Encrypted string initialization
Posted on 01/29/2014 11:05:37 AM PST by ShadowAce
Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.
To make analyzing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class – which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.
String initialization and decryption is implemented in the static initializer code (<clinit>).
Encrypted string initialization
The algorithm is as follows: take the current index of an encrypted character in the string, calculate the remainder from its division by 5 and choose the current key depending on the result. Next, identify the decrypted character by performing module 2 bitwise addition with the key selected.
String decryption
For a specific case, the decryption algorithm looks as follows:
Python implementation of the decryption algorithm
When launched, the bot copies itself into the user’s home directory and sets itself to run at system startup. Depending on the platform on which the bot has been launched, the following method is used for adding it to autostart programs:
The bot’s body contains an encrypted configuration file for the launchd service.
Decrypted configuration file for the launchd service
After launching and setting itself to run at system startup, the bot needs to report this to its owners. To provide a means of identifying each bot, a unique bot identifier is generated on each user machine. The identifier is saved to the file jsuid.dat in the user’s home directory.
Contents of jsuid.dat
The bot is controlled via the IRC protocol. This leads us to one more curious feature of this malware – it uses the PircBot open framework to implement communication via IRC. The malware includes all the classes needed for the purpose.
After launching, the malware initiates connection to an IRC server.
Connecting to an IRC server
After successfully establishing a connection, the bot joins a predefined channel and waits for the attackers’ commands:
Joining an IRC channel
The bot is designed to conduct DDoS attacks from infected user machines.
The bot supports two flood types:
Which attack type is to be used is specified by an attacker in the IRC channel for zombie machines. In addition, the following parameters are specified:
Generating headers during an HTTP flood attack
The User-Agent value to be inserted into an HTTP request is selected randomly from a list stored in the bot’s body in encrypted form.
Decrypted list of User Agent values supported by the bot
When analyzing the malware, we detected an attempt to attack a bulk email service.
Command to launch an attack
Just Another Vulnerability Announcement
So.. does the malware this thing downloads work on Linux?
Yeah—Luckily, it’s an ancient version. Almost a year old.
According to the first sentence of the article, yes. :)
For Linux – /etc/init.d/
I guess I must have already given this shady java app root permissions. I have to stop doing that.
sudo find /home -name jsuid.dat
... will definitely tell you if it's been installed.
Rule #1. Don't run as root!
Rule #2. Require a passwd for sudo!
Rule #3. If you don't need java, don't install it!
What can be done about it?
From the looks of it, it appears to be really simple to remove.
How does it get root access without a password?
This appears to be a generic proof of concept example that’s been around for a couple of years designed to run on all three platforms. . . and requires a means of getting it onto each of them. A Trojan horse might do it. . . but requires the participation of a user with administrative access.
interesting
From the looks of it, it appears to be really simple to remove.
..or upgrade to a version newer than a year old. Something greater than 7u21. (I'm currently on 7u51).
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.