English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeBlogResearchOctober 21 2011Java Malware Reconsidered, or, Java Brews a Fresh Bot of Malware

Java Malware Reconsidered, or, Java Brews a Fresh Bot of Malware

Kurt Baumgartner
Kaspersky Lab Expert
Posted October 21, 22:48  GMT
Tags: Oracle, Microsoft Windows, Social Networks, Apple MacOS, Botnets, DDoS, Sun Java, Linux, SunOS / Solaris, Microsoft
0.4
 

At Virus Bulletin 2011, we presented on the exploding level of delivered Java exploits this year with "Firing the roast - Java is heating up again". We examined CVE-2010-0840 exploitation in detail, along with variants of its most common implementation on the web and some tools and tips for analysis. Microsoft’s security team presented findings for 2011 that mirrored ours in relation to Java exploit prevalence on the web – it is #1! At the same time, aside from the recent, well-known BEAST Java implementation, it is striking that it has been very uncommon to see Java backdoors, Trojans and spyware. But that lack of Java malware variety is beginning to change. My colleague, malware analyst Roman Unucheck, identified a new Java bot with some interesting characteristics that we named "Backdoor.Java.Racac".

Our "Backdoor.Java.Racac" detection is delivered to the field, but no one shows a detection on Virustotal at this point (another upload would remedy that). What makes this fresh Java sample interesting is its contemporary functionality set:

  1. Mobile Twitter Communications

  2. Effective encryption implementation – algorithms include private and public key use, cipher block chaining
  3. Exhaustive list of DDoS capabilities – HTTP Flooder, UDP Flooders, Raw Socket Flooder along with exhaustive SOCKS proxy capabilities to hide the true source of the bot infection
  4. Geolocation tracking and reporting
  5. Download and execute arbitrary code
  6. Ability to identify automated analysis tools and kill itself to delay family detection
  7. Proper AWT implementation of cross platform screenshotting
  8. Full cross platform portability – runs on Windows, Linux, Apple OS X
  9. Etc

This object oriented code is well developed and its style clear. The jar file itself is only 131 kb, which makes this java bot a size comparable to other common bots and RATs infecting victim systems. With samples like these, we can expect to see more java malware than the usual list of Java exploits that we’ve seen in 2011. We will be posting soon with more, unusual, and recent Java malware.


Comments

If you would like to comment on this article you must first
login



Print
Bookmark and Share
Share

Related Links

Virus Bulletin 2011 - Firing the roast, Java is heating up again

Analysis

The anatomy of Flashfake. Part 1
DDoS attacks in H2 2011
DDoS attacks in Q2 2011
Heads of the Hydra. Malware for Network Devices
The ‘Advertising’ Botnet

Blog

Update to "DNSChanger - Cleaning Up 4 Million Infected Hosts"
OS X Mass Exploitation - Why Now?
New Version of OSX.SabPub & Confirmed Mac APT attacks
SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link
Patch Tuesday April 2012 - Patching Multiple Web Based Client Side and Spearphishing Exposures

Alerts

Windows Meta File Vulnerability
Net-Worm.Win32.Mytob, critical Windows vulnerabilities

© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search