NEWS FROM THE LAB - Monday, March 14, 2005

Java Applet trojan that infects Internet Explorer even when run in Firefox. Posted by Jarno @ 12:27 GMT

Well heres a proof that Java is portable programming environment :)

Christopher Boyd from Vitalsecurity.org has found a Java trojan that is capable of downloading and infecting Internet Explorer with Spyware/Adware, even is you are running another browser that supports Java such as Firefox.

We detect this as Java.OpenStream.T

What is happening here is that, the trojan is in signed Java archive, that is signed with valid certificate. Which causes the Java runtime to ask from user whether this applet should be executed or not. And if user answers yes, the Java applet is given all the access that any other binary running under the user account would have.
Java warning
This allows the trojan do the same kind of nasty tricks as any other Java downloader trojan does, but without using any kind of exploits.

Also what makes the case interesting is that this trojan is probably not intended to work with Firefox or any other alternative browser. The trojan works just because the trojan author did not use any Microsoft specific code. Thus making the trojan portable to other platforms.

And yes, the trojan will most likely also work under Linux, but it won't do really anything there as it tries to download and execute Win32 EXE trojan.

So if a website asks you whether you want to run Java applet, and you are not intending to run some Java application you trust, just answer no.