{"id":27792,"date":"2013-08-02T01:38:59","date_gmt":"2013-08-02T08:38:59","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=27792"},"modified":"2025-06-02T03:06:34","modified_gmt":"2025-06-02T10:06:34","slug":"java-back-door-acts-as-bot","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/java-back-door-acts-as-bot\/","title":{"rendered":"Java Back Door Acts as Bot"},"content":{"rendered":"

The current threat landscape is often driven by web-based malware and exploit kits that are regularly updated with newly found vulnerabilities. Recently, we received an interesting malware binary–a JAR package that opens a back door for an attacker to execute commands and acts as a bot after infection.<\/p>\n

This archive does not exploit any Java vulnerability. It was chosen as the infection vector because Java applications can run on multiple platforms with ease; thus this method widens the infection to a greater number of users. We have seen this type of attack in the past using executable files.<\/p>\n

\"Infection_Flow1\"<\/a><\/p>\n

The key to decrypt the config file was encrypted with Base 64<\/a> [see Figure 2]. Decoding it, we end up with the hex bytes. Further converting the hex bytes to ASCII, we get the decryption key [see Figure 3] to decrypt the config.dat file.<\/p>\n

\"Key\"<\/a><\/p>\n

Figure 2:\u00a0Base 64-encoded key file.<\/p>\n

\"Decryption_Key\"<\/a><\/p>\n

Figure 3: Decryption key to the “config.dat” file.<\/p>\n

\u00a0<\/em><\/p>\n

With the decryption key, we saw that the config.dat file is encrypted using the Triple-DES<\/a> algorithm. Executing the Triple-DES snippet gave us the plain config file, which holds the information about the backdoor connection. That data includes IP address, port number, operating system, mutex information, and password for the connection [see Figure 4].<\/p>\n

\"Plain_Config\"<\/a><\/p>\n

Figure 4: Plain config file.<\/p>\n

On execution, the JAR file opens the backdoor connection to the IP address and the port mentioned in the plain config file. Once the backdoor connection is made, the compromised user environment will act as the server and the attacker will be the client. The attacker can now take control of the victim’s system and can execute any commands. We found that these types of malicious JAR files can be built from a remote administration tool that is readily available online. Using the tool, anyone can build the malicious JAR package.<\/p>\n

\"Tool\"<\/a><\/p>\n

Figure 5: Server build dashboard.<\/p>\n

Figure 5 shows the dashboard to build the server binary, which is later sent to innocent users. The dashboard makes clear what a binary built using this tool can do. Here are some of the activities:<\/p>\n