Kaspersky Lab has recently detected another cross-platform Java bot, capable of infecting computers running Windows, Mac OS X and Linux that have the Java Runtime Environment installed.
Last year, Zoltan Balazs, CTO at MRG Effitas, submitted samples of the malicious Java application to Kaspersky Lab for analysis, where it was identified as HEUR:Backdoor.Java.Agent.a.
According to the researchers, the Java bot compromises computers by exploiting CVE-2013-2465, a previously known critical Java vulnerability that was patched last June. The vulnerability affects Java 7 Update 21 and earlier versions.
The description of CVE-2013-2465 reads:
An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
Once the bot has infected a computer, it copies itself into the user's home directory and registers itself with the system's startup programs so that it is launched automatically. The malware is designed to launch distributed denial-of-service (DDoS) attacks from infected computers.
It uses the following persistence mechanisms, depending on the target operating system:
- Windows – the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key
- Mac OS – the standard Mac OS service launch mechanism (launchd)
- Linux – /etc/init.d/
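A defender-side check for the three autostart locations listed above, added here as an example (it is not part of the Kaspersky analysis or of the article): it parses autostart entries and flags any that launch a jar file from a user's home directory, the pattern the article describes. The Run-key values, the launchd plist and the init.d scripts it scans are constructed samples, not real indicators.

```python
import plistlib
import re
import shlex
# Constructed samples (not real indicators): one benign and one suspicious entry per location.
WINDOWS_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "jupdate": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\alice\jupdate.jar"',
}
LAUNCHD_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key><array><string>/usr/bin/java</string><string>-jar</string>
<string>/Users/alice/.helper/helper.jar</string></array></dict></plist>"""
INITD_SCRIPTS = {
    "ssh": "#!/bin/sh\nexec /usr/sbin/sshd -D\n",
    "javaupd": "#!/bin/sh\nexec /usr/bin/java -jar /home/alice/.javaupd/upd.jar &\n",
}

JAVA_BIN = re.compile(r"(?i)(^|[\\/])javaw?(\.exe)?$")            # last path element is java/javaw
HOME_DIR = re.compile(r"(?i)(^|[\\/])(Users|home)[\\/][^\\/]+[\\/]")  # file lives under a user home

def tokens(cmd, windows=False):  # Windows lines keep their backslashes and lose surrounding quotes
    try:
        return [t.strip('"') for t in shlex.split(cmd, posix=False)] if windows else shlex.split(cmd)
    except ValueError:  # unbalanced quotes: nothing usable to inspect
        return []

def java_jar_from_home(argv):
    """Return the jar path if argv runs java/javaw with -jar on a file under a home directory."""
    for i, tok in enumerate(argv):
        if JAVA_BIN.search(tok):
            rest = argv[i + 1:]
            for flag, target in zip(rest, rest[1:]):
                if flag == "-jar" and HOME_DIR.search(target):
                    return target
    return None

def scan_command_lines(entries, windows=False):
    """entries: {name: text}; Run-key values and /etc/init.d scripts are scanned line by line."""
    hits = {}
    for name, text in entries.items():
        for line in text.splitlines():
            jar = java_jar_from_home(tokens(line, windows))
            if jar:
                hits[name] = jar
    return hits

def scan_launchd(plist_bytes):
    """plist_bytes: one launchd job plist (LaunchAgents/LaunchDaemons)."""
    job = plistlib.loads(plist_bytes)
    jar = java_jar_from_home(job.get("ProgramArguments", []))
    return {job.get("Label", "?"): jar} if jar else {}
```

On a live system the same functions can be fed the real Run-key values, the plists under the LaunchAgents/LaunchDaemons directories and the files in /etc/init.d/; a hit is a lead to triage, not proof of infection.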
The malware authors used the Zelix KlassMaster obfuscator, including its encryption feature, to make analysis more difficult. It generates a separate key for each class, so every class has to be analysed to recover the decryption keys.
The bot's executable contains an encrypted configuration file for the Mac OS 'launchd' service. The malware's internal working logic is encrypted as well.
The malware uses PricBot, an open framework for implementing communication via IRC. Infected (zombie) computers then report to an Internet Relay Chat (IRC) channel that acts as the command-and-control server.
The botnet supports the HTTP and UDP protocols for flooding (DDoS) a target; the target details, i.e. address, port number, attack duration and number of threads to use, are received from the IRC channel.
Users should update their Java software to the latest release, Java 7 Update 51 of 14 January 2014, which can be found on Oracle's Java website. The next scheduled security update for Java is on 14 April 2014.