Cross-Platform Java Malware Used In DDoS Attacks

Kaspersky finds malware targeting unnamed bulk email service

A piece of Java malware has been uncovered with the ability to run on Windows, Mac and Linux. It is designed to help carry out distributed denial of service (DDoS) attacks as part of a botnet.

Such cross-platform malware means the malware authors only have to write code once to cover all bases.

The HEUR:Backdoor.Java.Agent.a malware used a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier to infect users.

Image: Java botnet strikes

It copied itself into the user’s home directory, set itself up to run at startup, and made detection and analysis harder by obfuscating its code and encrypting its strings.

“To make analysing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants,” explained Anton Ivanov, Kaspersky Lab Expert, in a blog post.

“Zelix generates a different key for each class, which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.”

The bots can be used together for DDoS attacks over either the HTTP or UDP protocol. The bot is controlled over IRC, using PircBot, a Java framework for writing IRC bots quickly and easily.

Attackers have the option to select the address of the target machine, the port number, the DDoS duration and the number of threads to be used. A unique bot identifier is generated on each user machine so the botnet’s owners have total control over their malicious network.
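The behaviours described above (a Java program persisting from the home directory, an IRC command channel, then a high-volume HTTP or UDP flood against one host) can be correlated in endpoint telemetry. The following Python is an added example, not code from the article or from Kaspersky; the event format, paths, ports and thresholds are constructed assumptions:

```python
"""Detector for the bot behaviours the article describes, run over constructed
endpoint events. Event shape (event_type, pid, details) is an assumption."""
from collections import defaultdict

# Constructed sample telemetry: one suspicious Java process (pid 4242) and one
# benign Java service (pid 5151). Addresses are documentation ranges.
EVENTS = [
    ("process_start", 4242, {"image": "/usr/bin/java",
                             "cmdline": "java -jar /home/alice/.jupdate/agent.jar"}),
    ("autostart", 4242, {"path": "/home/alice/.config/autostart/jupdate.desktop",
                         "target": "/home/alice/.jupdate/agent.jar"}),
    ("net_connect", 4242, {"dst": "203.0.113.5", "dport": 6667, "proto": "tcp"}),
    *[("net_connect", 4242, {"dst": "198.51.100.7", "dport": 80, "proto": "tcp"})
      for _ in range(250)],
    ("process_start", 5151, {"image": "/usr/bin/java",
                             "cmdline": "java -jar /opt/app/server.jar"}),
    ("net_connect", 5151, {"dst": "198.51.100.9", "dport": 443, "proto": "tcp"}),
]

IRC_PORTS = {6667, 6697}                       # common IRC / IRC-over-TLS ports
HOME_PREFIXES = ("/home/", "/Users/", "C:\\Users\\")
FLOOD_THRESHOLD = 100                          # connections to one dst from one pid

def analyse(events):
    """Return {pid: [reasons]} for processes showing at least two indicators."""
    per_pid = defaultdict(lambda: {"java_home": False, "autostart": False,
                                   "irc": False, "flood": defaultdict(int)})
    for kind, pid, d in events:
        p = per_pid[pid]
        if kind == "process_start" and "java" in d["image"] \
                and any(h in d["cmdline"] for h in HOME_PREFIXES):
            p["java_home"] = True                # Java launched from a home directory
        elif kind == "autostart" and d["target"].startswith(HOME_PREFIXES):
            p["autostart"] = True                # startup entry pointing into home dir
        elif kind == "net_connect":
            if d["dport"] in IRC_PORTS:
                p["irc"] = True                  # possible IRC command channel
            p["flood"][(d["dst"], d["dport"], d["proto"])] += 1
    findings = {}
    for pid, p in per_pid.items():
        reasons = []
        if p["java_home"] and p["autostart"]:
            reasons.append("java persisted from home directory")
        if p["irc"]:
            reasons.append("IRC command channel")
        floods = [k for k, n in p["flood"].items() if n >= FLOOD_THRESHOLD]
        if floods:
            reasons.append("possible flood to %s:%d/%s" % floods[0])
        if len(reasons) >= 2:   # require two independent indicators before alerting
            findings[pid] = reasons
    return findings
```

Requiring two independent indicators keeps a lone Java service that happens to talk to port 6667, or a legitimate load generator, from alerting on its own.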

At least one target of the botnet was a bulk email service, said Ivanov.
