Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.
To make analyzing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class – which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.
String initialization and decryption is implemented in the static initializer code (<clinit>).
The algorithm is as follows: take the current index of an encrypted character in the string, calculate the remainder from its division by 5 and choose the current key depending on the result. Next, identify the decrypted character by performing module 2 bitwise addition with the key selected.
For a specific case, the decryption algorithm looks as follows:
When launched, the bot copies itself into the user’s home directory and sets itself to run at system startup. Depending on the platform on which the bot has been launched, the following method is used for adding it to autostart programs:
The bot’s body contains an encrypted configuration file for the launchd service.
After launching and setting itself to run at system startup, the bot needs to report this to its owners. To provide a means of identifying each bot, a unique bot identifier is generated on each user machine. The identifier is saved to the file jsuid.dat in the user’s home directory.
The bot is controlled via the IRC protocol. This leads us to one more curious feature of this malware – it uses the PircBot open framework to implement communication via IRC. The malware includes all the classes needed for the purpose.
After launching, the malware initiates connection to an IRC server.
After successfully establishing a connection, the bot joins a predefined channel and waits for the attackers’ commands:
The bot is designed to conduct DDoS attacks from infected user machines.
The bot supports two flood types:
Which attack type is to be used is specified by an attacker in the IRC channel for zombie machines. In addition, the following parameters are specified:
The User-Agent value to be inserted into an HTTP request is selected randomly from a list stored in the bot’s body in encrypted form.
When analyzing the malware, we detected an attempt to attack a bulk email service.
Kaspersky Lab detects this malware as HEUR:Backdoor.Java.Agent.a.
We would like to thank Zoltan Balazs, CTO at MRG Effitas, for sharing a sample of the malware with us.