by teraflop 4818 days ago
The applet itself is pretty straightforward: it downloads the real payload, called "AdobeUpdate-Setup1.84.exe", from g2f.nl/0lczsoo and then runs it. By default, applets don't have permission to access the local filesystem or start processes, but this one has a digital signature which means the user is prompted to give it elevated permissions.
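An added example, not code from the thread or from the applet's author: the static triage a responder would do on a JAR like this before ever loading the page, in Python so it runs without a JVM. It checks whether META-INF carries a signature block (the signed-applet case the comment above describes, where Java prompts for elevated permissions instead of sandboxing) and walks the constant pool of each class file for Runtime/exec, download URLs and dropped .exe names. The JAR it scans is constructed inline; the strings in it ("java/lang/Runtime", "exec", g2f.nl/0lczsoo, AdobeUpdate-Setup1.84.exe) are the ones quoted in the thread, while the class name "Dropper" and the signer name "SIGNER" are assumptions.

```python
"""Static triage of a suspicious applet JAR (added example, not from the thread)."""
import io
import struct
import zipfile

# Constant-pool tags from the JVM spec (JVMS section 4.4).
CP_UTF8, CP_INT, CP_FLOAT, CP_LONG, CP_DOUBLE = 1, 3, 4, 5, 6
CP_CLASS, CP_STRING, CP_FIELD, CP_METHOD, CP_IMETHOD, CP_NAT = 7, 8, 9, 10, 11, 12
CP_MHANDLE, CP_MTYPE, CP_DYNAMIC, CP_INVDYN, CP_MODULE, CP_PACKAGE = 15, 16, 17, 18, 19, 20
# Byte length of the payload that follows each fixed-size tag.
CP_FIXED_SIZE = {CP_INT: 4, CP_FLOAT: 4, CP_LONG: 8, CP_DOUBLE: 8, CP_CLASS: 2, CP_STRING: 2,
                 CP_FIELD: 4, CP_METHOD: 4, CP_IMETHOD: 4, CP_NAT: 4, CP_MHANDLE: 3,
                 CP_MTYPE: 2, CP_DYNAMIC: 4, CP_INVDYN: 4, CP_MODULE: 2, CP_PACKAGE: 2}


def class_strings(data):
    """Return the CONSTANT_Utf8 entries of a class file; only the constant pool is parsed."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == CP_UTF8:
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            out.append(data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pos += CP_FIXED_SIZE[tag]
        idx += 2 if tag in (CP_LONG, CP_DOUBLE) else 1  # 8-byte constants occupy two slots
    return out


def triage_jar(jar_bytes):
    """Summarise the signing state and suspicious string constants of a JAR."""
    report = {"signed": False, "signature_blocks": [], "exec": False, "urls": [], "exes": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            # jarsigner writes the PKCS#7 signature block as META-INF/<SIGNER>.RSA/.DSA/.EC
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                report["signed"] = True
                report["signature_blocks"].append(name)
            elif name.endswith(".class"):
                consts = class_strings(zf.read(name))
                if "java/lang/Runtime" in consts and "exec" in consts:
                    report["exec"] = True
                for s in consts:
                    if s.startswith(("http://", "https://")):
                        report["urls"].append(s)
                    if s.lower().endswith(".exe"):
                        report["exes"].append(s)
    return report


def build_sample_jar():
    """Construct a minimal signed-looking JAR with a hand-assembled constant pool (test data)."""
    # Utf8 entries first, then Class/NameAndType/Methodref entries that reference them and an
    # 8-byte Long, so the parser has to skip fixed-size and double-slot entries correctly.
    utf8 = ["java/lang/Runtime", "exec", "http://g2f.nl/0lczsoo", "AdobeUpdate-Setup1.84.exe",
            "Dropper"]  # class name "Dropper" is an assumption
    pool = b"".join(struct.pack(">BH", CP_UTF8, len(s)) + s.encode() for s in utf8)
    pool += struct.pack(">BH", CP_CLASS, 1)        # index 6: Class -> "java/lang/Runtime"
    pool += struct.pack(">BHH", CP_NAT, 2, 2)      # index 7: NameAndType (indices only)
    pool += struct.pack(">BHH", CP_METHOD, 6, 7)   # index 8: Methodref Runtime.exec
    pool += struct.pack(">BQ", CP_LONG, 0)         # indices 9-10: Long takes two slots
    count = 1 + len(utf8) + 3 + 2                  # constant_pool_count = entries + 1
    cls = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, count) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.SF", "")      # signature file; digests omitted here
        zf.writestr("META-INF/SIGNER.RSA", b"")    # PKCS#7 block; would carry the signer cert
        zf.writestr("Dropper.class", cls)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

The signature block is only detected, not parsed: to see who signed it (the "North Sumatra" self-signed certificate in the screenshot) run `keytool -printcert -jarfile applet.jar` or `jarsigner -verify -verbose -certs applet.jar`, both of which ship with the JDK and will show issuer and subject being the same DN for a self-signed certificate.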

Ah, that explains why it could get away with "Runtime.getRuntime().exec(str9);".

Now, the thing is, I don't think the forum user mentioned clicking anything. However, it's possible they've stolen the signature from something else, which that person has previously chosen to "Always Accept"? (I don't know if Java lets you do that)

Since I don't have an mtgox account, and I have a fair degree of confidence that the code posted can't possibly escape the Java sandbox, I decided to live dangerously and try loading the page.

Here's the warning screen that comes up when you load it: http://i.imgur.com/sXDoFLt.png Note the self-signed certificate from "North Sumatra".

Gotta say, I have no sympathy for someone who clicks through that warning screen and then complains that their credentials got stolen.

Usually these exploit kits will use the user agent and the reported plugins to decide which version of the page to send. If this is a pro job and you were running an exploitable version of Java (which a majority of people tend to be), it would push an applet that used an exploit to load its stage 2. But if it decides it doesn't have an exploit for you, it takes a different approach, like scareware or a prompt to run, etc.
Oops :/ Today I just clicked through that screen to run the bitcoin miner I downloaded from bitminter.com, because I did not realize that this is a warning from Java. Really confusing.
Well, you had downloaded an application and you were fairly sure of its purpose; I can't blame you there.
I'm pretty skeptical, so this isn't good enough for me.
I think this may have been possible due to the purported Java exploit mentioned in the post:

"I then discovered that the site is loaded with a java script which, based on an initial analysis by my java programmer friend, is a 0 day java exploit with a cross site injection attack, which automatically started."

It also means that we can find out who made it by looking at the signature.

Unless there is somewhere you can buy a java signature with bitcoins.

The certificate is self-signed, which narrows it down to "somebody capable of downloading a copy of the JDK".
How did that executable transfer his bitcoins?
It didn't. "AdobeUpdate-Setup1.84.exe" is the executable that did the damage.
Yes, I understand the java applet executed the next file. How did the "AdobeUpdate-Setup1.84.exe" executable do the transfer?
If it has file access permissions it can scan for wallet.dat in a few likely locations and then simply upload that file to a server, then delete the original and you're pretty sure that you'll have time enough to register a transaction with the bitcoin network.
Bitcoins were not stolen from a local wallet; rather, they were withdrawn from his MtGox account to the thief's address.
Ah, yes, of course an MtGox balance would be at risk as well. I'd definitely check to see that my wallet had not been ripped as well.
OK thank you. So is the wallet.dat related to MtGox at all or is it just a standard bitcoin wallet file used by the standard clients?
It's a Bitcoin concept. It's where your actual bitcoins are stored.

https://en.bitcoin.it/wiki/Securing_your_wallet