Fake Java Update uses your PC in DDoS Offensive

Software patches, allegedly missing codecs and Flash Player or Java updates have been quite often used as baits in order to lure computer users into installing malware. We have recently come across this type of malware dissembling as a regular update to the Java platform. Closer investigation on the file revealed more than meets the eye: a carefully-crafted piece of malware that is extremely viral (i.e. spreads using an array of media) and can be used as a powerful tool to initiate distributed denial-of-service attacks.

This e-threat seems to be in-sync with the canvas of on-line attacks we’ve been witnessing lately, especially those attributed to the independent hacktivist groups, such as Anonymous or their spin-off (and now defunct) organization called LulzSec. Both groups made a habit of targeting a wide range of institutions, including companies and government organizations not as much for money but as part of their “Antisec” credo.

Backdoor.IRCBot.ADEQ is a Trojan disguised as a Java update. It is extremely “contagious”, as it can be downloaded from a multitude of locations, most of them being legit websites that have been infected by the tool.

The Trojan seems to have a dedicated infection technique for each PC user:  the malware can also spread via P2P shared folders, USB drives, Local Area Networks, MSN, or even send itself via e-mail messages, if the system has Outlook Express installed.

Backdoor.IRCBot.ADEQ uses private messages in order to communicate with its master, who sends the bot an assortment of commands, including the URL of a particular website the malware needs to flood. The crook can also transmit the Trojan precise instructions such as the hour, the exact time frame and the frequency of requests that need to be executed from the compromised PC.

On top of that, the bot proceeds to uninstalling other bots such as Cerberus, Blackshades, CyberGate, or OrgeneraL DDoS Bot Cryptosuite if found injected into winlogon.exe, csrss.exe and services.exe. This is an essential step for the bot to ensure that the user doesn’t suspect any malicious activity on the computer, as well as to ensure that all the other pieces of malware racing for network bandwidth won’t get it.

Plus, the bot also tries to prevent the user from noticing that the Trojan is constantly sending data to the Internet. It successfully adds itself to the list of authorized applications in the Windows Firewall, and tries to kill firewall alerts issued by antivirus solutions when they pop up.

This makes Backdoor.IRCBot.ADEQ an efficient DDoS tool to be used by an attacker to take down sites or hinder the activity of a particular company; this type of attack may translate into money loss and tremendous negative impact on professional credibility of a company/institution or newspaper company as latest events show.

In the recent security landscape, Anmonymous and LulzSec have launched a couple of DDoS attacks against high-profile institutions. While the open-source Low-Orbit Ion Cannon tools have played a role in orchestrating the incident, most of the power was provided by botnets, as most permanent members of the organization “herd” botnets ranging between 5 and 30,000 infected machines.

Botnets are universal tools of trade. They are highly-priced instruments that can do practically anything, from generating revenue through advertisement fraud, to providing tremendous amounts of bandwidth in DDoS attacks against governments. In most of the cases, these attacks can only be traced to the victim’s computer.

A company might also get blackmailed and asked to pay a specific amount of money, or their servers will automatically be flooded with connection requests which it will be unable to answer, causing it to collapse. In the meanwhile, the company loses potential customers and, implicitly, money.

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.