Java drives new cross-platform DDoS bot malware

News by Steve Gold

"This is more proof that the Apple Mac is nowhere near as resilient to attacks as people think it is" - Nigel Stanley, Incoming Thought analyst

Although relatively commonplace these days, most DDoS attack malware tends to be platform-specific in nature. Now a researcher has discovered a new nasty - a DDoS botnet that can infect Windows and Mac OS X environments, as well as Linux systems that have the Java software framework installed.

The common factor to this attack vector is, of course, that old security chestnut, Java - and according to Anton Ivanov, a researcher with Kaspersky Lab, the cross-platform malware - known as a cross-platform java-bot - exploits a critical Java vulnerability (CVE-2013-2465) which Oracle patched last summer.

Ivanov says that the botnet is fully remote controlled using Internet Relay Chat (IRC) channels, allowing cybercriminals to launch DDoS attacks from an infected machine or server and to control the IP addresses to be attacked, their port numbers and the code to be injected.

Ironically, the botnet even uses PircBot, the Java-based IRC programming interface, suggesting that the hackers have a good understanding of the Java programming language.

Nigel Stanley, CEO and analyst with Incoming Thought, said that the multi-platform aspect of the malware is interesting from a technical perspective, but the key takeaway is that computer users should not be running Java on their machines without some degree of lockdown or control.

"It's very revealing that this exploit was patched last June - this raises the question as to how many companies patch their Java implementation. Not that many, I'll wager," he said, adding that the additional takeaway is that it is more proof that the Apple Mac is nowhere near as resilient to attacks as people think it is.

Graham Cluley, another veteran security researcher, said that the arrival of the Java-driven attack vector in the cybercriminal weapons arsenal is a timely reminder - for all computer users - that they need to think carefully about whether they should have Java enabled in their Web browser.

"Java has been so bedevilled with vulnerabilities and security holes - it's become the Swiss Cheese of the security world," he said, adding that if you do not need the facility on your desktop - and most people do not - it should be disabled in your browser.

"If you do really need Java in your browser, for goodness sake make sure that you keep it up to date with the latest patches," he concluded.
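The advice above comes down to one check an administrator can automate: is the installed Java runtime at or above the release that carried the fix? The following script is an added example written for this article, not code from the article or from any of the researchers quoted. It parses the banner that `java -version` prints (both the legacy `1.7.0_NN` scheme and the newer `11.0.2` scheme) and compares it against a baseline. The baseline is a parameter; its default, Java SE 7 Update 25, is my assumption about which release shipped the June 2013 patch for CVE-2013-2465, and the sample banners are constructed for the demonstration.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Assumed baseline (not stated in the article): the June 2013 Oracle
# update that fixed CVE-2013-2465 is taken to be Java SE 7 Update 25.
MIN_VERSION: Tuple[int, int] = (7, 25)

# Matches both 'java version "1.7.0_21"' and 'openjdk version "11.0.2"'.
_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (feature_release, update) parsed from a `java -version` banner.

    Legacy scheme  1.7.0_25  -> (7, 25)
    Modern scheme  11.0.2    -> (11, 2)
    Returns None when no version string is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    first, second, third, update = m.groups()
    if first == "1":                     # legacy 1.x.y_NN: x is the feature release
        return int(second), int(update or 0)
    return int(first), int(third)        # modern x.y.z: z is the security/update level


def is_patched(banner: str, minimum: Tuple[int, int] = MIN_VERSION) -> Optional[bool]:
    """True if the runtime in `banner` is at or above `minimum`, False if it is
    older, None if the banner could not be parsed.  Deliberately conservative:
    an older major line (e.g. Java 6) is always reported as needing an upgrade."""
    version = parse_java_version(banner)
    if version is None:
        return None
    return version >= minimum


def installed_java_banner() -> Optional[str]:
    """Run `java -version` on this host and return its banner, or None if no
    java binary is on the PATH.  The JVM prints the banner to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stderr + proc.stdout


# Constructed sample banners, in the format the JVM prints them.
SAMPLE_BANNERS: Dict[str, str] = {
    "vulnerable-7u21": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)',
    "patched-7u25":    'java version "1.7.0_25"\nJava(TM) SE Runtime Environment (build 1.7.0_25-b15)',
    "modern-11":       'openjdk version "11.0.2" 2019-01-15\nOpenJDK Runtime Environment',
    "garbage":         'bash: java: command not found',
}


def audit_samples(samples: Dict[str, str] = SAMPLE_BANNERS) -> Dict[str, Optional[bool]]:
    """Apply the check to every sample banner; used as the worked result."""
    return {name: is_patched(banner) for name, banner in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:16s} patched={verdict}")
    live = installed_java_banner()
    if live is not None:
        print("this host:       patched=", is_patched(live))
    else:
        print("this host:       no java binary on PATH (nothing for this bot to run in)")
```

The script only reports the default `java` on the PATH; browser plug-ins and per-application bundled JREs can be a different, older build, so on a workstation fleet the same parser should be pointed at every `java` binary the inventory tool can find, not just the first one.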

Barry Shteiman, Director of Security Strategy with security vendor Imperva, meanwhile, said that, whilst DDoS attacks coming from botnets have been around for a while now, the choice of Java in this malware makes it more modern and trendy.

"Over the past year we have seen many samples of malware with different capabilities - some with DDoS abilities and automation through an IRC command and control," he explained, adding that the choice of Java in this case does make the malware piece more modern.

"Java is multi-platform and therefore will allow the malware to run on more platforms. It may also use the fact that hackers are very focused on Java now for vulnerability research, so there is a likelihood that the malware can evolve with new ways to exploit and onboard a system," he said.

"DDoS attacks coming from botnets have been around for a while now. They are the weapon of choice, as they are both easy to construct - and also very effective," he added.
