A few weeks ago McAfee Labs received samples of a Java dropper that can decrypt its payload only on a specific computer or network. After investigating, we discovered that the payload itself is also locked to run on a single machine.
The threat uses several techniques to ensure it runs only on the target computer, and the same keying makes it very hard to analyze: the decryption keys are never stored in the sample, they exist only on the victim's machine or network.
The .jar files contained two class files: web.class and stream.class.
Stream.class was not a Java class at all but an opaque binary blob (the encrypted payload). Web.class was obfuscated with Allatori Obfuscator Version 4.4, which makes the class hard to decompile, so we used a Java disassembler to read the bytecode. After recovering the obfuscated strings (by patching the bytecode to print them to the terminal and reassembling it), the dropper's behavior was clear.
The dropper fetched the machine's public IP address from http://checkip.dyndns.com, used that address to derive a decryption key, decrypted stream.class with it, executed the result, and deleted the .jar. Because the key is derived from the victim's public address rather than embedded in the sample, running the dropper in a sandbox or on an analyst's network yields only garbage.
Because we obtained one of the target IPs, we could decrypt stream.class. The decrypted payload was a packed executable; unpacking it yielded another obfuscated executable containing a DLL and two encrypted binaries.
The DLL was obfuscated: every string was encrypted with its own key and algorithm (a technique that recurs in the other payloads). The DLL opened two ports in the Windows firewall, UDP 1900 and TCP 2869, which are the ports Windows itself uses for SSDP discovery and the UPnP Device Host service, so the new exceptions look like legitimate ones.
The first encrypted file was a well-known adware, SanctionedMedia, though it may be a decoy aimed at researchers and automated malware analysis systems.
The second file was a packed DLL. After unpacking, we got another packed DLL containing an encrypted payload that can be decrypted only with a machine-specific key.
The machine-specific key is derived from the creation timestamp of the system directory and the volume serial number of the partition holding it. Both values are unique to the victim's installation and cannot be recovered from the sample alone, so neither a sandbox nor an analyst's machine can produce the key.
We did not have that information and so could not generate the key, but we did obtain one unpacked sample of the payload.
This DLL was packed with a modified version of UPX (a modification that typically defeats the stock `upx -d` unpacker) and obfuscated like the firewall DLL, with every string encrypted using a different key and algorithm.
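The two keying schemes described above (the IP-derived key used by the Java dropper, and the machine-specific key derived from the system directory's creation time and the volume serial number), as an added example in Python. This is not code from the sample or from McAfee Labs: the cipher (a SHA-256 keystream XOR), the hash-based key derivations, the packing of the timestamp as Unix seconds and the sample payload are all assumptions, since the post names only the key inputs. The example also shows the asymmetry an analyst cares about: the IP-keyed stage can be recovered by enumerating candidate addresses against a known-plaintext check on the PE header, while the machine-keyed stage offers no such shortcut.

```python
"""Toy reconstruction of the post's two environment-keyed stages.

Constructed example: the cipher (a SHA-256 keystream XOR) and the exact key
derivations are assumptions; the post names only the key inputs.
"""
import hashlib
import ipaddress
import os
import struct
import sys
from typing import Optional, Tuple


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric toy stream cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack("<I", off // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def key_from_ip(ip: str) -> bytes:
    """Stage 1 (the Java dropper): key derived from the public IPv4 address."""
    return hashlib.sha256(b"ip:" + ip.encode()).digest()


def key_from_machine(sysdir_ctime: int, volume_serial: int) -> bytes:
    """Stage 2 (the inner DLL): key derived from the system directory's creation
    time (here: Unix seconds, an assumption) and the 32-bit volume serial."""
    return hashlib.sha256(struct.pack("<QI", sysdir_ctime, volume_serial)).digest()


def machine_params() -> Tuple[int, int]:
    """Read the two machine-specific inputs on Windows (raises elsewhere)."""
    if sys.platform != "win32":
        raise OSError("machine-specific inputs are only available on Windows")
    import ctypes
    sysdir = os.environ.get("SystemRoot", r"C:\Windows")
    ctime = int(os.stat(sysdir).st_ctime)  # st_ctime is creation time on Windows
    serial = ctypes.c_uint32()
    root = os.path.splitdrive(sysdir)[0] + "\\"
    if not ctypes.windll.kernel32.GetVolumeInformationW(
            root, None, 0, ctypes.byref(serial), None, None, None, 0):
        raise ctypes.WinError()
    return ctime, serial.value


def fake_pe(size: int = 256) -> bytes:
    """Constructed stand-in for a PE file: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' there."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def looks_like_pe(head: bytes) -> bool:
    """Known-plaintext oracle: DOS 'MZ' signature and e_lfanew pointing at 'PE\\0\\0'.
    Checking the second signature rules out chance hits on a 2-byte 'MZ'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def brute_force_ip(ciphertext: bytes, network: str) -> Optional[str]:
    """Recover the stage-1 key by enumerating candidate IPs.

    IPv4 gives at most 2^32 keys, and a rough geolocation of the target
    shrinks that to a /16 or smaller, so once the derivation is known the
    IP-keyed stage is breakable without access to the victim's network.
    """
    for host in ipaddress.IPv4Network(network):
        key = key_from_ip(str(host))
        if keystream_xor(key, ciphertext[:32])[:2] != b"MZ":   # cheap filter
            continue
        if looks_like_pe(keystream_xor(key, ciphertext[:1024])):  # full check
            return str(host)
    return None


if __name__ == "__main__":
    payload = fake_pe()
    stage1 = keystream_xor(key_from_ip("203.0.113.77"), payload)
    print("stage-1 key recovered for IP:", brute_force_ip(stage1, "203.0.113.0/24"))
    # Stage 2 has no such shortcut: the volume serial alone is 32 essentially
    # random bits and the creation timestamp is unknown, so the key must come
    # from the target machine itself.
    if sys.platform == "win32":
        print("this machine's key inputs:", machine_params())
```

The cheap two-byte filter keeps the enumeration to one hash per candidate, so a /16 (65,536 addresses) finishes in seconds; the full header check then discards the roughly one chance "MZ" hit such a scan produces. Note that `machine_params` only reads the inputs on Windows and is there to show where the real key material comes from; nothing in the block contacts the network.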
This threat was specific to a single machine, so it’s not something you need to worry about. Nonetheless, here’s our advice for avoiding this type of attack:
- Always keep your personal firewall on
- Exercise caution when opening file attachments from an unknown or suspicious source
- Browse websites cautiously and avoid browsing to unknown sites
- Keep your antimalware software up to date and consider employing application whitelisting
- Apply the latest security patches for Windows and third-party applications, including these popular targets: Internet Explorer, Microsoft Office, Adobe Reader, Flash Player, Java, and QuickTime