A security researcher walked through some of the methods used by the Flashback malware to highlight the types of Java vulnerabilities that malware authors are exploiting.
What exactly is Flashback? Flashback is a form of malware designed to grab passwords and other information from users through their Web browser and other applications such as Skype. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious Web site. At that point, the software installs code designed to gather personal information and send it back to remote servers. In its most recent incarnations, the software can install itself without user interaction.
[Image: An earlier version of the Flashback Trojan's installer. Credit: Intego]
When did it first appear? Flashback as we know it now appeared near the end of September last year, pretending to be an installer for Adobe's Flash, a widely used plug-in for streaming video and interactive applications that Apple no longer ships on its computers. The malware then evolved to target the Java runtime on OS X: users visiting malicious sites were prompted to approve a Java applet in order to view the Web content, and that applet installed the malware. The most advanced versions exploited Java vulnerabilities to install quietly in the background, with no prompt and no administrator password needed.
How did it infect so many computers? The simple answer is that the software was designed to do exactly that. In its initial incarnation, the malware looked very similar to Adobe's Flash installer. It didn't help that Apple had not shipped Flash on its computers for well over a year, arguably creating a pool of users more likely to run an installer in order to view popular Web sites built on Flash. In its newer Java-based variants, the software could install itself without the user having to click on anything or provide a password.
Java malware targets certain types of vulnerabilities, and "type confusion" is the most common class being exploited, Jeong Wook (Matt) Oh, a Microsoft researcher, told attendees Thursday at the Black Hat conference in Las Vegas.
Type confusion occurs when the Java runtime is tricked into treating an object of one type as if it were an object of another, incompatible type. Other common categories of Java vulnerabilities include logic errors, memory corruption, and argument injection, Oh said.
Type safety, meaning the compile-time and run-time checks that ensure every object is only ever accessed according to its actual type, is the most essential element of Java security, Oh said. If one of those checks can be bypassed or fails for any reason, the result is type confusion. Oh likened it to identity theft in the real world.
“If one person can steal another person's identity, this can lead to exploitation of the person and the resources the person has access to,” he said.
Type confusion is a well-known problem and one of the major vulnerability groups currently being exploited in Java, which in turn is one of the most commonly exploited pieces of software in organizations. The Flashback malware that wreaked havoc earlier this spring on hundreds of thousands of Mac computers exploited a type confusion vulnerability in the "AtomicReferenceArray" class (CVE-2012-0507).
“This vulnerability is currently the number one vector for drive-by exploits,” Oh told attendees.
Java malware is highly portable because Java itself is multi-platform: the same bytecode, benign or malicious, runs unchanged on any operating system with a Java runtime. Considering that Oracle states that more than 1.1 billion desktops run the software, developing Java malware makes a lot of sense from an attacker's standpoint, Oh said.
There are ways to analyze Java code to determine whether it is malicious, and Oh outlined some tools in his presentation.
Disassemblers such as IDA show the bytecode-level instructions and the class file's constant tables, which is what an analyst falls back on when the binary has been manipulated and can't be decompiled, Oh said. If it can be decompiled, decompilers such as JD-GUI and JAD are good tools for regenerating source code from Java binaries. The debuggers built into IDEs such as Eclipse and NetBeans can then be used to step through that recovered source and figure out what each line actually does.
However, Java malware is often obfuscated, meaning the bytecode has been deliberately transformed so that it resists decompilation and is hard to read even when it can be decompiled. Bytecode instrumentation libraries such as BCEL and ASM are useful here, he said, because they let researchers rewrite the classes to log or trace what the code does at run time instead of trying to read through the obfuscated code by hand.