough of the file at one time to decode the .JAR (ZIP) and examine the contents. I have not experimented with it yet, but I expect efforts like Razorback might help.

3 Posts

Sign Up for Free or Log In to start participating in the conversation!