I am going to explain a quick and quite effective way to spot malicious content inside malware written in languages that support reflection. I am not going to reinvent the wheel, but I will show you how to combine the wheel with a little bit of brain to obtain a good result while dealing with malware analysis.
Intro.
I will focus on Java, but the idea exposed here is applicable to every language that supports reflection.
I am going to explain a quick way to understand what is contained inside the class we are analyzing without decompiling it or wasting time trying to understand its (probably obfuscated) code.
What is reflection?
Reflection is a mechanism that enables a program to see and manipulate itself; it is composed of metadata and of operations that manipulate that metadata.
In my words ? A nice way to mess with unknown code :]
What and where is the metadata?
Metadata is information associated with an entity in such a way that the entity can “admire” itself.
Metadata can be found in:
- class
- constructor
- field
- method
- …
How can I access the metadata?
Simple: java.lang.reflect.
For instance, in order to list all the methods declared in an unknown class (c):
import java.lang.reflect.Method;
// ...
// c is the java.lang.Class object of the unknown class, e.g.
// Class<?> c = Class.forName("Mailvue"); with the class on the classpath
for (Method m : c.getDeclaredMethods())
{
    // prints modifiers, return type, name and parameter types of each method
    System.out.println(m.toString());
}
Time to be practical.
Let me pick a sample to analyze, and let me fire up jref.
The sample that I am going to analyze comes inside a jar; it contains the following three classes:
1. Mailvue.class
2. Skypeqd.class
3. Twitters.class
Let’s investigate.
[jref output for 1. Mailvue.class, 2. Skypeqd.class and 3. Twitters.class: screenshots not reproduced here]
As we can easily deduce, this package is an Applet that is attempting to exploit the well-known deserialization bug CVE-2008-5353. For more details, please refer to my previous blog post here.
The tool: jref.
Jref is NOT an advanced tool; it is only a little (a few lines of code) Java program that collects and prints out information about the provided class.
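As an added example in the same spirit (this is not the jref source, which is not on this page, and ClassInspector and its argument layout are my own names), here is a minimal inspector that loads a class from a jar and prints what reflection exposes, as in the getDeclaredMethods loop above. It uses the three-argument Class.forName with initialize=false so that the sample's static initializer does not run while we look at it.

```java
import java.io.File;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;

/** Hypothetical jref-style inspector. Usage: java ClassInspector sample.jar Mailvue */
public class ClassInspector {
    public static void main(String[] args) throws Exception {
        File jar = new File(args[0]);
        // Class loader rooted at the jar so the class bytes can be found
        URLClassLoader loader = new URLClassLoader(new URL[] { jar.toURI().toURL() });
        // initialize=false: the class is loaded but its static initializer (<clinit>)
        // is NOT run, so listing metadata does not execute the sample's own code
        Class<?> c = Class.forName(args[1], false, loader);
        inspect(c);
    }

    static void inspect(Class<?> c) {
        System.out.println("class      : " + c.getName());
        // an Applet subclass plus a Serializable type is already a strong hint
        System.out.println("superclass : " + c.getSuperclass());
        for (Class<?> i : c.getInterfaces())
            System.out.println("implements : " + i.getName());
        try {
            for (Field f : c.getDeclaredFields())
                System.out.println("field      : " + f);
            for (Constructor<?> k : c.getDeclaredConstructors())
                System.out.println("ctor       : " + k);
            for (Method m : c.getDeclaredMethods()) {
                String tag = "";
                // readObject/writeObject are the hooks invoked during (de)serialization
                if (m.getName().equals("readObject") || m.getName().equals("writeObject"))
                    tag = "   <-- custom (de)serialization hook";
                System.out.println("method     : " + m + tag);
            }
        } catch (LinkageError e) {
            // a member signature references a type that is not on the classpath
            // (e.g. a class from another JRE version); report instead of aborting
            System.out.println("unresolved : " + e);
        }
    }
}
```

Resolving member signatures may load further classes from the jar, but they are not initialized either, so no sample code runs during inspection.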
You will be able to download this tool on this website (tomorrow?).
I will edit this post with the link. You will be also able to download this tool from the tools link on the sidebar.
Conclusion.
You can quickly and easily extend the main idea here to all the other languages that support reflection.
I hope you have enjoyed the reading.
Happy reflection ;]
I used to use DJ Java for decompiling any Java malware, used to be pretty good before it went payware.
Surprised this was .net reflection! I suppose most people have outdated Java inside their browser.
Anyway, nice article.
@sarkie_dave
July 9th, 2010 at 12:01 pm
Hi, thanks for the post. Is the tool available? I have something I could use it for, a sample of the newest unruy. In the meantime, I’m going to look at JavaSnoop. I’ve learned that there are some Java options for calling the jar that will also do something of a run trace, but I need to fire up the goat first.
@curtw
August 21st, 2010 at 7:33 am
Hi Donato,
It is very interesting. I started to study the malware contained in Java Applets, and see that the most unsafe packages are java.net, java.lang.reflect and java.security; any more? Is it possible to use reflection (without decompiling) to detect that an applet uses some unsafe method, such as java.net.URL.openConnection() or writeObject/readObject in your example, or at least imported packages like "import java.net.URLConnection"?
Regards,
Tadeusz
December 1st, 2010 at 7:39 pm