Security risk management: Kaspersky Labs identify cross-platform Java Bot used for DDoS attacks

Throughout much of 2013 Oracle and its programming language, Java, was rarely out of the news. However, since its Critical Patch Update (CPU) release in October 2013, things have remained relatively quiet. Until now, that is. Unfortunately Java-related security issues are once again making the headlines. Kaspersky Labs, have recently discovered more botnet malware designed to contaminate computers with Windows, Linux or Mac OS X operating systems:  devices which run Oracle’s Java software.

Kaspersky Labs Global Research and Analysis Team’s report – HEUR: Backdoor.Java.Agent.a – identified a malicious Java application that infects machines for the purpose of building a DDoS botnet.  The malware programme primarily exploits CVE-2013-2465, a critical Java vulnerability that Oracle patched in June. The vulnerability is found in Java 7 u21 and earlier, as well as on different versions of Java 6 and 5. An exploit could allow an attacker to remotely run code on compromised machines through a bypass of the Java sandbox leading to disruption of service and information disclosure. The bug was patched as part of Oracle’s June 2013 Critical Patch Update.

The latest botnet is designed to conduct distributed denial-of-service attacks on targets of the attackers’ choice. Commands issued in the IRC (Internet relay chat) channel using either HTTP or UDP flood attacks allow the attackers to specify the IP address, port number, intensity, and duration of attacks. Once the bot has infected a computer, it copies itself to the auto start directory of its respective platform to ensure it runs whenever the machine is turned on: compromised computers then report to an Internet relay chat channel that acts as a command and control server.

Kaspersky Labs researcher, Anton Ivanov, explained that the malicious malware was written entirely in Java allowing it to run on Windows, Linux and Mac OS X machines, and that the malware exploited a patched Java vulnerability, CVE-2013-2465. He added that further complications of the bot sample he analysed were the use of the PircBot open framework for communication over IRC and the Zelix Klassmaster obfuscator, which made it harder to detect and examine.

“In addition to obfuscating bytecode, Zelix encrypts string constants,” Ivanov said. “Zelix generates a different [encryption] key for each class which means that in order to decrypt all the strings in the application, you have to analyse all the classes in order to find the decryption keys.”

This is not the first time Kaspersky researchers have run into a Java exploit for CVE-2013-2465. A Java exploit called new.jar, part of the NetTraveler espionage campaign targeting this particular Java vulnerability, was identified in 2013. NetTraveler was publicly disclosed in June and another update was provided in September. The malware targeted diplomats, activists, government agencies and the scientific research community. The first version unveiled by Kaspersky researchers targeted Microsoft Office vulnerabilities; a second wave targeted this Java vulnerability. The NetTraveler attackers used watering hole attacks, compromising Uyghur-related websites to drop malware on machines stealing Office document files, as well as design documents done on Corel Draw or AutoCAD files.

If your business needs help with security reviews, penetration testing or web security solutions, please call Krypsys on 01273 044072 or email [email protected].