
TrojanDownloader:Java/Rexec.B


First posted on 06 October 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Java/Rexec.B is also known as Trojan-Downloader.Java.Agent.hi (Kaspersky), Java.Downloader.89 (Dr.Web), Mal/JavaKC-A (Sophos).

Explanation :

TrojanDownloader:Java/Rexec.B is a trojan Java applet that could allow the downloading and execution of arbitrary files.

Installation :

TrojanDownloader:Java/Rexec.B may be invoked by a malicious website as a Java .JAR archive. The applet is invoked from an HTML page by referencing the "a0ee3d65141.class" stored in the .JAR file. In the wild, we have observed the .JAR file containing malicious files that are all detected as TrojanDownloader:Java/Rexec.B:

  • a0ee3d65141.class
  • a4cb9b1a8a5.class
  • aa79d1019d8.class

as well as the following clean helper class files:

  • ab5601d4848.class
  • ab16db71cdc.class
  • a66d578f084.class
  • af439f03798.class
  • ae28546890f.class

and a file containing the serialized host file named:

  • a6a7a760c0e

TrojanDownloader:Java/Rexec.B employs a number of techniques to obfuscate the code, including but not limited to:

  • Using a substitution cipher to decode the passed-in host file.
  • Inserting junk commands amongst the malicious code in an attempt to make the file more difficult to analyze and detect.
  • Serializing the host name in a MarshalledObject to hide it from plain view.

Payload :

Downloads arbitrary files

The malicious HTML feeds "a0ee3d65141.class" the encoded host of the file to download by supplying a parameter named "game_id" in the invocation of the class. This host is then decrypted using a substitution cipher. If the host is not supplied, TrojanDownloader:Java/Rexec.B uses 127.0.0.1 as the host. The file name is then read in and deserialized from the MarshalledObject named a6a7a760c0e. The downloaded file is saved in the affected user's temp directory as "google.exe" and run using the Java Runtime.exec() function. The remainder of the files are used to help elevate the running privileges of the downloader.
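The traits described above (random-looking class names, a serialized object shipped as a bare data entry, and classes that reference MarshalledObject and Runtime) can be checked mechanically when triaging a JAR. The following Python triage script is an added example written for this page, not tooling from the original analysis; the entry names come from the write-up, the sample JAR it builds is constructed (the fake class bodies only carry the magic numbers and constant-pool strings the check looks for), and `is_suspicious` is an assumed heuristic, not a verdict on any real file.

```python
import io
import zipfile

# Entry names reported for this JAR in the write-up above.
REXEC_B_ENTRIES = {
    "a0ee3d65141.class", "a4cb9b1a8a5.class", "aa79d1019d8.class",
    "ab5601d4848.class", "ab16db71cdc.class", "a66d578f084.class",
    "af439f03798.class", "ae28546890f.class", "a6a7a760c0e",
}
# JDK type/method names land in a class file's CONSTANT_Utf8 pool as plain
# bytes, so they remain visible even when the class's own names are obfuscated.
SUSPICIOUS_REFS = [b"java/rmi/MarshalledObject", b"java/lang/Runtime", b"exec"]
CLASS_MAGIC = b"\xca\xfe\xba\xbe"      # start of every .class file
SERIAL_MAGIC = b"\xac\xed\x00\x05"     # start of a Java serialization stream

def scan_jar(data: bytes) -> dict:
    """Collect indicators from one JAR image held in memory."""
    findings = {"known_names": [], "refs": {}, "serialized_blobs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for info in jar.infolist():
            name, body = info.filename, jar.read(info.filename)
            if name in REXEC_B_ENTRIES:
                findings["known_names"].append(name)
            if name.endswith(".class") and body.startswith(CLASS_MAGIC):
                hits = [r.decode() for r in SUSPICIOUS_REFS if r in body]
                if hits:
                    findings["refs"][name] = hits
            elif body.startswith(SERIAL_MAGIC):
                # A serialized object stored as data, like a6a7a760c0e above.
                findings["serialized_blobs"].append(name)
    return findings

def is_suspicious(findings: dict) -> bool:
    """Assumed heuristic: a serialized blob plus a class that both deserializes
    a MarshalledObject and reaches Runtime (the pattern described on this page)."""
    uses_both = any({"java/rmi/MarshalledObject", "java/lang/Runtime"} <= set(h)
                    for h in findings["refs"].values())
    return bool(findings["serialized_blobs"]) and uses_both

def build_sample_jar() -> bytes:
    """Constructed stand-in for the JAR; contents are not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("a0ee3d65141.class", CLASS_MAGIC + b"\x00\x00\x00\x32"
                     + b"java/rmi/MarshalledObject\x00java/lang/Runtime\x00exec")
        jar.writestr("ab5601d4848.class", CLASS_MAGIC + b"\x00\x00\x00\x32java/lang/Object")
        jar.writestr("a6a7a760c0e", SERIAL_MAGIC + b"\x73\x72\x00\x03Foo")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_jar(build_sample_jar()), is_suspicious(scan_jar(build_sample_jar())))
```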

    Analysis by Michael Johnson

    Last update 06 October 2010
