RDN/Generic Downloader.x!bu

This page shows details and results of our analysis on the malware RDN/Generic Downloader.x!bu

Overview

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • Microsoft - Trojandownloader:java/openstream.ak
  • Ikarus - JAVA.Agent
  • Avira - Java/Agent.GL


Minimum DAT

7011 (2013-03-11)

Updated DAT

7083 (2013-05-22)

Minimum Engine

5400.1158

File Length

Varies

Description Added

2013-03-06

Description Modified

2013-05-21

Malware Proliferation

Characteristics

---------- Updated on May 21, 2013 -------

Aliases

  • Fortinet - Java/Agent.NGC!tr.dldr
  • Symantec - Trojan.Maljava
  • Avira - Java/Dldr.Themod.HK.2

“RDN/Generic Downloader.x!bu” is a detection for the class file. The class is used to connect to the internet and download the payload.

“RDN/Generic Downloader.x!bu” is a detection for a class file used by attackers to bypass the Java sandbox restrictions and execute arbitrary code.

The class file that triggers the vulnerability is called by another class file, which acts as a loader and exploits the vulnerability in the JRE. Once the exploit succeeds, the loader class file calls a further class file that downloads the payload and executes it.

When a user running a vulnerable version of Java visits the malicious website, the security checks may be bypassed, allowing arbitrary code to run that downloads and executes a malicious program from a URL supplied by the website.

The following is the code which opens the connection to download the payload.

---------- Updated on May 21, 2013 -------

“RDN/Generic Downloader.x!bu” is a detection for a class file used by attackers to bypass the Java sandbox restrictions and download payloads. It is a Java applet that attempts to download and execute files from a malicious website.

Once the Trojan applet runs on a vulnerable computer, it starts downloading and executing arbitrary malicious files from a remote website.

The ClassLoaderRepository referenced in the class file keeps the list of ClassLoaders registered in a server; its methods load classes through those registered ClassLoaders. The PrivilegedAction class is used for security-sensitive operations performed inside an object's run method.

When a user running a vulnerable version of Java visits the malicious website, the security checks may be bypassed, allowing arbitrary code to run that downloads and executes a malicious program.
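The loader/downloader chain and the ClassLoaderRepository and PrivilegedAction references described above leave a footprint in the class file's constant pool, which is where a defender can look without running any bytecode. The following added example (not McAfee's tooling and not code from the malware) parses the constant pool of a .class file and flags API references typical of a sandbox-escape downloader: network fetch, file write, process execution, privileged actions and class-loader repository use. The sample class it scans is constructed inline for the demonstration and is not a real sample; the category names and the "downloader-like" verdict rule are this example's own assumptions.

```python
"""Static triage of a Java .class file: walk the constant pool and flag
API references typical of a sandbox-escape downloader.  Detection aid
only; no bytecode is executed.  Added example for this page, not
McAfee's own tooling; the sample class built below is constructed here
and is not the real malware."""
import struct

# JVM constant pool tags (JVM spec, section 4.4)
UTF8, INTEGER, FLOAT, LONG, DOUBLE = 1, 3, 4, 5, 6
CLASS, STRING, FIELDREF, METHODREF, IMETHODREF = 7, 8, 9, 10, 11
NAME_AND_TYPE, METHOD_HANDLE, METHOD_TYPE, INVOKE_DYNAMIC = 12, 15, 16, 18

# Class names worth flagging, mapped to a behaviour category (categories are
# this example's own labels).  ClassLoaderRepository and PrivilegedAction come
# from the page's description; the rest are the usual download-and-run primitives.
SUSPICIOUS_CLASSES = {
    "java/net/URL": "network",
    "java/net/URLConnection": "network",
    "java/io/FileOutputStream": "file-write",
    "java/lang/Runtime": "exec",
    "java/lang/ProcessBuilder": "exec",
    "java/security/PrivilegedAction": "privilege",
    "java/security/AccessController": "privilege",
    "javax/management/loading/ClassLoaderRepository": "classloader",
}
# Method names that strengthen the verdict when seen alongside the classes above.
SUSPICIOUS_METHODS = {"openStream", "openConnection", "exec", "doPrivileged", "loadClass"}


def parse_constant_pool(data):
    """Return the constant pool as a list indexed like the JVM does (slot 0 unused)."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool = [None]
    off = 10
    while len(pool) < count:
        tag = data[off]
        off += 1
        if tag == UTF8:
            (length,) = struct.unpack(">H", data[off:off + 2])
            off += 2
            # Real class files use "modified UTF-8"; plain decoding suffices for ASCII names.
            pool.append((tag, data[off:off + length].decode("utf-8", "replace")))
            off += length
        elif tag in (CLASS, STRING, METHOD_TYPE):          # one u2 index
            pool.append((tag, struct.unpack(">H", data[off:off + 2])[0]))
            off += 2
        elif tag in (INTEGER, FLOAT):                      # u4 payload
            pool.append((tag, None))
            off += 4
        elif tag in (LONG, DOUBLE):                        # u8 payload, occupies two slots
            pool.extend([(tag, None), None])
            off += 8
        elif tag in (FIELDREF, METHODREF, IMETHODREF, NAME_AND_TYPE, INVOKE_DYNAMIC):
            pool.append((tag, struct.unpack(">HH", data[off:off + 4])))
            off += 4
        elif tag == METHOD_HANDLE:                         # u1 kind + u2 index
            pool.append((tag, None))
            off += 3
        else:
            raise ValueError("unknown constant pool tag %d at offset %d" % (tag, off - 1))
    return pool


def scan_class(data):
    """Map every flagged class name or method name in the pool to its category."""
    hits = {}
    for entry in parse_constant_pool(data):
        if entry is None or entry[0] != UTF8:
            continue
        text = entry[1]
        for name, category in SUSPICIOUS_CLASSES.items():
            if text == name or text.startswith(name + "$"):   # also inner classes
                hits[text] = category
        if text in SUSPICIOUS_METHODS:
            hits[text] = "method"
    return hits


def is_downloader_like(hits):
    """Heuristic verdict: network fetch combined with a file write or process execution."""
    categories = set(hits.values())
    return "network" in categories and bool({"file-write", "exec"} & categories)


def build_sample_class(class_names):
    """Construct a minimal, non-executable class file whose pool names the given
    classes (this_class = first name, super_class = second).  Test input only."""
    pool = bytearray()
    index = 1
    for name in class_names:
        raw = name.encode("utf-8")
        pool += struct.pack(">BH", UTF8, len(raw)) + raw      # slot `index`
        pool += struct.pack(">BH", CLASS, index)              # slot index+1 -> that Utf8
        index += 2
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 50, index)   # constant_pool_count = slots + 1
    # access flags, this_class, super_class, then zero interfaces/fields/methods/attributes
    tail = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)
    return bytes(header + pool + tail)


if __name__ == "__main__":
    sample = build_sample_class(["Loader", "java/lang/Object", "java/net/URL",
                                 "java/io/FileOutputStream", "java/lang/Runtime",
                                 "java/security/PrivilegedAction"])
    found = scan_class(sample)
    for name, category in sorted(found.items()):
        print("%-40s %s" % (name, category))
    print("downloader-like:", is_downloader_like(found))
```

Pointing `scan_class` at the bytes of a real class file (for example one extracted from a suspicious JAR) works the same way; the verdict is a triage hint for prioritising samples, not a replacement for engine and DAT detection.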

Symptoms

  • The exploit may download arbitrary files.
  • The exploit attempts to download and execute additional malware on the infected system.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Variants