A Cross-platform Java-bot

Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.

Initializing and decrypting strings

To make analyzing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class – which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.

String initialization and decryption is implemented in the static initializer code (<clinit>).

Encrypted string initialization

The algorithm is as follows: take the current index of an encrypted character in the string, calculate the remainder from its division by 5 and choose the current key depending on the result. Next, identify the decrypted character by performing module 2 bitwise addition with the key selected.

String decryption

For a specific case, the decryption algorithm looks as follows:

Python implementation of the decryption algorithm

The launch

When launched, the bot copies itself into the user’s home directory and sets itself to run at system startup. Depending on the platform on which the bot has been launched, the following method is used for adding it to autostart programs:

1. For Windows – HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
2. Mac OS – the standard Mac OS service launchd is used
3. For Linux – /etc/init.d/

The bot’s body contains an encrypted configuration file for the launchd service.

Decrypted configuration file for the launchd service

After launching and setting itself to run at system startup, the bot needs to report this to its owners. To provide a means of identifying each bot, a unique bot identifier is generated on each user machine. The identifier is saved to the file jsuid.dat in the user’s home directory.

Contents of jsuid.dat

Controlling the bot

The bot is controlled via the IRC protocol. This leads us to one more curious feature of this malware – it uses the PircBot open framework to implement communication via IRC. The malware includes all the classes needed for the purpose.

After launching, the malware initiates connection to an IRC server.

Connecting to an IRC server

After successfully establishing a connection, the bot joins a predefined channel and waits for the attackers’ commands:

Joining an IRC channel

Main functionality

The bot is designed to conduct DDoS attacks from infected user machines.

The bot supports two flood types:

• HTTP
• UDP

Which attack type is to be used is specified by an attacker in the IRC channel for zombie machines. In addition, the following parameters are specified:

• Address of the computer to be attacked
• Port number
• Attack duration
• Number of threads to be used in the attack

Generating headers during an HTTP flood attack

The User-Agent value to be inserted into an HTTP request is selected randomly from a list stored in the bot’s body in encrypted form.

Decrypted list of User Agent values supported by the bot

When analyzing the malware, we detected an attempt to attack a bulk email service.

Command to launch an attack

Kaspersky Lab detects this malware as HEUR:Backdoor.Java.Agent.a.

We would like to thank Zoltan Balazs, CTO at MRG Effitas, for sharing a sample of the malware with us.