2. Update: Back Story
• Intrusion resulting in major monetary loss
• System with keylogger and unknown trojan
• Java drive-by identified:
• 52b989e6-783fc81c.jar
– MD5: ee18509d07bf591c73bd30091080e034
3. Update: Java IDX results
IDX file: JAR52b989e6-783fc81c2.idx (IDX File Version 6.03)
[*] Section 2 (Download History) found:
URL: http://173.224.71.132:8080/content/Qai.jar
IP: 173.224.71.132
<null>: HTTP/1.1 200 OK
content-length: 14869
last-modified: Thu, 15 Mar 2012 14:39:44 GMT
content-type: application/java-archive
date: Thu, 15 Mar 2012 18:55:12 GMT
server: nginx
deploy-request-content-type: application/x-java-archive
[*] Section 3 (Jar Manifest) found:
[*] Section 4 (Code Signer) found:
[*] Found: Data block. Length: 4
Data: Hex: 00000000
[*] Found: Data block. Length: 3
Data: 0 Hex: 300d0a
This “Section 4” data
appears to be a
pattern indicative of a
BlackHole download.
16. And consult the Java bible…
http://docs.oracle.com/javase/specs
17. This is better…
http://en.wikipedia.org/wiki/Java_bytec
ode_instruction_listings
Mnemonic
Opcode
(in hex)
Other bytes
Stack
[before]→[after]
Description
aaload 32 arrayref, index → value load onto the stack a reference from an array
aastore 53 arrayref, index, value → store into a reference in an array
aconst_null 01 → null push a null reference onto the stack
aload 19 1: index → objectref
load a reference onto the stack from a local
variable #index
23. FLASH, a-ah, King of the Impossible
• Same concept applies to all JIT runtimes
– e.g. Flash ActionScript
• CVE-2012-0779
– Sourced from Contagio
– Contains custom DoSWF encryption
– Adobe SWF Investigator to disassemble
– …
– Profit!
24. Update: AndroChef
• AndroChef: Commercial (shareware) Java
Decompiler
• http://www.neshkov.com/ac_decompiler.html
• Decompiles sample just fine
– But where’s the fun in that?