A cross-platform java-bot

Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers exploited CVE-2013-2465 to infect users with the malware.

Initializing and decrypting strings

To make analyzing and detecting the malware more difficult, its developers used the Zelix KlassMaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class, which means that in order to decrypt all the strings in the application, you have to analyze every class to find its decryption key.

String initialization and decryption is implemented in the static initializer code (<clinit>).
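The following is an added example, not code from the page or from the bot, that emulates what such a class does in its static initializer: each class carries its own key, and its encrypted character arrays are decrypted once at class-initialisation time. The rotating-XOR scheme (character i XORed with key[i % len(key)]) is an assumption, the pattern commonly seen in Zelix output; the page does not describe the actual algorithm. The class names, keys and ciphertexts are constructed for illustration.

```python
"""Emulating per-class string decryption as performed in <clinit>.

Assumed scheme: rotating XOR with a short per-class key. Everything in
CLASS_DUMP is constructed sample data, not material from the real sample.
"""

# Constructed "dump": what an analyst recovers from each class after locating
# its decryption routine -- the class's own key and the encrypted char arrays
# that its static initializer decrypts when the class is loaded.
CLASS_DUMP = {
    "a.b.c": {
        "key": [0x12, 0x34, 0x56, 0x78, 0x9A],
        "strings": [
            [0x71, 0x5B, 0x38, 0x1E, 0xF3, 0x75],
            [0x67, 0x44, 0x32, 0x19, 0xEE, 0x77],
        ],
    },
    "a.b.d": {
        "key": [0x4B, 0x1C, 0xA5, 0x07, 0x60],
        "strings": [
            [0x21, 0x7D, 0xD3, 0x66],
        ],
    },
}


def decrypt(cipher, key):
    """Rotating-XOR decryption: char i is XORed with key[i % len(key)].

    This mirrors the static decryption method that the obfuscator emits into
    each class and that <clinit> calls for every encrypted constant.
    """
    return "".join(chr(c ^ key[i % len(key)]) for i, c in enumerate(cipher))


def encrypt(plain, key):
    """Build-time inverse used by the obfuscator (XOR is symmetric)."""
    return [ord(c) ^ key[i % len(key)] for i, c in enumerate(plain)]


def decrypt_all(dump):
    """Decrypt every class's strings with that class's own key.

    Returns {class_name: [plaintext, ...]}.
    """
    return {
        name: [decrypt(s, entry["key"]) for s in entry["strings"]]
        for name, entry in dump.items()
    }


def cross_key_result(dump, victim_class, key_class):
    """Decrypt one class's strings with another class's key.

    Shows why every class must be analysed separately: a key recovered from
    one class yields garbage for the constants of any other class.
    """
    key = dump[key_class]["key"]
    return [decrypt(s, key) for s in dump[victim_class]["strings"]]


if __name__ == "__main__":
    for cls, strings in decrypt_all(CLASS_DUMP).items():
        print(cls, strings)
    print("a.b.d decrypted with a.b.c's key:",
          cross_key_result(CLASS_DUMP, "a.b.d", "a.b.c"))
```

Decrypting statically, as above, is preferable to loading the class in a JVM and reading the initialised fields: `<clinit>` runs the sample's own code, so any dynamic approach must happen inside a sandbox.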

Encrypted string initialization

Read more: A cross-platform java-bot

Story added 28 January 2014; the content source with the full text is at the link above.