
Java.Backdoor.ReverseBackdoor.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Java.Backdoor.ReverseBackdoor.A is also known as Backdoor:Java/ReverseBackdoor.

Explanation:

Java.Backdoor.ReverseBackdoor.A is an advanced IRC backdoor written in the Java programming language. It allows the download and execution of other malware components, has autoupdate capability and supports an array of spamming commands. In the wild it can be found as a JAR file that contains 40 obfuscated class files. The JAR is wrapped into an .exe using jshrink (http://www.e-t.com/jshrink.html) to further obfuscate it. The .exe is downloaded and executed by a malicious applet, which asks the user's permission to circumvent the Java sandbox.

The bot starts by reading its online configuration file, which includes the IRC server's host and port, the input and output channel names, and the nicknames of the botmasters. It forks a command and control thread, registers itself as an autorun, and finishes by dropping and executing syn.jar to protect itself from deletion. The command and control thread executes commands given on the IRC channels by the botmasters.

Some of the supported commands:

.commands: list all available commands, including command usage and description
.exit: terminate the bot
.quit <message>: quit IRC server
.join <channel>: join an IRC channel
.part <channel>: part an IRC channel
.nickprefix <prefix>: change nick to a random number prefixed by <prefix>
.permnick <nick>: change to a permanent nick
.msg <channel> <message>: send a message to an IRC channel
.raw <line>: send raw IRC command
.download <url> [dir]: download file to the infected system
.system <command>: execute system command
.httpflood <url> <threads> <delay> <connections>
.udpflood <host> <threads> <delay> <connections>
.sflood <host> <port> <threads> <delay> <connections>
.stopfloods
    HTTP, UDP and arbitrary socket flood
.getip [url]: get the IP address of the infected system
.mkdir <dir>: make directory
.cd <dir>: change current directory
.ls: list the contents of the current directory
.corrupt <file> [message]: truncate file or replace it with a message
.update <url>: update the bot with the JAR at <url>
.send <send> <file> <port>: upload file from the infected system
.spam <server> <port> <channel> [password] <nick> <message> <times> <delay>
.stopspam
    IRC flood
.backdoor <host> <port>: create a reverse shell on the infected system, controlled by <host>
.ircscript <url>: run IRC script at <url>
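An added example, not part of the BitDefender write-up: a small Python detector that parses IRC PRIVMSG lines and flags the bot's command vocabulary listed above, so a defender reviewing captured traffic from a suspected control channel can pick out bot commands and see which are well-formed. The nicknames, channels and URLs in the sample log are constructed placeholders; the minimum argument counts and risk tags are read off the command usages above.

```python
import re

# Command vocabulary from the description above, mapped to the minimum number
# of arguments each usage shows and a coarse risk tag for triage.
BOT_COMMANDS = {
    ".commands": (0, "recon"), ".exit": (0, "control"), ".quit": (0, "control"),
    ".join": (1, "control"), ".part": (1, "control"), ".nickprefix": (1, "control"),
    ".permnick": (1, "control"), ".msg": (2, "control"), ".raw": (1, "control"),
    ".download": (1, "payload"), ".system": (1, "exec"),
    ".httpflood": (4, "ddos"), ".udpflood": (4, "ddos"), ".sflood": (5, "ddos"),
    ".stopfloods": (0, "ddos"), ".getip": (0, "recon"), ".mkdir": (1, "fs"),
    ".cd": (1, "fs"), ".ls": (0, "fs"), ".corrupt": (1, "fs"),
    ".update": (1, "payload"), ".send": (3, "exfil"), ".spam": (7, "spam"),
    ".stopspam": (0, "spam"), ".backdoor": (2, "exec"), ".ircscript": (1, "payload"),
}

# Raw IRC line shape: ":nick!user@host PRIVMSG #channel :message"
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

def parse_bot_command(line):
    """Return a record if a PRIVMSG carries one of the bot's commands, else None."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("text").split()
    if not parts or parts[0].lower() not in BOT_COMMANDS:
        return None
    min_args, category = BOT_COMMANDS[parts[0].lower()]
    return {
        "nick": m.group("nick"), "channel": m.group("target"),
        "command": parts[0].lower(), "args": parts[1:], "category": category,
        "well_formed": len(parts) - 1 >= min_args,  # enough args for the usage
    }

def scan_irc_log(lines):
    """Run the detector over captured IRC lines; keep only bot-command hits."""
    return [rec for rec in (parse_bot_command(l) for l in lines) if rec]

# Constructed sample traffic (placeholder names and hosts, not real indicators).
SAMPLE_LOG = [
    ":botmaster!x@example.invalid PRIVMSG #in :.join #other",
    ":botmaster!x@example.invalid PRIVMSG #in :.download http://placeholder.invalid/a.jar",
    ":someone!y@example.invalid PRIVMSG #in :hello, how is everyone?",
    ":botmaster!x@example.invalid PRIVMSG #in :.httpflood http://placeholder.invalid 10 5",
    ":bot1234!z@example.invalid PRIVMSG #out :System command executed",
]

if __name__ == "__main__":
    for hit in scan_irc_log(SAMPLE_LOG):
        print(hit)
```

Plain chatter and the bot's own replies on the output channel are not flagged; only dot-prefixed commands from the vocabulary are.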

Last update 21 November 2011
