Java Malware question.


charlie
May 24th, 2010, 15:05
Hi guys,
I've noticed that some of the recent Java malware are using invalid constant pool entries in their files.
Some of the constant pool types used include 52, 54, 64 etc. These are not defined in the
Java file format. Is this a deliberate trick used by malware authors, or are they corrupt samples?
Has anyone else noticed this behaviour before? Unfortunately I haven't got the sample to upload :-( .
Also, any Java malware repositories/sources you can share with me?

Thanks
Charlie

OHPen
May 24th, 2010, 19:13
Hi charlie,

Usually, if we talk about the J2SE runtime, classfiles with an unknown constant pool entry will not be accepted by the virtual machine and therefore such a classfile cannot be loaded. But I also saw some modified class files which are optimized for J2ME virtual machines. Due to the fact that J2ME applications must be small to save resources, the VM is a lightweight one as well. It could be that, for example, the check for invalid constant pool types is simply missing to get better performance on the mobile device while running Java applications.
If you have a mobile device where you can run Java applications, simply try it. You will get a message if the VM is not loading the class.
Anyway, if the VM is loading the class for whatever reason, the author of this malware is probably using the CP entry to hide his payload. A decompiler, which usually does not show invalid CP entries, will not show anything. You could check that too if you decompile the code of the class and take a look at the methods. If reflection is used on the class itself, the author is probably using this trick.

hope that helps you,
regards,
OHPen

charlie
May 25th, 2010, 15:53
Thanks for the reply OHPen, that was really helpful.

>a decompiler which usually do not show invalid cp entries
I was planning to write a parser for Java to generate raw bytes for methods, strings etc. When I look at the Java spec, based on the CP type we read the unsigned int, short, double etc. I was wondering how a decompiler or a J2ME traces this and parses the Java file. Is there any popular open source Java parser which does this? (Sorry about being lazy, I tried searching for the way the 'JAD' decompiler works but with no success :-) ).

Charlie

OHPen
May 26th, 2010, 05:50
It is pretty easy to scan a class file for undefined CP entries. Dumping the entries will also be no problem because of the general structure of the CP entry wrapper. But what do you want to do with the dumped constant pool if you don't know how to decode it? For sure a tool can automatically dump all invalid entries, but further analysis of the loader of the entries is needed.

Two years ago I had the same problem as you have. I needed a good class library and a fitting license for it, to use it for commercial purposes. Most of the libraries I found were pretty bloated, with too much functionality implemented that I didn't need, and some of them have bad licenses, so commercial use was prohibited.
That's why I wrote my own class file library for reading, writing and manipulating. Usually this is the best way, but it is a lot of work. I wrote it in C, platform independent, with support for Windows, Linux and Mac OS X. It took me 1 year to get a really stable version of it.

If I were you, try the ASM framework, or BCEL. Both are free. Dunno if the source is supplied, but I think so.

regards,
OHPen
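The scan OHPen describes above, written out as an added example (not code posted by either participant): it walks the constant pool using the entry sizes from the JVM spec and stops at the first tag the spec does not define, reporting its index. The class-file bytes are constructed inline and include an undefined tag 52 so the flagging path is exercised.

```python
import struct

# Byte sizes of fixed-length constant pool entries, keyed by tag (JVM spec 4.4).
# Tag 1 (Utf8) is variable-length; tags 5 and 6 (Long/Double) take two slots.
# Tags 15, 16 and 18 were added with invokedynamic in Java 7.
CP_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4,
                 11: 4, 12: 4, 15: 3, 16: 2, 18: 4}
CP_UTF8 = 1

def scan_constant_pool(data):
    """Walk the constant pool of a class file.

    Returns (entries, invalid): entries is a list of (index, tag, raw_bytes),
    invalid the pool indices whose tag is not defined by the spec. The walk
    stops at the first undefined tag because its length cannot be known,
    so everything after that point would be misparsed anyway.
    """
    magic, _minor, _major, cp_count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    off, idx, entries, invalid = 10, 1, [], []
    while idx < cp_count:
        if off >= len(data):
            raise ValueError("constant pool truncated at index %d" % idx)
        tag = data[off]
        if tag == CP_UTF8:
            (length,) = struct.unpack(">H", data[off + 1:off + 3])
            size = 3 + length
        elif tag in CP_FIXED_SIZE:
            size = 1 + CP_FIXED_SIZE[tag]
        else:
            invalid.append(idx)
            entries.append((idx, tag, data[off:]))  # rest of file, undecodable
            break
        entries.append((idx, tag, data[off:off + size]))
        off += size
        idx += 2 if tag in (5, 6) else 1
    return entries, invalid

# Constructed sample (not a real malware sample): header, cp_count = 5, then
# #1 Utf8 "Foo", #2 Class -> #1, #3 Integer 42, #4 undefined tag 52 (0x34).
SAMPLE = (b"\xca\xfe\xba\xbe" + b"\x00\x00\x00\x31" + b"\x00\x05"
          + b"\x01\x00\x03Foo" + b"\x07\x00\x01" + b"\x03\x00\x00\x00\x2a"
          + b"\x34\xde\xad\xbe\xef")

if __name__ == "__main__":
    entries, invalid = scan_constant_pool(SAMPLE)
    for idx, tag, raw in entries:
        print("#%d tag=%d %s" % (idx, tag, raw.hex()))
    print("undefined tags at indices:", invalid)
```

A real sample whose VM still loads the class would need the bytes after the flagged index examined by hand, since their layout is whatever the class's own loader code expects.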

charlie
May 26th, 2010, 15:06
>but what do you want to do with the dumped constant pool if you don't know how to decode it ?
Basically I'm trying to write a tool which scans all the class files and generates hex bytes for important methods in the class file. It works fine for files with proper CP entries, but it doesn't for the invalid ones. I'll go through the frameworks you've suggested, and also see how the Java built-in parser does it and how I can tackle this.

Thanks for all your inputs

charlie