Firing the roast - Java is heating up again

Kurt Baumgartner Kaspersky Lab

With the recent explosion in prevalence of both client-side Java exploitation and Android malware development, Java/Dalvik malcode analysis has become more important than even a year ago. Java-related malcode can target a variety of components and embody a variety of functionality: exploitation of the Java runtime environment or the web browser plug-in, exploitation of the Android OS, or run as obfuscated standalone code. A variety of debugging, instrumentation and decompiling tools all individually have their own strengths and weaknesses for Java malcode analysis. For writing CVE-2010-0840 exploits, the usual compilers are dismissed and class file bytecode is manually created. In turn, how are the usual tools affected and how does that effect our malcode analysis? At the same time, vendors describe Droid malcode as becoming more complex - is it because of complexity of functionality, implementation, or obfuscation and encryption? What tools do analysts find useful for reversing these packages and why? Why aren't public sandboxes and toolsets handling Java malcode runtime analysis and reporting?

This paper examines and categorizes the types of Java malcode in the wild over the past year, its prevalence, the obfuscation and anti-reversing techniques embedded in it, the Java components affected and the best tools to tackle these challenges.