Combating a spate of Java malware with machine learning in real-time
Credit to Author: msft-mmpc| Date: Thu, 20 Apr 2017 13:02:00 +0000
In recent weeks, we have seen a surge in emails carrying fresh malicious Java (.jar) malware that use new techniques to evade antivirus protection. But with our research team’s automated expert systems and machine learning models, Windows 10 PCs get real-time protection against these latest threats.
Attackers are constantly changing their methods and tools. We know from many years of research into malware and cybercriminal operations that cybercriminals have go-to programming languages for their malicious activities, but they switch from time to time to slip past security solutions. For instance, we recently tracked how cybercriminals have changed how they use NSIS installers in order to evade AV and deliver ransomware.
To help deliver real-time protection, our researchers use the Microsoft intelligent security graph, a robust automated system that monitors threat intelligence from a wide network of sensors. This system includes machine learning models, which drive proactive and predictive protection against fresh threats.
Tracking malicious email campaigns
Our sensors first picked up signs of the Java spam campaigns at the start of the year. Our automated tools, which can sort and classify massive volumes of malicious emails, showed us actionable intelligence about the surge of Java malware-bearing emails.
These emails use various social engineering techniques to lure recipients to open malicious attachments. Many of the emails are in Portuguese, but we’re also seeing cases in English. They pretend to be notifications for billing, payment, pension, or other financial alerts.
Here are the most popular subject line and attachment file name combinations used in the email campaigns:
| Subject | Attachment file name |
| Segue em anexo Oficio Numero: <number> | Decisão-Judicial.zip |
| Serviços de Cobranças Imperio adverte, Boleto N<number> | 2Via_Boleto_N<number>.zip |
| “Cobrança Extrajudicial” Imperio Serviços de Cobranças | 2Via_Boleto_N<number>.zip |
| Payment Advice | Payment Advice.rar |
| Curriculum Vitae <Date> | Curriculum_<name><number>.zip |
| FGTS Inativo – <number> – Disponivel para saque em <number> | SALDO_FGTS_MP_<number>.zip |
| FGTS Inativo – <number> – Disponivel para saque em <number> | FGTS_-_MP_<number>.zip |
| Extrato_FGTS_disponivel_em_sua_conta_inativa_de_N<number> | FGTS_Disponivel_N<number>.zip |
| NEW PURCHASE ORDER (TOP URGENT) | BLUERHINETECHNOLOGY_EXPORT_PURCHASE_ORDER.zip |
| NF-e <number>. Emitente <number> – GLOBECALL DO BRASIL LTDA. <number> | NF-e-<number>.zip |
Figure 1. Most popular subject line and attachment file name combinations in email campaigns
The attachments are usually .zip or .rar archive files that contain the malicious .jar files. The choice of .jar as attachment file type is an attempt by cybercriminals to stay away from the more recognizable malicious file types: MIME, PDF, text, HTML, or document files.
Figure 2. Sample malicious email carrying Java malware in a .zip file
Tracking updates in malicious code
In addition to information about the email campaigns, our monitoring tools also showed another interesting trend: throughout the run of the campaigns, an average of 900 unique Java malware files were used in these campaigns every day. At one point, there were 1,200 unique malicious Java files in a single day.
Figure 3. Volume of unique Java malware used in email campaigns
These Java malware files are variants of old malware with updated code that attempt to evade detection by security products.
The most notable change we saw in these new variants of Java malware is in the way they obfuscate malicious code. For instance, we saw the following obfuscation techniques:
- Using a series of append operators and a string decryption function
Figure 4. Sample obfuscated Java malware code - Using overly long variable names, making them effectively unreadable
Figure 5. Sample obfuscated Java malware code - Using excessive codes, making code tracing more difficult
Figure 6. Sample obfuscated Java malware code
Obfuscated codes can make analysis tedious. We use automated systems that detonate the attachments, effectively bypassing obfuscation. When malware is detonated, we see the malicious intent and gain intelligence that we can use to prevent attacks.
Our tools log malicious behaviors observed during detonation and use these to detect new and unknown attachments. These malicious behaviors include:
Figure 7. Sample Java malware trace logs
From threat intelligence to real-time protection
Through automated analysis, machine learning, and predictive modeling, we’re better able to deliver protection against the latest, never-before-seen malware. These expert systems give us visibility and context into attacks as they happen, allowing us to deliver real-time protection against the full range of threats.
Context-aware detonation systems analyze millions of potential malware samples and gather huge amounts of threat intelligence. This threat intelligence enriches our cloud protection engine, allowing us to block threats in real-time. In addition to the Java malware, we also detect the payloads, which are usually online banking Trojans like Banker and Banload, or Java remote access Trojans (RATs) like Jrat and Qrat.
Figure 8. Automated systems feed threat intelligence to cloud engines and machine learning models, which result in real-time protection against threats
Threat intelligence from the detonation system constantly enhances our machine learning models. New malicious file identifiers from the analysis of the latest threats are added to machine learning classifiers, which power predictive protection.
This is how we use automation, machine learning, and the cloud to deliver protection technologies that are smarter and stronger against new and unknown threats. We automatically protect Windows PCs against more than 97% of Java malware in the wild.
Figure 9. Breakdown of Java malware detection methods
Conclusion: Real-time protection against relentless threats
The email campaigns distributing Java malware account for a small portion of cybercriminal operations that deliver new malware and other threats. Cybercriminals are continuously improving their tools and modus operandi to evade system protections.
Our research team is evolving how we combat cybercrime by augmenting human capacity with a combination of sensors, automated processes, machine learning, and cloud protection technologies. Through these, we are better able to monitor and create solutions against these threats.
These protections are available in the security technologies that are built into Windows 10. And with the Creators Update, up-to-date computers get the latest security features and proactive mitigation.
Windows Defender Antivirus provides real-time protection against threats like Java malware and their payloads by using automation, machine learning, and heuristics.
In enterprise environments, Office 365 Advanced Threat Protection blocks malicious emails from spam campaigns, such as those that distribute Java malware, using machine learning capabilities and threat intelligence from the automated processes discussed in this blog.
Device Guard locks down devices and provides kernel-level virtualization-based security, allowing only trusted applications to run.
Windows Defender Advanced Threat Protection alerts security operations teams about suspicious activities on devices in their networks.
It is also important to note that Oracle has been enforcing stronger security checks against legitimate applications using Java. For instance, starting with Java 7 Update 51, Java does not allow Java applications that are not signed, are self-signed, or are missing permission attributes. Oracle will also start blocking .jar files signed with MD5, requiring instead signing with SHA1 or stronger.
However, the Java malware discussed in this blog are equivalent to executable files (as opposed to Java applet). Here are some additional tips to defend against Java malware in enterprise environments:
- Remove JAR in file type associations in the operating system so that .jar files don’t run when double-clicked; .jar files must be manually executed using command line
- Restrict Java to execute only signed .jar files
- Manually verify signed .jar files
- Apply email gateway policy to block .jar as attachments
Duc Nguyen, Jeong Mun, Alden Pornasdoro
Microsoft Malware Protection Center