Java Bot Software Could Signal New Vector For Malware Authors

Flexible programming language offers some advantages for cybercriminals, researchers say

Dark Reading Staff, Dark Reading

May 10, 2011

4 Min Read

Pity today's cybercriminal. Sure, attackers can get by focusing on Windows -- but with the increasing market share of Mac OS X and the proliferation of smartphones, one operating system platform just doesn't seem like enough anymore.

Little wonder, then, that one enterprising group has started selling bot software based on the write-once-read-anywhere Java programming platform. Last week, McAfee published details of the software, dubbed Incognito, which the company's customers have encountered in the wild. The bot software is fairly standard fare, but the majority of its components are written in Java.

The move is likely a reaction to the increase in smartphones, such as Apple's iPhone and those running numerous versions of Google's Android operating system. Combined with Apple's expanding share of the personal computer market -- accounting for approximately one of every six computers in many nations -- this new trend makes a Windows-only approach less appealing for profiteers and criminals.

"It is a tablet world right now; it is a mobile world right now," says David Marcus, director of security research and communications for McAfee. "And that's where the bad guys are going to go because that is where the good guys are going. So this is about portable code."

Java is most famous for its goal of "write once, run anywhere." With an expanding number of important platforms, malware developers could be delving into the possibilities of Java-based programs, Marcus says.

Incognito does not forge much new ground in terms of functionality. The bot software uses available Java libraries to allow an attacker to view an infected machine screen via screen capture and control the mouse and keyboard. In addition, the bot software can play video and MP3 files, as well as capture images from a compromised system's webcam.

Because it's a relative rarity, Java-based malware could have success evading detection, said Carlos Castillo, a McAfee malware researcher who analyzed Incognito, in an email interview.

"Stand-alone Java malware could be successful for targeted attacks because there is not much Java malware detected in the wild that we are seeing today," Castillo says.

Incognito is not the first time malware developers have used Java. Nearly a decade ago, attackers used a Java applet, Sentinel, to help portscan other computers for specific vulnerabilities and another, AntiURL, to launch denial-of-service attacks on websites.

Java-based malware is most useful for creating applets that can remotely take actions on the attacker's behalf, rather than stealing data from the victim's PC. For example, for the attacker to take control of an infected PC using Incognito, the victim must be fooled into allowing the remote software to communicate.

"Java has a pretty robust sandboxing technology, so any code is still being executed inside the Java runtime and the Java sandbox," says Gunter Ollmann, vice president of research for network protection firm Damballa. "It is much more difficult to break out of the sandbox and take control of the computer itself."

Ollmann expects Java trojans to still have utility for attackers, but not in the same way as many other bot programs. Using a victim's computer as part of a denial-of-service botnet is one possibility; another is using compromised computers to fuel affiliate-based scams.

"It could be used as a way to advance click fraud or other online fraud, where the code is executing on the computer and impersonating a user from that IP address," Ollmann says. "The bad guys can then monetize those automated actions for their benefit."

There are drawbacks to Java: System differences make the portability problematic on some operating systems. Moreover, Java usage appears to be declining, to 77 percent of systems, according to one estimate based on browsers.

Many security professionals argue that the decline of Java, which has been compromised in the past, is good for security. While sandboxing enhances Java's security, updating the software has been difficult -- leaving behind vulnerable versions on many systems, says Chester Wisniewski, senior security adviser for antivirus firm Sophos.

"I'm personally on an anti-Java tirade," he says. "It's time to take Java off your darn computer."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights