Jump to content
Tuts 4 You

Enterprise Java Rootkits

Teddy Rogers

About This File

In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. In "Byte Wars: The Impact of September 11 on Information Technology," Ed Yourdon cautions us to "remember that hardly anyone watches the programmers".

How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? In many ways malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. What's really scary is that a trojaned Struts or Log4j library could effect most of the financial industry all at once.

In this paper, we examine the techniques that malicious programmers can use to insert and hide these attacks in an enterprise Java application. We examine techniques for bootstrapping external attacks, avoid code review, avoiding statis analysis, trojaning libraries, and trojaning an enterprise build server. The point here is not to show how complex these attacks are, but rather how many opportunities there are and how simple and obvious they are to most developers.

User Feedback

Recommended Comments

There are no comments to display.

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...