At Virus Bulletin 2011, we presented on the exploding level of delivered Java exploits this year with "Firing the roast - Java is heating up again". We examined CVE-2010-0840 exploitation in detail, along with variants of its most common implementation on the web and some tools and tips for analysis. Microsoft’s security team presented findings for 2011 that mirrored ours in relation to Java exploit prevalence on the web – it is #1! At the same time, aside from the recent, well-known BEAST Java implementation, it is striking that it has been very uncommon to see Java backdoors, Trojans and spyware. But that lack of Java malware variety is beginning to change. My colleague, malware analyst Roman Unucheck, identified a new Java bot with some interesting characteristics that we named "Backdoor.Java.Racac".
Our "Backdoor.Java.Racac" detection is delivered to the field, but no one shows a detection on Virustotal at this point (another upload would remedy that). What makes this fresh Java sample interesting is its contemporary functionality set:
This object oriented code is well developed and its style clear. The jar file itself is only 131 kb, which makes this java bot a size comparable to other common bots and RATs infecting victim systems. With samples like these, we can expect to see more java malware than the usual list of Java exploits that we’ve seen in 2011. We will be posting soon with more, unusual, and recent Java malware.