Malware, Network Security, Vulnerability Management

Black Hat: Most Java malware exploits “type confusion” vulnerability

A security researcher walked through some of themethods used by Flashback malware to highlight the different types of Javavulnerabilities developers are exploiting. 

Java malware targets certain types of vulnerabilities, and "type confusion" isthe most common class being exploited, Jeong Wook (Matt) Oh, a Microsoftresearcher, told attendees Thursday at the Black Hat conference in Las Vegas.

Type confusion refers to when a Java application is tricked intothinking an object is something else. Other categories of common Java vulnerabilitiesinclude logic errors, memory corruption, and argument injection, Oh said. 

Type safety, or the checks performed to ensure the data typesare being treated correctly, is the most essential element of Java security, Ohsaid. If a safety check fails for any reason, it leads to type confusion.Oh likened it to identity theft in the real world.

 “If one person can steal another person's identity, this canlead to exploitation of the person and the resources the person has access to,”he said.

Type confusion is a well-known problem and one of the majorvulnerability groups currently being exploited in Java, which is one of the most common exploits affecting organizations. The Flashbackmalware that wreaked havoc earlier this spring on hundreds of thousands of Mac computers exploited a type confusionvulnerability with an "AtomicReferenceArray" element. 

“This vulnerability is currently the number one vector fordrive-by exploits,” Oh told attendees.

Java malware is highly portable, as the technology is multi-platform, allowing all applications, even malicious ones, to automatically run under multiple operating systems. Considering that Oracle brags that more than 1.1 billion desktops run the software, developing Java malware makes a lot of sense from a developer standpoint, Oh said.

There are ways to analyze Java code to determine whether isit malicious, and Oh outlined some tools in his presentation.

Disassemblers such as IDA are used to show bytecode level instructions andconstant tables when the binary has been manipulated and can't be decompiled,Oh said. If it can be decompiled, then decompilers such as JD-GUI and JAD aregood tools to generate source code from Java binaries. Debuggers such asEclipse and Netbeans can also be used to step through the source code to figureout what each line of code is actually doing.

However, Java malware is often obfuscated, a method by whichcode is made complex to make it difficult to decompile. Instrumentation tools,such as BCEL and ACM, are useful, as they allow researchers to profile the codeinstead of trying to go through obfuscated code, he said.




Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.