These days botnets are all over the news. In simple terms, a botnet is a group of computers networked together, running a piece of malicious software that allows them to be controlled by a remote attacker.<\/p>\n
A major target for most of the malware is still Windows, but the growing market of Mac OS X, Linux and Smartphones, is also giving a solid reason to cyber criminals to focus.<\/p>\n
Recently, Kaspersky Lab has detected another cross-platform Java-Bot, capable of infecting computers running Windows, Mac OS X, and Linux that has Java Runtime Environment installed.<\/p>\n
Last year, Zoltan Balazs – CTO at MRG Effitas submitted the samples of malicious Java application for analysis to Kaspersky Lab and they identified it as HEUR:Backdoor.Java.Agent.a.<\/p>\n
According to researchers, to compromise computers, Java-Bot is exploiting a previously known critical Java vulnerability CVE-2013-2465 that was patched in last June. The vulnerability persists in Java 7 u21 and earlier versions.
\nCVE-2013-2465 description says:<\/p>\n
Once the bot has infected a computer, for automatic initialization the malware copies itself into the home directory, and registers itself with system startup programs. The Malware is designed to launch distributed denial-of-service (DDOS) attacks from infected computers.<\/p>\n
It uses the following methods to start it based on the target operating system:<\/p>\n
The malware authors used Zelix Klassmaster Obfuscator (encryption) to make the analysis more difficult.\u00a0 It creates a separate key for the classes developed due to which analysis of all classes has to be done to get the decryption keys.<\/p>\n
The botnet executable contains an encrypted configuration file for the Mac OS ‘launchd service’. It also encrypts internal working methodology of malware.<\/p>\n
The malware uses PricBot an open framework for implementing communication via IRC. Zombie computers, then report to an Internet relay chat (IRC) channel that acts as a Command-and-control server.<\/p>\n
The Botnet supports HTTP, UDP protocols for flooding (DDoS attack) a target whose details i.e. Address, port number, attack duration, number of threads to be used are received from the IRC channel.<\/p>\n
Users should update their Java software to the latest release of Java 7 update 51 of 14 January 2014, can be found on Oracle’s Java website. The next scheduled security update for Java is on 14 April 2014.<\/p>\n