McAfee Labs has identified a new piece of malware: a Java dropper that decrypts an embedded payload, but only on one dedicated system or network. Further analysis turned up an unusual fact: the payload is locked to run on a single specific machine. The dropper is built for that one targeted machine and cannot do its job anywhere else, because the key needed to decrypt the payload depends on something only the target has.
To make sure the payload only executes on the targeted computer, the malware combines several techniques, and that behaviour also makes the threat hard to analyze: a sandbox or analyst workstation that does not look like the target simply cannot decrypt the payload. Being a .jar file, it contains two main classes, web.class and stream.class.
The two classes in the Java dropper have distinct roles:
- stream.class: the name suggests an ordinary Java I/O class (the kind used to send data to or receive data from a stream), but it is in fact the encrypted binary payload that the dropper decrypts at run time.
- web.class: this class is obfuscated with version 4.4 of the Allatori Obfuscator, which makes decompiling the Java class considerably harder.
McAfee Labs used a Java disassembler to read the dropper's bytecode, which gave a clear picture of what the dropper does. It first makes a request to http://checkip.dyndns.com, a service that answers with the public IP address of the machine the request came from, and thereby learns the targeted machine's IP address. As soon as it has that address, it derives the decryption key from it, decrypts stream.class with that key, executes the decrypted payload and finally deletes the .jar file. The consequence for analysis is that anyone running the sample from a network with a different public IP derives the wrong key and gets garbage out of the decryption; recovering the payload requires the target's address (or a captured response from the IP service).
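The locking mechanism described above, environmental keying, is easy to show in a few lines. The following is an added Python illustration, not McAfee's analysis code and not the dropper's own code; the key derivation (SHA-256 of the IP string), the HMAC-based stream cipher, the "PK\x03\x04" magic check and the target address 203.0.113.7 are all assumptions made for the example. The IP lookup is a stub standing in for the HTTP request to http://checkip.dyndns.com, so the script runs offline.

```python
"""
Environmental keying: the payload is encrypted under a key derived from a
value only the target machine has (its public IP, as reported by a
"what is my IP" service). On the right machine it decrypts; anywhere else,
including an analyst's sandbox, it comes out as noise.

Added example, not code from the original page or the malware. The key
derivation, cipher, magic check and the address 203.0.113.7 are
assumptions; no real network request is made.
"""
import hashlib
import hmac

# A real jar is a zip file and starts with these bytes; the dropper can use
# such a check (assumption) to tell a good decryption from garbage.
JAR_MAGIC = b"PK\x03\x04"


def derive_key(public_ip: str) -> bytes:
    """Assumed derivation: SHA-256 of the public IP string."""
    return hashlib.sha256(public_ip.encode("ascii")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF (stdlib only, runs anywhere)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def build_locked_payload(payload: bytes, target_ip: str) -> bytes:
    """Builder side: encrypt the payload under the intended target's key."""
    key = derive_key(target_ip)
    return xor_bytes(payload, keystream(key, len(payload)))


def lookup_public_ip(observed_ip: str) -> str:
    """Stub for the GET to http://checkip.dyndns.com; returns the given value."""
    return observed_ip


def run_dropper(locked: bytes, observed_ip: str):
    """Dropper side: fetch the IP, derive the key, decrypt and sanity-check.

    Returns the decrypted payload on the target machine, None elsewhere
    (where the real dropper would have nothing runnable to execute).
    """
    key = derive_key(lookup_public_ip(observed_ip))
    plain = xor_bytes(locked, keystream(key, len(locked)))
    if plain.startswith(JAR_MAGIC):
        return plain  # here the real dropper writes it out, runs it, deletes itself
    return None


# Constructed sample: a fake jar-like payload and a target behind 203.0.113.7.
SAMPLE_PAYLOAD = JAR_MAGIC + b"fake jar contents for the example"
LOCKED = build_locked_payload(SAMPLE_PAYLOAD, "203.0.113.7")

if __name__ == "__main__":
    print("on target  :", run_dropper(LOCKED, "203.0.113.7") == SAMPLE_PAYLOAD)
    print("in sandbox :", run_dropper(LOCKED, "198.51.100.9"))
```

The practical lesson for analysts is the same one the dropper relies on: a sandbox whose egress IP differs from the target's never produces the key, so the payload stays opaque. To recover it, either intercept the dropper's request to the IP service and answer with the target's address, or patch the lookup (as the stub here does) to return the address obtained from the victim.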
McAfee stated that because the threat is aimed at a single targeted machine, it is not a cause for wide concern. A few pieces of advice were still shared:
- Enable your personal firewall and always keep it on.
- Be careful when opening attachments from unknown sources.
- Browse the web safely.
- Stay protected with up-to-date anti-malware software.