I’m sorry for the few posts in the last weeks, but I was quite busy. Today I am going to analyze another interesting Java malware.
Our target is a jar, md5: 38f083169319d0141532db992d295448. The jar contains one class: AppletX. After running a Java decompiler on our target, we get the AppletX class code.
I will report only the relevant parts. Let’s go...
At this point the malware exploits a vulnerability in the getSoundBank method [CVE-2009-3867] to execute malicious code on the victim's system. It retrieves the applet parameters sc and np (meaningful names) and then uses the following spray method to place the shellcode in memory:
This method is the heart, or engine if you prefer, of the malware. I have underlined the value of the variable i, since I have found another variant of this malware (md5: 52586e8a85188a0ada59294650c91362) that only changes the value of i to a higher value.
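As an added triage check (my own example, not code from this post or from the sample), the scanner below parses the constant pool of every class in a jar and flags classes whose string constants reference the applet base class, getParameter and getSoundBank, the method this sample abuses. The jar it scans is a constructed stand-in built in memory, not the real sample.

```python
import io
import struct
import zipfile

# Constant-pool tag -> fixed payload size in bytes (tag 1, Utf8, is variable length)
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Strings worth flagging in an applet: the base class, parameter reads, and the abused method
INDICATORS = ("getSoundBank", "java/applet/Applet", "getParameter")

def utf8_constants(class_bytes):
    """Walk a .class constant pool and return its CONSTANT_Utf8 strings."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count, pos, idx, out = struct.unpack(">H", class_bytes[8:10])[0], 10, 1, []
    while idx < count:
        tag, pos = class_bytes[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the bytes
            length = struct.unpack(">H", class_bytes[pos:pos + 2])[0]
            out.append(class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError("unknown constant pool tag %d" % tag)
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return out

def scan_jar(jar_bytes):
    """Map each class in the jar to the indicator strings its constant pool contains."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            found = [s for s in INDICATORS if s in set(utf8_constants(jar.read(name)))]
            if found:
                hits[name] = found
    return hits

def _fake_class(strings):
    """Constructed fixture: a minimal class file whose constant pool holds only Utf8 entries."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in strings)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 50, len(strings) + 1) + pool

def build_sample_jar():
    """Constructed in-memory jar standing in for the sample; not the real file from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("AppletX.class", _fake_class(["java/applet/Applet", "getParameter", "sc", "np", "getSoundBank"]))
        jar.writestr("Util.class", _fake_class(["java/lang/Object", "toString"]))
    return buf.getvalue()
```

Running scan_jar(build_sample_jar()) reports only AppletX.class, with all three indicators; on a real jar the same call points you at the class to decompile first.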
This malware is another good reason to turn off all Java content while browsing the web. As always, feedback and comments are welcome.
I hope you have enjoyed this post.
See you soon ;]