JAVA Sound Malware

Hello guys,

I’m sorry for the few posts in the last weeks, but I was quite busy. Today I am going to analyze another interesting JAVA malware.

Our target is a jar, md5: 38f083169319d0141532db992d295448. The jar contains one class: AppletX.  After using a java decompiler on our target, we will get the AppletX class code.

I will report only the relevant parts. Let’s go..

Firstly, the malware tries to discover the operating system in use by using System.getProperty(“”), then it fills str1 according to the O.S. in use.

At this point the malware proceeds by exploiting a vulnerability located into getSoundBank method [CVE-2009-3867] to execute malicious code on the victim system. It retrieves the parameters: sc and np (meaningful names) and then it uses the following spray method in order to place the shellcode:

As we can see, this function simply converts the parameters into hex and then it calls the real spray method:

This method is the heart or engine(if you prefer) of the malware. I have underlined the value of the variable i, since I have found another variant of this malware md5: 52586e8a85188a0ada59294650c91362, that only changes the value of i to an higher value.

This malware is another good reason to turn off all java* contents while browsing the web. As always feedbacks and comments are welcome.

I hope you have enjoyed this post.
See you soon ;]


1 Response to “JAVA Sound Malware”

  1. 1 Bobo March 18, 2010 at 9:25 am

    DJ Java Decompiler can be a very handy development tool when you need to analize Java class files.. It is a must have so as to understand the contents of java binary file. With DJ Java Decompiler a .class file is an open book as .java file:

Comments are currently closed.


%d bloggers like this: