Java Applets

reverse-engineering malware j4va exploit

The first applets to discover are the Demo Applets. If you have installed the JDK, they can be found in demo/applets. Note that the JDK 7 distributes the demos in a separate package. Alphabetically, we can start with Animator example 1. If you want to run it natively instead of in a browser for now, use appletviewer:

appletviewer /opt/jdk1.6.0_31/demo/applets/Animator/example1.html

The Animator example HTML links to its source code, which contains the classes Animation, AnimationFrame, DescriptionFrame, and ParseException. Using our decompiler, jd-gui, we can also retrieve the source from the .class file.

Animator example 1

If you have trouble running this on Linux (especially Gentoo), it's possible that you need to mess around with your Java plugins. For me, this did it:

ln -s /opt/jdk1.6.0_31/jre/lib/i386/ ~/.mozilla/plugins/

So now let's look at what happens when this applet runs. First of all, notice that you didn't have to click an "Are you sure?" dialog box for this applet. The reason is that the applet security model allows simple (unsigned, sandboxed) applets to run without confirmation. For detailed information about this see What Applets Can and Cannot Do by Sun/Oracle. It says that such an applet cannot do harm to your local system, so there is no need to ask you about it. What about signed applets? The same page says that signed applets can do bad things to your system. Chapter 10: Signed Applets from Advanced Programming for the Java 2 Platform explains how we go about signing a potentially malicious applet. For the impatient:

jar cvf SignedApplet.jar SignedAppletDemo.class
keytool -genkey -alias signFiles -keystore compstore -keypass kpi135 -dname "" -storepass ab987c
jarsigner -keystore compstore -storepass ab987c -keypass kpi135 -signedjar SSignedApplet.jar SignedApplet.jar signFiles

Then we put the applet into an HTML file like this:

<applet archive="SSignedApplet.jar" code="SignedAppletDemo.class" height="100" width="300"></applet>

It gives us this big warning:

Java warning

Assuming that we don't have a $200 code-signing key (which I don't yet), this warning looks pretty scary, right? For $200, you get a much nicer-looking warning. CERT thinks it's dangerous, and so should you. There's nothing stopping a malware producer from buying as many code-signing certificates as he needs.

Java verified message

We should also note that the checkbox is checked by default, so one accidental click means Java stays insecure for a long time.
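As an added defender-side example (not from the original post or from the Sun tutorial), here is a Python script that triages a JAR the way you would before trusting a warning like the one above: it reports whether META-INF carries a signature block at all, and whether every entry still matches the digest recorded in its manifest (a repacked jar fails the second check). The jar it inspects is constructed inline, with placeholder .SF/.RSA files; the script does not verify the PKCS#7 signature or the certificate, which is what jarsigner -verify is for.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Parse MANIFEST.MF into {entry name: {attribute: value}}; '' is the main section."""
    text = text.replace('\r\n', '\n').replace('\n ', '')   # unwrap 72-byte continuation lines
    sections = {}
    for block in text.split('\n\n'):
        attrs = dict(ln.partition(': ')[::2] for ln in block.split('\n') if ln)
        if attrs:
            sections[attrs.pop('Name', '')] = attrs
    return sections

def inspect_jar(jar_bytes):
    """Return (signature block files, entries whose content no longer matches the manifest digest)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        blocks = [n for n in zf.namelist()
                  if n.startswith('META-INF/') and n.rsplit('.', 1)[-1] in ('RSA', 'DSA', 'EC')]
        manifest = parse_manifest(zf.read('META-INF/MANIFEST.MF').decode())
        tampered = []
        for entry, attrs in manifest.items():
            for key, value in attrs.items():
                if entry and key.endswith('-Digest'):       # e.g. SHA1-Digest, SHA-256-Digest
                    alg = key[:-len('-Digest')].replace('-', '').lower()
                    if hashlib.new(alg, zf.read(entry)).digest() != base64.b64decode(value):
                        tampered.append(entry)
    return blocks, tampered

def build_sample_jar(tamper=False):
    # Constructed sample, not a real signed jar: one fake class, a manifest digest for it, and
    # placeholder .SF/.RSA files standing in for what jarsigner writes. tamper=True edits the
    # class after "signing", which is what a repacked applet looks like.
    cls = b'\xca\xfe\xba\xbe constructed SignedAppletDemo class body'
    digest = base64.b64encode(hashlib.sha256(cls).digest()).decode()
    manifest = ('Manifest-Version: 1.0\r\n\r\nName: SignedAppletDemo.class\r\n'
                'SHA-256-Digest: ' + digest + '\r\n\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('META-INF/MANIFEST.MF', manifest)
        zf.writestr('META-INF/SIGNFILE.SF', 'Signature-Version: 1.0\r\n')
        zf.writestr('META-INF/SIGNFILE.RSA', b'placeholder for the PKCS#7 signature block')
        zf.writestr('SignedAppletDemo.class', cls + (b'!' if tamper else b''))
    return buf.getvalue()

if __name__ == '__main__':
    for name, jar in (('intact', build_sample_jar()), ('repacked', build_sample_jar(tamper=True))):
        print(name, inspect_jar(jar))
```

A jar with no signature block is the unsigned, sandboxed case from earlier; one with a block but a tampered entry will be rejected by the plugin, so the interesting case for triage is the one that passes both checks and still asks for full trust.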

Hackers and malware authors have been using this for years. It can't be used lightly, though: the attacker must be sure that the victim will click Run. How does the malware author know? He doesn't need to know; he only needs to lure the victim into making the mistake. The promise of free warez, a cell phone unlock key, or photos has fooled many people.

But malware authors don't actually have to resort to this. Since they can find out the version of Java running without asking the user, any user who has an old version of Java can be exploited instead. The past two years have seen an unprecedented number of vulnerabilities in Java, most of which have publicly available exploits requiring no expertise.

So now that we've seen how the applet system can be subverted to get arbitrary code execution on millions of home users' machines, let's talk about how to disable Java on our own machines.

Disable Java on Firefox
Disable Java on IE
Disable Java in Chrome
Disable Java in Opera
Disable Java icon