Researchers at Kaspersky labs have discovered a sample of malware that’s effective at infecting computers operating Windows, Mac OS X, and Linux which have Oracle’s Java software framework installed.
The cross-platform botnet is detected as HEUR:Backdoor.Java.Agent.a, which was given to it by a blog post on Kaspersky’s site. The malware takes hold of computers via an exploit CVE-2013-2465, a vital Java vulnerability which Oracle fixed in June. The security bug exists on Java 7 u21 and earlier. As soon as the bot has infected a computer, it duplicates itself to the autostart directory associated with its particular platform to be sure it runs anytime the device is turned on. The malware then reports to an Internet relay chat (IRC) channel that behaves as a command and control server where attackers can receive information and execute commands.
The botnet is made to carry out distributed denial-of-service (DDoS) attacks on servers. Instructions issued within the IRC channel enable the attackers to indicate the exact IP address, port number, strength, and time period of attacks. The malware is programmed completely in Java, allowing it to operate on Windows OS X and Linux machines. For additional versatility, the bot incorporates PircBot, an IRC programming interface based on Java. The malware authors also used Zelix Klassmaster obfuscator to make it more difficult to reverse engineer.
While Kaspersky was analyzing the malware, the bot masters initiated a DDoS attack on a mail server, you can view it in the picture below.
