Javafog: New variant of Icefog malware discovered

The Icefog malware sample first came to light in September 2013, but it remains a threat to computer security: a new, more dangerous variant has been discovered. The new sample, called "Javafog," reportedly targets sensitive corporate information and has already infiltrated several organizations.

The Inquirer contributor Lee Bell stated that one security firm found Javafog in the internal systems of "a very large American independent oil and gas corporation," illustrating the threat this malware poses to corporations. InformationWeek contributor Mathew Schwartz also reported that experts have found the sample on eight different systems within three U.S. organizations, including the oil and gas company. While analysts declined to name the affected businesses, all three firms have been notified of infection, and two were already able to remove the sample.

Similarities and differences
The sample was first found when a security analyst was in the process of monitoring several Icefog command and control servers that were previously shut down. Although Icefog attackers "went completely dark" after a report was published on the original sample, security experts continued monitoring for activity and came across a Java version of Icefog.

The new sample is similar to Icefog, in that it installs malware after infiltrating a user's system. Furthermore, Javafog was designed to be able to communicate information with the C&C servers used for malicious purposes by Icefog. However, the variant could prove to be a bigger threat than its predecessor.

"The truth is that even at the time of writing, detection for Javafog is extremely poor (three out of 47 on Virustotal)," according to a security expert. "Java malware is not as popular as Windows Preinstallation Environment malware, and can be harder to spot."

One trait that sets Icefog apart is its "smash and grab" attack style, Schwartz noted. Where many samples aim for a long-term, undetected presence on a system, Icefog attackers appear to take what they are after and immediately cease the attack. This makes the infection harder to identify, since historically it remains on devices for only a short period of time.

Prevent being a victim
Users can avoid falling victim to this threat by ensuring that Java is up to date and has all security patches installed. Additionally, security expert Dana Tamir advised that individuals restrict program executions to known Java files only. This will prevent the malware sample from entering the system to begin with.
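One way to put the "known Java files only" advice into practice is a hash-based allowlist: record a digest of every Java archive that is approved to run, and refuse anything whose digest is missing or differs. The script below is an added illustration written for this page, not code from the article or from any vendor it cites; the directory layout, file names and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks so large JARs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(trusted_paths) -> dict:
    """Map archive name -> digest for archives an administrator has approved."""
    return {p.name: sha256_of_file(p) for p in trusted_paths}


def check_archives(candidates, allowlist: dict) -> dict:
    """Classify each candidate archive.

    'allow'         - name is on the list and the digest matches
    'deny-modified' - name is on the list but the bytes differ (tampered or replaced)
    'deny-unknown'  - name was never approved at all
    """
    verdicts = {}
    for p in candidates:
        digest = sha256_of_file(p)
        expected = allowlist.get(p.name)
        if expected is None:
            verdicts[p.name] = "deny-unknown"
        elif digest != expected:
            verdicts[p.name] = "deny-modified"
        else:
            verdicts[p.name] = "allow"
    return verdicts


def demo() -> dict:
    """Constructed scenario: one approved JAR, one tampered copy, one never-approved JAR."""
    with tempfile.TemporaryDirectory() as tmpdir:
        root = Path(tmpdir)
        approved = root / "approved"
        incoming = root / "incoming"
        approved.mkdir()
        incoming.mkdir()

        # Constructed "approved" archives (not real JAR files, just labelled bytes).
        (approved / "reporting.jar").write_bytes(b"PK\x03\x04 constructed trusted reporting jar")
        (approved / "updater.jar").write_bytes(b"PK\x03\x04 constructed trusted updater jar")
        allowlist = build_allowlist(sorted(approved.iterdir()))

        # Incoming archives: identical copy, altered copy, and an unknown name.
        (incoming / "reporting.jar").write_bytes(b"PK\x03\x04 constructed trusted reporting jar")
        (incoming / "updater.jar").write_bytes(b"PK\x03\x04 constructed ALTERED updater jar")
        (incoming / "dropper.jar").write_bytes(b"PK\x03\x04 constructed unknown jar")

        return check_archives(sorted(incoming.iterdir()), allowlist)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Keying the allowlist on the digest rather than on the file name alone is what matters: a replaced `updater.jar` is rejected even though its name is familiar, and an archive that was never approved is rejected regardless of what it is called. In a real deployment the same idea is enforced by the platform's application-control mechanism rather than by a script, and the allowlist is updated whenever Java or an approved application is patched.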

Schwartz also noted that while Javafog is comparable to Icefog, this newest malware only has the most basic functionality. The backdoor only serves to upload files and make changes to the server with which it communicates.
