The only use for Java these days
Are Minecraft, Android development and viruses. In that order.
Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you'll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact …
Java exploits don't only work on Windows, they'll run on anything that Java will run on, including Linux.
What you're displaying is a fairly common mindset that "Windows is the only thing that gets exploited, therefore I'm safe, whatever I do with my non-Windows OS." It's very dangerous and I've seen it bite people; a friend of mine found that his broadband was running slowly because his Linux box had been rooted and was happily serving porn to the world.
Trevor was talking about his own experience, so it might not have been appropriate in this particular article, but I do wish that more people would remember the penguins when it comes to documenting these risks and recovering from them.
If it saves just one chicken...
The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges.
As other operating systems become more usable, we'll find more poorly trained and untrained people using them. Which means more people making the mistake of using an elevated privileges account for everyday work.
Perhaps the only solution is to go the Apple route, and maybe a bit further. Create an operating system that will only run software signed by the operating system author. I fear that is where we are headed.
Where we are clearly headed is "Safe Computing" shooting up on 'roids and methamphetamine:
Everyone will run their OS inside a VM. At least one "bundes-trojaner" will be in full control of the VM and continuously monitor all interfaces to the hardware layer for "dangerous traffic". External connections are logged and saved for 7 years in case the definition of "dangerous traffic" mutates and prosecution becomes necessary after the fact.
You cannot install anything outside of the VM, any attempt to hack it will bring the full force of NDAA 2012 or RIAA sturmtroopers to your doorstep. All of this is for our own protection, of course.
Which shows that my last reply must be, err ...wrong. Oh well, that happens! :)
But I wonder why they bother, as it is so unnecessary for everything except admin tasks. It would make me sad too.
Not that I never spent all day logged in as root on a work machine. And not that I never screwed up when doing so <Blush>
Which, if you are not a transplanted M$ n00b, is never recommended.
this should read:
Which is never recommended.
To MS's credit they are actively trying to persuade everyone since NT 3.51 (that's a very long time ago, thank you) to please not log on as admin. Only: nobody listens. Neither do you. Or he. Or she. Or whoever. Long story short: migrating these people to Linux will not solve the problem, only make it worse: they will still log on as root (I'm the admin!) and now will not even have a clue how stuff works in Linux.
Migrating normal users to Linux is a disaster waiting to happen. Trust me. I know. For sure. Been there. And turned back.
I would say that MS says one thing and does another.
On a default install of Windows 2000 Professional/Server you are root (administrator) by default, so are you in Windows XP/2003, then on Vista you get elevated privileges through UAC all the time, which is neither an administrator account nor a non-privileged user, same for Windows 7/2008/R2.
Microsoft had the opportunity with Win7 to go to a fully user/admin separated model like everything in the industry other than them for the last 30 years.
But no, they know that will break software and alienate users, and the bottom line is more important than doing things the right way.
The good news is that on OS X you can go into the Java preferences, disable the Java plug-in on all browsers with a click on the checkbox, and still have local Java programs (well, in my case Eclipse) running perfectly fine.
Windows, on the other hand, is a fecking nightmare to disable.
"Windows, on the other hand, is a fecking nightmare to disable."
You can go into the Java preferences and disable the Java plug-in by clicking on the checkbox.......
Let me guess. You've been fannying around with the options in the various browsers rather than going to the horse's mouth of the Java console in Control Panel, haven't you?
You need to run the Java control panel from an elevated command prompt (obvious, that) and while that works for alternative browsers it still doesn't work properly for IE and IE is part of Windows. See my post on the next page.
Your icon is self referential I suppose?
"...compared to Windows XP, where everybody runs with administrator privileges"?
In the corporate environment this is unforgivable (and if there's a sysadmin of any note it won't be true). I will concede that in the home it's more tempting to run as an administrator. Bear in mind that full admin rights aren't given by default to newly created accounts: it is the owner's choice.
"The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges."
Utter bollocks I am afraid to say. It would not be hard at all to craft a payload that did anything harmful on a Linux install. What planet are you living on? Clearly not the same one as me. Running Linux is not an effective shield for now. Windows and Linux boxes are exploited for differing reasons.
Windows - Exploited these days to slurp mostly banking data and anything else they fancy due to the high volume of Windows users and therefore banking details available to be stolen. Making target No.1 for anything exploiting for Cash profit that can be rapidly taken advantage of.
Linux - Small desktop percentage and therefore low volume of banking transactions compared to Windows. Hence why you don't see your & your friends' Linux desktops hit with a slew of malware. There is no substantial profit to be made. Linux has a heavy server percentage and the exploits developed reflect that. Stating that it's harder to exploit a Linux system is utter drivel of the highest order. It's secure on the desktop due to its obscurity/low install base. As simple as that. On the server it needs proper care & attention to detail or you're open to all sorts of attack.
So to be short. There is no profit in exploiting Linux desktop users at this time. If the user base blew up so would the number of malware kits produced for it.
Exploiting a Linux workstation and installing a rootkit running as a regular user requires much more than a simple Java exploit.
Most hacks that I have encountered in Linux follow only one pattern: the people using it are completely clueless.
I have never faced an exploit on a Linux desktop, but I have been exploited by a 0-day vulnerability in Opera in Windows; thank god I never run as Admin and the little nasty only got to infect my profile.
Seriously I have yet to face the same thing in Linux.
"So to be short. There is no profit in exploiting Linux desktop users at this time. If the user base blew up so would the number of malware kits produced for it."
I am eager to see Linux being exploited in this manner, I would love to see what the response will be from the technical community, the Linux crowd will not sit idle, as thankfully there is no inertia to overcome.
True, the software would run on any machine with a suitable java runtime. However, most non-windows installations use sensible user permissions as default. Plus, the exploit code is going to be very OS specific so you'd need to have something explicitly targeting linux, osx, vms, ...
"was happily serving porn to the world" Must have a really good broadband connection!
Yep, although I do wonder how he managed to get incoming tcp connections through the router firewall... oh wait, upnp... another fine invention for malware.
We need something which is inherently less capable than java. You don't need to root a box if it can happily run a java web-server as a local user, or spend some time scanning your RPC services for exploits now or in the future or (I suspect is the most common) wait some time and then pretend to be a flash update requesting admin privileges to install.
Linux is a good model with its repositories. No per-application update systems please. Flash should never ask to install updates, the system should keep a list of updates which the user can check (or silently install). How often have we seen "posing as a flash update"?
I'd like to see further OS controls, especially for mobiles. Few applications need access to the internet, mostly they just need to talk to one domain. How about controls set during an installation which limit what an application can access? Should that be part of the standard application installation system? So the OS restricts flash to *.adobe.com for updates. Anything which wants wide or unusual internet access should be easily spotted. Hmm, why does that pack of emoticons need any outbound network connections, let alone access to the entire internet? How about path restrictions? Why not set the binary path and library requirements at installation and get the OS to prevent loading/execution of anything else?
I want to lynch the people who write malware.
I have had to clean out systems in a way that the author has described before and I have a dim view of damage control and rebuilding systems from malware take overs...
The amount of shit and misery they cause in terms of people "tens of millions of years of people time, to fix up the shit" to billions of people many times over, over the decades - I think the sentence ought to be burning at the stake.
Fuck them.
In how many other OS's could a virus get in through a NON privileged account yet not only hide itself all over the system but disable core services AND create a new friggin partition?? I think this demonstrates that despite what the Seattle snake oil salesmen have to say, Windows never was and never will be a serious OS and certainly not one fit for 24/7 use in a high availability corporate environment. Requiring anti virus in an OS is like putting rollers under a car because the wheels have been designed square.
I think he did. He was pointing out that it takes two to tango, and that while JITB is a high risk gamble, running an OS that apparently just lies down, rolls over and sticks its legs up in the air isn't actually going to help matters.
Ironic that Java was originally intended to be a browser thing that was going to be the secure multi platform alternative to the evil that was (and still is) ActiveX. Finally, nice article and lots of useful information that I really hope I never have to use.
At least malware authors are paying proper attention to version management :-)
No he wasn't - he was Windows bashing. And while Windows might need a bash now and then it should really be for things that are wrong with Windows. The supposed evil of Microsoft is nothing compared to the incompetent, irresponsible malware that is Java. Windows can be done secure with the right amount of application - Java cannot be done secure - on any OS - period.
I really do feel sorry for anyone who has to maintain any system with a java reliant component.
"And while Windows might need a bash now and then it should really be for things that are wrong with Windows."
So allowing a browser plugin to execute privileged code from a non privileged account ISN'T a problem with the OS? Whose fault is it then, the magic malware pixie?? Jeez....
Indeed, but if you do not know what you are doing with Windoze you get an account with Admin rights; if you do not know what you are doing in Linux you get a user account which doesn't give you any access to Admin privileges, thus such malware cannot run.
This Malware seems to do windozy type things, so it might well be possible to use the same java exploit on a Linux box, but it wouldn't do anything, it would not give the malware access to anything, so it would be plain useless.
The 2 OS's work in totally different ways: Windoze leaves everything open, Linux makes you open things, in which case you need to know what you are doing first!
This is why Linux seems to have such a high learning curve, because it's not all done for you.
I am sure there are viruses for Linux (though in my 10+ years experience, I've never seen one, only read about them being theoretically possible), but the system has to be compromised first to allow them to run.
Your information is dated. On Windows XP users ended up with an admin aka root account, but Vista and Win7 have changed that behaviour quite heavily.
And let's please also not forget that during the times of XP Linux distributions didn't force users to create an account for themselves yet.
Quite frankly I also can't believe that you're actually thinking that the capability of locally running code on Linux would be a lesser problem than running code on Windows. Because that is assuming that there are no local root exploits - whatsoever - available on Linux right now. Can you be 100% positive of that? I don't think so...
Being able to run code locally, no matter what the platform is, is bad news. Whether this is on Windows, Linux, Mac or *BSD, the whole ordeal is bad and a huge security risk which needs to be addressed ASAP.
"Linux you get a user account which doesn't give you any access to Admin privileges, thus such malware can not run"
*Plenty* of malware can be usefully run from a perfectly ordinary user account, indeed: most servers run their services as non-privileged users on crippled accounts. A user account is quite powerful on its own; one can do much more than one can with Windows, e.g. injecting the exploit via Java, firing up the service and attaching it to a TTY so it does not shut down when the user logs out would be adequate for most nefarious purposes.
Sure, it is easy to find and delete the malware using the process management tools - but the average user will not have the knowledge to venture outside of GNOME ... and ... The average Ubuntu user is getting trained and conditioned to "sudo everything", so it will not be much of a hack to root those boxes either.
"So allowing a browser plugin to execute privileged code from a non privileged account ISN'T a problem with the OS?"
Well, that heavily depends.
Technically speaking Linux also allows execution of privileged code from a non-root account through the use of sudo. So the concept as a whole isn't bad per se. The real question is how it's done. On Windows 7 (UAC) people are warned up front for both executing code from a web location as well as raising their privileges to the admin user.
If we're talking about a way to easily circumvent UAC so that code can be executed as administrator without so much as a warning then yes; that would be a major flaw. But not the concept by itself.
The article describes an attack using Java on a system where only the latest update of Java 6 was installed. If this is correct (I'm not an expert but I'm sceptical, maybe the Java attack failed and it got in some other way, malware carries 1001 different ways to break into a system including lame passwords obviously) then this is another previously unpublished attack.
http://en.wikipedia.org/wiki/Java_version_history says that Java SE 6 Update 35 was released on 30/08/2012 (Thursday) with a "security-in-depth fix", which I think means that Java 6 had one of the bugs from Java 7 but there wasn't a known way to exploit it. Regardless, if the users didn't have Update 35, then they were briefly not-up-to-date. But that's little consolation.
But I still think it might be not Java after all.
Ironic that Java was originally intended to be a browser thing that was going to be the secure multi platform alternative to the evil that was (and still is) ActiveX.
That's something that baffles me too. Java the language's memory model is pretty anal: you cannot cast objects as anything other than their own classes and super-classes (in order to, say, access an arbitrary object as a byte array), nor can you access object fields via pointer offsets or otherwise perform any feats of pointer arithmetic. Hell, in principle you don't even know your pointers – there is no necessary relationship between the "object references" a Java program works with and the actual memory layout, other than a one-to-one relation between references and objects.
You would easily have me believe that such a strict memory model would be simple to implement securely – yet that clearly isn't the case. How can this be? Is it just sloppy programming? Or are there inherent challenges to securely implement a virtual machine architecture such as Java's?
Relevant vulnerabilities exist in Windows and Java Runtime Engine. The attack vector starts with Java then goes into Windows from there. Assuming it's using Java.Awetook, the payload is downloaded from a webserver in J2RE then executed in Windows with elevated privileges. Both MS and Oracle may be responsible for vulnerabilities and security weaknesses here.
Large companies and governments can't run OS X or Linux because they have not been adequately tested by malicious hackers.
When you're an attractive target, such as a large company or a government, it doesn't matter what the "popular" common malware is, you're going to be targeted with custom malware, and you need an OS that has been adequately vetted.
You can't get a desktop/laptop OS that has been adequately vetted, but Windows comes closest.
Does anyone argue that more hacker hours have been spent trying to crack Windows than OS X or Linux? I didn't think so.
So basically you are a home user and you run OS X or have the smarts to run Linux and you're using security by obscurity; your security is dependent on the fact that hackers haven't discovered the exploits on the OS you've chosen, and haven't yet found it profitable to create exploits for it. You're secure only because of the relative obscurity of your chosen OS. That doesn't work for attractive targets where it is worth the cost to hackers to custom develop malware.
@AC 11:54
You mean the model that's been gradually changing since Vista came out in '06 whereby now, under 7 and probably 8 it's actually quite possible to work as a standard user rather than admin?
Yeah, no.
What you want to be doing is berating lazy software authors who haven't checked that their software will work without admin rights, and/or organisations who won't pay to upgrade to newer software that resolves said issues.
Of course, that might involve not being a plonker blindly toeing the "Windows = teh suxxor!" line...
"Because the Windows 'every user has to be an administrator else nothing works right' model is broken..."
That hasn't been true for over 7 years. But ignorant users think it is, so they use elevated accounts for everything.
If Linux users were as common and uneducated as Windows users, we'd have at least as many problems.
"In how many other OS's could a virus get in through a NON privileged account"
The OS did NOT let the virus in, the JVM did. If I remember correctly, the last worm to successfully exploit a Windows vulnerability to actively spread from one machine to another without user intervention was the Blaster/Sasser worm. Even then, I was running a school at the time, and although Blaster successfully exploited the RPC vulnerability, the students' machines were so heavily locked down via group policy that the process elevation attempts failed due to certain services being disabled.
There have been ActiveX exploits, but any sysadmin with half a brain can lock this down using the internet zone group policy settings.
Since then, almost all viral infections have either used social engineering tricks, or the unholy trio: Acrobat, Flash, or Java.
The Windows platform of today features ACL control over Filesystem, registry, and active process utilisation of such granular detail that it far outstrips any nix variant. It features Address Space Layout Randomisation that is superior to that offered by Linux or OSX. It has a very capable firewall built in and enabled as standard. Almost all network traffic is PKI encrypted by default. Hard disks can be hardware encrypted to FIPS 140-2 compliant levels.
But, a chain is only as strong as its weakest link. The problem with the MS platform today is not the underlying OS, but the plethora of badly written software that requires diligent sysadmins to punch dirty great holes in these security features to make them work.
And running any platform without some antivirus software is reckless at best, idiotic at worst.
You mean z/OS, z/VSE and z/VM. And that is true. But again, as with Linux and OS X it is security by obscurity. Folks with knowledge of the major IBM operating system feel we have an ethical obligation not to exploit that knowledge illegally.
Some people with knowledge of PC operating systems don't feel any ethical obligations at all.
But to answer your question, "Care to name any viruses for S/360?" there is the "Christmas Tree" virus, and it was accidentally created by a co-op student who wanted to send electronic Christmas cards through email; that is how easy it was to create.
7 options here:
http://www.techradar.com/news/software/applications/7-of-the-best-anti-virus-apps-for-linux-669087
You know there are at least several hundred known Linux worms / viruses and malware?
@Richto - from your link - final paragraph
"We should close by saying that the number of Linux viruses that could possibly damage your system in any way is currently less than 10, so don't have any nightmares"
@Psymon Posted Monday 3rd September 2012 13:25 GMT
Mate, all that you say is true, yet with all the immense granularity in modern Windows versions, what you say implies that the burden of the security relies on the user's shoulders.
All that granularity requires a vast experience administering Windows, otherwise you will break any application in existence.
I will give you an example: As part of the security policy that I used to apply to the computers of a Windows 2000 domain back in the day, we used to disable all the services that we did not use, only to spend weeks with a vendor trying to solve some issues on an application derived from the fact that it had dependencies that the vendor in the UK wasn't aware of.
It caused much grief across the organization and the IT manager mandated that Windows be secured, yet nothing removed, no DCOM permissions tampered with, no ACLs done on the Registry, and no permissions changed on the C:\ partition. Because troubleshooting became a pain.
I used to think the Linux/Unix model was fairly limited, yet I have to find a box that can not be secured with just a few basic common sense policies.
If you are calling me a Linux fanboy, I'm going to ask you to back that statement up with some sort of evidence. For the record, these are the following things I am a "fanboy" of (in rough order):
1) My wife, close friends and selected coworkers.
2) Ninite.com (Just. Frakking. Works.)
3) Cyanogenmod (My phone. MINE.)
4) A significant chunk of The Register's writers, current and departed (I miss Sarah.)
5) Ars Technica's Nobel Intent (Science, bitches!)
6) Evidence-based legislation (Science, bitches!)
7) Mars Rovers (Science, bitches!)
8) Intel networking (Just. Frakking. Works.)
9) Jose Barreto (Awesome guy working for Microsoft's storage team.)
10) Classic Shell (I want my goddamned up button back!)
My definition of "fanboy" means I give those individuals, people, products and concepts on this list "the benefit of the doubt." It means I will accept at face value what is presented. I will trust what they have to say without the need for significant deep dives; this trust has been earned over time.
By nature however, I am a cynical person. I do the research, I question everything. So if you are suggesting that "Linux is the most compromised X on the planet" and that "anyone who believes otherwise is a Linux fanboy," I am going to call you on it. That goes against every scrap of evidence I have; prove your accusation.
Linux is not the most compromised webserver, despite being the most dominant. Various web APPLICATIONS (frequently, but not exclusively run on Linux) are vulnerable as hell...but these web apps lead to compromise on Windows as well as Linux. The actual underlying technology is significantly less assailable than the competition; shocking considering the many issues surrounding Linux governance and implementation.
So...prove it. Prove that Windows is "more secure" for the same tasks running the same apps. Especially when both are properly configured and hardened for a production environment. Prove also that those who disagree are "Linux fanboys," instead of people who have different - possibly more accurate - information than you are working from.
...you can prove that, can't you?
RICHTO - you seem to have missed the point, as usual. This whole sorry mess was with a network of Windows computers which you claim (and almost no-one else does) are superior by far to other OSs.
If you are so convinced about the superiority of Windows (and given its overwhelming market share) why do you bother with all these banal posts for which you get downvoted like no-one I've ever seen?
I was thinking exactly the same thing. Surely given this level of infection and the virulence of the malware a full re-build of the system from a known image would be both quicker and safer. Furthermore, if the organisation uses a half decent infrastructure, then all the users mail and files should be on the corresponding mail and file servers which if protected means the downtime is about 40 minutes per machine and the time to reconnect them to the network once everything is cleaned.
How many PCs do you know of that you buy at the local electronics store come preconfigured for PXE boot? Not a large enterprise; systems are not configured for image-based dissemination. Main office has only 11 people! Everything is on the other end of wet-noodle VPN. Nah; these folks use Best-Buy specials and the previous admin left such a mess that two months later I'm still picking up pieces.
At this point, it wouldn't be an "image" either. It would be a clean install. And there is a lot of CFO-only software to get off that thing...
Not sure about "preconfigured" but most Dell & HP laptops will PXE boot and my ancient 3Com and Intel cards (and motherboard NIC) on an Athlon 1800XP also do. Sometimes it's buried in the BIOS. I wouldn't try over wifi though. Mac G5 also netboots.
The problem is that without a server you can't do it and best-buy assumes this is your first/only pc (quite reasonably).
Perhaps Valve's console will provide a server to use for netbooting linux or at least an iscsi server, now that windows is beginning to catch up with the rest of the enterprise...
aka the "nuke from orbit option".
1. disconnect from network.
2. backup essential user files not stored on network to USB
3. low level HD and partition wipe
4. Re-image from last months desktop image
5. Scan USB stick in triplicate on quarantine machine
6. Restore backups
7. (optional) Reimage desktop ghost with Java removed...
Once initial detection was made, this option was probably quicker, simpler and you won't be worrying about whether you got everything for weeks afterwards.
Agree 100%.
Every time I come across an infection on a machine I always reimage.
It might be a pain, but it's better to have peace of mind knowing a machine is clean rather than fretting that you missed a bit and the bugger reanimated itself.
There are so many variants and the authors adapt their wares so quickly that the chances are high that even if you think you killed it by following online guides etc. it's still lurking somewhere, waiting to fuck up your day when you least expect it.
There are many organisations which cannot operate without the dreaded three: IE, java, and flash.
When you work in an environment in which your systems need particular versions of Java, and these are mission critical systems that are no longer supported by the original vendor (who may or may not still exist themselves), the idea of removing or even patching Java is a non-starter.
The best we can do is lock out external devices, have draconian AV policies, and filter all website traffic. It's not a guaranteed catch-all but with luck and close systems management we can avoid disaster.
I, along with many others I'm sure, have sleepless nights over these issues. This story is going to haunt me for the next few weeks I'm sure. I think I'm going to need a drink.
Or very large corporations who haven't even migrated from Windows XP or Internet Explorer 6 yet, and have such draconian and bureaucratic IT policies that trying to get anything done is like mating elephants: it's all done at a very high level and takes years to achieve any results.
Seriously. We can't even get updates to core software - which includes Java - across our local site, it has to be across the whole organisation... Which is somewhere in the region of 70,000 machines connected to its bloated central network.
Nuke, for what I'd like to do to our systems.
You have my utmost sympathy.
I used to be a touch scathing of situations like this; until I found myself in exactly this position. I am appalled at what I see as an intolerable position, but there is bugger all I can do about it.
We are in a situation where there are numerous separate "IT departments" - actually most are staffed by non-IT personnel. None of these report to any overall manager and they each work separately, with no central control, strategy or common methods of working. Helpdesk support has been outsourced and they also sort of manage the central services. I am aware that one of our sites has been compromised; however, the outsourced support have yet to fix the problem and anyone going to that site risks getting infected with some ransomware.
When I was offered the job, I was told that they wanted me to take charge and fix these issues; but I'm not allowed to log onto most servers or to get access to key information as it is "nothing to do with me". Even when I do highlight the key things that could be done to address the key issues, I then get told that it's not for me to change the way that they work.
Thank God it's only a short term contract; I don't think that I could continue to work under these conditions for any length of time.
I've re-read the article twice now and I can't see a good reason to blame Java. The author even states "I have no idea what the initial vector was; the primary delivery mechanism scrubbed itself clean". So if this is true how do you know Java was to blame?
I'm sure there are unpatched security holes in Java but blaming a fully patched Java 6 install with no evidence that it was at all to blame is just scare mongering.
The article does say malicious JAR files were involved - certainly other people infected tell of Java activity in their system tray before the rooting occurs.
I double-checked with Trevor on this point - because there is little gained in attacking a technology without basis - and he said the thing was originally detected as malicious jars - which spontaneously ate themselves. Flash was not installed on the PC at the time; Firefox, Chrome and IE were completely up to date. Acrobat wasn't in the browser. Those last two plugins are alternative vectors for delivering the malware, leaving just Java. And the mystery .jars.
C.
I can know the attack vector without knowing the name of the attacker. I don't have a clue what the initial Bad Thing was. I do know they were malicious Jar files that set off the alarms. The browsers were up to date. No Flash was installed. Moments after detection, the jars disappeared. So did Microsoft Security Essentials, Avast and a large chunk of all three browser histories. It looked to me like someone using a Java exploit that didn't want a security researcher decompiling the attack vector.
I crawled all over the thing for three days. I was hoping for an awesome new browser zero day. Alas, "Java is still broken" is not much of a story. But I was able to get the "this is how you fix it" info out to people, in case they got hit. That was really my goal.
Not all of us are so lucky as to have full imaging gear and pre-vetted application stacks. This is a new client of mine; small, most IT decisions still taken directly by the CEO, call for help as they need it. Remote cleaning was a priority. If it happened to me, it might happen to someone else in a similar position; worth the time then to write up.
I battled for 2 days to remove this crap, in the end I gave up and reinstalled W7. I can't prove it was Java that let the bastard in but I can't prove that it wasn't Java either.
Since I have reinstalled I have decided that there will be no more Java or Adobe Flash/Silverlight etc. If any application needs either of the aforementioned, well, tough luck, I will use something else.
I don't blame Oracle or Sun or MS, it's the virus writers that are to blame, but I have had enough of the endless updates, incompatibilities and now the virii that can use these plugins as vectors of introduction.
Hopefully by limiting the attack surface I will stay uninfected for the next couple of years.
I digress; after a quick Wikipedia etc., the plural form of Virus is actually Viruses (at least in the English written form; apparently there is no plural of Virus in Latin).
(We say Cactus / Cacti, Radius / Radii; apparently Virus and Platypus are exceptions to the general rule.)
I still won't blame Oracle though, as there are too many other factors that come into play, most notably MS Windows Security and Defence. If Java has complete access to the MBR then the problem stems more from the OS than it does the application. (You might also be able to throw Intel or the BIOS writers into the bunch here - although it's debatable.)
Basically put, the word "virus" (Latin in origin) was intended as a collective noun (a singular term describing a mass or group) and therefore had no proper plural form in Latin, considering that it was already essentially describing a plural. And since viri was already taken, we had to fall back on the old reliable. Happens all the time in English. If you don't believe me, ask your English teacher why we don't talk about more than one house the same way we talk about more than one mouse.
While the author puts the blame on Java as a whole I think it's Oracle which really deserves a good portion of the blame.
After all, let us not forget that some exploit options were already known by them around last April this year. And it took them months before they actually fixed it (tried to at least).
So I think you're going a little bit too easy on them if you don't blame Oracle at all.
I think I've spotted your 'infection vector'.
If it's like any organisation I've worked for, the worst culprits are right at the top.
"I want to install this, I need this gadget, why does it say Permission Denied? I don't care what the rules are, I want to install stuff. My kids want to use the computer too, and give me the serial number for that and that, I want to install those at home. No? NO!? Who's your manager?"
Who immediately caves in, makes you look like an arse for saying no, and tells you of course you should do the stupid thing AND work overtime to clean up the mess later.
Odds on that he was a Local Administrator, and thought he was above the same rules that apply to the peons in his 'employ'.
Oh, sorry.. I seemed to have ranted a little. But, I feel better now!
Doesn't fly at WROK PALCE.
NO C level twat (hmmm, perhaps I should use another term, since the majority of the C levels here are female) twit can overrule what the CIO decides the rules should be. End of discussion. The owner has her back on that one. "C" levels that do not abide are promoted to a position at another company.
It wasn't said in the opening paragraph, but I couldn't help thinking that it's alright work when you can bill the client for your time at some nice expensive day rate. Yet, on the other hand, having had the stress of malware removal for idiots who insist on not paying for decent AV, going on dodgy websites and not backing up their files I can attest that very quickly no matter how much money is involved, your sanity is worth more.
And thus we see the inherent superiority of the GUI. Or how did you propose to automate all this, then?
Personally I wouldn't buy another licence. I'd simply move the existing licence to inside a VM for the few things I would actually positively need windows for, and move as much as possible to {the main machine,another VM} running something that doesn't confuse security with dropping its pants. And if that isn't an option, why, you could still be running linux, or solaris, or what-have-you, inside that VM to run java-in-the-browser. Possibly java will still be a vector but as long as the exploits are windows-specific, you're good.
But really now, what inherent dependency on windows do you have left once you've decided to move your browser with java plugin to inside a VM? Why even bother shelling out for an OS licence if you can get something else that will also run that java applet in a browser for free?
Saying things like "Java-in-the-browser absolutely must be treated as already compromised" makes it sound to the uninformed that Java is some sort of technology from the dark ages that should be banned from existence. But really the same could have been said of Flash, Acrobat, or... well, ActiveX was an infection platform since day one and it took five years for Microsoft to finally deprecate it and abandon any hope of making it secure. Perhaps you're being a bit unfair by saying this about Java but not saying the same about these other popular plug-ins.
We had a couple of years of PDF infection vectors, followed by -still going on- a stream of Flash infection vectors, and now we will see a stream of Java infection vectors. As each of those things gets stronger and better sandboxed by the browser, malware is targeting progressively narrower user bases.
The next target? I don't know of another plug-in that is as universal as the three above. But what is clear is that "any means of executing arbitrary content downloaded from the internet should be treated as already compromised".
Including (ahem) JavaScript. Seems that whatever the best industry minds do to sandbox executable content, some vulnerability is always going to be there. It is sad to say this, but validation by certificate of the whole chain from boot sector to web page seems the only way of providing any reasonable level of safety.
Until someone finds a way to subvert the key chain, of course.
Firstly, an excellent article, and surely one of the first published accounts of the thing and how to kill it – and a rallying call to common sense, a Reg campaign.
Secondly, how could this happen and can we fix it – I mean do we need to replace the concept of a sandbox? Do we know whether address space randomisation or no-execute bits would have foiled the core exploit? I suspect that even with these hardware protections, exploits will still be found. It is a fundamental problem associated with running arbitrary code.
I like the post above, suggesting secure boot and a keychain; this would stop the rootkit infection, in a very obvious and uncompromisable manner. I think PCs should come with a wire link to make the boot EEPROM a ROM. Well, that and the OS needs to be signed and the signature checked by the ROM code, standard stuff from then on. The problem is that Java would then need to be signed, for it to work doing its "day job" - and unless they can then sign all Java apps we're still ruined.
How about only corporate Java gets signed and allowed to run - is that possible? Javablock will restrict Java to certain sites only, but it's not as good as signed code.
The worry in all of this is that you only found this nasty because it was a shouty one – how many other discreet “sleeper” infections could be out there?
So you have your boot loader, os, and whatnot else signed, and it religiously checks all those certificates. Then what?
Then someone finds a hole like this one in one of the programs and proceeds to infect the system through the hole, and the code runs anyway. Despite that code with the hole in it having passed muster because it was signed. That's what.
There will be unsigned data on such a system, so all you need is a hole in signed software (certified secure! hole and all! except that the signature didn't magically make the hole go away) and even if you can somehow sign everything down to the last bit of data, an attacker only needs to wiggle through the holes and perhaps then add its own key to the key store to soundly defeat all that key chaining.
Signing the boot and the OS and such is a means of control, not of safety nor security for the end-user. Because the end-user doesn't have the keys to his own system, but an attacker will either circumvent them or obtain them, as has already been published a few times. You only need to ask a couple of "then what?" questions to see the holes in the logic of signing for security, yet you advocate it anyway. Why?
Java is the headline here, yet that rather misses the point that (assuming it was Java.awetook) the user was successfully redirected to a website with the applet in place ready to infect their system.
So long as it's possible for users to arbitrarily discover and execute unverified third-party code at will, there will always be an attack vector. Today it's Java; tomorrow it'll be the app on your iPhone or JavaScript or that funky Raspberry Pi you've got acting as a media server.
Should we give browsers a kicking for allowing users to.. erm.. browse? Or website owners a kicking for allowing their servers to be compromised? Or mail hosts for allowing through zero day emails?
It'd be nice to see a slightly more nuanced view here. The issue seems to specifically be Java in the browser. Corporate users who rely on the rest of the Java stack have a far better chance of defending against attack. Blaming 'Java' for your woes is a bit like blaming C# - fun for a bit of corporate bashing, but not actually that informative.
Reading that list of stuff, creating partitions, disabling services etc sounds like the workstations are running as Administrators.
While this doesn't stop the infections, it does mean that things like Zero Access cannot create partitions and fiddle around with services.
Java certainly is the cause of most malware I've seen planted on workstations over the last 18 months, but thankfully most are running with user privileges so the damage is minimal.
And this is why, when I went back home this weekend to fix my parents' wireless*, I also uninstalled Java from every machine in the house.
It's just easier that way.
Also, in this sort of situation I nuke from orbit and re-install if at all possible.
*Next time the internet stops working dad, don't ring up BT and let them talk you through resetting the modem ok?
Trevor's article was just the push I needed.
I have now taken Java off each home system running it. Can't say the same for my previous employers, but hey... we can't be everywhere at once now, can we?
It will be interesting to see how much more nasty malware pops up before October 16th (and no doubt after).
Brrrrrr.....
This infection was multi-staged and took advantage of more than one vulnerability. However, the original attack vector was in fact Java based. This has been out in the wild for a while. This wasn't the first and probably won't be the last piece of malware to use this flaw. Claims that it was unpatched Java 7 are also a moot point considering a similar vulnerability to the one addressed in Oracle's recent emergency patch was found a day or two after it was released.
In the following stages vulnerabilities in security software and windows itself allowed for the malware to spread via a completely different vector to the other machines on the LAN.
That said this shouldn't be about who is most responsible and instead be about a systematic failure of several platforms whose security practices are lobotomized via backward compatibility and the bottom line (or maybe state sponsored cyberwarfare).
Were these machines running as admin? If they were, would dropping them to user have been sufficient?
I followed the MS link and it was not clear how, if at all, that would have helped. They did talk about 'Limit user privileges on the computer' but that's likely just generic advice.
Sorry if it's a silly question.
I'd say that disabling it in every browser is not a good way as it can't cope when a new browser is installed. Also you can disable the Java add-ons in IE and it will still work.
Following the instructions here (mentioned above) and opening the registry file here would be a more secure way of keeping the JVM but not allowing browser use.
Nope. I blame Java for letting the bastard in the door and giving it escalated privs on an account not running as administrator. The fact that once in, the satellite infections played merry hob with a Windows system is just par for the course. Protect the edges if you know that the center is soft and chewy. Nothing I can do about Windows; but I can uninstall the infection vector...Java.
"giving it escalated privs on an account not running as administrator."
And how would Java do that? Sure the JVM will run some generic Applet code but as it is not itself running as administrator, that code has to:
1) be able to do "interesting things" (which means the jar must have been validly signed)
2) those interesting things must be so interesting that Windows rolls over (in other words, this is a Windows vulnerability)
Note explicitly that Oracle says that your account can be compromised but says nothing about magical privilege escalation: The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.
Given the complex web of how things are run in Windows, who knows what happened to allow infection? The user running this was not an administrator on the local PC. How then did this get the kinds of privs necessary to install a rootkit? Browser glitch? Did it pop up a "run escalated" box? (User says no, but...they're a user...)
I have no idea how something crawling through Java could install a rootkit on a non-administrative user. And yet, it did. So is this something that uses multiple vulnerabilities in multiple products, or is there a whole new zero-day at work here that we just don't know about?
I'm open to thoughts on this.
"And how would Java do that?"
In ancient times users could register a callback to WM_TIMER, when the timer expired the subroutine would run as intended, but ... at system priority. Something like that still in there or maybe one can smash the stack of the JVM and get it to do interesting things outside of the sandbox?
People worry too much about The Hardware, me think. I would worry much more about the wetware, like having the RIAA send me lawsuit rich enough to bail a bank, the local po-lice arrest me as a child pornographer, or a "hacker", or a "terrist" mocker of the London olympics. That sort of thing - all perfectly possible by just compromising my user account.
Arbitrary code running is BAD.
Oh? Do tell. It is an actively versioned bit of malware, so it is a moving target for everyone. But in my experience, if MSE can kill it, it isn't all that relevant. MSE cannot however kill rootkits like Zeroaccess. They are a threat.
Sirefef will be isolated and contained by MSE unless we're talking about the very latest greatest variant. It won't get a chance to download buddies. Unfortunately, whatever the primary vector was murdered MSE before installing Sirefef.
Try it in practice. You'll sing a different tune. MSE cannot kill a single rootkit under active development. It can eliminate very old rootkits. Anything actively maintained will go through MSE like a hot knife through butter. It won't even see them, let alone be able to defang them.
FFS man, don't come in here and spread propaganda; we're actually trying to help people cope with real world issues here. This is not the time or the place for your pro-Microsoft crap; especially when so much of it is half truths wrapped in outright lies. The lack of context in everything you've ever written in the comments section of The Register is appalling.
Please astroturf elsewhere.
"Try it in practice. You'll sing a different tune. MSE cannot kill a single rootkit under active development."
What would you recommend? In the repair shop I work in we've found it generally far better than the alternatives - Avast is good but can miss stuff MSE kills, AVG (my previous fav) may slowly waddle up to it but probably not, and Norton is absolute proof the machine is infected. Not sure on Eset. Trend seems good but expensive.
Would love to hear your thoughts.
(In case you're wondering, I like 3 things about MS s/ware: system restore (when it works), MSE, and that all the issues pay my wages - but I'd give that up in a heartbeat for a world without MS!)
Fucked if I know. MSE seems "as good as the rest." Every malware vendor has gaps in coverage. I like Avast and MSE because they don't seem to step on each other's toes, so they can coexist. I prefer using multiple overlapping scanners on high-importance machines. Otherwise...prayer?
Nothing offers complete coverage. So we need to be ready with the re-install. Personally, I periodically run one-shot "second opinion" scanners such as housecall, even when they aren't resident. I don't trust any one scanner to find malware, so I throw the kitchen sink at things and hope it works.
The problem is more than partly 'the cloud'. I've seen several large projects in the last year using Java to dish up some awful cloud based whizzyware where the departmental buyers largely bypassed IT to get the latest snakeoil. They won't be responsible for the endless security nightmares, update aggro, version conflicts and poor performance of the craptastic Java platforms they paid for however, no matter how many warnings they get.
Sure, it's not one size fits all, but it's a damn good argument for forcing world+dog to run their "real environments" on a virtual with the underlying host being something safe that just serves as a launcher to said virtual.
Push comes to shove, you bring the sucker down, mount its drives on a clean (and loaded with "heavy artillery") special purpose virtual and proceed to happily clean the bugger.
Worst case scenario, you already have your backup (the old HD image files) and can just start transferring data files from the compromised virtual to a new clean one.
Back in the NT4 days, making ppl use virtuals for "daily use" would have been torture. Nowadays, any halfway recent box will handle it just fine.
Happy, cause that's what a small investment in extra RAM and HD's made me...
Malware depends on an ecosystem, and at the moment Windows is so pervasive that it is an easy target. Given the move to browser-based apps, surely it would make sense for companies to split their desktops into three types - Linux, Windows and MacOS. Then any malware infection will only affect a third of their operation.
If everyone did this, then malware would have a much harder time, just as real infections struggle to spread if much of the population is immunised.
As a side issue it would also finally put those eternal questions about relative vulnerability and TCO to rest - just imagine all the real life comparisons free of sales/fanboi spin.
The whole article is great apart from 'Download and run Symantec's Zeroaccess removal tool.' I'd never install ANYTHING by Symantec: super bloat, loada crap, doesn't work, won't install. If you're doing this you've enough problems and spyware without installing MORE by Symantec!
I don't know enough about the need for Java and hence the risk implied by this article. Is 'Java' the same as 'Java script'? What is 'java in the browser' and how do I eliminate it if I need, at the same time, to retain 'java' on Windows (various generations) and Linux to run some applications?
Basic guidance would be appreciated.
So obviously you decided it was via Java because you saw some jar file in a temp directory somewhere. This article reads like spin against Java.
Anyone running a machine that a company depends on should ensure that sensible user permissions are in place and virus checkers are up to date. Without these you might as well give up. Blaming a Java browser plugin is just trying to distract from the underlying issue; the initial vector could be anything, true, even the Java plugin. But if it had such a catastrophic effect as you made out then someone isn't doing their job properly.
The user was not running as admin. Their antivirus was up to date. Their browsers were up to date. Their browser extensions were minimalistic. Jars showed up and then disappeared; shortly thereafter the system was pwned.
If you have a different attack vector for that, I am all ears.
So the evidence says there's an attack that can get around good security practice measures, which downloads various additional payloads and cleans up after itself. Either fairly well but not well enough (if it came via Java), or well enough that the author didn't find it (if it isn't).
Either the attack is an unknown java exploit, or an unknown exploit with some other aspect of the system. There doesn't seem to be any evidence that the malicious jars introduced sirefef, they could just as easily have been additional payloads that may or may not have run.
I can't name the non-java exploit that could have caused this, but neither has the author named the java exploit that could. I'm not saying that this is definitively not caused by a problem with java, but there doesn't seem to be any real evidence that there is.
Here is a much simpler version of Trevor Pott's advice.
1. Use a non-admin account for your daily work.
2. Use a non-admin account for your daily work.
3. Use a non-admin account for your daily work.
4. Use a non-admin account for your daily work.
5. Use a non-admin account for your daily work.
6. Use a non-admin account for your daily work.
7. Use a non-admin account for your daily work.
8. Use a non-admin account for your daily work.
9. Use a non-admin account for your daily work.
10. Use a non-admin account for your daily work.
11. Use a non-admin account for your daily work.
12. Use a non-admin account for your daily work.
Java runs in user-space. Delivering a Windows-only rootkit requires admin access to the desktop. Do the math.
Yes, and the math leads to two words: PRIVILEGE ESCALATION. Hijacking something in the OS that already has admin access to get the rootkit in place. Unfortunately, privilege escalation is something that can occur in ANY OS (yes, even you, Linux--where did the term "rooting" come from?) with some chink in the code (and since programmers are human and some malcontents are patient, determined and/or motivated, odds are something will be found).
I work for a company where we still have to use Windows XP.
The Designed for Windows spec from over a decade ago requires applications to behave for non-admins.
as has been noted, there had to be multiple exploits here.
maybe - one in java to allow native code execution, alternatively its lack of sandboxing might have been sufficient to allow the next step via valid windows api calls
probably - a windows privilege escalation exploit that allows a user to run as admin
certainly - a service exploit to run user level code to spread across the network
it is possible that there was no privilege escalation bug used, but it certainly sounds like there was. I thought these were getting rare. Could someone in IT comment on that? I'm a dev, I create these sorts of problems with sloppy code, not solve them. I do remember an old redhat 5 privilege escalation exploit that you could go from a user shell to a root shell with only seven lines of typing.
I wish I had a definitive answer for you. I am 98% certain the initial attack was delivered through Java in the browser to a non-administrative user. Then what? What does it execute? Is it using a Java-native escalation, or some other exploit? How the hell did that bit of fail break out of its sandbox?
Then it ate itself. To me, this is the biggest indication that there was an unknown zero-day being used. The author of that malware did not want the initial payload to be examined by security companies. There are holes in the logs; I only even know that Jars appeared and disappeared because I had a completely separate app on debug for a completely different reason. (Trying to debug something involving Office 365.) It caught the logs thrown by MSE before it was annihilated (and all of its logs, browser history etc) with it.
Something crawled in through Java. Then it ate itself, the anti-virus packages, the logs and installed new friends. The user was not running as admin. So I don't really care if it used a native flaw in Java to escalate privs enough to do that, or if it cascaded other flaws once the userspace code had been delivered. Java was the initial vector, and Windows cracked like an egg after that.
Something crawled in through Java. Then it ate itself, the anti-virus packages, the logs and installed new friends. The user was not running as admin.
"ate anti-virus packages" and "not running as admin" are mutually exclusive. Links, or it didn't happen.
Are you sure the user in question didn't have some form of privileged access on the compromised PC? Maybe "Power User" access? I've seen too many pieces of poor advice published that I would not be surprised if this stupid advice was followed and then propagated through Group Policy, quite deliberately, just to make some broken gotta-have-this application work because said admin was pressured into taking the quick and lazy approach.
Your rant flies in the face of over nine years of experience dealing with this very problem. Am I just lucky? Why hasn't this happened to me, or my clients, or co-workers when the machines I dealt with all had the latest Java, the latest Flash, and the latest Readers, and so on?
Every time I try to run anything that may affect a system configuration, Windows asks for administrator's credentials. The user is not a member of "Administrator" or "Power Users," only "Users." This is verified by taking the time to trace all the domain memberships, how they interact, and what privileges those security groups have on the local computer. The user itself does not have specific permissions on the local machine. Everything I can see points to the user account not having any administrative privileges on the local PC whatsoever.
I do not rule out the possibility that someone may have tweaked some obscure setting in the registry of the local computer before I took over administration of this system that somehow allowed this to occur despite the fact that the user appears in every other way to be unprivileged. Without going over the registry with a fine-toothed comb, I cannot possibly know for sure. I do know that no extant GPOs exist that cause any such weirdness. The system is also an off-the-shelf HP consumer-targeted system; there is always the possibility that it simply shipped with a bizarre/obscure registry tweak that nobody is aware of.
That said, I have done the legwork on this. I wouldn’t be posting an article claiming that the thing crawled in through Java without being pretty damned sure that this is exactly what happened. I also don’t claim that it exploited the latest discussed vulnerability; I have absolutely no idea which vulnerability it exploited; for all I know it exploited a vulnerability that is a true zero-day and completely unknown outside the blackhat community.
I have determined that the browser in use at the time was Internet Explorer 9. I have gone over the IE9 settings; unless the malware in question changed the settings post-infection, it is entirely default. That should not allow Java, Flash or anything else to break out of a sandbox in usermode; and yet, it happened.
Look, as far as I can tell, this system is an off-the-shelf HP client system from about 2 years ago. It was attached to a domain run by an administrator that was pretty damned “by the book.” The GPOs and other configurations are pretty clear. WSUS automatically clears critical, security and definition updates for immediate install, and the user was diligent about keeping Java, Flash, etc up to date. Nobody played around with anything obscure because it simply was never required in this environment. It is as close to “off the shelf” as you can get for an SME install.
That’s what’s so scary about all of this. I would like to be able to write a “well damn it Jim, such and such happened because users are stupid” article. They get nods and smiles and sympathy from the readers instead of vicious personal attacks from a pool of internet piranhas.
Indeed, I have one such client that got slapped by their own stupidity on the same weekend. Nothing up to date, everything unmaintained, didn’t listen to my “disable java in your browser now” cries, and they run every user as local administrators. They got predictably pwned, but that’s not exactly interesting. (I like the billable hours, though!)
No, the guys that did it “by the book” and then got run over by something that crawled in through the internet are interesting. The CFO in question is a pretty honest guy; I asked him if he used a USB key, CD or anything in recent memory and no, he had not. I’ve checked every other vector I can think of, and nothing presents itself. So either something crawled in through Java and then broke out, or I.E. itself has a truly abominable zero day.
If I.E. has a zero day, the self-immolating Jars make no sense; why would Java anything be used as an intermediary there? Creating malware that requires something like Java be installed narrows your target availability unless Java itself is part of the vulnerability package you are exploiting to get the toehold into the system. This looks and smells like a Java vulnerability being exploited, probably in combination with something else. (http://arstechnica.com/security/2012/08/microsoft-defense-bypassed-in-2-weeks/ ???)
This is the first time I’ve seen a malware attack on a system that is reasonably properly defended. There is no obvious way this could have or should have occurred. If anyone has a better explanation I’m all ears on this; but I’ve spent an entire long weekend looking for obvious vulnerabilities in configuration and found none so far.
Now whilst I'm not a sys-admin (officially) I am the de facto sys-admin for friends and family and I suspect at some point in the future I will get "the phone call" and have to clear up a similar mess without resorting to nuking from orbit (the concept of backups will never make it into the domestic arena no matter how much I nag). So thanks for the all the tips - looking forward to my next battle.......... (not).
Sir,
I don't know if there are awards for perseverance in the face of malware-based adversity but if somebody does create one you will have my nomination.
I would have given up, f-disked and started again long before working out the process you have described in your article. If that wasn’t possible I may even have considered joining the Foreign Legion or signing on to a Pacific crab boat.
AC? Because I work in the industry and "should" be made of sterner stuff.
Two things: 1) I don't get physical access to the system for another couple of days. 2) I write a sysadmin blog, and my readers are important to me. If I can figure out how to kill the damn thing, maybe I can help someone stuck in a bad situation. If it helps just one guy stuck on the wrong end of a Teamviewer session, it's worth my Friday. :)
MSE flagged them as malicious, and this was logged. I had an app trawling writes to standard Windows events at the time making a second copy, so it caught them being flagged as such. By the time I looked at the computer (about 15 minutes later) the Jars were gone, along with most of MSE, Avast, the Windows logs, browser history and so forth.
So these jars showed up, MSE caught them as bad, but wasn't able to kill them. The rest you know. The following is what was seen:
Java/CVE-2011-3544.gen![insert a letter here]
Exploit:Java/CVE-2012-1723
Exploit:Java/CVE-2012-4681[insert letter here]
Exploit:Win32/Java (no qualifier?!?)
Now, CVE-2011-3544 and CVE-2012-1723 should not have affected a fully patched copy of Java. CVE-2012-4681 is just new enough that I can believe it might have been exploited if the user had “patched but not rebooted” or some such. Install logs for this system say that Java was up to date (Java 6u35).
What’s curious is seeing these together within a second of one another, followed by the system going crazy. MSE lagged detection of CVE-2012-4681 by a day… so my working hypothesis is that the user went to a site that took a shotgun approach to Java exploits, at least one of which worked. (There may even have been more exploits to come; it is entirely possible that the payload went off before all the detections had been completed.)
The payload that worked nommed all the evidence, except for my little logger which caught the mentions of the files that shouldn’t have actually been an issue. Now, you can flog me all you want for the one stupid thing I actually did during this exercise, but I think making the call that “this crawled in through Java” is backed by reasonable evidence.
What I should have done was immediately image the system at a block level and get the image to Symantec/Kaspersky/etc with alacrity. Assuming the malware didn’t dban the blocks where it was stored, someone could have lifted the thing off of the recently deleted blocks and we might know more about it. Sadly, I got the call pre-coffee and simply set about trying to kill the thing. By the time I realised that I might actually be dealing with something totally unknown, it was too late; I’d made so many system changes that imaging the thing was likely pointless.
So this is why I say that Java is the most likely candidate. Nothing else was untoward on this system. It looks to me like someone out there has an updated Blacole toolkit with some terrifyingly new exploits in hand and is using it with abandon. That said, I am not a security expert. I do not work for Symantec, Kaspersky or any of these other firms. I can only look at the evidence I have and say “well, this looks like the attack vector, this looks like the end result, here’s how you nuke the buggers.”
I can only hope that by laying out a “how to kill it” in my post, someone is helped. If along the way a little bit of awareness is raised about the fact that Java in the browser is bad for us all, so much the better.
Frankly, I don't think Java needs to be singled out as "the only bad thing to run in your browser." I think that any extensions in a browser need to be vetted for necessity. That includes Flash, Silverlight, .net, various toolbars and more. Shrinking the attack surface is always a good idea.
In the case of Java, I have a particular hate on because of the frequency and severity of exploits, combined with the abysmal response from Oracle regarding patches. This gets combined with the sheer unavoidability of the product and the versioning issues that can and do crop up in real world use. It makes me ornery. Doubly so when the issues I described in my post – and the subsequent comments – occur.
So if I hath insulted the almighty JVM, please accept my apologies. It sure looks to me like it is at fault here. I can’t even blame the user for this one, and that bothers the hell out of me.
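The "shotgun" pattern the commenter describes, several distinct Java exploit signatures flagged within a second or two of each other before the logs were wiped, is the sort of thing a second copy of the AV events can be checked for automatically. The script below is an added example, not the commenter's logger; the log lines and their `timestamp source detection` format are constructed for illustration.

```python
"""Flag bursts of distinct exploit detections in a secondary copy of AV events.

Constructed sample input modelled on the MSE-style detection names quoted in
the thread; these are not real captured events.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: "YYYY-MM-DD HH:MM:SS source detection-name"
SAMPLE_LOG = """\
2012-09-01 09:14:02 MSE Exploit:Java/CVE-2011-3544.gen!A
2012-09-01 09:14:02 MSE Exploit:Java/CVE-2012-1723
2012-09-01 09:14:03 MSE Exploit:Java/CVE-2012-4681.A
2012-09-01 09:14:03 MSE Exploit:Win32/Java
2012-09-01 11:30:45 MSE Exploit:Java/CVE-2012-1723
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")


def parse_events(text):
    """Return (timestamp, source, detection) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_bursts(events, window_seconds=5, min_distinct=2):
    """Group detections that fall within window_seconds of the group's first event
    and report groups naming at least min_distinct distinct signatures."""
    events = sorted(events)
    bursts, i = [], 0
    while i < len(events):
        j = i
        limit = events[i][0] + timedelta(seconds=window_seconds)
        while j + 1 < len(events) and events[j + 1][0] <= limit:
            j += 1
        names = {e[2] for e in events[i:j + 1]}
        if len(names) >= min_distinct:
            cves = {c for n in names for c in CVE_RE.findall(n)}
            bursts.append({"start": events[i][0], "end": events[j][0],
                           "names": sorted(names), "cves": sorted(cves)})
        i = j + 1
    return bursts
```

A burst naming several different CVEs is a strong hint of an exploit kit rather than a single stray file, and is worth imaging the box for before any cleanup destroys what the payload did not.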
I just finished a bout with Zeroaccess (A, B & C) but it did not manage to proliferate on my network and I know why, although not as clearly as I'd prefer to. Hopefully we'll get some better info about how it mobilizes itself at some point because after reading your account I'm surprised I got off as easy as I did.
We have some very sensitive data that we simply cannot afford to have compromised (by any threat) and as such we have a hyper-paranoid firewall setup that involves multiple levels of scanning, not only for inbound connections and downloads but also for intranet packet exchanges. It requires a herculean effort on the part of the firewall(s) in terms of memory and processing but it stopped zeroaccess dead in its tracks; it managed to infect the ONE system on the network that was excluded from the inbound AV scrubbing. Ironically, it was the CEO that managed to infect himself because he complained that his internet wasn't as zippy as he'd prefer and so demanded that he be left with ONLY the end point protection of his choosing: Symantec, because he said MSE wasn't good enough :}