Unruy is a family of trojan downloaders and unsolicited advertisement "providers" and although you might not have heard about it, it also is an infection vector for a rather prevalent family of rogues: Trojan:Win32/Fakespypro.

Recently we discovered a variant of Win32/Unruy, namely TrojanDownloader:Win32/Unruy.D (6120ac9c363c6da7cd7f8bed4edd314f0d3d8f4e), that is actively using the Java vulnerability discussed in CVE-2010-0094. The vulnerability exploits a flaw in the deserialization of RMIConnectionImpl objects. This flaw allows remote attackers to call, without proper sandboxing, system-level Java functions via the ClassLoader of a constructor that is being deserialized.

Infection can occur when a user visits a webpage that hosts a malicious Java applet. If the user’s browser runs a vulnerable version of the Java Runtime Environment (up to version 6 update 18), exploitation may be successful and malware may be installed.

We are currently detecting malicious applets that exploit this vulnerability as Exploit:Java/CVE-2010-0094.A and the bundled Java downloader component as Trojan:Java/Rowindal.A.

A security update for this vulnerability has been available since March 2010 and we suggest you apply it as soon as possible, if you haven’t already.

As good practice, we advise every user to always update their programs as well as their operating systems. We also advise users not to open files whose origins they don't trust.

Marian Radu
MMPC Dublin