Pricey crime kit adds ‘McRAT’ Java zero-day four days after patch

In less than one week, the high-priced commercial exploit kit known as “Cool” has added an exploit for the Java zero-day flaw affecting Web browser plugins that Oracle patched last Tuesday.

The makers of Cool may have illustrated why it costs $10,000 per month to rent compared with last year’s most prevalent exploit kit, Blackhole, which goes for less than a tenth of the price.

French security researcher Kafeine discovered this weekend that Cool had added an exploit for Java flaw CVE-2013-1493, just four days after Oracle delivered a fix for Java SE 7 Update 15 and Java SE 6 Update 41 in Web browsers.

Oracle patched the flaw because attackers were using it in targeted campaigns to install the McRAT Trojan, but the inclusion of the attack code in Cool will help install the widely-distributed threat, Reveton, the malware behind fake law enforcement fines and lock screens plaguing PCs across the globe.

An exploit for the Java flaw was expected, but the speed of its inclusion in Cool is remarkable because working attack code for the flaw has yet to be included in the Metasploit exploit database, which usually precedes the inclusion of exploits in dozens of crime kits like Cool.

“For almost all CVEs after disclosure, if it’s not in Metasploit, it [takes] around a month. After Metasploit it’s a matter of days,” Kafeine told CSO Australia.

“So in this case, four to five days to update [an exploit kit] is a really short timeframe,” said the researcher.

Java remains a favourite amongst exploit kit vendors, since there are regular flaws affecting the browser plugin, the plugin is enabled on billions of PCs, and patching is often not immediate.

In mid-February several exploit kits including Cool added an attack for Java flaw CVE-2013-0431 affecting Java 7 Update 11 that Oracle patched on February 1.


Stories by Liam Tung
