Published January 18, 2013
For anyone rushing to patch their Java software after the discovery of last week's critical flaw, a word of caution: There's a malware injector going around pretending to be a Java update.
"The use of fake software updates is an old social-engineering tactic," said Trend Micro fraud analyst Paul Pajares in a company blog posting.
The bogus Java patch appears as a pop-up calling itself "javaupdate11" and can be found lurking on compromised websites.
It is essentially a drive-by download that installs a "backdoor" on Windows PCs. The backdoor then lets online criminals install anything they want on the machine.
After the initial backdoor installation, Trend Micro observed the installation of a keylogger, which criminals, spies and suspicious spouses use to steal passwords.
There was also a failed attempt to install a form of ransomware, malware that encrypts user files and then demands money to restore access to them.
The phony patch does not actually exploit the Java vulnerability it purports to fix, although plenty of other browser-based malware does. Of course, it does not patch the vulnerability either.
Trend Micro recommends going directly to the Oracle website to download the real Java update.
We recommend always patching Java, which runs on Macs and Linux machines as well as Windows PCs, because some offline applications do need Java to run properly.
But it is best to disable all Java plug-ins in Web browsers. This latest hole has been patched, but the supply of Java vulnerabilities never seems to end, and there is already word of a new zero-day Java exploit circulating in criminal chat rooms.