Cross-Platform Java bot found

Summary: Kaspersky Lab has described a bot written entirely in Java that runs on Windows, Mac or Linux. Even the infection method is cross-platform.

It's the holy grail of malware: a truly cross-platform bot that can run on any system. Well, almost any. Kaspersky Lab has come across a functioning bot written entirely in Java, which runs on Windows, Mac OS and Linux. Kaspersky detects the threat as HEUR:Backdoor.Java.Agent.a, and its authors went to some trouble to make it work on multiple platforms.

The infection vector is CVE-2013-2465, an integer overflow bug in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and in OpenJDK 7. Oracle's advisory for the June 2013 patch that fixed it describes the bug as "easily exploitable". It can be triggered from within sandboxed Java Web Start applications and sandboxed Java applets, so it can be used in drive-by attacks. Once installed, the bot has persistence routines to start itself at boot on each of Windows, Mac and Linux.
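A quick way to check whether a host's JVM falls inside the version ranges listed above, as an added example (my code, not from the article or from Kaspersky's analysis): it parses the legacy `java version "1.X.0_NN"` string that `java -version` prints for Java 5 through 8 and compares the family and update number against the ranges above. The sample outputs are constructed. The OpenJDK 7 handling is my own caveat: the article lists OpenJDK 7 without an update number, and distribution builds can carry a backported fix that the version string does not reveal.

```python
import re
import subprocess

# Affected ranges as stated in the article for Oracle Java SE: 7 Update 21 and
# earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier. The key is the
# middle digit of the legacy "1.X.0_NN" version string.
LAST_AFFECTED_UPDATE = {5: 45, 6: 45, 7: 21}

# Legacy version line as printed by `java -version` (Java 5 through 8).
# Java 9+ uses "9.0.1"-style strings and is out of scope here.
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d)\.0(?:_(\d+))?')


def parse_java_version(output):
    """Return (family, update) from `java -version` text, e.g. (7, 21); None if unrecognised."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(family, update):
    """True when the version lies inside the article's affected ranges."""
    last = LAST_AFFECTED_UPDATE.get(family)
    return last is not None and update <= last


def classify(output):
    """Map `java -version` output to a short verdict string."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "unrecognised version string"
    family, update = parsed
    verdict = "AFFECTED" if is_affected(family, update) else "not in affected range"
    if "OpenJDK" in output and family == 7:
        # My caveat, not the article's: distro OpenJDK 7 builds may backport the
        # fix without bumping the update number, so defer to the vendor.
        verdict += " (OpenJDK 7: confirm vendor patch level)"
    return f"{family}u{update}: {verdict}"


def check_local_java():
    """Run the JVM found on PATH; note that `java -version` writes to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no java on PATH"
    return classify(proc.stderr + proc.stdout)


# Constructed sample outputs so the check can be exercised offline.
SAMPLE_ORACLE_7U21 = (
    'java version "1.7.0_21"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_21-b11)\n'
)
SAMPLE_ORACLE_7U25 = (
    'java version "1.7.0_25"\n'
    'Java(TM) SE Runtime Environment (build 1.7.0_25-b15)\n'
)
SAMPLE_OPENJDK_7U21 = (
    'java version "1.7.0_21"\n'
    'OpenJDK Runtime Environment (IcedTea 2.3.9)\n'
)

if __name__ == "__main__":
    for sample in (SAMPLE_ORACLE_7U21, SAMPLE_ORACLE_7U25, SAMPLE_OPENJDK_7U21):
        print(classify(sample))
    print("local:", check_local_java())
```

Bear in mind that a browser plugin can be wired to a different JRE than the one first on PATH, so enumerate every installed runtime rather than stopping at the first `java` binary.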

The bot's bytecode is obfuscated, and its string constants encrypted, with the Zelix KlassMaster obfuscator. Kaspersky describes the method in detail.

The bot is controlled over IRC using PircBot, an open-source Java IRC bot framework. It is designed mainly to perform DDoS attacks, flooding targets over HTTP or UDP as directed from the IRC channel. The attack command also specifies the target's IP address and port, the duration of the attack and the number of attack threads to launch. For HTTP floods the bot carries a list of User-Agent strings and picks one at random for its requests.
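The HTTP flood described above leaves a recognisable footprint in a web server's access log: one source hammering the target while presenting a different User-Agent on successive requests. Below is an added detection example (my code, not Kaspersky's and not the bot's) that parses combined-format access log lines, measures each client's peak request count inside a sliding time window, counts the distinct User-Agents that client used, and flags sources that exceed both thresholds. The log lines, addresses and thresholds are constructed for illustration and will need tuning for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format:
#   ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return (client_ip, timestamp, user_agent), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("ua")


def max_hits_in_window(times, window):
    """Largest number of requests that fall inside any span of length `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while times[left] < t - window:  # slide the left edge forward
            left += 1
        best = max(best, right - left + 1)
    return best


def find_flood_sources(lines, window_seconds=10, min_hits=20, min_agents=3):
    """Flag client IPs whose burst rate and User-Agent diversity both exceed the thresholds.

    The default thresholds are illustrative assumptions, not values from the article.
    """
    per_ip_times = defaultdict(list)
    per_ip_agents = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, ua = parsed
        per_ip_times[ip].append(ts)
        per_ip_agents[ip].add(ua)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in per_ip_times.items():
        burst = max_hits_in_window(times, window)
        agents = len(per_ip_agents[ip])
        if burst >= min_hits and agents >= min_agents:
            flagged[ip] = {"burst": burst, "agents": agents}
    return flagged


# --- constructed sample log; not captured traffic ---
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.71",
    "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/26.0",
    "Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.16",
]


def _line(ip, second, ua):
    return (f'{ip} - - [15/Jan/2014:10:00:{second:02d} +0000] '
            f'"GET / HTTP/1.1" 200 512 "-" "{ua}"')


SAMPLE_LOG = (
    # an ordinary visitor: three requests over 40 seconds, one browser
    [_line("198.51.100.4", s, USER_AGENTS[0]) for s in (5, 20, 40)]
    # the bot: 30 requests within 10 seconds, User-Agent rotated on every request
    + [_line("203.0.113.7", s // 3, USER_AGENTS[s % len(USER_AGENTS)]) for s in range(30)]
)

if __name__ == "__main__":
    for ip, stats in find_flood_sources(SAMPLE_LOG).items():
        print(f"{ip}: {stats['burst']} hits in 10s across {stats['agents']} User-Agents")
```

The randomised User-Agent is meant to defeat filters that block a single UA string, but rotating it on every request turns UA diversity into a per-source signal. Treat hits as triage leads rather than block rules: a corporate proxy or carrier-grade NAT legitimately presents many User-Agents from one address. The UDP flood leaves nothing in the web log at all; for that, watch per-source packet rates at the network edge instead.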

As appealing as this approach sounds for the larger pool of targets it opens up, Kaspersky provides no information to indicate that the bot is widespread. Its authors should have no trouble adapting it to use newer, or even unpatched, vulnerabilities as infection vectors.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
