Brazilian Coders Are Pioneering the First Cross-OS Malware Using JAR Files

An anonymous reader writes: Criminal gangs in Brazil are experimenting with the first malware families that are packaged as JAR files, capable of being deployed to Windows, Linux, Mac, and even Android from the same codebase, instead of relying on 4 different versions. Right now, only the malware dropper, a component used to infect computers with banking trojans, seems to have been coded in Java, but security experts expect a full-blown banking trojan to soon follow.

Re:Does anyone actually install a JRE any more?

[Todd+Knarr]

It wouldn't need to run as a browser plugin. The idea here is to use some other exploit to gain access and drop the .jar file onto the system, then run it as a regular local application. I suspect a lot of people have it because Oracle's made deals to have it included on the manufacturer's images, and those people don't have a clue what Java is or how to remove it so that's a problem.

I am, however, surprised it took them this long to come up with this idea. It's fairly standard on Unix systems, that's how cross-platform scripting of all sorts is done.

Re:So using Java exactly what it was designed for?

[TheRaven64]

It is a bit of a stretch. There was a nice entry into the IOCC a few years ago that was a program that was valid as C program, a shell script, or a makefile. Running it as either a shell script or makefile would compile the C program, which would then print its output. There's been some interesting recent research involving isolating instructions that are NOPs on various architectures and writing exploit code that is a valid executable on both x86 and ARM (it doesn't have to be long, because you can encode a jump to the architecture-specific version in the portable code).

It's worth noting that this is even (almost) the official and documented way of writing a cross-architecture Windows binary: you have a little .NET stub that P/Invoke's the native binary for the architecture that it detects.