The multi-talented bot, which can carry out DDoS via either HTTP or UDP flood attacks, was discovered by Zoltan Balazs, CTO at MRG Effitas, and shared with Kaspersky Lab for analysis. The firm uncovered that it makes use of a vulnerability (CVE-2013-2465) found in Java 7 u21 and earlier, as well as in different versions of Java 6 and 5, which allows attackers to bypass the Java sandbox. Oracle patched the vulnerability last June, but clearly plenty of machines have yet to be updated.
The targets appear to be large: when analyzing the malware, Kaspersky detected an attempt to attack a bulk email service.
Kaspersky Lab expert Anton Ivanov said in an analysis that after infecting the victim, the bot copies itself into the user’s home directory and sets itself to run at system startup. To provide a means of identifying each bot, a unique bot identifier is generated on each user machine. After successfully establishing a connection, the bot joins a predefined channel and waits for the attackers’ commands, which include the address of the computer to be attacked, the port number, the attack duration, the number of threads to be used in the attack, and the headers to generate during an HTTP flood attack.
The botnet uses IRC to communicate with its command-and-control server. “This leads us to one more curious feature of this malware – it uses the PircBot open framework to implement communication via IRC,” Ivanov said. “The malware includes all the classes needed for the purpose.”
The bug is stealthy, too: “To make analyzing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator,” he explained. “In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class – which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.”
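Two traits described above, a bundled copy of the PircBot framework and Zelix-obfuscated class names, are things a defender can look for when triaging JAR files found in home directories or startup entries. The script below is an added example, not code from Kaspersky Lab or from the malware analysis; it assumes PircBot's real package path (org.jibble.pircbot) and uses a simple heuristic, that obfuscated JARs carry a high share of one- or two-letter class names, which is an assumption rather than a definitive Zelix signature.

```python
import io
import re
import zipfile

# Package path of the open-source PircBot IRC framework (org.jibble.pircbot).
PIRCBOT_PREFIX = "org/jibble/pircbot/"
# Heuristic (assumption): obfuscators such as Zelix Klassmaster rename classes
# to very short names, so a high share of such names is a triage indicator.
OBFUSCATED_NAME = re.compile(r"(?:.*/)?[a-z]{1,2}\.class$")


def inspect_jar(data: bytes) -> dict:
    """Return triage indicators for an in-memory JAR (zip) image."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if n.endswith(".class")]
    pircbot = [n for n in names if n.startswith(PIRCBOT_PREFIX)]
    obfuscated = [n for n in names if OBFUSCATED_NAME.match(n)]
    ratio = len(obfuscated) / len(names) if names else 0.0
    return {
        "class_count": len(names),
        "bundles_pircbot": bool(pircbot),
        "obfuscated_ratio": round(ratio, 2),
        # Both traits together are what the article describes; flag on both.
        "suspicious": bool(pircbot) and ratio >= 0.5,
    }


def build_sample_jar(entries) -> bytes:
    """Constructed sample: a zip with empty placeholder entries, not a real bot."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


# Constructed inputs: one JAR shaped like the bot, one ordinary application.
SUSPECT = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "org/jibble/pircbot/PircBot.class",
    "org/jibble/pircbot/IrcException.class",
    "a.class", "b.class", "c.class", "a/b.class",
])
BENIGN = build_sample_jar([
    "META-INF/MANIFEST.MF",
    "com/example/app/Main.class",
    "com/example/app/ReportGenerator.class",
])

if __name__ == "__main__":
    for label, jar in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, inspect_jar(jar))
```

Run it against real files by reading a JAR from disk into `inspect_jar`; the ratio threshold is a starting point to tune, not a verdict.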
Kaspersky Lab detects the malware as HEUR:Backdoor.Java.Agent.a. Users should update Java ASAP to avoid infection.