10.5 Detecting Malicious Java Applets Detecting a malicious Java applet without an automated detection tool isn't easy unless you are a Java programmer.
To access the object list in Internet Explorer 5.x, choose Tools InternetOptions General Settings View Objects. You can then select an object and choose File Property to view specific object information. Figure 10-7 shows a list of Java and ActiveX objects stored in my Internet Explorer browser.
Figure 10-7. List of Java and ActiveX objects
The log records applet errors (as often produced with malicious code) and applet names and locations, but there are lots of caveats. First, it doesn't record everything. I've run lots of applets that don't appear in the log, but fortunately, every malicious applet I've run remotely does. Second, the log file captures only the Java traffic of the current session. Stop and restart the browser and a new log file is written over the previous log when the first applet is detected . You should rename your logs right after you close your browser. The Java Console can be viewed within your browser by choosing View Java Console or by typing in JAVASCRIPT: in the URL location and hitting Enter. Unlike the log file, this tool will reveal real-time happenings and events that will eventually be written to the log. It has a small menu of commands that can be used to see how many execution threads are running and how much memory the applet is taking up. Information you request through the Java Console will be recorded into the log file. Example 10-5 was produced in the Java log from Mark LuDue's AppletKiller, which is an applet that stops, and prevents , any other applets from running. I use the log to track Java activity when a client suspects an active content exploit. Unless you are a Java programmer, most of what is contained in the log will not make sense. In this example, the code phrases, AppletKiller and ThreadKiller, should be warning signs to anyone . Although it might sound like a neophyte recommendation, malicious mobile code often contains visible text strings that give away its true intent. Example 10-5. Java log results from AppletKillercom.ms.security.SecurityExceptionEx[ThreadKiller.killAllThreads]: Illegal ThreadGroup access. at com/ms/security/permissions/ThreadPermission.checkThreadGroup at com/ms/security/permissions/ThreadPermission.check at com/ms/security/PolicyEngine.shallowCheck at com/ms/security/PolicyEngine.checkCallersPermission at com/ms/security/StandardSecurityManager.chk at com/ms/security/StandardSecurityManager.checkAccess at java/lang/ThreadGroup.checkAccess at java/lang/ThreadGroup.getParent at ThreadKiller.killAllThreads at AppletKiller.run at java/lang/Thread.run
I can then point my browser to the exact location as referenced previously in the CODEBASE parameter. Sometimes relative location names are used and make it a bit harder to grab the code. But if done successfully, my browser's window will look a little funny as it now contains the executable code displayed as data. Using File Save As, I save the file to my local hard drive for further analysis. In this example, I would use a decompiler program to turn the byte code into readable source code. I then look for suspicious subroutines. I'm not a Java programming expert, but I can usually pick up a bit of what the code is doing just by browsing my way through. Subroutines that contain offensive language, names of death, the words, "kill" or "die," all arouse my suspicion. Be careful not to accidentally run the executable content that is now on your hard drive, as it may now be trusted. As I said at the beginning of this chapter, manually detecting malicious Java applets can be tough unless you know the Java programming language well. Removal is typically easier because there is not a lot you can do. You can either delete the offending code or start from scratch. |
Team-Fly |
Top |