Threat behavior
TrojanDownloader:Java/OpenConnection.AB is a trojan Java applet that could allow the downloading and execution of arbitrary malicious files.
Installation
TrojanDownloader:Java/OpenConnection.AB may be served from a malicious website as a Java archive as in the following example:
<website>/<directory>/FlashPlayer.jar
As found in the wild, the archive contains one Java class named "Main.class" with a size of 2878 bytes.
Payload
Downloads arbitrary files
If the trojan applet is run on a vulnerable computer, it could allow the downloading and execution of arbitrary malicious files. The applet receives the URL of the file to download as an applet parameter named "link", which is defined in the HTML document that embeds the applet. This lets the same applet code be reused for any number of downloaded files simply by changing the "link" parameter in the hosting web page.
The applet exports two functions named "Init" and "Plugin". Once the applet is loaded by the Java virtual machine (JVM), the "Plugin" function is called, which in turn creates a temporary file named "FlashPlayer" with the extension derived from the name of the downloaded file. The applet then downloads the remote file and stores it under the name "FlashPlayer.<ext>".
If "<ext>" is ".jar", the applet attempts to launch the Java application launcher with a command line such as the following to execute the Java archive:
javaw.exe -jar <absolute path>/FlashPlayer.jar
Note that javaw.exe is a console-less application, so its execution is normally hidden from the user.
If the extension is not ".jar", the applet attempts to run the downloaded file in a separate process. If this fails, the URL is written into a batch script file "tmp.bat" in a temporary folder and the batch script is executed. If the batch script execution also fails, the resulting exception is not caught by the applet and is displayed by the browser.
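The behaviour above leaves recognisable strings in the applet's class file ("link", "FlashPlayer", "javaw.exe", "-jar", "tmp.bat"). The following triage script, added here as an illustration and not taken from the original description, scans a cached JAR for those indicators plus the single-"Main.class" layout noted earlier; the indicator weights, the score threshold, the "openConnection" string (assumed from the family name) and the constructed sample JAR are all assumptions of this example.

```python
import io
import zipfile

# Indicator strings drawn from the write-up of TrojanDownloader:Java/OpenConnection.AB.
# The weights are an assumption of this example, not part of the original description.
INDICATORS = {
    b"link": 1,            # applet parameter carrying the download URL
    b"FlashPlayer": 2,     # temporary file name used for the downloaded payload
    b"javaw.exe": 2,       # console-less launcher used to run a downloaded .jar
    b"-jar": 1,
    b"tmp.bat": 2,         # fallback batch script written to the temp folder
    b"openConnection": 1,  # assumed: java.net.URL method suggested by the family name
}

def triage_jar(jar_bytes):
    """Inspect a JAR (as bytes) taken from a browser cache and return
    (class_entries, matched_indicators, score). Only .class entries are
    scanned; constant-pool strings in real bytecode are stored as UTF-8."""
    classes = []
    matched = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class"):
                continue
            classes.append((info.filename, info.file_size))
            data = jar.read(info)
            for needle in INDICATORS:
                if needle in data:
                    matched.add(needle.decode())
    score = sum(INDICATORS[m.encode()] for m in matched)
    return classes, sorted(matched), score

def looks_like_openconnection_ab(jar_bytes, threshold=5):
    """Flag a JAR that holds exactly one class, Main.class, and scores above threshold."""
    classes, matched, score = triage_jar(jar_bytes)
    single_main = [name for name, _ in classes] == ["Main.class"]
    return single_main and score >= threshold

def build_sample_jar():
    """Constructed sample: a one-entry JAR whose 'Main.class' is not real bytecode,
    only a byte string carrying the strings the write-up describes."""
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00".join([
        b"link", b"FlashPlayer", b"javaw.exe", b"-jar", b"tmp.bat", b"openConnection"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("Main.class", fake_class)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_jar(build_sample_jar()), looks_like_openconnection_ab(build_sample_jar()))
```

Replace `build_sample_jar()` with the bytes of a JAR pulled from the browser cache to triage a real file; string matching of this kind is a quick first pass, not a substitute for a full antivirus scan.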
Additional information
The name of the Java applet could be anything and does not affect the applet's functionality. It is not uncommon for antivirus software to detect malicious Java applets in a web browser's cache. This does not necessarily mean that the system is compromised. Most of the time it reflects the fact that, at some stage, a web page with a malicious applet was visited and cached locally. To clear such a notification, it is often enough to purge the cache using the web browser's configurable security options.
Prevention