Firing the roast - Java is heating up again

Kurt Baumgartner, Kaspersky Lab

With the recent explosion in prevalence of both client-side Java exploitation and Android malware development, Java/Dalvik malcode analysis has become more important than it was even a year ago. Java-related malcode can target a variety of components and embody a variety of functionality: exploitation of the Java runtime environment or the web browser plug-in, exploitation of the Android OS, or running as obfuscated standalone code. The available debugging, instrumentation and decompiling tools each have their own strengths and weaknesses for Java malcode analysis. For writing CVE-2010-0840 exploits, the usual compilers are dismissed and class file bytecode is created manually. In turn, how are the usual tools affected, and how does that affect our malcode analysis? At the same time, vendors describe Droid malcode as becoming more complex: is that because of complexity of functionality, of implementation, or of obfuscation and encryption? What tools do analysts find useful for reversing these packages, and why? Why aren't public sandboxes and toolsets handling Java malcode runtime analysis and reporting?

This paper examines and categorizes the types of Java malcode in the wild over the past year, its prevalence, the obfuscation and anti-reversing techniques embedded in it, the Java components affected and the best tools to tackle these challenges.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.