It's the holy grail of malware: a truly cross-platform bot that can run on any system. Well, almost any: it needs a Java runtime. Kaspersky Lab has come across a functioning bot written entirely in Java which works on Windows, Mac OS and Linux. Kaspersky detects the threat as HEUR:Backdoor.Java.Agent.a, and its authors went to some trouble to make it work on all three platforms.
The infection vector is CVE-2013-2465, an integer overflow bug in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and OpenJDK 7. Oracle's own advisory, issued when it patched the bug in June 2013, describes it as "Easily exploitable". It can be triggered from a sandboxed Java applet or Java Web Start application, so it can be used in drive-by attacks against any visitor whose browser plug-in predates the June 2013 Critical Patch Update. Once it has escaped the sandbox, the bot has provisions for setting itself up to run at boot time on Windows, Mac or Linux, so a one-off applet infection survives a reboot.
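The boot-time persistence mentioned above is something a defender can hunt for. The script below is an added example, not Kaspersky's code and not the bot's; the page does not say which autostart locations the bot uses, so it checks the three usual per-user ones (Windows HKCU Run key values, macOS LaunchAgent plists, Linux XDG autostart .desktop files) for a `java`/`javaw` launcher loading a jar or classpath from a user-writable path. The entries it scans are constructed samples, and the list of user-writable path prefixes is an assumption to extend per site.

```python
"""Audit user-level autostart entries for Java launchers loading code from
user-writable paths. Added defender-side example; the autostart formats are
the standard per-user ones, not locations stated for this bot, and every
entry in SAMPLE_ENTRIES is constructed."""
import configparser
import plistlib
import re
import shlex

# Launcher binary is java or javaw, with or without .exe, bare or with a path.
JAVA_RE = re.compile(r"(^|[\\/])javaw?(\.exe)?$", re.IGNORECASE)
# Prefixes a normal user can write to without privileges (assumption: extend per site).
USER_WRITABLE_RE = re.compile(r"^(/Users/|/home/|/tmp/|[A-Za-z]:\\Users\\)", re.IGNORECASE)


def argv_from_run_value(value):
    """Windows HKCU\\...\\Run values are raw command lines; posix=False keeps backslashes."""
    return [tok.strip('"') for tok in shlex.split(value, posix=False)]


def argv_from_launch_agent(plist_text):
    """macOS ~/Library/LaunchAgents/*.plist: ProgramArguments is already an argv list."""
    return list(plistlib.loads(plist_text.encode())["ProgramArguments"])


def argv_from_desktop_file(text):
    """Linux ~/.config/autostart/*.desktop: the Exec= line is a shell-style command."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return shlex.split(cp["Desktop Entry"]["Exec"])


def suspicious_java_launch(argv):
    """True if argv starts java/javaw and loads a jar or classpath from a
    user-writable path, which is what user-level Java persistence looks like."""
    if not argv or not JAVA_RE.search(argv[0]):
        return False
    for i, arg in enumerate(argv[1:-1], start=1):
        if arg in ("-jar", "-cp", "-classpath") and USER_WRITABLE_RE.match(argv[i + 1]):
            return True
    return False


def audit(entries):
    """entries: list of (label, parser, raw text). Returns labels of flagged entries."""
    flagged = []
    for label, parser, raw in entries:
        try:
            argv = parser(raw)
        except Exception:
            continue  # unparsable entry: worth a manual look, skipped here
        if suspicious_java_launch(argv):
            flagged.append(label)
    return flagged


# Constructed samples: one suspicious and one benign entry per platform.
SAMPLE_ENTRIES = [
    ("windows-run-bad", argv_from_run_value,
     r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar C:\Users\bob\AppData\Roaming\jusched.jar'),
    ("windows-run-ok", argv_from_run_value,
     r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"'),
    ("macos-launchagent-bad", argv_from_launch_agent, """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.apple.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/java</string><string>-jar</string>
    <string>/Users/bob/Library/Application Support/.updater/u.jar</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""),
    ("linux-autostart-bad", argv_from_desktop_file,
     "[Desktop Entry]\nType=Application\nName=Updater\nExec=java -jar /home/bob/.local/share/updater/u.jar\n"),
    ("linux-autostart-ok", argv_from_desktop_file,
     "[Desktop Entry]\nType=Application\nName=JDownloader\nExec=/usr/bin/java -jar /opt/jdownloader/JDownloader.jar\n"),
]

if __name__ == "__main__":
    for label in audit(SAMPLE_ENTRIES):
        print("suspicious autostart entry:", label)
```

On a real host you would feed `audit()` the Run key values, plist files and .desktop files collected from each user's profile; the path heuristic is deliberately narrow, so an entry that fails to parse or runs Java from an unusual system location still deserves a manual look.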
The bot's bytecode is obfuscated and its string constants are encrypted using the commercial Zelix Klassmaster obfuscator, so a plain strings dump of the class files does not reveal the IRC server, channel or command keywords; Kaspersky's write-up describes the decryption method in detail.
The bot is controlled over IRC using the open-source PircBot Java IRC framework. It is designed largely to perform DDoS attacks, flooding targets over either HTTP or UDP as specified from the IRC channel. The attack command sent to the bot also specifies the target's IP address and port, the duration of the attack and the number of attack threads to launch. For HTTP floods the bot carries a built-in list of User-Agent strings from which it selects at random, so the requests arriving at the victim do not all share one browser signature.
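The randomized User-Agent gives the victim side something to detect: a single client sending a burst of requests under many different browser identities. The script below is an added detection example, not Kaspersky's or the bot's code; it reads Apache/nginx "combined" format access logs, the thresholds (window length, request count, distinct User-Agent count) are assumptions to tune per site, and the log lines it runs on are constructed.

```python
"""Flag the HTTP-flood pattern in web server access logs: a burst of requests
from one client whose User-Agent keeps changing. Added example, not the page's
code; log format is Apache/nginx "combined", thresholds are assumptions, and
build_sample_log() returns constructed lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, user_agent) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["ua"]


def find_ua_rotating_floods(lines, window=timedelta(seconds=10),
                            min_requests=20, min_agents=5):
    """Return {ip: (requests, distinct_agents)} for clients that, inside some
    sliding window, exceed both thresholds. Rate alone also catches a busy
    NAT or proxy; the distinct-agent count singles out the randomized UA."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            agents = len({ua for _, ua in win})
            if len(win) >= min_requests and agents >= min_agents:
                flagged[ip] = max(flagged.get(ip, (0, 0)), (len(win), agents))
    return flagged


# Constructed UA list standing in for the bot's built-in one.
AGENTS = [
    "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.36 Chrome/31.0",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Safari/537.36",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
    "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.16",
    "Mozilla/5.0 (iPad; CPU OS 7_0 like Mac OS X) AppleWebKit/537.51.1",
]


def build_sample_log():
    """Constructed sample: one normal client, one flooding client cycling six UAs."""
    base = datetime(2014, 1, 28, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, ua):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512 "-" "{ua}"'

    lines = [line("10.0.0.5", base + timedelta(seconds=30 * i), AGENTS[0]) for i in range(3)]
    lines += [line("203.0.113.7", base + timedelta(seconds=i // 3), AGENTS[i % len(AGENTS)])
              for i in range(25)]
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for ip, (n, agents) in find_ua_rotating_floods(build_sample_log()).items():
        print(f"{ip}: {n} requests with {agents} distinct User-Agents in one window")
```

The same idea does not transfer to the bot's UDP flood, which carries no User-Agent; for that you are back to per-source packet rates from flow or firewall data.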
As appealing as a cross-platform bot sounds to attackers, since it enlarges the pool of potential victims, Kaspersky provides no information to indicate that it is widespread. Nothing ties the bot to this particular bug, though: its authors should be able to swap in newer, or even unpatched, Java vulnerabilities as the infection vector.