A researcher at McAfee has discovered a Java-based, cross-platform botnet that can infect both Mac and Windows systems. The malware agent, dubbed “IncognitoRAT”, is a Java-based Trojan in the wild that is downloaded and installed by a separate component. It behaves like other Windows botnets but is built from source code and libraries that run on multiple platforms. The malicious code is available for Windows and Mac OS X, and the iPhone/iPad is used as a propagation vector. Only the Windows version of the malicious downloader has been spotted actually spreading in the wild.
The original infection source is a Windows executable created with the JarToExe tool, which converts Java .jar files into .exe files, adds program icons and version information, and can protect and encrypt Java programs. It relies on the victim system having the Java Runtime Environment installed and being connected to the Internet.
As soon as the file is executed, it starts downloading a ZIP file with a pack of Java-based libraries to perform several remote activities, including:
- Java Registry Wrapper, used to access the Windows Registry and execute the malware every time the computer starts.
- Java Remote Control, to view the screen and control keyboard and mouse.
- JLayer MP3 Library, to remotely play MP3 files on the infected machine.
- RNP-VideoPlayer, to play videos remotely.
- JavaMail, to send stolen information to an email account.
- Freedom for Media Java, an open source media framework to watch and record images from a remote webcam.
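As an added defender-side example (not code from the article or from McAfee), the following Python triages the Windows Run keys for the kind of persistence the Java Registry Wrapper provides: an autorun entry that launches java/javaw with a .jar, with extra weight when the jar sits in a user-writable path. The heuristics, value names and paths are assumptions constructed for illustration, and the entries in SAMPLE_RUN_ENTRIES are constructed samples, not real indicators.

```python
"""Triage Windows Run-key entries for Java-launched persistence.

Added example, not from the article: IncognitoRAT registers itself to run
at every start via the Windows Registry, so Run-key values that invoke the
JRE with a .jar are worth a look. The classifier is pure Python so it can
be exercised offline; collect_run_entries() reads the registry on Windows only.
"""
import re
from typing import Dict, List

# Assumed heuristics: the launcher is java or javaw, one argument ends in
# .jar, and jars under AppData/Temp/Downloads are more suspicious.
JAVA_LAUNCHER = re.compile(r"(^|[\\/])javaw?(\.exe)?$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')  # keep quoted paths as a single token

# Constructed sample entries (value name -> command), not real indicators.
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "JavaUpdate": r'"C:\Program Files\Java\jre6\bin\javaw.exe" -jar "C:\Users\bob\AppData\Roaming\Java\client.jar"',
    "Helper": r"javaw -jar C:\Tools\helper.jar",
}


def suspicious_java_autoruns(entries: Dict[str, str]) -> List[dict]:
    """Return Run-key entries whose command launches java/javaw with a .jar."""
    findings = []
    for name, command in entries.items():
        argv = [tok.strip('"') for tok in TOKEN.findall(command)]
        if not argv or not JAVA_LAUNCHER.search(argv[0]):
            continue
        jars = [a for a in argv[1:] if a.lower().endswith(".jar")]
        if not jars:
            continue
        findings.append({"name": name, "jar": jars[0],
                         "user_writable": bool(USER_WRITABLE.search(jars[0]))})
    return findings


def collect_run_entries() -> Dict[str, str]:
    """Enumerate HKCU and HKLM Run values (Windows only; {} elsewhere)."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries[name] = str(value)
        except OSError:
            continue  # hive or key not readable; skip it
    return entries


if __name__ == "__main__":
    live = collect_run_entries()
    for hit in suspicious_java_autoruns(live or SAMPLE_RUN_ENTRIES):
        print(hit)
```

On a non-Windows host the script falls back to the constructed sample entries, which is enough to see how the two Java-launched entries are reported.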
One thing that is rather odd is that the botnet agent might crash the infected machines, and apparently shows a curious message to the user:
Someone appears to have a sense of humor…