Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Contrary to initial reports, JACKSBOT may not be as low risk as initially thought. We noted some JACKSBOT infection in the wild, indicating that the people behind this multiplatform malware are saving their best tricks for last.

    We analyzed the JACKSBOT backdoor family (specific detection name JAVA_JACKSBOT.A) that arrives as a Java application. Because it is a Java application, it can run on any platform that supports the Java Runtime Environment. When it was first reported, it was considered low risk and no actual infection was recorded. However, days after the report was released, Trend Micro successfully cleaned two infection counts; one in Australia and one in Malaysia. This indicates that the malware is now being distributed in the wild.

    There is a possibility that this malware presents itself as a Minecraft modification to unsuspecting users as it contains the special command “MC” for stealing Minecraft passwords from the compromised system.

    Using a decompiler, I was able to see how this malware performs its dirty work. As seen in the screenshot below, the malware checks the OS currently running on the system.

    JACKSBOT can also be considered as a remote access Trojan (RAT), which is capable of taking control of the compromised system with some of the following backdoor commands for all OSes:

    • Chat
    • Corrupt
    • DeleteFile
    • GetFile
    • GetScreen
    • KillProcess
    • ListFiles
    • ListProcess
    • Restart
    • Shutdown
    • TakeFile
    • VisitURL

    However, the malware’s focus is mainly on Windows. The malware writers behind JACKSBOT may just be testing the waters for a successful multiplatform malware; however for now they appear to be unwilling to invest the time and resources to develop the code more completely. Consider this excerpt of the malware’s code focusing on Windows as seen below:

    For those familiar with running Linux and Mac, the system command “LOGOUT” may be done in Linux and Mac, but the malware writer did not choose to do so – which would make sense, given that his main target platform is Windows.

    A deeper look into the malware’s routines reveals that it is capable of visiting URLs, creating files and/or folders, running shell commands as well as executing and ending programs. It can also steal information by logging keystrokes and mouse events.

    JACKSBOT’S information stealing capabilities is useless if it cannot properly log it into a file. However, this is also covered by the malware for all target OSes. Other commands that may be bothersome to users include displaying message boxes, stealing system information and files, visiting remote URLs, performing DDoS attacks and capturing screen shots.

    With the tight market competition among OSes and the growing market for Mac OS X, it’s efficient for cybercriminals to write multiplatform malware rather than OS specific binaries. Although there are only 2 infections right now, JACKSBOT and its kin may in fact be the next trend in the threat landscape considering the rapidly changing market. Additionally, it is likely that the authors will continue to improve the code to fully support infection for OS X and Linux.

    Users with JACKSBOT infected system may unknowingly be giving away all important data to someone else. This malware also allows cybercriminals to modify the affected system. Thus, users should be cautious before downloading files from suspicious URLs, especially cracks or hacks, as these may lead to the system compromise.

    The Trend Micro Smart Protection Network™ detects and deletes JAVA_JACKSBOT.A if it is found on user systems.

    With additional insights from Roland dela Paz

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • PhaseCoder

      lmao this is stealth bots source why use v1? v3 is way better

    • _me

      This is Stealthbot

    • Johanne Demetria

      Hi message_driver,

      To clarify things, there was never a mention of Redpois0n in the blog post. We did not copy nor made Intego’s blog post as a reference, although we do acknowledge that they were the ones to first report of the JACKSBOT malware(thus the link in the blog post). We’ve done our research prior to releasing this blog post and we know that some of the users of the so-called jRat want to use it for legal purposes; They also want to have a removal tool for the jRat, as there was no existing removal tool(uninstaller) for jRat.

      As for the tray icon, the sample we received did not have this option. Like some remote admin tools, the server component does not have a tray icon; the client component can remotely perform commands on the server without the server knowing it.

      The capabilities of jRat is notable and possibilities of it being exploited by someone else other than the malware writer are endless. It can be bundled with another software installer, giving those with malicious intent the ability to perform the backdoor capabilities of this program. The fact that it is publicly available for
      download adds to the plausibility of someone exploiting this jRat.

      Again, the fact that it can perform DDoS attacks and destroy files on the compromised system makes it all the more malicious.

    • Ryan Northrup

      Quick question:

      Does JACKSBOT still require root access to operate, or has that changed since the initial report from Intego?

      If it does still require root access, then the simple solution is to not be running Minecraft (which is what the malware appears to be purporting itself to be a modification of) as root. The worst that would happen is having the Minecraft password stolen.

      Basically, I don’t see how it would control processes, initiate shutdowns, or add itself to /etc/rc.common without root access, which means that – if these things are actually happening – either the malware is escalating its privileges somehow – in which case the security hole ought to be patched up – or the users are running Minecraft – or the .jar directly – as superuser, which is completely unnecessary and has never – *ever* – been recommended.

      Definitely informative, however, and I’ll certainly keep an eye out for this on my company’s Windows machines (not that I expect my coworkers to be downloading Minecraft modifications on their work computers, but still).

      • TrendLabs

        Hi Ryan, sorry for the delayed response.

        For installing and uninstalling of the file itself (i.e., write at /etc/rc.common for mac and /etc/rc.local for Linux), as well as shutting down and restarting the computer, it requires root privileges. Other than those stated, taking advantage of this malware capabilities does not require root privileges such as creating files, creating directories, corrupting files, listing processes, killing processes, among others.

        We cannot remove the possibility of someone taking advantage of the capability of this malware and bundling it with another purposeful looking-software(i.e., a trojan). With such a situation, the user may be unknowingly installing the malware, thus allowing it to do its dirty work.

        For the most part, we know that this program alone is a RAT; a hacktool in a way, but given the fact that part of its capabilities are performing DDoS attacks and corrupting of files, its author has given this program a reason to be considered risky to install, thus making it a malicious software.

    • Dong Badong

      Wow! Very good read guys!

    • Stacy Kindle

      Good job Trend Micro! Give it up for HOTTY!

    • Dong

      Wow! Very good read guys!

    • HOTY Demmy

      This is a very good article! Keep it up Trend Micro!

    • Caloy_Showboy

      This is very informative! More power!

    • HOTY Demmy

      GOOD job Trend Micro and to your Engineer…


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice