
'Fileless' malware installs into RAM

Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims' PCs. The researchers aren't quite sure how unusual it is, describing it as both "unique" and "very rare", but no matter how scarce this type of malware is it does sound rather nasty as it "… uses its payload to inject an …

COMMENTS


Java?

Would that be the same Java that isn't even included with a default OS X install any more?

I haven't even bothered enabling Flash, let alone Java, in years. Neither are endorsed as standards by the W3C, so any website that cannot be viewed without either (or both) of them is clearly not standards-compliant. Such sites should be shunned until their developers get a clue.

(In the interests of not feeding the anti-Apple trolls, I should probably mention that I also use Windows and, yes, Flash and Java are both absent from my Windows 7 partition too. I haven't missed them.)

If you do get hit by this malware, you're holding the internet the wrong way.

13
22

Re: Java?

This would be the Java that you download for both Mac and Windows, although as the article suggests, the latest version offered on the website now is not vulnerable.

10
0

Re: Java?

"Java ... not endorsed as standard by the W3C"

And what exactly would it mean for the W3C to "endorse Java as standard"? And what would it endorse? The bytecode and class file definitions? A particular implementation of a JVM? The Java language? Version 1.5 or 1.6? The whole Java library coal train? What?

10
0
Anonymous Coward

Re: Java? - Please, please, please

tell Cisco developers and others to stop using Java for the management GUI of their products so I can purge them from my machines.

10
1

Re: Java? - Please, please, please

Cisco is one reason I am nervous about installing Java updates ever since a security update a couple of years ago rendered Java incompatible with our Cisco firewall.

2
0

Re: Java?

Java... not just for the internet.

I have Java plugins disabled in all my browsers but I need to have the language for some cross platform software that uses it and Android development.

1
0

Re: Java? - Please, please, please

Sorry about the TLAs but I've always thought that anyone who's serious about IOS uses the CLI not the GUI ...

1
1
Anonymous Coward

@Dr Who - Re: Java? - Please, please, please

Although there are some aspects where CLI is king, sometimes big-iron corporate firewalls with thousands of network objects, rules, access-lists and crypto-maps are easier to handle via GUI. For example Packet Tracer and Packet Capture Wizard are invaluable troubleshooting tools that require a GUI.

0
0

Re: Java? - Please, please, please

I strongly second that. Their Java GUI is a mess, unreliable, and, well, it uses Java. In short: I hate it.

0
0

Java?

The language and "sandboxed" environment that was supposed to save us all from nasties by never running anything untrusted? The language that is supposed to take over the IT world because it is so safe and stable?

Perish the thought!

No Windows, No OSX, No penguins. Just daemons.

8
1

Actually this is quite clever

If you can infect a Java system it is probably something that stays up for a long time, and you are better off re-infecting after a reboot than tipping off AV or file integrity systems by trying to store something.

Probably aimed at small-medium corporate systems rather than the home pc or large-enterprise with IDS.

Of course, you restart your daemons regularly and use a SAN with r/o base systems and SAN mounted software installs so you can regularly check MD5 sums for malicious alterations, right?

3
0
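The "check the sums of your r/o base system" habit the comment above recommends, as an added example (not code from the article, Kaspersky or The Register): a baseline of SHA-256 digests is built over a tree, stored in the same two-column format that `sha256sum -c` reads, and a later snapshot is compared against it to list modified, added and removed files. SHA-256 is used rather than the MD5 the comment mentions because MD5 is not collision resistant. The directory layout and file contents in `demo()` are constructed for the demonstration; the file name `bin/javaw` is just a stand-in, not a claim about what the malware touches on disk.

```python
"""Baseline-and-compare integrity check for a read-only base image.

Added example, not code from the page. Hashes every regular file under a
root, writes/reads a sha256sum-compatible manifest, and diffs two baselines.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries don't load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative POSIX path -> digest for every regular file under root.

    Symlinks are skipped rather than followed so a planted link cannot pull
    an out-of-tree file into the manifest or hide a replaced binary.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline, current):
    """Diff two baselines; returns sorted lists under modified/added/removed."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def save_baseline(baseline, manifest):
    """Write 'digest  path' lines, the format `sha256sum -c` accepts."""
    with open(manifest, "w") as f:
        for rel in sorted(baseline):
            f.write(f"{baseline[rel]}  {rel}\n")


def load_baseline(manifest):
    """Read a manifest written by save_baseline (or by sha256sum itself)."""
    out = {}
    with open(manifest) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            out[rel] = digest
    return out


def demo():
    """Constructed scenario: one binary altered, one file dropped, one removed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "base"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "javaw").write_bytes(b"original binary")   # constructed
        (root / "etc.conf").write_text("setting=1\n")              # constructed
        manifest = Path(tmp) / "base.sha256"
        save_baseline(build_baseline(root), manifest)
        # Simulate what an integrity check is meant to catch.
        (root / "bin" / "javaw").write_bytes(b"patched binary")
        (root / "bin" / "dropped.dll").write_bytes(b"payload")
        (root / "etc.conf").unlink()
        return compare(load_baseline(manifest), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Because the manifest is in `sha256sum` format, the same baseline can be checked from a shell on the SAN host with `sha256sum -c base.sha256`; the point of keeping the base image read-only is that the manifest itself cannot be rewritten by whatever altered the files it covers.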

How to protect yourself

Disable Java in Firefox using Chris Pederick's Web Developer toolbar.

0
0

Java got nuked off all my systems, after 2 drive-by downloads in the last 2 months. Both were stopped by the AV, but I'm still paranoid enough that I had to waste a few hours testing to make sure.

Both times I was on the most up-to-date build.

Does LibreOffice need Java, in the same way OpenOffice did? If so it might have to go back on the home PC - or I'll just use Google Docs for the very few times I need office-y stuff on it.

0
0

OnLive

I've started using an iPad running OnLive Desktop when I need to go places on the web where I should really know better.

The iPad is pretty much immune to anything currently out there, and the OnLive server instance I have is locked down and its system files can't be modified so it's pretty much immune too. I believe the OnLive images are killed and rebuilt every night anyway.

I admit it's not a replacement for a full PC setup, but I'm rapidly finding it my go-to solution for most things Internetty. Doesn't hurt that it gives me a 97Mbit download speed AND because the OnLive servers are based in the US, I can get Hulu and ABCPlayer wherever I am in the world.

Downside: you do need a decent internet connection to connect to OnLive, so not a permanent solution for most people.

0
0

Well, they are essentially the same codebase, so...

probably yes. Though I haven't tried nuking OOffice and installing Libre.

0
0

LibreOffice doesn't require Java

Some extensions still require Java, but the standard Writer and Calc functionality works fine without a JRE installed.

0
0

Patching

I think it shows what absolute shite most people's patching habits are when a super slick piece of malware that doesn't drop any files to disk can be mated to a year-old exploit and still be successful.

This isn't a Windows/Mac/Oracle fail. It's a People fail.

4
0
Anonymous Coward

Ahhh!

Windows - ever so secure!

2
13

Re: Ahhh!

RTFA. It used a Java exploit.

2
0

Re: Ahhh!

Twat.

0
0

Bah!

Java is ubiquitous in the world these days for anything as it "makes the developer's life easy".

IBM use it in their product lines, Symantec use it, hell, every bugger uses it. To think of it as something for internet use is to understate the problem by several orders of magnitude.

And before people start wittering about Norton anti-virus, I'm referring to the enterprise level product lines there, stuff like Veritas.

The tendency here seems to be more Java as time goes on, not less, and it's everywhere.

1
0

Re: Bah!

Java is freaking everywhere in Enterprise. And you know why? Even though it is shite in so many ways it is easy to learn. Thus when you have damn near every CompSci grad and half the population of India with a basic knowledge of the language you can get by with paying crap wages to your coder drones.

0
0

Installs the Lurk Trojan?

How does this count as "not installing any files"? Sure, it doesn't install any of its own files, and it takes a somewhat indirect route to installing this one, but if it survives a reboot (which the article states is the point of the exercise) then that sounds a lot like a file to me.

Now I could imagine a virus whose author was sufficiently confident of his ability to re-infect you after the reboot, who therefore chose not to install any files so as to increase the chances of going undetected. That would be an impressive piece of chutzpah and newsworthy.

But this, I don't think so. On the evidence of this article, it is just another delivery mechanism for a bog-standard file-system-based Trojan.

2
0

Re: Installs the Lurk Trojan?

It's worse than that, actually, in the sense of lame-press-release territory. It's nothing more than the way this stuff has always been done, for as long as malware has spread itself via the Internet. All those tasty buffer-overflow bugs, from back in 2000 or even earlier, allowed the malevolent server to plant code into the browser process, and for that code to download other code, either to memory or to files on disk.

Lame, lame, lame.

FAIL icon for the people making the announcement.

1
0

Re: Installs the Lurk Trojan?

The Lurk bit is secondary - the initial part doesn't install any files but snarfs some user data (e.g. browser history) and sends it back to the mothership, where a decision is then made about installing Lurk.

1
0

so it does install files?

"That installation attempt is the malware’s key task, as living in RAM means fileless malware won’t survive a system reboot."

Well yeah! I was keenly reading, interested to find out how the malware got over that hurdle, to discover it does in fact install some files, somebody else's code too.

So I'm not seeing the difference really.

1
0

Re: so it does install files?

That's what this version does.

What about the version that they haven't found yet, which just lives in RAM.

If it's pervasive enough then the botnet could just run in RAM.

And then when the JVM's die so too does that part of the botnet, so the body is dumped, no evidence.

2
0
Anonymous Coward

OS X Vulnerable?

"uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.”

Seeing as how OS X has neither .dlls nor a javaw.exe process, how does it affect both Windows and OS X?

1
0

Re: OS X Vulnerable?

This particular exploit would fail ... however a Mac with Java installed could be vulnerable to a Java exploit with a payload designed for a Mac.

0
0

It has been a while since Slammer

http://www.theregister.co.uk/2003/01/27/sql_worm_slams_the_net/

January 2003: a RAM-resident worm attacking a patched vulnerability in Microsoft SQL Server. If you hadn't patched it, that is. Oh, and performing denial-of-service by drowning your network in infection attempts.


1
0
Anonymous Coward

Time between reboots?

Wonder what the average time between reboots on a laptop is these days? Suspect it gets longer and longer, so it allows wider opportunities for this type of attack.

1
0

People forget

As a rather wise member of corporate technical staff once noted: It doesn't matter what language, what application, what language, in the end it's all 1's and 0's.

If you know what kind of CPU you're on and can grab some executable RAM, you can bypass anything.

0
0

No Minecraft?

No Java? But how will I play Minecraft and Project Zomboid?

0
0

No Java?

But how will I play Minecraft and Project Zomboid with no Java?

0
0