McAfee discovered a strand of malware that utilizes a Java backdoor for botnet communications. Does such an attack...
differ from executable files that have served as backdoors in the past? And how can enterprises go about detecting this attack?
Ask the Expert
Do you have an enterprise threat question for Nick Lewis? Submit it now via email! (All questions are anonymous.)
In order for malware to be easily controlled remotely, it must open a backdoor for communication. As McAfee notes in its blog post about the JV/BackDoor-FAZY malware, using a Java applet as the backdoor for botnet communication functionality is not exploiting a vulnerability in Java itself or even necessarily in the underlying operating system; it utilizes Java as an infection vector because Java is so common and used on multiple platforms. This specific malware first executes on the local system and then runs the Java applet with the Java Runtime Environment (JRE). This attack is unique because of the malware kit used and the potential for multi-platform attacks utilizing the "write once, exploit everywhere" nature of the JRE.
Enterprises can detect these types of attacks with antimalware software by monitoring the network for botnet communications or monitoring processes executed on the local system. Some antimalware vendors, like McAfee noted in its blog, have detection included for this malware.
Additionally, a network tool such as an intrusion prevention system, network-based malware-detection tool, firewall or NetFlow collector could identify the malware communication on the network by analyzing the network fingerprints or by detecting communication with known botnet controllers. This could be a matter of detecting any IP connection to a known botnet controller, or new outbound connections to a particular IP. While monitoring executed processes on local enterprise systems would require significant effort and might have a high false-positive rate, organizations that have a list of known good Java applets used by a tightly controlled JRE could detect unknown Java applets being executed by the JRE and therefore mitigate the risks of the malware.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Malware is increasingly using DNS tunnels to aid in data exfiltration. Expert Nick Lewis explains how the attacks work and how best to defend against...continue reading
Researchers warned about the rise of a new cross-site scripting flaw involving same-origin policy. Expert Nick Lewis explains the vulnerability and ...continue reading
Malware authors are adopting software wrapping to hide malicious code and avoid detection. Expert Nick Lewis explains how to defend against the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.