#BlackHat: Java malware exploits type confusion vulnerability

Powered by SC Magazine
 

Type confusion is the 'most essential' aspect of Java security.


A security researcher has demonstrated some of the methods used by the Flashback malware to highlight the different classes of Java vulnerabilities that malware authors are exploiting.

Java malware targets certain types of vulnerabilities, and "type confusion" is the most common class being exploited, Jeong Wook (Matt) Oh, a Microsoft researcher, told attendees at the Black Hat conference in Las Vegas.

Type confusion refers to when a Java application is tricked into thinking an object is something else.

Black Hat 2012 coverage

Other categories of common Java vulnerabilities include logic errors, memory corruption, and argument injection.

Type safety, or the checks performed to ensure the data types are being treated correctly, is the most essential element of Java security according to Oh. If a safety check fails for any reason, it leads to type confusion. Oh likened it to identity theft in the real world.

 “If one person can steal another person's identity, this can lead to exploitation of the person and the resources the person has access to,” he said.

Type confusion is a well-known problem and one of the major groups of vulnerabilities currently being exploited in Java, and Java exploits in turn are among the most common affecting organisations.

The Flashback malware that wreaked havoc earlier this spring on hundreds of thousands of Mac computers exploited a type confusion vulnerability involving the "AtomicReferenceArray" class.

“This vulnerability is currently the number one vector for drive-by exploits,” Oh told attendees.

Java malware is highly portable, as the technology is multi-platform, allowing all applications, even malicious ones, to automatically run under multiple operating systems.

Considering that Oracle brags that more than 1.1 billion desktops run the software, developing Java malware makes a lot of sense from a developer standpoint, Oh said.

There are ways to analyse Java code to determine whether it is malicious, and Oh outlined some tools in his presentation.

Disassemblers such as IDA are used to show bytecode level instructions and constant tables when the binary has been manipulated and can't be decompiled, Oh said.

If it can be decompiled, then decompilers such as JD-GUI and JAD are good tools to generate source code from Java binaries. Debuggers such as Eclipse and Netbeans can also be used to step through the source code to figure out what each line of code is actually doing.

However, Java malware is often obfuscated, meaning the code has been deliberately transformed to make it hard to decompile and read. Instrumentation tools such as BCEL and ASM are useful here, as they let researchers profile what the code does at run time instead of wading through the obfuscated source, he said.
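The bytecode-level view Oh describes starts with the class file's constant pool, which holds every class name, method reference and string literal the code uses, and survives even when a decompiler fails. The following is an added example, not code from Oh's talk or from any of the tools named above: a minimal constant-pool parser, run over a hand-constructed class-file fragment embedded in the script. The fragment, the watchlist of class names, and the triage output format are all assumptions made for this illustration; the class-file layout and tag values themselves are the ones defined by the JVM specification.

```python
import struct

# --- Constructed sample input (not a real malware sample) ---------------------
# A minimal class file: magic, version 50 (Java 6), and a constant pool.
# No fields, methods or attributes follow, so the parser stops after the pool.
def _u1(v): return struct.pack(">B", v)
def _u2(v): return struct.pack(">H", v)
def _utf8(s):
    b = s.encode("utf-8")               # ASCII-only here, so modified UTF-8 == UTF-8
    return _u1(1) + _u2(len(b)) + b

CONSTANT_POOL = (
    _utf8("java/util/concurrent/atomic/AtomicReferenceArray")   # 1  Utf8
    + _u1(7) + _u2(1)                                             # 2  Class -> #1
    + _utf8("java/lang/Runtime")                                  # 3  Utf8
    + _u1(7) + _u2(3)                                             # 4  Class -> #3
    + _utf8("exec")                                               # 5  Utf8
    + _utf8("(Ljava/lang/String;)Ljava/lang/Process;")            # 6  Utf8
    + _u1(12) + _u2(5) + _u2(6)                                   # 7  NameAndType
    + _u1(10) + _u2(4) + _u2(7)                                   # 8  Methodref -> Runtime.exec
    + _utf8("hello")                                              # 9  Utf8
    + _u1(8) + _u2(9)                                             # 10 String -> #9
    + _u1(5) + struct.pack(">q", 42)                              # 11 Long (also occupies slot 12)
)
SAMPLE_CLASS = b"\xca\xfe\xba\xbe" + _u2(0) + _u2(50) + _u2(13) + CONSTANT_POOL

# Class names an analyst might flag for closer review (assumed watchlist).
WATCHLIST = {"java/util/concurrent/atomic/AtomicReferenceArray", "java/lang/Runtime"}

_TAG_NAMES = {7: "Class", 8: "String", 16: "MethodType", 9: "Fieldref",
              10: "Methodref", 11: "InterfaceMethodref", 12: "NameAndType",
              18: "InvokeDynamic"}

def parse_constant_pool(data):
    """Return (major_version, pool, offset_after_pool). pool[0] is unused."""
    magic, _minor, major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pool = [None] * count
    off, i = 10, 1
    while i < count:
        tag = data[off]; off += 1
        if tag == 1:                                   # CONSTANT_Utf8
            (n,) = struct.unpack(">H", data[off:off + 2]); off += 2
            pool[i] = ("Utf8", data[off:off + n].decode("utf-8")); off += n
        elif tag in (3, 4):                            # Integer / Float
            pool[i] = ("Integer" if tag == 3 else "Float", data[off:off + 4]); off += 4
        elif tag in (5, 6):                            # Long / Double
            pool[i] = ("Long" if tag == 5 else "Double", data[off:off + 8]); off += 8
            i += 1                                     # 8-byte constants take two slots
        elif tag in (7, 8, 16):                        # single u2 index
            (idx,) = struct.unpack(">H", data[off:off + 2]); off += 2
            pool[i] = (_TAG_NAMES[tag], idx)
        elif tag in (9, 10, 11, 12, 18):               # two u2 indices
            a, b = struct.unpack(">HH", data[off:off + 4]); off += 4
            pool[i] = (_TAG_NAMES[tag], a, b)
        elif tag == 15:                                # MethodHandle: u1 kind, u2 index
            kind, idx = struct.unpack(">BH", data[off:off + 3]); off += 3
            pool[i] = ("MethodHandle", kind, idx)
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        i += 1
    return major, pool, off

def referenced_classes(pool):
    return sorted(pool[e[1]][1] for e in pool if e and e[0] == "Class")

def referenced_methods(pool):
    out = []
    for e in pool:
        if e and e[0] in ("Methodref", "InterfaceMethodref"):
            cls = pool[pool[e[1]][1]][1]
            nat = pool[e[2]]
            out.append(f"{cls}.{pool[nat[1]][1]}{pool[nat[2]][1]}")
    return out

def string_constants(pool):
    return [pool[e[1]][1] for e in pool if e and e[0] == "String"]

def triage(data):
    """Summarise what a class references, and which names hit the watchlist."""
    major, pool, _ = parse_constant_pool(data)
    classes = referenced_classes(pool)
    return {"major": major, "classes": classes,
            "methods": referenced_methods(pool),
            "strings": string_constants(pool),
            "hits": sorted(set(classes) & WATCHLIST)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CLASS).items():
        print(f"{key}: {value}")
```

Running this on a real `.class` file (read it as bytes in place of `SAMPLE_CLASS`) gives a quick inventory of classes, method signatures and string literals before any decompiler is involved; obfuscators rename the classes an author controls but cannot rename JDK classes such as the ones above, which is why the constant pool remains a useful first triage step.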

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
