Just An Application

September 8, 2014

The Mystery Of The Unsigned JAR: Part Four — JARs Within JARs

Filed under: Security, Things That Go Bump In The Night — Simon Lewis @ 7:15 am

Given the calls to getClass and getResourceAsStream in the load method, the hidden JAR is obviously in the JAR.

There are only six files in the JAR, and five of them are a priori not a JAR, so that leaves the putative ‘dll’[1].

In fact the ‘dll’ is an encrypted JAR.

It contains a variety of things none of which you would want running on your computer.

Perhaps the most interesting thing is that it is multi-platform. There is code for installing itself on Linux, MacOS X and Windows.
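The triage reasoning above (an entry named like a native library that is not one) can be turned into a quick check. The following is an added example, not code from the original post or from the sample: it flags JAR entries with a native-library extension that have no PE, ELF or Mach-O header and whose bytes look random. The entry names, the sample JAR and the 7.0 bits/byte threshold are constructed assumptions.

```python
import io
import math
import os
import zipfile

# Leading bytes of genuine native libraries: PE, ELF, Mach-O (thin and fat).
NATIVE_MAGIC = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
NATIVE_EXT = (".dll", ".so", ".dylib", ".jnilib")


def entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_native_entries(jar_bytes, threshold=7.0):
    """Return [(name, entropy)] for entries named like native libraries that
    lack a native-library header and look like random (encrypted) data."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.lower().endswith(NATIVE_EXT):
                continue
            data = jar.read(info)
            if data.startswith(NATIVE_MAGIC):
                continue  # plausible native library, not flagged here
            h = entropy(data)
            if h >= threshold:  # threshold is an assumption; tune per corpus
                hits.append((info.filename, round(h, 2)))
    return hits


def build_sample_jar():
    """Constructed sample: a fake PE 'real.dll' and a random-byte 'payload.dll'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n")
        jar.writestr("Loader.class", b"\xca\xfe\xba\xbe" + bytes(64))
        jar.writestr("real.dll", b"MZ" + bytes(4096))
        jar.writestr("payload.dll", os.urandom(8192))  # stands in for ciphertext
    return buf.getvalue()


if __name__ == "__main__":
    for name, h in suspicious_native_entries(build_sample_jar()):
        print(f"{name}: no native header, entropy {h} bits/byte")
```

High entropy also matches compressed data, so a hit is a lead for manual analysis rather than proof of encryption.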

The one thing I am not clear about is how the thing is intended to be run in the first place. The top-level JAR contains a manifest with a


entry, so the JAR is ‘runnable’ in that respect, but it arrived as an attachment in an e-mail.

Are there really still/were there ever e-mail clients that would automatically run a JAR found as an attachment and without any kind of attempt at sand-boxing?


  1. The ‘dll’ might have been more credible as a dll if there had been an actual call to System.loadLibrary somewhere.

Copyright (c) 2014 By Simon Lewis. All Rights Reserved.

