Routine processing of our large volume collections has unearthed a sample that seems noteworthy to be mentioned. Digging deeper revealed it was indeed a simple variant descending from a very old and familiar family of Java based Trojans [Java/SillyDl]
Intricacies of its execution
This sample's payload is same as what the age old downloader agents are known to do. By Design, It downloads additional malware executables from distribution sites on the internet and proceeds to trigger their installation routines. Implemented as an applet, a better and easy understanding of this malware component can be gained through the output of instrumented standalone version of this applet shown in Fig 1.
Fig.1: Instrumented output
So far, everything seems to be simple and very old behaviour. So Why did it need attention?
The sample is created using the updated SDK[ Java Development Kit version 7] recently made available a week ago. Being among the first of the samples to be created using this updated development environment is what primarily intrigued us. Note:JDK7 is the latest major version released a week ago and it is the first major release since JDK6 five years ago.
At this stage there are no JDK7 specific APIs (or) new features introduced in JDK7 are used in this malware. It is simply compiled using JDK7.
This fact suggests that the malware author may not have intentionally used JDK7; however we can expect samples created using new features introduced in JDK7 anytime sooner.
There is a side effect of the usage of the latest JDK to create malware. Naturally, a Java-class created using a higher version of JDK cannot be executed by a lower version Java Virtual Machine. Hence this sample will not run in the machines that are still using the older version of JDK (and generally there will be plenty of machines still using older versions of JVM).
Fig.2 is a screenshot of the Runtime errors encountered while we tried to load this applet in a system that was running JDK6.
Fig.2: Runtime error message from JRE 1.6
This sample is detected as "Java/SillyDlJava.AT". Though this malware does not use any new features of the updated SDK, it will be interesting to watch out for this trend.