Java botnet hits Mac, Linux and Windows machines

CYBER CROOKS are once again targeting Java users, but this time taking advantage of the cross-platform design to threaten Linux and Mac users, Kaspersky researchers have claimed.
The malware is a functioning botnet written entirely in Java and is capable of infecting computers running Windows, Mac OS X and Linux that have Oracle's Java software framework installed.
Once infected, a computer that has been compromised by the Java based malware - most likely through a malware hosting website - is pulled into a botnet and then controlled to launch distributed denial of service (DDoS) attacks against other websites to knock them offline.
Kaspersky detected this threat as HEUR:Backdoor.Java.Agent.a, while the infection vector is CVE-2013-2465, an integer overflow bug in Oracle Java SE 7 Update 21 and earlier, Jave SE 6 Update 45 and earlier, Java SE 5.0 Update 45 and earlier, and OpenJDK 7.
"To make analysing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator," Kaspersky said in a blog post.
"In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class - which means that in order to decrypt all the strings in the application, you have to analyse all the classes in order to find the decryption keys."
Oracle's disclosure of the bug upon patching it in June 2013 described it as "easily exploitable" as it can be exploited from within sandboxed Java or Java Web Start applets and then used in drive-by attacks.
When launched, the bot copies itself into the user's home directory and sets itself to run at system startup. Depending on the operating system on which the bot has been launched, the following methods are used for adding it to autostart programs:

• For Windows it will hide in KEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
• Under Mac OS X, the standard Mac OS X service launchd is used.
• In Linux it will use /etc/init.d/.

"After launching and setting itself to run at system startup, the bot needs to report this to its owners," Kaspersky explained. "To provide a means of identifying each bot, a unique bot identifier is generated on each user machine. The identifier is saved to the file jsuid.dat in the user's home directory."
The malware will then initiate a connection to an Internet Relay Chat (IRC) server. After successfully establishing a connection, the bot joins a predefined channel and waits for the attackers' commands.
According to Kaspersky, one of the targets on the receiving end of a DDoS attack might be an unnamed bulk email service.