Malware in a JAR: How Rogue Java Applications Compromise your Endpoints


Transcript of Malware in a JAR: How Rogue Java Applications Compromise your Endpoints

© 2014 IBM Corporation

Slide 1

Malware in a JAR: How Rogue Java Applications Compromise your Endpoints

Christopher Beier, Sr. Product Marketing Manager, IBM Security

Slide 2

Question: Which end-user application is most targeted and most exploited by cybercriminals?

A. Adobe Acrobat
B. The Calculator
C. Browsers
D. Java

Slide 3

Java vs. JavaScript

Java is a programming language and computing platform first released by Sun Microsystems in 1995.

The JavaScript programming language, developed by Netscape, Inc., is not part of the Java platform.

– JavaScript does not create applets or stand-alone applications. In its most common form, JavaScript resides inside HTML documents, and can provide levels of interactivity to web pages that are not achievable with simple HTML.
– Java creates applications that run in a virtual machine or browser, while JavaScript code runs in a browser only.
– Java code needs to be compiled, while JavaScript code is plain text.
– They require different plug-ins.

Slide 4

The stats, according to the java.com site:

– 97% of enterprise desktops run Java
– 89% of desktops (or computers) in the U.S. run Java
– 9 million Java developers worldwide
– #1 choice for developers
– #1 development platform
– 3 billion mobile phones run Java
– 100% of Blu-ray Disc players ship with Java
– 5 billion Java Cards in use
– 125 million TV devices run Java
– 5 of the top 5 original equipment manufacturers ship Java ME

Slide 5

Explosive growth of Java vulnerabilities… combined with a presence in every enterprise makes Java the top target for exploits.


Slide 8

Two attack types…

Source: IBM X-Force Research and Development

Slide 9

Malware in a JAR

Malware written in Java code is extremely difficult to detect and therefore can remain stealthy for longer periods of time.

The JAR format uses ZIP compression to store the data in compact form.

Cyber-criminals are using Java-based malware to infiltrate organizations and establish a long-term presence.
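Because a JAR is a ZIP archive with a manifest, a defender can triage one without ever starting a JVM. The following is an added example, not code from the deck or from IBM: it builds a constructed sample JAR in memory, parses the manifest, and reports the facts a first look should establish (entry count, declared Main-Class, class entries with the wrong magic bytes, presence of signature files, compressed vs. uncompressed size).

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java .class file starts with this

def build_sample_jar() -> bytes:
    """Constructed sample JAR (not a real artifact): manifest, one class-file-shaped
    entry and one resource, stored with DEFLATE as the jar tool would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: demo.Launcher\r\n\r\n")
        zf.writestr("demo/Launcher.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16)
        zf.writestr("config/settings.properties", "mode=prod\n")
    return buf.getvalue()

def parse_manifest(text: str) -> dict:
    """Main section of MANIFEST.MF as a dict; ' '-prefixed lines are continuations."""
    headers, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break                              # blank line ends the main section
        if line.startswith(" ") and last:
            headers[last] += line[1:]          # 72-byte line wrapping
        elif ": " in line:
            last, value = line.split(": ", 1)
            headers[last] = value
    return headers

def inspect_jar(data: bytes) -> dict:
    """Triage summary: a JAR is a ZIP archive, so zipfile can walk it without a JVM."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP/JAR archive")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        classes = [n for n in names if n.endswith(".class")]
        return {
            "entries": len(names),
            "main_class": manifest.get("Main-Class"),
            "class_files": classes,
            # .class entries that are not class files hint at packing or obfuscation
            "bad_magic": [n for n in classes if zf.read(n)[:4] != CLASS_MAGIC],
            "signed": any(n.startswith("META-INF/") and n.upper().endswith((".SF", ".RSA", ".DSA", ".EC")) for n in names),
            "compressed_bytes": sum(i.compress_size for i in zf.infolist()),
            "uncompressed_bytes": sum(i.file_size for i in zf.infolist()),
        }
```

An unsigned JAR with a Main-Class, or class entries whose bytes lack the class magic, is not proof of malice, but it is the point at which a sample deserves a closer look.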


Slide 11

The top 19 critical vulnerabilities (and affected software) in 2014 are:

• CVE-2014-0290 – Internet Explorer
• CVE-2014-0417 – Java
• CVE-2014-0525 – Adobe Acrobat/Reader
• CVE-2014-0536 – Adobe Flash
• CVE-2014-0559 – Adobe Flash
• CVE-2014-1753 – Internet Explorer
• CVE-2014-2401 – Java
• CVE-2014-1772 – Internet Explorer
• CVE-2014-1782 – Internet Explorer
• CVE-2014-1804 – Internet Explorer
• CVE-2014-2768 – Internet Explorer
• CVE-2014-4057 – Internet Explorer
• CVE-2014-4095 – Internet Explorer
• CVE-2014-4097 – Internet Explorer
• CVE-2014-4105 – Internet Explorer
• CVE-2014-0581 – Flash Player
• CVE-2014-6368 – Internet Explorer
• CVE-2014-8447 – Adobe Reader and Acrobat
• CVE-2014-6443 – Netis router

Slide 12

Exploit chain disruption

Disrupt zero-day attacks without prior knowledge of the exploit or vulnerability

• Correlate application state with post-exploit actions
• Apply allow / block controls across the exploit chain

[Diagram: application states are evaluated and post-exploit actions are monitored (write files, breach other programs, alter registry, other breach methods); application state combined with exploit propagation yields the indicators that drive the allow / block decision.]

Slide 13

Lockdown for Java

Monitor and control high-risk Java application actions

• Malicious activity is blocked while legitimate Java applications are allowed
• Trust for specific Java apps is granted by Trusteer / IT administrator

[Diagram: a rogue Java app bypasses Java's internal controls. Low-risk activities (e.g., display, local calculation) are allowed for both trusted and untrusted apps; high-risk activities (e.g., write to file system, registry change) are monitored and controlled: allowed for a trusted app, controlled for an untrusted app.]
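Slides 12 and 13 describe one control: correlate the application's state (which JAR the JVM is running, where it was launched from, whether an administrator trusts it) with the post-exploit action it attempts, and allow or block accordingly. The following Python is an added illustration of that model, not Trusteer's code; the risk classes, event fields and JAR hashes are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed risk classes following the deck's examples; not Trusteer's actual policy.
LOW_RISK = {"display", "local_calculation"}
HIGH_RISK = {"write_file", "registry_change"}

@dataclass(frozen=True)
class JavaEvent:
    jar_sha256: str   # hash of the JAR the JVM is executing (application state)
    launched_by: str  # parent process: "browser" (applet / drive-by) or "user"
    action: str       # post-exploit action observed
    target: str       # file path or registry key touched

@dataclass
class JavaLockdown:
    trusted: set                    # JAR hashes the administrator has granted trust
    indicators: list = field(default_factory=list)

    def decide(self, ev: JavaEvent) -> str:
        if ev.action in LOW_RISK:
            return "allow"          # display, local calculation: fine for any app
        if ev.action in HIGH_RISK and ev.jar_sha256 in self.trusted:
            return "allow"          # trusted apps may write files / change registry
        # Untrusted app, or an action outside both classes (fail closed): block it
        # and keep the correlated state + action as a breach indicator.
        self.indicators.append(
            f"{ev.launched_by} -> java[{ev.jar_sha256[:8]}] {ev.action} {ev.target}")
        return "block"

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def run_demo() -> tuple:
    """Constructed events: one administrator-trusted in-house JAR, one unknown JAR
    run from a browser. Returns (decisions, indicators)."""
    inhouse = sha256_of(b"constructed in-house JAR bytes")
    rogue = sha256_of(b"constructed rogue JAR bytes")
    policy = JavaLockdown(trusted={inhouse})
    events = [
        JavaEvent(inhouse, "user", "write_file", "C:\\Reports\\q3.xlsx"),
        JavaEvent(rogue, "browser", "display", "applet canvas"),
        JavaEvent(rogue, "browser", "write_file", "%APPDATA%\\upd.jar"),
        JavaEvent(rogue, "browser", "registry_change", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
        JavaEvent(rogue, "browser", "load_native_library", "tmp.dll"),  # unclassified
    ]
    return [policy.decide(ev) for ev in events], policy.indicators
```

The indicators list is what an analyst would review: the trusted app's file write never appears there, while every high-risk or unclassified action by the browser-launched JAR does.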

Slide 14

IBM Security Trusteer Apex

Advanced multi-layered defense

Threat and Risk Reporting: Vulnerability Mapping and Critical Event Reporting

Advanced Threat Analysis and Turnkey Service

Credential Protection
• Prevent reuse on non-corporate sites
• Protect against submission on phishing sites
• Report on credential usage

Exploit Chain Disruption
• Block anomalous activity caused by exploits
• Zero-day defense by controlling exploit chain

Malware Detection and Mitigation
• Mitigation of massively distributed APTs
• Cloud-based detection of known threats

Malicious Communication Prevention
• Block malware communication
• Disrupt command and control
• Protects against data exfiltration

Lockdown for Java
• Block high-risk actions by malicious Java applications
• Administer the trust level, reducing user disruption

Global Threat Research and Intelligence: global threat intelligence delivered in near-real time from the cloud

Slide 15

IBM Intelligent Threat Protection

A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss

Smarter Prevention: Trusteer Apex Endpoint Malware Protection; IBM Security Network Protection XGS
• Prevent malware installation and disrupt malware communications
• Prevent remote network exploits and limit the use of risky web applications

Security Intelligence: IBM Security QRadar Security Intelligence
• Discover and prioritize vulnerabilities
• Correlate enterprise-wide threats and detect suspicious behavior

Continuous Response: IBM Security QRadar Incident Forensics; IBM Emergency Response Services
• Retrace full attack activity, search for breach indicators and guide defense hardening
• Assess impact, plan strategically and leverage experts to analyze data and contain threats

Global Threat Intelligence: IBM X-Force Threat Intelligence
• Leverage threat intelligence from multiple expert sources

Open Integrations: Ready for IBM Security Intelligence Ecosystem
• Share security context across multiple products
• 100+ vendors, 400+ products

IBM Guardium Data Activity Monitoring

IBM Endpoint Manager
• Automate and manage continuous security configuration policy compliance

Slide 16

Find out more…

IBM X-Force Threat Intelligence Reports: http://www.ibm.com/security/xforce/
Website: ibm.com/security/threat-protection/
YouTube: youtube.com/user/IBMSecuritySolutions
Twitter: @ibmsecurity
IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/x-force

And visit us on SecurityIntelligence.com

Slide 17

www.ibm.com/security

© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.