
Multi-platform Java-based malware: Reducing Java risks

A new variant of Java-based malware can execute regardless of the operating system used. Nick Lewis explains how to limit the threat.

I've read more recently about Java-based malware that can infect any computer -- Mac, Windows or Linux -- that is running Java. How does it work? Is it possible to limit the risk this malware poses while keeping Java installed?

The first priority of most malware authors is to make the most money possible from their attacks without getting caught. Being able to target as many computers as possible has a direct correlation with the money the attacker is able to make. Performing an attack on a computer regardless of its OS, be it Windows, Linux or Mac, will help attackers target the widest base possible. Because Java, much like Adobe Flash or Reader, can run on all of these platforms, it could potentially be used to attack any or all of them. This is part of the "write once, run anywhere" concept in which developers can easily add support for additional operating systems as long as the Java Runtime Environment (JRE) is available. This further demonstrates that malware authors are adopting professional software development practices.

Kaspersky Lab wrote a blog post about a new malware variant it analyzed -- HEUR:Backdoor.Java.Agent.a -- a multi-platform, Java-based backdoor. While it currently has only distributed denial-of-service capabilities, this could be seen as a sign that the author is using it as a base from which to expand into a more comprehensive attack.

The malware exploits a vulnerability in the JRE (CVE-2013-2465) to escape the Java sandbox and execute code on the local system. The malware then copies itself to the autorun location for Windows, Mac or Linux so it will restart when the system reboots. While the malware currently uses IRC for command and control (which can be blocked at the network level), future versions could include a more elaborate C&C channel that is not so easy to block. The best ways to limit this risk are ensuring that locally logged-in users are not logged in as administrators and keeping the JRE up to date. By not logging in as an admin, you make it more difficult for an attacker to gain admin access without exploiting a vulnerability in an installed piece of software (like the JRE). Keeping the JRE up to date minimizes the chances of an exploit gaining administrative access.
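One way to act on the "keep the JRE up to date" advice across Windows, Mac and Linux is to check the installed JRE version against the release that fixed CVE-2013-2465. The script below is an added example, not part of the original column; it assumes that Java SE 7 Update 25 (Oracle's June 2013 patch) is the first Java 7 release carrying the fix, and it treats Java 6 and older, which no longer receive public updates, as exposed.

```python
"""Flag JREs that predate the fix for CVE-2013-2465 (added example).

Assumption: Java 7 Update 25 is the first Java 7 release with the fix.
Java 8 and later shipped after the fix; Java 6 and older are end-of-life
for public updates and are treated as exposed.
"""
import re
import subprocess

FIXED_UPDATE = {7: 25}  # family -> first patched update (assumption above)

# Legacy scheme:  java version "1.7.0_21"   -> family 7, update 21
_LEGACY = re.compile(r'"1\.(\d+)\.\d+_(\d+)')
# Modern scheme:  openjdk version "11.0.2"  -> family 11, patch 2
_MODERN = re.compile(r'"(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_java_version(banner):
    """Return (family, update) from `java -version` output, or raise ValueError."""
    m = _LEGACY.search(banner)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _MODERN.search(banner)
    if m:
        return int(m.group(1)), int(m.group(3) or 0)
    raise ValueError("no Java version string found in: %r" % banner)


def vulnerable_to_cve_2013_2465(banner):
    """True if the JRE described by `banner` is missing the fix."""
    family, update = parse_java_version(banner)
    if family >= 8:
        return False                      # released after the fix
    if family in FIXED_UPDATE:
        return update < FIXED_UPDATE[family]
    return True                           # Java 6 and older: no public fixes


def check_local_jre():
    """Run `java -version` (it prints to stderr) and classify the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "Java not found on PATH"
    banner = (proc.stderr or proc.stdout).strip()
    first_line = banner.splitlines()[0] if banner else banner
    status = "VULNERABLE" if vulnerable_to_cve_2013_2465(banner) else "patched"
    return "%s: %s" % (status, first_line)


if __name__ == "__main__":
    print(check_local_jre())
```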


This was last published in July 2014
