Exp/20120507-A is a detection for Java files designed to exploit the CVE-2012-0507 vulnerability.
The exploit takes advantage of a logical flaw in the Java ‘AtomicReferenceArray’ object that fails to properly sandbox the Java Runtime Environment (JRE). This means that even a Java applet delivered in an untrusted web page can call system-level Java functions that can be used to execute malicious code. Because this vulnerability is a JRE logical flaw and does not rely on memory corruption, shellcode or data execution, it can be exploited very consistently.
This vulnerability is found in Java versions up to and including version 7 update 2, version 6 update 30, and version 5 update 33. For Windows and Linux, you can update Java from java.com. For OS X, use Apple's Software Update.
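The affected-version ranges above can be checked across a fleet. The following is an added example, not part of the original description: it classifies `java -version` banners against the three thresholds stated on this page. It assumes the legacy `1.N.0_UU` banner format; the host names and the inventory are constructed sample data, and `classify` and `affected_hosts` are hypothetical helper names.

```python
import re

# Last affected update per Java family, as stated on this page:
# version 7 update 2, version 6 update 30, version 5 update 33.
LAST_AFFECTED_UPDATE = {7: 2, 6: 30, 5: 33}

# Legacy banner printed by `java -version`, e.g. java version "1.6.0_30".
# A missing _NN suffix means the initial release (update 0).
VERSION_RE = re.compile(r'version "1\.(\d+)\.\d+(?:_(\d+))?')


def classify(banner):
    """Return 'affected', 'not-affected' or 'unknown' for one version banner."""
    match = VERSION_RE.search(banner)
    if match is None:
        return "unknown"  # no Java found, or a banner format not handled here
    family = int(match.group(1))
    update = int(match.group(2) or 0)
    last_affected = LAST_AFFECTED_UPDATE.get(family)
    if last_affected is None:
        return "unknown"  # the page gives no threshold for this family
    return "affected" if update <= last_affected else "not-affected"


def affected_hosts(inventory):
    """Return the sorted host names whose banner falls in an affected range."""
    return sorted(h for h, b in inventory.items() if classify(b) == "affected")


# Constructed sample inventory: host name -> first line of `java -version`.
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.6.0_30"',   # boundary: still affected
    "ws-02": 'java version "1.6.0_31"',
    "ws-03": 'java version "1.7.0_02"',   # boundary: still affected
    "ws-04": 'java version "1.7.0_03"',
    "ws-05": 'java version "1.5.0_22"',
    "ws-06": 'java version "1.7.0"',      # no update suffix
    "ws-07": 'java version "1.4.2_19"',   # family not listed on the page
    "ws-08": "java: command not found",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(host, "needs a Java update")
```

Hosts reported as `unknown` need a manual check rather than being treated as safe.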
This exploit has been seen in heavy use in Blackhole Exploit Kits v1.2.3.
This exploit shot to prominence in April 2012, when it was used to sneak malware onto Mac OS X computers worldwide. This led to the appearance of a very large botnet involving hundreds of thousands of infected Macs.
You can read about the timeline of the Mac botnet which appeared in April 2012, primarily due to the use of this exploit against OS X users, on Sophos's Naked Security site:
Examples of Exp/20120507-A include:
Example 1
File Information
- Size: 5.7K
- SHA-1: 00346a85de0fba281ddb5a10861545e782dca13c
- MD5: 6a12459744f399fcd57d5aa13bcaf946
- CRC-32: 02b8ba74
- File type: application/octet-stream
- First seen: 2012-04-03
Example 2
File Information
- Size: 9.7K
- SHA-1: 0099565d19c25ad6d0c89ee60bc0e190e3fcba96
- MD5: 1fa9e56fc004d01c9bc58450a7207472
- CRC-32: de5bdaf7
- File type: application/zip
- First seen: 2012-04-01
Example 3
File Information
- Size: 9.6K
- SHA-1: 01217d3e1af00f707e62d10d8cf5280bad52760d
- MD5: 686e656b0bb662debbd66fd4af526a7b
- CRC-32: 027a7bf7
- File type: application/zip
- First seen: 2012-04-01