Cross-Platform Java Bot Used for DDoS Attacks

Researchers at Kaspersky Lab have analyzed a malicious Java application that turned out to be a cross-platform bot used for DDoS attacks.

Java-related security issues have remained relatively quiet during the past few months, especially after a rocky start to 2013 seemingly had one Java flaw after another in the news.

Things might be starting to ramp up again with the discovery of a cross-platform Java-based botnet.

Researchers at Kaspersky Lab’s Global Research and Analysis Team reported today their analysis of HEUR:Backdoor.Java.Agent.a, a malicious Java application that infects machines for the purpose of building a DDoS botnet.

The botnet communicates over IRC and can carry out distributed denial of service attacks using either HTTP or UDP flood attacks.

Researcher Anton Ivanov said today that the malicious Java application is capable of running on Windows, Linux and Mac OS X machines, and that the malware exploits a patched Java vulnerability, CVE-2013-2465.

The vulnerability is found in Java 7 u21 and earlier, as well as on different versions of Java 6 and 5. An exploit could allow an attacker to remotely run code on compromised machines through a bypass of the Java sandbox leading to disruption of service and information disclosure. The bug was patched as part of Oracle’s June 2013 Critical Patch Update.

Ivanov said one of the more notable features of the bot sample he analyzed as its use of the PircBot open framework for communication over IRC.

“The malware includes all the [Java] classes needed for the purpose,” Ivanov said. PircBot is a Java-based framework used to write IRC bots.

A passage on the Jibble website which hosts PircBot says: “PircBot allows you to perform a variety of fun tasks on IRC, but it is also used for more serious applications by the US Navy, the US Air Force, the CIA (unconfirmed), several national defence agencies, and inside the Azureus bittorrent client. But don’t let that put you off – it’s still easy to use!”

Once the bot infects a machine and launches, it copies itself into the autostart directories for the various platforms it supports, giving it persistence at startup for each. It then establishes a backdoor connection to the attackers and generates a unique identifier for each machine it compromises. Ivanov said it then connects to an IRC server and joins a channel that is predefined in the bot, awaiting commands.

The attacker uses this channel to specify not only whether it should use an HTTP or UDP flood attack, but also specifies a number of parameters for an attack, including the target’s IP address, port number over which the attack is carried out, attack duration, and how many threads are to be used in the attack, Ivanov said.

Complicating matters for researchers, the botnet uses the Zelix Klassmaster obfuscator.

“In addition to obfuscating bytecode, Zelix encrypts string constants,” Ivanov said. “Zelix generates a different [encryption] key for each class—which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.”

This is not the first time Kaspersky researchers have run into a Java exploit for CVE-2013-2465. A Java exploit called new.jar that as part of the NetTraveler espionage campaign also went after this particular Java vulnerability, dropping a backdoor onto victimized machines.

NetTraveler was publicly disclosed in June and another update was provided in September. The malware targeted diplomats, activists, government agencies and the scientific research community. The first version unveiled by Kaspersky researchers targeted Microsoft Office vulnerabilities; a second wave targeted this Java vulnerability. The NetTraveler attackers used watering hole attacks, compromising Uyghur-related websites to drop malware on machines that steals Office document files, as well as design documents done on Corel Draw or AutoCAD files.

Suggested articles