
Detect and mitigate Java backdoors that enable botnet communication

Nick Lewis offers advice on detecting a particular strain of malware that uses a Java backdoor to enable botnet communication.

McAfee discovered a strand of malware that utilizes a Java backdoor for botnet communications. Does such an attack differ from executable files that have served as backdoors in the past? And how can enterprises go about detecting this attack?


For malware to be controlled remotely, it must open a backdoor for communication. As McAfee notes in its blog post about the JV/BackDoor-FAZY malware, using a Java applet as the backdoor for botnet communication does not exploit a vulnerability in Java itself, or even necessarily in the underlying operating system; the malware uses Java as an infection vector because Java is so common and runs on multiple platforms. This specific malware first executes on the local system and then runs the Java applet with the Java Runtime Environment (JRE). What makes this attack notable is the malware kit used and the potential for multi-platform attacks that take advantage of the "write once, exploit everywhere" nature of the JRE.

Enterprises can detect these types of attacks with antimalware software, by monitoring the network for botnet communications, or by monitoring the processes executed on local systems. Some antimalware vendors, including McAfee, as noted in its blog, already include detection for this malware.

Additionally, a network tool such as an intrusion prevention system, a network-based malware-detection tool, a firewall or a NetFlow collector could identify the malware's communication on the network by analyzing network fingerprints or by detecting communication with known botnet controllers. This could be as simple as detecting any IP connection to a known botnet controller, or flagging new outbound connections from a host to an IP it has not contacted before. Monitoring executed processes on local enterprise systems would require significant effort and might have a high false-positive rate; however, organizations that maintain a list of known-good Java applets used by a tightly controlled JRE could detect unknown Java applets being executed by the JRE and thereby mitigate the risk from this malware.
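The two detection approaches just described, as an added worked example that is not part of the original article or McAfee's analysis: the network check scans NetFlow-style records for connections to known botnet controllers and for destinations a host has never contacted before, and the host check compares the SHA-256 hash of each JAR the JRE is asked to run against an allow-list of known-good applets. Every IP address, file name, JAR content and hostname below is a constructed placeholder (documentation IP ranges, made-up JAR bytes), not a real indicator of compromise; the function names and the record layouts are assumptions for this example.

```python
"""Added example, not from the original article: the two detection
approaches described in the text, run over constructed sample data.

Network side: flag NetFlow-style records whose destination is a known
botnet controller, or a destination absent from the source host's
historical baseline (a new outbound connection).
Host side: hash the JAR each JRE launch points at and flag anything that
is not on the allow-list of known-good applets.

All IPs, file names, hostnames and JAR contents are constructed
placeholders, not real indicators."""
import hashlib

# Constructed placeholder list of known botnet-controller IPs (documentation ranges).
KNOWN_BOTNET_CONTROLLERS = {"203.0.113.45", "198.51.100.7"}

# Constructed per-host baseline of destinations seen in past NetFlow data.
BASELINE = {
    "10.0.0.5": {"192.0.2.10", "192.0.2.20"},
    "10.0.0.6": {"192.0.2.10"},
}

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 443, 1200),
    ("10.0.0.5", "203.0.113.45", 8080, 300),   # on the controller list
    ("10.0.0.6", "192.0.2.10", 443, 5100),
    ("10.0.0.6", "198.51.100.200", 6667, 90),  # never seen from this host
]


def flag_flows(flows, known_controllers, baseline):
    """Return one alert tuple per suspicious flow, in input order.

    'known-controller': destination is on the controller list.
    'new-destination' : destination absent from the source host's baseline.
    Flows matching neither produce no alert."""
    alerts = []
    for src, dst, port, _bytes_out in flows:
        if dst in known_controllers:
            alerts.append(("known-controller", src, dst, port))
        elif dst not in baseline.get(src, set()):
            alerts.append(("new-destination", src, dst, port))
    return alerts


def sha256_hex(data):
    """Hex SHA-256 of a byte string (stand-in for hashing a JAR on disk)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the bytes of JARs the controlled JRE may run.
KNOWN_GOOD_JARS = {
    "timesheet.jar": b"constructed: corporate timesheet applet v3",
    "vpnhelper.jar": b"constructed: corporate VPN helper applet",
}
# The allow-list is keyed by content hash, not by file name, so a renamed
# or replaced JAR does not pass just because its name looks familiar.
JAR_ALLOWLIST = {sha256_hex(data) for data in KNOWN_GOOD_JARS.values()}

# Constructed JRE launch events as a process monitor might record them.
JRE_LAUNCHES = [
    {"host": "ws01", "cmdline": "java -jar C:\\Apps\\timesheet.jar",
     "jar_bytes": KNOWN_GOOD_JARS["timesheet.jar"]},
    {"host": "ws02", "cmdline": "java -jar C:\\Users\\u\\AppData\\Local\\Temp\\update.jar",
     "jar_bytes": b"constructed: unknown jar dropped into a temp directory"},
]


def flag_jre_launches(launches, allowlist):
    """Return the launches whose JAR hash is not allow-listed, hash attached."""
    unknown = []
    for ev in launches:
        digest = sha256_hex(ev["jar_bytes"])
        if digest not in allowlist:
            unknown.append({"host": ev["host"], "cmdline": ev["cmdline"],
                            "sha256": digest})
    return unknown


if __name__ == "__main__":
    for alert in flag_flows(FLOWS, KNOWN_BOTNET_CONTROLLERS, BASELINE):
        print("NET ", alert)
    for ev in flag_jre_launches(JRE_LAUNCHES, JAR_ALLOWLIST):
        print("HOST", ev["host"], ev["cmdline"], ev["sha256"][:16])
```

Run stand-alone, the network check raises two alerts (one controller hit, one new destination) and the host check flags only the JAR launched from the temp directory. In practice the baseline would be built from a window of historical NetFlow data and the allow-list from hashes of the applets the organization actually deploys; the new-destination rule is the noisy one, which is why the text pairs it with a controller list and warns about false positives for host-level monitoring.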

This was last published in March 2014

1 comment

Update all installations of Java on every Mac, Windows or Linux computer