Cross-Platform Java bot found

Summary: Kaspersky Lab has described a bot written entirely in Java which can run on Windows, Mac or Linux. Even the infection method is cross-platform.

TOPICS: Security, Oracle

It's the holy grail of malware: A truly cross-platform bot that can run on any system. Well, almost any. Kaspersky Lab has come across a functioning bot written entirely in Java, and which works on Windows, Mac OS and Linux. Kaspersky detects this threat as HEUR:Backdoor.Java.Agent.a and its authors went to some trouble to make it work on multiple platforms.

The infection vector is CVE-2013-2465, an integer overflow bug in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7. Oracle's own disclosure of the bug upon patching it (in June 2013) describes it as "Easily exploitable". It can be exploited from within sandboxed Java or Java Web Start applets, so it can be used in drive-by attacks. The bot has provisions for setting itself up to run at boot time on Windows, Mac or Linux.

The bytecode and string constants of the bot are encrypted using the Zelix Klassmaster obfuscator. Kaspersky describes the method in detail.

The bot is controlled over IRC using the open-source PircBot Java IRC framework. It is designed largely to perform DDoS attacks, flooding targets using either HTTP or UDP, as specified over the IRC channel. The attack command sent to the bot also specifies the IP address and port of the target, the duration of the attack and the number of attack threads to launch. The bot contains a list of User-Agent strings, selected at random, to be used in HTTP floods.

As appealing as this approach must be to attackers, given the larger pool of potential targets, Kaspersky provides no information to indicate that the bot is widespread. Its authors should, however, be able to adapt it to use newer, or even unpatched, vulnerabilities as infection vectors.

  • Great!

    The bot programmers should be strung up by their nuts!
  • Danger

    Are people who keep their software up to date safe, since the bug was patched last June? Even so, is it fair to assume such sophisticated writers could have other attack vectors in place by now?

    Is it even conceivable we will ever be safe from this kind of attack?
    • A year ago security firms stated it would take years to fix known issues

      With Java then they have to fix all the problems discovered after all the known problems plus new ones introduced.
  • It just means "Don't use the JVM"...

    So not that widespread... except maybe for Windows.
  • Java this Java that...not secure...bla...bla...bla.

    People always blaming Java. But aren't c/c++ software based programs (OS's and applications) like windows, adobe creative suite, autocad, linux, corel, gimp, inkscape, MS Office, LibreOffice, firefox, chrome, etc... full of bugs and security holes that need to be fixed with patches?

    Why does Java always take the front stage but c/c++ does not? Almost all software development tools including Java were written in c/c++ and from scratch with assembly language.
    • oops, mistake.

      "Java were written in c/c++ and from scratch with assembly language."

      Oops, I meant, "Java were written in c/c++ and "NOT" from scratch in assembly language."
      • Plenty of .Net Exploits

        There is a reason why nearly every Patch Tuesday (Jan 2014 an exception) pushes 10 to 100 MB of .Net security patches. For some reason these never get the splashy headlines though.
    • Because

      it is multi-platform and it isn't Java the language that is the problem, it is the implementations of the runtime sandbox that are the problem.

      As dilettante said, .Net isn't immune, neither is Flash, which is probably a bigger headache than Java.

      Individual applications might also have problems (Office, Adobe CS etc.), but that isn't a platform.

      Also Java is by far the most widespread - it is in nearly all mobile phones, running on the telecommunications subsystem, it is in many cars, widespread in industry, it is on a lot of web servers, it runs on Windows, OS X and Linux.

      If you have an XP exploit, you can run it on a maximum of 400 million devices, a Windows 8 exploit on a hundred million or so. Android and Windows (all versions) get you "potentially" over a billion each, iOS several hundred million.

      So, how does Java stack up? Potentially several billion devices.

      Okay, to come back down to Earth, most of the exploits only affect a few percent of devices. But with a much bigger footprint, Java is a very tempting target.