Windows 7

Posted By: Larry Seltzer

Bots and botnets have been around for a long time. There's some innovation in the programming form, but the large majority are Windows executables in PE (Portable Executable) format.

Cisco's security blog has started a series studying one new attempt they discovered to break out of the Windows-only mold: A bot written in Java.

The sample they study comes as a normal Java JAR file, as it would have to, and this is immediately a weakness compared to native bots, which usually come disguised by a variety of programs called "packers". Cisco's sample showed no attempt at all at obfuscation: It actually included the source code and the project file for Eclipse, a Java development platform. Malware analysis doesn't get any easier than this.

Craig Williams, the author of the post, speculates that the author chose Java thinking that AV programs might not be able to parse Java byte code (the executable format for Java), but a true Java bot should, depending on the features it uses, be able to run on more than just Windows as well, for what it's worth, but Williams says that this particular bot can only install itself on Windows systems. A Java bot might also run into problems, depending on what it does; if it tries to write to the file system, for example, it would need to be trusted, and that's not so easy to do.

This leaves a whole host of open questions: what does it do, how does it do it, and so on. Tune in next week, or whenever Williams writes part 2 of this series, to find out.