Anti-decompiling techniques in malicious Java Applets

Step 1: How this started

While I was investigating the Trojan.JS.Iframe.aeq case (see blogpost <>), one of the files dropped by the Exploit Kit was an Applet exploiting a vulnerability:

document.write('<applet archive="dyJhixy.jar" code="QPAfQoaG.ZqnpOsRRk"><param value="" name="kYtNtcpnx"/></applet>');

Step 2: First analysis

So basically I unzipped the .jar and took a look using JD-GUI, a Java decompiler. These were the resulting classes inside the .jar file:

The class names are weird, but nothing unusual. Usually the Manifest states the entry point (main class) of the…
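As an added example (not code from the original post), the following script performs the same first-pass triage on an applet .jar without a decompiler: it lists the classes in the archive, reads the manifest for a Main-Class, and checks that the class named in the HTML code= attribute actually exists in the archive. The jar is a constructed stand-in; only the class name and the applet tag come from the page.

```python
"""Static triage of an applet .jar: list classes, read the manifest entry
point, and confirm the <applet code=...> class is present in the archive."""
import io
import re
import zipfile

# Constructed stand-in for dyJhixy.jar: the entry class name and the applet
# tag are from the page, the manifest text and class bytes are made up.
def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nCreated-By: 1.7.0\r\n\r\n")
        for name in ("QPAfQoaG/ZqnpOsRRk.class", "QPAfQoaG/a.class", "QPAfQoaG/b.class"):
            zf.writestr(name, b"\xca\xfe\xba\xbe" + b"\x00" * 8)  # class magic + padding
    return buf.getvalue()

APPLET_TAG = ('<applet archive="dyJhixy.jar" code="QPAfQoaG.ZqnpOsRRk">'
              '<param value="" name="kYtNtcpnx"/></applet>')

def applet_code_attr(html: str) -> str:
    """Extract the code= attribute, which names the applet's entry class."""
    m = re.search(r'<applet[^>]*\bcode="([^"]+)"', html)
    return m.group(1) if m else ""

def code_attr_to_path(code: str) -> str:
    """'QPAfQoaG.ZqnpOsRRk' -> 'QPAfQoaG/ZqnpOsRRk.class' (trailing '.class' tolerated)."""
    code = code[:-6] if code.endswith(".class") else code
    return code.replace(".", "/") + ".class"

def list_classes(jar: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return sorted(n for n in zf.namelist() if n.endswith(".class"))

def manifest_main_class(jar: bytes) -> str:
    """Return the manifest's Main-Class, or '' when absent (applets often have none)."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Main-Class:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else ""

def triage(jar: bytes, html: str) -> dict:
    classes = list_classes(jar)
    entry = code_attr_to_path(applet_code_attr(html))
    return {"classes": classes, "entry_class": entry,
            "entry_present": entry in classes,
            "manifest_main": manifest_main_class(jar)}

if __name__ == "__main__":
    print(triage(build_sample_jar(), APPLET_TAG))
```

For an applet the manifest usually carries no Main-Class, so the HTML code= attribute, not the manifest, tells you which class to open first in the decompiler.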

Read more: Anti-decompiling techniques in malicious Java Applets

Story added 19 August 2013; the content source with the full text can be found at the link above.