ID: IRCNE2014022089
Date: 2013-02-01
According to "zdnet", it's the holy grail of malware: A truly cross-platform bot that can run on any system. Kaspersky Lab has come across a functioning bot written entirely in Java, and which works on Windows, Mac OS and Linux. Kaspersky detects this threat as HEUR:Backdoor.Java.Agent.a and its authors went to some trouble to make it work on multiple platforms.
The infection vector is CVE-2013-2465, an integer overflow bug in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7. Oracle's own disclosure of the bug upon patching it (in June 2013) describes it as "Easily exploitable". It can be exploited from within sandboxed Java or Java Web Start applets, so it can be used in drive-by attacks. The bot has provisions for setting itself up to run at boot time on Windows, Mac or Linux.
The bot is controlled over IRC using the PircBot Java IRC Bot open framework. It is designed largely to perform DDOS attacks. The attack command to the bot also specifies the IP address and port of the target, the duration of the attack and the number of attack threads to launch. The bot contains a list of User-Agent strings, selected randomly.
Attackers should be able to adapt it to use newer, or even unpatched vulnerabilities as attack vectors.
- 2