© 2014 IBM Corporation
IBM Security
Malware in a JAR: How Rogue Java Applications Compromise Your Endpoints
Christopher Beier
Sr. Product Marketing Manager
IBM Security
Question:
Which end-user application is most targeted and most exploited by cybercriminals?
A. Adobe Acrobat
B. The Calculator
C. Browsers
D. Java
JAVA vs. JavaScript
Java is a programming language and computing platform first released by Sun Microsystems in 1995.
The JavaScript programming language, developed by Netscape, Inc., is not part of the Java platform.
– JavaScript does not create applets or stand-alone applications. In its most common form, JavaScript resides inside HTML documents, and can provide levels of interactivity to web pages that are not achievable with simple HTML.
– Java creates applications that run in a virtual machine or browser, while JavaScript code runs in a browser only.
– Java code needs to be compiled, while JavaScript code is plain text.
– They require different plug-ins.
The Stats According to the JAVA.com site
97% of Enterprise Desktops Run Java
89% of Desktops (or Computers) in the U.S. Run Java
9 Million Java Developers Worldwide
#1 Choice for Developers
#1 Development Platform
3 Billion Mobile Phones Run Java
100% of Blu-ray Disc Players Ship with Java
5 Billion Java Cards in Use
125 million TV devices run Java
5 of the Top 5 Original Equipment Manufacturers Ship Java ME
Explosive growth of Java vulnerabilities… combined with a presence in every enterprise makes Java the top target for exploits.
Malware in a JAR:
Malware written in Java code is extremely difficult to detect and therefore can remain stealthy for longer periods of time.
The JAR format uses ZIP compression to store the data in compact form.
Cyber-criminals are using Java-based malware to infiltrate organizations and establish a long-term presence.
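Because a JAR is a ZIP archive, a defender can inspect one statically without launching any Java code. The following is an added example, not part of the IBM deck or of any Trusteer product: it builds a small constructed JAR in memory (placeholder class bytes, a manifest with a Main-Class entry and a nested archive), then parses it with Python's standard zipfile module to recover the manifest, the class list and a few static indicators an analyst would review (unsigned archive, nested JAR, bad class magic, path-traversal entry names, a Main-Class that is not present). The entry names and manifest values are constructed for the example.

```python
"""Inspect a JAR as the ZIP archive it is (added example, not IBM/Trusteer code)."""
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with these 4 bytes

# Constructed manifest: main section ends at the first blank line.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Main-Class: com.example.Loader\r\n"
    "Created-By: constructed-sample\r\n"
    "\r\n"
)


def build_sample_jar() -> bytes:
    """Build a constructed JAR in memory. Class bodies are placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        jar.writestr("com/example/Loader.class", CLASS_MAGIC + b"\x00" * 32)
        jar.writestr("com/example/Payload.class", CLASS_MAGIC + b"\x00" * 32)
        jar.writestr("resources/inner.jar", b"PK\x03\x04" + b"\x00" * 16)  # nested archive
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Parse the main section of MANIFEST.MF; continuation lines start with a space."""
    attrs = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # end of main section; per-entry sections follow
        if raw.startswith(" ") and last:
            attrs[last] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def inspect_jar(data: bytes) -> dict:
    """Return entries, classes, manifest, signature presence and review indicators."""
    report = {"entries": [], "classes": [], "manifest": {}, "signed": False, "indicators": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        if jar.testzip() is not None:
            report["indicators"].append("corrupt archive entry")
        for info in jar.infolist():
            name = info.filename
            report["entries"].append(name)
            if name.endswith(".class"):
                report["classes"].append(name[:-6].replace("/", "."))
                if jar.read(name)[:4] != CLASS_MAGIC:
                    report["indicators"].append(f"{name}: not a class file (bad magic)")
            if name.startswith("META-INF/") and name.endswith((".SF", ".RSA", ".DSA", ".EC")):
                report["signed"] = True  # signature block present (validity not checked here)
            if name.endswith((".jar", ".zip")):
                report["indicators"].append(f"{name}: nested archive")
            if ".." in name.split("/") or name.startswith("/"):
                report["indicators"].append(f"{name}: path traversal in entry name")
        if "META-INF/MANIFEST.MF" in report["entries"]:
            raw = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            report["manifest"] = parse_manifest(raw)
        else:
            report["indicators"].append("no manifest")
    main_cls = report["manifest"].get("Main-Class")
    if main_cls and main_cls not in report["classes"]:
        report["indicators"].append(f"Main-Class {main_cls} not present in archive")
    if not report["signed"]:
        report["indicators"].append("unsigned JAR")
    return report


if __name__ == "__main__":
    for key, value in inspect_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

The "signed" flag only records that a signature block exists; verifying the signature and the signer's certificate chain is a separate step (the JDK's jarsigner does it), and an unsigned or self-signed JAR is exactly the case the deck's trust administration is meant to cover.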
The top 19 critical vulnerabilities (and affected software) in 2014 are:
• CVE-2014-0290 – Internet Explorer
• CVE-2014-0417 – Java
• CVE-2014-0525 – Adobe Acrobat/Reader
• CVE-2014-0536 – Adobe Flash
• CVE-2014-0559 – Adobe Flash
• CVE-2014-1753 – Internet Explorer
• CVE-2014-2401 – Java
• CVE-2014-1772 – Internet Explorer
• CVE-2014-1782 – Internet Explorer
• CVE-2014-1804 – Internet Explorer
• CVE-2014-2768 – Internet Explorer
• CVE-2014-4057 – Internet Explorer
• CVE-2014-4095 – Internet Explorer
• CVE-2014-4097 – Internet Explorer
• CVE-2014-4105 – Internet Explorer
• CVE-2014-0581 – Flash Player
• CVE-2014-6368 – Internet Explorer
• CVE-2014-8447 – Adobe Reader and Acrobat
• CVE-2014-6443 – Netis router
Exploit chain disruption
Disrupt zero day attacks without prior knowledge of the exploit or vulnerability
• Correlate application state with post-exploit actions
• Apply allow / block controls across the exploit chain
Diagram: Application states → Exploit propagation → Indicators. Evaluate application states, then monitor post-exploit actions: write files, breach other programs, alter registry, other breach methods.
Lockdown for Java
Monitor and control high risk Java application actions
• Malicious activity is blocked while legitimate Java applications are allowed
• Trust for specific Java apps is granted by Trusteer / IT administrator
Diagram: Monitor and control high-risk activities. A malicious (rogue) Java app bypasses Java’s internal controls. Low-risk activities (e.g., display, local calculation) are allowed for trusted and untrusted apps; high-risk activities (e.g., write to file system, registry change) are controlled according to whether the app is trusted or untrusted.
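The two slides above (exploit chain disruption and Lockdown for Java) describe one mechanism: track the state of each application, then allow or block its later actions by risk class and trust level. The following is an added example that models that decision over a constructed event log; it is not Trusteer Apex code, and the log format, the administrator's allow list and the risk classes are assumptions made here (the deck names "write to file system" and "registry change" as high-risk and "display, local calculation" as low-risk; the other action kinds are added).

```python
"""Correlate application state with post-exploit actions (added example, not Trusteer code)."""
import re

# Constructed allow list: JARs the IT administrator has marked as trusted.
TRUSTED_JARS = {"/opt/corp/payroll-client.jar"}

# Risk classes (assumption; the deck's own examples are included).
LOW_RISK = {"display", "compute"}
HIGH_RISK = {"write_file", "registry_set", "spawn_process", "net_connect"}

# Constructed event log: "<ts> pid=<n> event=<kind> <key>=<value> ..."
SAMPLE_LOG = """\
1001 pid=4242 event=start image=java.exe jar=/opt/corp/payroll-client.jar
1002 pid=4343 event=start image=java.exe jar=C:/Users/alice/Downloads/invoice.jar
1003 pid=4242 event=action kind=write_file target=C:/Users/alice/payroll.xlsx
1004 pid=4343 event=action kind=display target=window
1005 pid=4343 event=action kind=write_file target=C:/Users/alice/AppData/Roaming/svc.exe
1006 pid=4343 event=action kind=registry_set target=HKCU/Software/ExampleKey
1007 pid=9999 event=action kind=write_file target=C:/temp/x
"""

LINE_RE = re.compile(r"(?P<ts>\d+)\s+pid=(?P<pid>\d+)\s+event=(?P<event>\w+)(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": int(m["ts"]), "pid": int(m["pid"]), "event": m["event"]}
    rec.update(KV_RE.findall(m["rest"]))  # remaining key=value pairs
    return rec


def decide(state, rec):
    """Return (verdict, reason) for an action given the tracked per-process trust state."""
    kind = rec.get("kind", "")
    if kind in LOW_RISK:
        return "allow", "low-risk activity"
    trust = state.get(rec["pid"])
    if trust is None:
        return "allow", "not a monitored Java process"
    if kind in HIGH_RISK:
        if trust == "trusted":
            return "allow", "high-risk activity by trusted app"
        return "block", f"high-risk activity ({kind}) by untrusted app"
    return "allow", "unclassified activity"


def evaluate_log(text):
    """Walk the log in order: 'start' events set application state, 'action' events are judged."""
    state = {}  # pid -> "trusted" | "untrusted"
    verdicts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "start":
            state[rec["pid"]] = "trusted" if rec.get("jar") in TRUSTED_JARS else "untrusted"
        elif rec["event"] == "action":
            verdict, reason = decide(state, rec)
            verdicts.append((rec["ts"], rec["pid"], rec.get("kind"), verdict, reason))
    return verdicts


if __name__ == "__main__":
    for v in evaluate_log(SAMPLE_LOG):
        print(v)
```

The point of the ordering is that the state set by the start event (which JAR the Java process loaded, and whether the administrator trusts it) is what turns an otherwise ordinary file write or registry change into a block decision; the same write by the trusted payroll client passes, and a process the monitor never saw start is out of scope rather than silently trusted.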
IBM Security Trusteer Apex
ADVANCED MULTI-LAYERED DEFENSE
Threat and Risk Reporting: Vulnerability Mapping and Critical Event Reporting
Advanced Threat Analysis and Turnkey Service
Credential Protection
• Prevent reuse on non-corporate sites
• Protect against submission on phishing sites
• Report on credential usage
Exploit Chain Disruption
• Block anomalous activity caused by exploits
• Zero-day defense by controlling exploit chain
Malware Detection and Mitigation
• Mitigation of massively distributed APTs
• Cloud-based detection of known threats
Malicious Communication Prevention
• Block malware communication
• Disrupt command and control
• Protects against data exfiltration
Lockdown for Java
• Block high-risk actions by malicious Java applications
• Administer the trust level, reducing user disruption
Global Threat Research and Intelligence: Global threat intelligence delivered in near-real time from the cloud
IBM Intelligent Threat Protection
A dynamic, integrated system to disrupt the lifecycle of advanced attacks and prevent loss
Pillars: Smarter Prevention, Security Intelligence, Continuous Response, Open Integrations, Global Threat Intelligence
Components: IBM X-Force Threat Intelligence; Trusteer Apex Endpoint Malware Protection; IBM Security Network Protection XGS; IBM Security QRadar Security Intelligence; IBM Security QRadar Incident Forensics; IBM Guardium Data Activity Monitoring; IBM Emergency Response Services; Ready for IBM Security Intelligence Ecosystem
• Leverage threat intelligence from multiple expert sources
• Prevent malware installation and disrupt malware communications
• Prevent remote network exploits and limit the use of risky web applications
• Discover and prioritize vulnerabilities
• Correlate enterprise-wide threats and detect suspicious behavior
• Retrace full attack activity, search for breach indicators and guide defense hardening
• Assess impact, plan strategically, and leverage experts to analyze data and contain threats
• Share security context across multiple products
• 100+ vendors, 400+ products
IBM Endpoint Manager
• Automate and manage continuous security configuration policy compliance
Find out more…
And visit us on SecurityIntelligence.com
IBM X-Force Threat Intelligence Reports: http://www.ibm.com/security/xforce/
Website: ibm.com/security/threat-protection/
YouTube: youtube.com/user/IBMSecuritySolutions
Twitter: @ibmsecurity
IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/x-force
www.ibm.com/security
© Copyright IBM Corporation 2014. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.