Brazilian Coders Are Pioneering the First Cross-OS Malware Using JAR Files

An anonymous reader writes: Criminal gangs in Brazil are experimenting with the first malware families that are packaged as JAR files, capable of being deployed to Windows, Linux, Mac, and even Android from the same codebase, instead of relying on 4 different versions. Right now, only the malware dropper, a component used to infect computers with banking trojans, seems to have been coded in Java, but security experts expect a full-blown banking trojan to soon follow.

That's it, I'm switching to CP/M

[Anonymous Coward]

There's no Java for CP/M-Z80, so I'm safe from being target by cross platform malware [or being targeted by applications in general].

Re:

[Anonymous Coward]

But what if they wrote it in Turbo Pascal? You should get an 8085 just to be sure!

Re:

[cstdenis]

So much for write once, run anywhere.

So using Java exactly what it was designed for?

[Anonymous Coward]

Guess all those memories of viruses from the 80's containing executable code valid on multiple processors are all my fevered imagination. Who knew that the first cross-OS malware was definitely only being written now, in 2016, in Java.

Wait, no, just the dropper. Congrats guys, you've discovered a platform-independent way of opening a stream from somewhere on the internet and dumping it to a file. Definitely pushing the envelope of Java to do that, I mean it's not like it comes with any sockets or file API specifically designed for stuff like that.

Give me a break. I was hoping to hear about something actually creative, like PDF or jpeg with multiple exploits for common Windows/Mac/Linux viewers or decode libraries, that causes a jump into the appropriate shellcode for each platform depending on what it's viewed on. This story is a non-event.

Re:So using Java exactly what it was designed for?

[TheRaven64]

It is a bit of a stretch. There was a nice entry into the IOCC a few years ago that was a program that was valid as C program, a shell script, or a makefile. Running it as either a shell script or makefile would compile the C program, which would then print its output. There's been some interesting recent research involving isolating instructions that are NOPs on various architectures and writing exploit code that is a valid executable on both x86 and ARM (it doesn't have to be long, because you can encode a jump to the architecture-specific version in the portable code).

It's worth noting that this is even (almost) the official and documented way of writing a cross-architecture Windows binary: you have a little .NET stub that P/Invoke's the native binary for the architecture that it detects.

Re:

[MachineShedFred]

I was thinking exactly this. Glad to hear that only now are we seeing a 'cross-platform' malware, and that the untold numbers of Excel macro viruses, Outlook exploits, PDF exploits, Flash exploits, etc. don't count. Only when you use Java to do something it was actually designed to do (as you described) do you become 'the first cross-platform malware.'

"First Cross-OS Malware Using JAR Files"

[Anonymous Coward]

"First Cross-OS Malware Using JAR Files"

I used to have that one. It was developed by Sun, and called the Java plugin.

Re:

[ruir]

Best comment so far!

JAR capable of being deployed to Linux

[tetraverse]

How exactly does this JAR file get downloaded and executed on a Linux system, without enduser action.

Re:

[Anonymous Coward]

So many dell dracs so little time lol

Re:

[Ed Tice]

It may be the most deployed OS, but it's not the most-deployed end-user OS. If you are going to target Linux, using social engineering to install Malware may be very difficult. If you succeed, the person you targeted will most likely end up installing it on a Windows desktop even if they are the Linux admin. To attack infrastructure you use much different techniques.

Re:

[MrCoke]

"Press OK to enter our contest and win an iPhone 6/..."

Re:

[delt0r]

Or any other system for that matter. Or just a plain exe file or .sh on unix? STUPID USERS. As always. PEBCAK

Re:

[silentcoder]

>Dice employees used to be the lowest form of life

Used to be ?!??!?!

Re:

[KGIII]

Well, they've sold /. so, presumably, they've moved up a notch.

Re:

[silentcoder]

I think of it more as /. getting a shot of penicillin actually.

Java: write once

[Kartu]

"Java: write once, run anywhere"

Sorry, couldn't help.

First?

[Anonymous Coward]

I don't think so.

http://virus.wikidot.com/esperanto

Like linux users needed

[silentcoder]

another reason to uninstall java.

Re: Like linux users needed

[silentcoder]

And guaranteed to be 50 times as long as it should have been. Deep inside java was a functional, elegant and readable OO language trying to get out. Its name was python.

Re:

[jalet]

> In Java's case, your code is automatically portable and can execute on any OS that has a JRE installed (write once, run anywhere).

Thanks for the laugh !!!

Re:

[delt0r]

As long as you don't do *anything* it is portable. Use a tcp socket, open a window, Use threads... and BANG, no longer portable.

Re:

[GodelEscherBlecch]

In 10 years of developing combined J2EE/C++ systems on Windows and deploying them to Linux, I have seen precisely these differences running the same Java code in different operating systems:

1) FS calls tend to be faster in Linux

2) FS paths are different if you are too stupid to use the abstraction API properly

3) One time a math function returned a different value. Turned out it was in the Wolfram .so file, which they patched.

I know the hate bandwagon is a tempting position when you're not too bright

Re: Like linux users needed

[silentcoder]

I dont have a thousand other reasons not to install C support. Also, unlike java, C lets me run some actually usefull programs.

New slogan

[antifoidulus]

Write once, pwn everwhere!

First? My ass...

[evilviper]

2008: http://citeseerx.ist.psu.edu/v... [psu.edu]

2009: https://en.wikipedia.org/wiki/... [wikipedia.org]

2010: https://nakedsecurity.sophos.c... [sophos.com]

Look what some moron said about the same subject back in 2011:
http://www.developers.slashdot... [slashdot.org]

2012: https://www.intego.com/mac-sec... [intego.com]

2012: http://www.zdnet.com/article/c... [zdnet.com]

2012: http://www.infosecisland.com/b... [infosecisland.com]

etc., etc.

Re:

[gatkinso]

You'd think the OP never played Minecraft.

Smells like a difamatory campain to me...

[fbobraga]

I'm a Brazillian that works with IT, and it's the first time that I'm hearing something about it: it seems to me like a pretty bad-made SCAM :/ * I may be wrong, but I doubt it :P

Re:

[fbobraga]

Full of shit! * but the drinking water, for the Olympics in Rio, is very well drinkable (the Guanabara Bay is not a source of drinking water :P) * I live in Rio Claro / SP (not really very near of Guanabara Bay, thought...)

Re:

[KGIII]

En Inglés es "defamatory" y "campaign." Mí Español es malo, es muy mierda.

Re:

[KGIII]

Ah. No habla portugués! ;-)

Re: Smells like a difamatory campain to me...

[fbobraga]

I duobt it, sr. Anonymous Coward * You must know that Brazilian Constitution explicitly forbids anonymity, huh?

Qubes and virtualisation

[John Allsup]

This is why OS architectures like Qubes are important. This is why Linux systems (and everything else) should work more like that. It is also why the principle of least authority needs to make its way out of textbooks and into real life. Malware like this can work because it is given permission to work. There is no reason things need to be that way, except for laziness of programmers.

Re:

[tobiasly]

This is why OS architectures like Qubes are important. This is why Linux systems (and everything else) should work more like that. It is also why the principle of least authority needs to make its way out of textbooks and into real life.

When something that sounds great in a textbook never makes it to real life, there's usually a pretty good reason.

Odd editorial tone.

[sabbede]

It's written like a piece on an OSS project. When I got to the end, I was thinking, "Why are these researchers making malware?" Had to go back and re-read the first two words.

Hardly the first jar based malware

[gatkinso]

Download some Minecraft mods, take a peek inside.

All the more insidious because generally it is children installing said mods.

Re:

[cstdenis]

What mods are you referring to? The mod community seems to be pretty safe overall from what I've seen.

Macs? Really?

[U2xhc2hkb3QgU3Vja3M]

Don't mind the little fact that Macs don't even come with Java pre-installed anymore.

Re:

[Anonymous Coward]

Don't mind the little fact that Macs don't even come with Java pre-installed anymore.

Last time I checked neither do most other popular desktop operating systems. What's your point?

These people have never worked in web hosting

[mr_mischief]

There are plenty of malware packages in PHP, Perl, Python, and Ruby that will search for vulnerable web apps, infiltrate a hosting account, then set up web-accessible shells written in the same languages and continue on to find more vulnerable apps and accounts.

JAR? For Android? Really? Which Browser

[Cafe Alpha]

automatically converts and runs JRE files in Android?
I don't believe it.

If we assume they are written in Java...

[theendlessnow]

If we assume they are written in Java... then certainly we can do some profiling... just look for people with less hair.

Re:Does anyone actually install a JRE any more?

[Todd Knarr]

It wouldn't need to run as a browser plugin. The idea here is to use some other exploit to gain access and drop the .jar file onto the system, then run it as a regular local application. I suspect a lot of people have it because Oracle's made deals to have it included on the manufacturer's images, and those people don't have a clue what Java is or how to remove it so that's a problem.

I am, however, surprised it took them this long to come up with this idea. It's fairly standard on Unix systems, that's how cross-platform scripting of all sorts is done.

Re:

[Anonymous Coward]

*cross-platform scripting* usually involves perl, sh or similar scripting language. There really is no need to use java for that. And no, it isn't standard at all. If I need java on a system for a new fancy software I always have to install it first. You get flash preinstalled more often than java.

It also isn't that hard to deploy a miniperl to provide a runtime on systems without built-in perl (aka windows).

Re:

[Todd Knarr]

Or in Ruby, or Python, or any number of other languages. Java's just another entry in the list here. Frankly I'd've expected the first cross-platform malware to be in Perl, and to have shown up at least 10 years ago. I'm not sure AV tools would even recognize a Perl program as malware...

Re:

[beakerMeep]

The idea here is to use some other exploit to gain access and drop the .jar file onto the system, then run it as a regular local application.

If malware gains local application code execution, then the target user is pretty much farked anyways -- the language used is irrelevant.

Re:

[Anonymous Coward]

Ah, but if the malware needs a Java Runtime Enviroment then it can just install that, too. :)

The bigger question, though, is whether being the language of choice for writing malware is a plus or a minus for a language. I mean, let's say someone writes some very clever malware in C. Does that mean that C is a powerful and expressive language? Or does it mean that C is the devil?

Well, that's a bad analogy because we already know that C is the devil. But you get the picture.

Re:Does anyone actually install a JRE any more?

[Anonymous Coward]

Well, that's a bad analogy because we already know that C is the devil. But you get the picture.

Well, any reasonably skilled programmer have several deals with the devil, and for about half of them the devil feels he got the short end of the stick.

My comments are usually ascii pentagrams, but they only show with a tabsize of 4.

Re:

[Anonymous Coward]

tl;dr: nearly all banks require jre here.

As a Brazilian, i must say: a LOT of lazy coders rely on java for everything.

i am not bashing java, i meant relying on it for EVERYTHING.
(even on my cs graduation some teachers where promoting java as the only language you will ever use, forever)

to make things worse, they usually make very sloppy code, that even rely on older, vulnerable and discontinued jre versions.
(not kidding, the government is the main culprit and even run critical web stuff that still require i

Re:

[Flavianoep]

I wish our crackers were more patriotic. Last week, we learned about some malware that fails to work in computers located in Russia; why can't our malware coders create pieces of malware that *fail* when they find a JRE?

Re:

[Racemaniac]

Anyone interested in arduino for starters?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[drinkypoo]

That is why I hate the git that made Minecraft, after years of watching Java die on the desktop here comes this twirp that makes an insanely popular game in java and BAM! Piles of shitty Java installs cropping up everywhere.

How about just how fucking incompetent a game programmer he is? There are at least three clones of minecraft which are more technically competent. They don't punch your computer in the nuts half as hard. It's a good thing he got rich on minecraft because he sure didn't have a second chance

Re:

[delt0r]

Yea he is so incompetent to get the idea to execution first and a billion on the way. Your just Jealous

Re:

[drinkypoo]

Yea he is so incompetent to get the idea to execution first and a billion on the way. Your just Jealous

He wasn't the first to get the idea into a game, though. He was the first to make it popular. Sadly, popular and good are orthogonal axes on the chart.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Flavianoep]

Brazilians rely on JRE to process their income tax.

Re:

[KGIII]

You're kidding, right?

Re:

[randomErr]

I need it to play Minecraft. So yes, yes I do.

Re:

[AchilleTalon]

Almost every smart phone does. The browser thing is just irrelevant, you obviously do not understand anything about this ecosystem.

Re:

[LiENUS]

Almost every smart phone does.

Almost every smart phone, except for Android and iPhone where the JRE isn't available at all...

Re:

[LiENUS]

They still have JVMs

No they don't. all of he "JVM" stuff for ios runs on the development machine and does static translation to native code.

(android even moved BACK to oracles and ditched Dalvik)

No they didn't. They ditched the harmony project and started using the openjdk libraries.
The VM itself is still dalvik only instead of going right from dalvik opcodes to native code it goes dalvik->llvm->native code.
Android does not and has never supported java bytecode. You must recompile java bytecode to dalvik bytecode on your development ahead of time. Just like if you want to us

Re:

[dougmc]

Does anyone actually install a JRE any more?

Yeah, I didn't think it was very many.

Yes, lots of people install JREs.

The browser plugin isn't used much anymore, but there's lots of applications that use Java on a desktop (and lots, lots more that use it on servers, but I'll leave them alone for now.)

Some ones that come to mind are Minecraft, Eclipse (and a bunch of other programming IDEs and tools), Roboforge, OpenOffice, Vuze, Runescape, FreeCol, JOSM, Genj ...

Re:

[JustAnotherOldGuy]

Hell, I haven't had Java installed in years, maybe a decade.

It was of limited use and screwed up other stuff, and it made my PC slow to a crawl.