It was the same time last year that Java faced one of the most critical periods in its history since its launch. The hackers had at that time used a vulnerability which was called ‘Zero Day Exploit’ to hack into Java based software. These exploits were so potent that they commanded a price of $5000 per exploit in the underground websites and forum. Consequently Oracle came out with a string of patches to fix this vulnerability. However one of the patches released by Oracle called CVE-2013-2465 released in June 2013 to fix the critical vulnerability, itself seems to have an exploit !!!
The Researchers have discovered that a botnet malware uses this exploit to infect computers running on running all major operating systems Windows, Mac OS X, and Linux provided these have Oracle’s Java software framework installed and running. And as Java framework is used almost everywhere and by everybody, the infection has been described as a major one. Secondly the malware in itself is a cross platform version which uses the Zelix Klassmaster obfuscator to prevent it from being reverse engineered by whitehat and competing blackhat hackers. The name of this malware is Heur:Backdoor.Java.Agent.a. Besides obfuscating bytecode, Zelix encrypts some of the inner workings of the malware making it impossible to detect, cure or reverse engineer.
All machines which have the Java version 7 u21 and earlier are likely to be infected by this botnet. Once the bot has infected a computer, it copies itself to the autostart directory of its respective platform to ensure it runs whenever the infected machine is booted. Once booted, the malware then makes the compromised computers report to an Internet relay chat channel that acts as a command and control server. The hackers may then use this IRC channel to remotely control the hacked/compromised computer. As said above, because of its cross platforming feature, this malware is termed as doubly dangerous.
The hackers use this botnet to specifically conduct a Distributed Denial of Service (DDoS) attacks on targets of their choice. This is done by the hackers by issuing necessary commands over the IRC channel. The specified IRC channel allows the hackers to specify the IP address, port number, intensity, and duration of attacks. The malware is written entirely in Java, allowing it to run on Windows OS X and Linux machines. For added flexibility and more manoeuvrability to the hackers, the bot has also been incorporated with PircBot, an IRC programming interface based on Java.
The working of this botnet malware is so designed that the victim of the DDoS attack as well as the attacker (compromised PC) are both unaware of the actual criminal behind the attack. This also make it difficult for the webmaster, security analysts and white hackers employed by the victim to monitor their websites, to reach the source of actual attacker.
