Thursday, 8 January 2015

Digging deeper into JAR packages and Java bytecode

Before the Christmas break we announced the inclusion of a tool to further characterize Mac OS X executables and iPhone apps, at the same time we also silently deployed one to dig deeper into JAR packages and Java .class files.

Virustotal has always scanned and produced verdicts for these types of files, as it scans any type of binary content, however, now it will also produce static notions such as the Java packages used, the manifest of the JAR bundle, interesting strings, file type distribution, date timestamp metadata for files within the archive, etc. You may take a look at this new information in the file details tab of the following report:

Similarly, when it comes to .class files the tool will produce new notions such as the original class name, the target platform, whether it extends some class or implements some interface, its methods, what functions does it provide and require, etc. An example can be viewed in the file details tab of the following report:

Many of today's threats are distributed through exploit kits, a wide variety of which make use of malicious JARs in order to exploit Java and end up serving the final malicious payload to the victim, hence, we hope this new information helps researchers in better discriminating these threats.

No comments:

Post a Comment