The Latest in IT Security

New SDK, Old tricks – SillyDl repackaged!

04
Aug
2011

Routine processing of our large volume collections has unearthed a sample that seems noteworthy to be mentioned. Digging deeper revealed it was indeed a simple variant descending from a very old and familiar family of Java based Trojans [Java/SillyDl]

Intricacies of its execution

This sample's payload is same as what the age old downloader agents are known to do.  By Design, It downloads additional malware executables from distribution sites on the internet and proceeds to trigger their installation routines. Implemented as an applet, a better and easy understanding of this malware component can be gained through the output of instrumented standalone version of this applet shown in  Fig 1.

Fig.1: Instrumented output

So far, everything seems to be simple and very old behaviour. So Why did it need attention?

The sample is created using the updated SDK[ Java Development Kit version 7] recently made available a week ago. Being among the first of the samples to be created using this updated development environment is what primarily intrigued us. Note:JDK7 is the latest major version released a week ago and it is the first major release since JDK6 five years ago.

At this stage there are no JDK7 specific APIs (or) new features introduced in JDK7 are used in this malware. It is simply compiled using JDK7.

This fact suggests that the malware author may not have intentionally used JDK7; however we can expect samples created using new features introduced in JDK7 anytime sooner.
There is a side effect of the usage of the latest JDK to create malware. Naturally, a Java-class created using a higher version of JDK cannot be executed by a lower version Java Virtual Machine. Hence this sample will not run in the machines that are still using the older version of JDK  (and generally there will be plenty of machines still using older versions of JVM).

Fig.2 is a screenshot of the Runtime errors encountered while we tried to load this applet in a system that was running JDK6.

Fig.2: Runtime error message from JRE 1.6

This sample is detected as "Java/SillyDlJava.AT". Though this malware does not use any new features of the updated SDK, it will be interesting to watch out for this trend.
 

Leave a reply


Categories

FRIDAY, OCTOBER 30, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments