McAfee discovered a strand of malware that utilizes a Java backdoor for botnet communications. Does such an attack...
differ from executable files that have served as backdoors in the past? And how can enterprises go about detecting this attack?
Ask the Expert
Do you have an enterprise threat question for Nick Lewis? Submit it now via email! (All questions are anonymous.)
In order for malware to be easily controlled remotely, it must open a backdoor for communication. As McAfee notes in its blog post about the JV/BackDoor-FAZY malware, using a Java applet as the backdoor for botnet communication functionality is not exploiting a vulnerability in Java itself or even necessarily in the underlying operating system; it utilizes Java as an infection vector because Java is so common and used on multiple platforms. This specific malware first executes on the local system and then runs the Java applet with the Java Runtime Environment (JRE). This attack is unique because of the malware kit used and the potential for multi-platform attacks utilizing the "write once, exploit everywhere" nature of the JRE.
Enterprises can detect these types of attacks with antimalware software by monitoring the network for botnet communications or monitoring processes executed on the local system. Some antimalware vendors, like McAfee noted in its blog, have detection included for this malware.
Additionally, a network tool such as an intrusion prevention system, network-based malware-detection tool, firewall or NetFlow collector could identify the malware communication on the network by analyzing the network fingerprints or by detecting communication with known botnet controllers. This could be a matter of detecting any IP connection to a known botnet controller, or new outbound connections to a particular IP. While monitoring executed processes on local enterprise systems would require significant effort and might have a high false-positive rate, organizations that have a list of known good Java applets used by a tightly controlled JRE could detect unknown Java applets being executed by the JRE and therefore mitigate the risks of the malware.
Related Q&A from Nick Lewis
As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick ...continue reading
A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against...continue reading
A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.