© 2014 IBM Corporation
IBM Security
Malware in a JAR: How Rogue Java
Applications Compromise your Endpoints
Christopher Beier
Sr. Product Marketing Manager
IBM Security
Question:
Which end-user application is most targeted and most exploited by cybercriminals?
A. Adobe Acrobat
B. The Calculator
C. Browsers
D. Java
JAVA vs. JavaScript
• Java is a programming language and computing platform first released by Sun Microsystems in 1995.
• The JavaScript programming language, developed by Netscape, Inc., is not part of the Java platform.
– JavaScript does not create applets or stand-alone applications. In its most common form, JavaScript resides inside HTML documents, and can provide levels of interactivity to web pages that are not achievable with simple HTML.
– Java creates applications that run in a virtual machine or browser, while JavaScript code runs in a browser only.
– Java code needs to be compiled, while JavaScript code is plain text.
– They require different plug-ins.
The Stats According to the JAVA.com site
• 97% of Enterprise Desktops Run Java
• 89% of Desktops (or Computers) in the U.S. Run Java
• 9 Million Java Developers Worldwide
• #1 Choice for Developers
• #1 Development Platform
• 3 Billion Mobile Phones Run Java
• 100% of Blu-ray Disc Players Ship with Java
• 5 Billion Java Cards in Use
• 125 million TV devices run Java
• 5 of the Top 5 Original Equipment Manufacturers Ship Java ME
Explosive growth of Java vulnerabilities… combined with a presence in every enterprise makes Java the top target for exploits.
Two attack types…
Source: IBM X-Force Research and Development
Malware in a JAR:
The JAR format uses ZIP compression to store the data in compact form.
Malware written in Java code is extremely difficult to detect and therefore can remain stealthy for longer periods of time.
Cyber-criminals are using Java-based malware to infiltrate organizations and establish a long-term presence.
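Because a JAR is a ZIP archive, a defender can open one with an ordinary ZIP library and check its structure before trusting it: the manifest's Main-Class and Permissions attributes, whether signature files are present, which class files and nested JARs it carries. The script below is an added example and is not code from the IBM deck or from Trusteer Apex; the in-memory sample JAR, the `build_sample_jar`/`triage_jar` names and the risk flags (unsigned, all-permissions, path-traversal entries, extreme compression ratio) are assumptions made for illustration.

```python
"""Triage a JAR file by treating it as the ZIP archive it is.

Added example, not from the IBM deck: builds a small constructed JAR in
memory (manifest plus one class entry) and inspects its structure the way
an analyst or endpoint control would before deciding whether to trust it.
"""
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"
# Files a jarsigner-signed JAR carries under META-INF/.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def build_sample_jar(main_class="com.example.Updater", signed=False):
    """Construct a minimal JAR in memory (sample data for this example only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest = (
            "Manifest-Version: 1.0\r\n"
            f"Main-Class: {main_class}\r\n"
            "Permissions: all-permissions\r\n"   # real manifest attribute, assumed value
            "\r\n"
        )
        zf.writestr(MANIFEST_PATH, manifest)
        # Real class files start with the 0xCAFEBABE magic; the rest here is filler.
        zf.writestr("com/example/Updater.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82")  # placeholder, not a real signature
    return buf.getvalue()


def parse_manifest(text):
    """Parse the main section of MANIFEST.MF into a dict, folding continuation lines."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # a blank line ends the main section
        if raw.startswith(" ") and last_key:
            attrs[last_key] += raw[1:]  # continuation line: leading space, then more value
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def triage_jar(data):
    """Return structural facts about a JAR plus the risk flags a defender cares about."""
    report = {"entries": [], "manifest": {}, "flags": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["entries"] = names
        if MANIFEST_PATH in names:
            report["manifest"] = parse_manifest(zf.read(MANIFEST_PATH).decode("utf-8", "replace"))
        for name in names:
            # Entry names that would escape the extraction directory if unpacked naively.
            if name.startswith("/") or ".." in name.split("/"):
                report["flags"].append(f"path traversal entry: {name}")
            info = zf.getinfo(name)
            if info.compress_size and info.file_size / info.compress_size > 100:
                report["flags"].append(f"extreme compression ratio: {name}")
    report["class_files"] = [n for n in report["entries"] if n.endswith(".class")]
    report["nested_jars"] = [n for n in report["entries"] if n.lower().endswith(".jar")]
    report["signed"] = any(
        n.startswith("META-INF/") and n.endswith(SIGNATURE_SUFFIXES) for n in report["entries"]
    )
    if not report["signed"]:
        report["flags"].append("unsigned")
    if report["manifest"].get("Permissions") == "all-permissions":
        report["flags"].append("requests all-permissions")
    return report


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

The presence of `.SF`/`.RSA` files only tells you the JAR carries a signature; verifying it (certificate chain, per-entry digests) still requires `jarsigner -verify` or equivalent, which this structural check does not replace.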
The top 19 critical vulnerabilities (and affected software) in 2014 are:
• CVE-2014-0290 – Internet Explorer
• CVE-2014-0417 – Java
• CVE-2014-0525 – Adobe Acrobat/Reader
• CVE-2014-0536 – Adobe Flash
• CVE-2014-0559 – Adobe Flash
• CVE-2014-1753 – Internet Explorer
• CVE-2014-2401 – Java
• CVE-2014-1772 – Internet Explorer
• CVE-2014-1782 – Internet Explorer
• CVE-2014-1804 – Internet Explorer
• CVE-2014-2768 – Internet Explorer
• CVE-2014-4057 – Internet Explorer
• CVE-2014-4095 – Internet Explorer
• CVE-2014-4097 – Internet Explorer
• CVE-2014-4105 – Internet Explorer
• CVE-2014-0581 – Flash Player
• CVE-2014-6368 – Internet Explorer
• CVE-2014-8447 – Adobe Reader and Acrobat
• CVE-2014-6443 – Netis router
Exploit chain disruption
• Disrupt zero day attacks without prior knowledge of the exploit or vulnerability
– Correlate application state with post-exploit actions
– Apply allow / block controls across the exploit chain
Diagram: Application states → Indicators → Exploit propagation. Evaluate application states; monitor post-exploit actions: write files, breach other programs, alter registry, other breach methods.
Lockdown for Java
• Monitor and control high-risk Java application actions
– Malicious activity is blocked while legitimate Java applications are allowed
– Trust for specific Java apps is granted by Trusteer / IT administrator
Diagram: Monitor and control high-risk activities (e.g., write to file system, registry change) by trusted and untrusted apps; allow low-risk activities (e.g., display, local calculation) for trusted and untrusted apps; a malicious (rogue) Java app bypasses Java’s internal controls.
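The two slides above (exploit chain disruption and Lockdown for Java) describe one control: observe what a Java process does after the point where an exploit could have fired, correlate that action with the state the application was in, and allow or block based on the action's risk and the app's administered trust level. The policy engine below is an added example written for this page, not Trusteer Apex code; the state names (`rendering_applet`, `parsing_untrusted_input`), the risk tiers, the `LockdownPolicy`/`evaluate` names and the sample events are all assumptions constructed for illustration.

```python
"""Correlate application state with post-exploit actions and apply allow/block controls.

Added example, not IBM's Trusteer Apex code. The state model, risk tiers and the
constructed event records below are assumptions made for illustration only.
"""
from dataclasses import dataclass

# Post-exploit actions the deck lists as indicators, tiered by risk (assumed tiers).
HIGH_RISK_ACTIONS = {"write_file", "alter_registry", "breach_other_program"}
LOW_RISK_ACTIONS = {"display", "local_calculation"}

# Application states in which a Java process is handling untrusted input (assumed names).
EXPLOITABLE_STATES = {"rendering_applet", "parsing_untrusted_input"}


@dataclass(frozen=True)
class Event:
    app: str          # process or application that performed the action
    app_state: str    # what the application was doing when the action happened
    action: str       # action observed by the post-exploit monitor
    target: str       # file path, registry key or process name touched


class LockdownPolicy:
    """Allow/block decisions from (trust level, application state, action risk)."""

    def __init__(self, trusted_apps):
        # Trust is administered centrally (the deck: granted by Trusteer / IT administrator).
        self.trusted_apps = set(trusted_apps)

    def decide(self, event):
        """Return ('allow' | 'block', reason) for one observed action."""
        if event.action in LOW_RISK_ACTIONS:
            return "allow", "low-risk activity"
        if event.action not in HIGH_RISK_ACTIONS:
            return "allow", "action not in monitored set"
        if event.app in self.trusted_apps:
            return "allow", "high-risk activity by trusted app"
        if event.app_state in EXPLOITABLE_STATES:
            # High-risk action while handling untrusted content: exploit-chain indicator,
            # blocked without needing to know which vulnerability was used.
            return "block", f"{event.action} while {event.app_state}: exploit-chain indicator"
        return "block", "high-risk activity by untrusted app"


def evaluate(events, policy):
    """Apply the policy to a batch of events; returns (app, action, decision, reason) rows."""
    return [(e.app, e.action, *policy.decide(e)) for e in events]


# Constructed sample events (not real telemetry); paths are placeholders.
SAMPLE_EVENTS = [
    Event("java.exe", "rendering_applet", "display", "applet canvas"),
    Event("java.exe", "rendering_applet", "write_file", r"C:\Users\u\AppData\Local\Temp\svc.exe"),
    Event("java.exe", "idle", "alter_registry", r"HKCU\Software\ExampleKey"),
    Event("inventory-tool.jar", "idle", "write_file", r"C:\inventory\report.csv"),
]

if __name__ == "__main__":
    policy = LockdownPolicy(trusted_apps={"inventory-tool.jar"})
    for app, action, decision, reason in evaluate(SAMPLE_EVENTS, policy):
        print(f"{decision:5s} {app:20s} {action:22s} {reason}")
```

The ordering of the checks is the design point: low-risk actions are never interrupted (so users are not disrupted), trust is the administrator's decision rather than the application's, and the block on a high-risk action during an exploitable state fires on behaviour alone, which is what lets it cover an exploit nobody has signatures for yet.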
IBM Security Trusteer Apex
ADVANCED MULTI-LAYERED DEFENSE
Threat and Risk Reporting: Vulnerability Mapping and Critical Event Reporting; Advanced Threat Analysis and Turnkey Service
Credential Protection
• Prevent reuse on non-corporate sites
• Protect against submission on phishing sites
• Report on credential usage
Exploit Chain Disruption
• Block anomalous activity caused by exploits
• Zero-day defense by controlling exploit chain
Malware Detection and Mitigation
• Mitigation of massively distributed APTs
• Cloud-based detection of known threats
Malicious Communication Prevention
• Block malware communication
• Disrupt command and control
• Protects against data exfiltration
Lockdown for Java
• Block high-risk actions by malicious Java applications
• Administer the trust level, reducing user disruption
Global Threat Research and Intelligence: global threat intelligence delivered in near-real time from the cloud
IBM Intelligent Threat Protection
A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss
Smarter Prevention
• IBM Security Network Protection XGS: prevent remote network exploits and limit the use of risky web applications
• Trusteer Apex Endpoint Malware Protection: prevent malware installation and disrupt malware communications
• IBM Endpoint Manager: automate and manage continuous security configuration policy compliance
Security Intelligence
• IBM Security QRadar Security Intelligence: discover and prioritize vulnerabilities; correlate enterprise-wide threats and detect suspicious behavior
• IBM Security QRadar Incident Forensics: retrace full attack activity, search for breach indicators and guide defense hardening
• IBM Guardium Data Activity Monitoring
Continuous Response
• IBM Emergency Response Services: assess impact and plan strategically, and leverage experts to analyze data and contain threats
Global Threat Intelligence
• IBM X-Force Threat Intelligence: leverage threat intelligence from multiple expert sources
Open Integrations
• Ready for IBM Security Intelligence Ecosystem: share security context across multiple products; 100+ vendors, 400+ products
Find out more…
And visit us on SecurityIntelligence.com
IBM X-Force Threat Intelligence Reports: http://www.ibm.com/security/xforce/
Website: ibm.com/security/threat-protection/
YouTube: youtube.com/user/IBMSecuritySolutions
Twitter: @ibmsecurity
IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/x-force
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
