Firing the roast - Java is heating up again presented at Virus Bulletin 2011

by Kurt Baumgartner (Kaspersky Lab)

Tags: Security


Summary: "With the recent explosion in prevalence of both client-side Java exploitation and Android malware development, Java/Dalvik
malcode analysis has become more important than even a year ago. Java-related malcode can target a variety of components
and embody a variety of functionality: exploitation of the Java runtime environment or the web browser plug-in,
exploitation of the Android OS, or run as obfuscated standalone code. A variety of debugging, instrumentation and decompiling
tools all individually have their own strengths and weaknesses for Java malcode analysis. For writing CVE-2010-0840
exploits, the usual compilers are dismissed and class file bytecode is manually created. In turn, how are the usual tools
affected and how does that affect our malcode analysis? At the same time, vendors describe Droid malcode as becoming more
complex - is it because of complexity of functionality, implementation, or obfuscation and encryption? What tools do
analysts find useful for reversing these packages and why? Why aren't public sandboxes and toolsets handling Java malcode
runtime analysis and reporting?
This paper examines and categorizes the types of Java malcode in the wild over the past year, its prevalence, the
obfuscation and anti-reversing techniques embedded in it, the Java components affected and the best tools to tackle these