RDN/Generic Exploit!1nc

This page shows the details and results of our analysis of the malware RDN/Generic Exploit!1nc.

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Nod32        -    Java/TrojanDownloader.Agent.AK
  • Microsoft    -    Exploit:Java/CVE-2008-5353
  • Avira        -    EXP/JAVA.Loader.Gen


Minimum DAT

7056 (2013-04-25)

Updated DAT

7338 (2014-02-03)

Minimum Engine

5400.1158

File Length

[varies]

Description Added

2013-03-08

Description Modified

2014-02-04

Malware Proliferation

Characteristics

-------------------------Updated on Feb 4th 2014----------------------------------

Aliases:

  • Avast        -     Java:Agent-FYB
  • ESET-NOD32    -     Java/Exploit.Agent.QDY

Characteristics

“RDN/Generic Exploit!1nc” is the detection for a Trojan contained within web pages.

This exploit may be encountered when visiting a compromised webpage that contains the malicious code.

The infection starts whenever a user visits a compromised website hosting the malicious .JAR files. When the page is visited by a user running a vulnerable version of Java, the malicious Java class runs and allows the execution of arbitrary code.

The malicious HTML passes the encrypted URL to the JAR file to download and execute the payload.

---------------------------------------------------------------------------------------------------------------

RDN/Generic Exploit!1nc is a detection for a malicious JAR package file that tries to download a binary file from a remote site and execute it. RDN/Generic Exploit!1nc uses cmd.exe to execute the payload downloaded from the remote site. The site is passed as an argument to the JAR package.

First it checks which operating system is installed, followed by the permission set the user holds. When a suitable environment with the needed access is found, it downloads and executes the content from the remote site.

The Payload.class file holds the information about the site from which the payload is downloaded and how it is executed. Once downloaded, the payload is stored in the %temp% folder as <randomname>.exe.

The PayloadX$StreamConnector.class file puts the different modules together and executes the content. We detect this file as RDN/Generic Exploit!1nc.
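The behaviour described above (a Java process spawning cmd.exe to run a freshly dropped executable from %temp%, and a JAR carrying the named classes) can be turned into a simple detection. The following is an added example written for this page, not McAfee's own tooling; the process events and JAR entry list are constructed samples, and the Sysmon-style field names (pid, ppid, image, cmdline) are an assumption about the telemetry format.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Program Files\Java\jre6\bin\java.exe",
     "cmdline": "java.exe -jar applet.jar"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\ab12cd.exe"'},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

# An .exe located directly under a Temp folder, as the page describes for the dropped payload.
TEMP_EXE = re.compile(r'\\Temp\\[^\\\s"]+\.exe', re.IGNORECASE)

# Class names the page associates with this detection (any package path, basename match).
MARKER_CLASSES = {"Payload.class", "PayloadX$StreamConnector.class"}


def find_java_cmd_temp_chains(events):
    """Return cmd.exe events whose parent is java/javaw and whose command line runs a %temp% .exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not parent["image"].lower().endswith(("\\java.exe", "\\javaw.exe")):
            continue
        m = TEMP_EXE.search(e["cmdline"])
        if m:
            hits.append({"cmd_pid": e["pid"], "java_pid": parent["pid"], "payload": m.group(0)})
    return hits


def jar_marker_classes(jar_entry_names):
    """Return JAR entries whose basename is one of the marker class names (sorted)."""
    return sorted(n for n in jar_entry_names if n.rsplit("/", 1)[-1] in MARKER_CLASSES)


if __name__ == "__main__":
    for hit in find_java_cmd_temp_chains(SAMPLE_EVENTS):
        print("suspicious chain:", hit)
    # Constructed entry list, as zipfile.ZipFile(path).namelist() would return for a real JAR.
    print(jar_marker_classes(["META-INF/MANIFEST.MF", "Payload.class",
                              "PayloadX$StreamConnector.class", "Other.class"]))
```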

Symptoms

Presence of the above-mentioned activity.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants