Tuesday, October 16, 2012

New Virus Attack! Java Trojan Downloader

Java.Trojan.Downloader.OpenConnection.AI is a malicious Java applet that downloads and executes arbitrary files. In the wild, it can be found as a Java archive. The malicious HTML passes the encrypted URL of the file to download and execute as the parameter a to the applet. The applet uses the CVE-2010-0840 exploit to bypass the Java sandbox.
 
The JAR file contains four class files in the bpac package:
  • KAVS.class;
  • a$1.class;
  • a.class - the applet;
  • b.class - the URL decrypter.
The applet starts out by generating a random name for the executable under the system temporary directory. The name is made up entirely of random digits and has the extension ".exe" appended.
Next, it checks whether the operating system is Windows, by searching for the string Windows in the os.name system property.
If the OS checks out, the applet downloads the file and executes it with a call to Runtime#exec.
The code is somewhat obfuscated; for example, the names of the system properties java.io.tmpdir and os.name appear reversed.
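The reversed property names are a cheap static indicator for this family. The following Python helper is an added example written for this post, not code from the malware or from any analysis tool: it runs a plain printable-strings pass over a class file and flags any string that is the reverse of a well-known Java system property name (or of the "Windows" token the applet searches for). The class-file fragment it scans is constructed inline to mimic constant-pool UTF-8 entries and is not a real sample; the token list is an assumption you would extend from your own triage.

```python
import re

# Tokens whose reversed form in a class file suggests the string-reversal
# obfuscation described above. "Windows" covers the reversed os.name comparison.
# This list is an assumption for the example, not something taken from the sample.
KNOWN_TOKENS = ("java.io.tmpdir", "os.name", "Windows", "user.home")


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable ASCII runs of at least min_len bytes (a plain 'strings' pass)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_reversed_properties(data: bytes):
    """Return (reversed_string, original_token) pairs for every reversed token found."""
    hits = []
    for s in extract_strings(data):
        for token in KNOWN_TOKENS:
            rev = token[::-1]
            if rev in s:
                hits.append((rev, token))
    return hits


def cp_utf8(s: str) -> bytes:
    """Encode one CONSTANT_Utf8 entry: tag 0x01, two-byte big-endian length, bytes."""
    b = s.encode("utf-8")
    return b"\x01" + len(b).to_bytes(2, "big") + b


# Constructed stand-in for the start of a class file: magic, version, pool count,
# then a few UTF-8 constants. It is not a real, loadable class.
SAMPLE_CLASS_FRAGMENT = (
    b"\xca\xfe\xba\xbe\x00\x00\x00\x32\x00\x05"
    + cp_utf8("ridpmt.oi.avaj")     # "java.io.tmpdir" reversed
    + cp_utf8("eman.so")            # "os.name" reversed
    + cp_utf8("swodniW")            # "Windows" reversed
    + cp_utf8("java/lang/Runtime")  # an ordinary, un-obfuscated constant
)

if __name__ == "__main__":
    for rev, token in find_reversed_properties(SAMPLE_CLASS_FRAGMENT):
        print(f"reversed string {rev!r} -> {token}")
```

Run it against the raw bytes of each .class file extracted from a suspicious JAR; a hit on a reversed property name is a strong reason to look at the class more closely, while ordinary classes produce no hits.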
 
We have observed two variants of the decrypter:
  1. One performs a series of single-character replacements on the URL, then appends the string "?i=1".
  2. The other one is a bit more complex. It assumes the URL isn't encrypted at all and duplicates some of the applet's code: it downloads the file at the given URL, assumes it's a PE executable, and checks the Characteristics field of the IMAGE_FILE_HEADER for 0x2000, i.e., IMAGE_FILE_DLL.
     It generates a random name made up of digits for the executable under the system temporary directory and appends the proper extension depending on whether the file is a DLL or an EXE. If it's an EXE, it executes it with a call to Runtime#exec, just like the applet does; if it's a DLL, it registers it using regsvr32.
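The DLL-versus-EXE decision in the second decrypter comes down to one bit in the PE file header, and an analyst triaging a downloaded payload wants to make the same determination, since it decides whether to expect a new process from Runtime#exec or a regsvr32 registration. The Python below is an added example written for this post (not the decrypter's code and not any library's API): it walks the DOS header to e_lfanew, checks the "PE\0\0" signature, reads Characteristics from IMAGE_FILE_HEADER and reports dll, exe, or not-pe. The sample headers it classifies are constructed in the block and are not loadable images; the 0x2000 value is the IMAGE_FILE_DLL flag named above.

```python
import struct

IMAGE_FILE_DLL = 0x2000               # the Characteristics bit the decrypter tests
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002


def pe_characteristics(data: bytes) -> int:
    """Return the Characteristics WORD of IMAGE_FILE_HEADER; raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # IMAGE_NT_HEADERS = 4-byte "PE\0\0" signature + 20-byte IMAGE_FILE_HEADER.
    # Characteristics is the last WORD of the file header, i.e. at e_lfanew + 22.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]


def classify_payload(data: bytes) -> str:
    """'dll' if IMAGE_FILE_DLL is set, 'exe' otherwise, 'not-pe' for anything else."""
    try:
        chars = pe_characteristics(data)
    except ValueError:
        return "not-pe"
    return "dll" if chars & IMAGE_FILE_DLL else "exe"


def build_fake_pe(characteristics: int) -> bytes:
    """Constructed minimal PE-shaped header for testing; not a real, loadable image."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)         # e_lfanew -> NT headers at 0x40
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(header) + b"PE\0\0" + file_header


SAMPLE_DLL = build_fake_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)  # 0x2002
SAMPLE_EXE = build_fake_pe(IMAGE_FILE_EXECUTABLE_IMAGE)                   # 0x0002

if __name__ == "__main__":
    for name, blob in (("dll", SAMPLE_DLL), ("exe", SAMPLE_EXE), ("junk", b"<html>")):
        print(name, "->", classify_payload(blob))
```

The not-pe branch matters in practice: the decrypter assumes the download is a PE, so a server that answers with an HTML error page or an empty body is exactly the case a triage script should handle without crashing.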
