Phoenix Exploit Kit

When visiting a certain site I am experiencing the following.

Java icon appears on the tray.
In Comodo’s active connections I see the following:

http://wstaw.org/m/2011/03/06/aaa.JPG

In short, java.exe is connecting to the URL 194.247.58.51.

A quick Google search says it's a Russian IP with malware inside, related to the Phoenix Exploit Kit.

The Phoenix Exploit Kit is a good example of exploit packs used to exploit vulnerable software on computers of unsuspecting Internet users. Often, cybercriminals drive traffic to the exploit kit by compromising legitimate websites and inserting IFRAMEs that point to the exploit kit or by poisoning search engine results that take users to the exploit kit.

When users land on a page injected with the exploit kit, it detects the version of the user’s Web browser and operating system and then attempts to exploit either the user’s browser or a browser plugin application.

Java has become the leading exploit vector for a variety of exploit packs. In fact, the Phoenix Exploit Kit version 2.5 has been updated to include three additional Java exploits:

◦ JAVA RMI
◦ JAVA MIDI
◦ JAVA SKYLINE

The administration panel of Phoenix Exploit Kit 2.5 contains an option to switch modes, which changes the Java exploit delivered to users. It allows the administrator to choose between TC (CVE-2010-0840), RMI or MIDI. This indicates that exploits for Java have become very attractive to malware distributors.

more:
http://www.computersecurityarticles.info/antivirus/now-exploiting-phoenix-exploit-kit-version-2-5/

I would assume just visiting an infected site and seeing the Java process start didn’t infect me yet?
I wonder if Comodo would be able to protect me from this exploit successfully. A good start would be to somehow blacklist that IP so that connections to it are impossible or raise an alert (not sure if that’s possible).

And, I didn’t know in which section to post this, so it’s here. Apologies if that’s the wrong section for this post.

Hey :)

I have looked a bit and think it’s a bad site. Type it in here http://www.ipvoid.com/ and you will see that it’s bad.
Add it to the blocked zone in Network Security Policy.

Regards,
Valentin N
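The "raise an alert" idea from the first post, worked through as an added example (not code from this thread or from Comodo): a small checker that reads netstat-style active-connection lines and flags any process talking to a blocklisted IP, plus Java talking to any public IP at all. The connection lines, the blocklist and the process names are constructed assumptions for illustration.

```python
# Added example, not from the thread: flag outbound connections to a blocklisted
# IP in netstat-style "active connections" lines. All sample data is constructed.
import re
from ipaddress import ip_address

# The IP named in the thread; in practice this set would come from a feed.
BLOCKLIST = {"194.247.58.51"}
# Processes that rarely have a legitimate reason to reach arbitrary public hosts.
WATCHED_PROCESSES = {"java.exe", "javaw.exe"}

SAMPLE_CONNECTIONS = """\
TCP  192.168.1.10:49152  194.247.58.51:80   ESTABLISHED  java.exe
TCP  192.168.1.10:49153  203.0.113.7:443    ESTABLISHED  iexplore.exe
TCP  192.168.1.10:49154  194.247.58.51:80   SYN_SENT     iexplore.exe
TCP  192.168.1.10:49155  10.0.0.5:8080      ESTABLISHED  java.exe
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<proc>\S+)$"
)

def parse_connections(text):
    """Parse constructed netstat-like lines into dicts; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        remote_ip, _, remote_port = m.group("remote").rpartition(":")
        rows.append({"proto": m.group("proto"), "remote_ip": remote_ip,
                     "remote_port": int(remote_port), "state": m.group("state"),
                     "process": m.group("proc").lower()})
    return rows

def find_alerts(rows, blocklist=BLOCKLIST, watched=WATCHED_PROCESSES):
    """Return (severity, reason, row) tuples for connections worth raising."""
    alerts = []
    for row in rows:
        try:
            ip = ip_address(row["remote_ip"])
        except ValueError:
            continue  # unparseable remote address, nothing to compare
        if str(ip) in blocklist:
            alerts.append(("high", "remote IP on blocklist", row))
        elif row["process"] in watched and ip.is_global:
            # Java reaching a public host is unusual enough to surface.
            alerts.append(("medium", "watched process to public IP", row))
    return alerts
```

Run `find_alerts(parse_connections(SAMPLE_CONNECTIONS))` on the sample to see the two hits on 194.247.58.51; the java.exe connection to the private 10.0.0.5 is deliberately left quiet.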

Can you send me url to this exploit by PM?

PM sent

BTW, I'm using IE8, just FYI.