I've read more recently about Java-based malware that can infect any computer -- Mac, Windows or Linux -- that...
is running Java. How does it work? Is it possible to limit the risk this malware poses while keeping Java installed?
The first priority of most malware authors is to make the most money possible from their attacks without getting caught. Being able to target as many computers as possible has a direct correlation with the money the attacker is able to make. Performing an attack on a computer regardless of its OS, be it Windows, Linux or Mac, will help attackers target the widest base possible. Because Java, much like Adobe Flash or Reader, can run on all of these platforms, it could potentially be used to attack any or all of them. This is part of the "write once, run anywhere" concept in which developers can easily add support for additional operating systems as long as the Java Runtime Environment (JRE) is available. This further demonstrates that malware authors are adopting professional software development practices.
Kaspersky Lab wrote a blog post about a new variant of malware it analyzed -- HEUR:Backdoor.Java.Agent.a -- that is a multi-platform Java-based malware. While it currently only has distributed denial-of-service capabilities, this could be seen as a sign that the author is using it to expand into a more comprehensive attack.
The malware exploits a vulnerability in the JRE CVE-2013-2465 to escape the Java sandbox and execute the code on the local system. The malware then copies itself to the autorun location for Windows, Mac or Linux so it will restart when the system reboots. While the malware currently uses IRC for the command and control (which can be blocked at the network level), future versions of the malware could include a more elaborate C&C that is not so easy to block. The best ways to limit this risk is by ensuring that locally logged in users are not logged in as administrators and by keeping the JRE up to date. By not logging in as an admin, it is more difficult for an attacker to gain admin access without exploiting a vulnerability in an installed piece of software (like the JRE). Keeping the JRE up to date will minimize the chances of an exploit gaining administrative access.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)
Related Q&A from Nick Lewis
As the Angler exploit kit evolves and adopts new functionality, it's becoming harder to detect and defend against. Enterprise threats expert Nick ...continue reading
A proof-of-concept attack on Apple's Siri allowed researchers to steal data from iOS. Learn more about the iStegSiri attack and how to defend against...continue reading
A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.