Multi-platform exploit sniffs your OS, penetrates your back door

Cybercrooks have begun deploying a web exploit which detects whether the victim is running Windows, Mac OS or Linux before firing an appropriate Trojan. The multi-platform backdoor was found on a Colombian Transport site by security researchers at F-Secure. The backdoor uses a JAR (Java ARchive file) to figure out if a user's …

COMMENTS

This topic is closed for new posts.
FAIL

@Editors: You are a FAIL

This thing is not an "exploit", it is just an attempt to run a Java program with the privileges of the currently logged in user.

The user has to explicitly consent to this, as the screenshots demonstrate.

Once again a lame attempt to damage the competitors of Windoze and once again lazy journalism.

4
11
Anonymous Coward

Re: @Editors: You are a FAIL

Pretty much all modern Windows "exploits" require the user to install the software and either grant permission to run with elevated rights, or run in the user's context. This is no different.

Once again a Linux fanboy tries to put the blame on poor journalism or pro Windows bias, rather than trying to understand what the problem really is.

The problem is the user.

6
12
Flame

@AC: Except For

* automatically loading and executing code from USB sticks and CDs

* having kernel exploits in Font Parsers for twenty years

* having kernel exploits in Bitmap Parsers for twenty years

* running a Guest's print jobs with Admin privilege

* fscking up certificates

* hundreds of other kernel exploits

..Windows is equally secure as Linux. Indeed. Redmond reality distortion.

8
7
Flame

I forgot to mention

..that Windows by default makes a user the Admin user. So if you accidentally run malware by your own consent, the damage is much higher than on the proper Unixoid systems (where you only run as root to install sw).

Yeah, the UAC Bandaid is supposed to fix that. But surely they have some braindead exceptions in that concept, all in the name of "making it as simple and convenient as possible." For Chinese intelligence, of course.

6
6

Re: @Editors: You are a FAIL

"Pretty much all modern Windows 'exploits' "

There is no correlation between the quantity and the danger they represent. True, there are millions of Trojans that seek to trick the user into letting them in, but they are easy to defeat by not installing stuff you didn't specifically request, and all platforms are vulnerable to them. It is the relatively small number that can sneak in undetected that represent the biggest problem, and Windows still has the lion's share of them.

4
1
Flame

Fresh Bug: MS XML Parser

This one requires 0% consent:

http://threatpost.com/en_us/blogs/msxml-exploit-surfaces-black-hole-kit-070312

Just click on an XML document or view an Office Open XML (e.g. *.xlsx, *.pptx, *.docx) document. Turning off scripting does not matter, either.

They call this "Security Development Lifecycle". Mr Gates is a Comedian In Charge of Software Development.

0
5
JDX
Gold badge

@Mr Torx

How exactly do you know that Linux doesn't have many of the same issues? We only know Windows has them because people looked for them.

And AutoRun is a good feature. Linux users don't agree using a PC should be easy though.

1
14
Anonymous Coward

Re: @AC: Except For

@Mr Torx - I don't know if you think that MS don't fix problems, but everything that you've listed (other than wildly unverifiable claims like "hundreds of other kernel exploits") have been fixed and fixed for a long time. The XML thing is a zero day bug, which has been fixed. Has linux never had a zero day? Or a problem found ten or twenty years after it's been put there. Or, even, problems which have been re-introduced with updates to source code?

You appear to be in the very dangerous position of thinking that your chosen OS is invulnerable. This is usually followed by discovering something like you were rooted a couple of years ago, but didn't notice, because why would you look, you're invulnerable, after all.

2
5
Anonymous Coward

Re: I forgot to mention

Windows hasn't made the Administrator the default user for a very long time, indeed. Some distributors have, but that's hardly the fault of the OS.

1
3
Flame

@ACs claiming "Linux is equally bad"

Yes, M$ does hesitantly fix bugs, but the whole Windows system was designed and implemented in ways which are horrible from a security point of view.

Linux did have kernel exploits, too, but the Linux kernel is much leaner than the Windows kernel, as it does not include GUI rendering code. In reality that means much less probability of exploitable bugs.

The retards of Redmond don't think it is wrong to run print jobs with Admin privileges, because that is convenient for the developer of the print system. Just look at Stuxnet, Flame etc and how they got their work done.

With open source everybody can inspect code and then name and shame the developers. With closed, commercial code you, the user, have to "believe" in some greedy corporation's efforts. M$ and Adobe are 100% focused on money, money and money. How do they get it? Not by security reviews, but by releasing new features, which they can charge for.

There is a sucker born every minute and he will believe in M$ security efforts.

7
4
Anonymous Coward

Re: @Editors: You are a FAIL

@Mr Torx: The user has to explicitly consent to this, as the screenshots demonstrate. Once again a lame attempt to damage the competitors of Windoze and once again lazy journalism.

I typed 186.87.69.249:8081 into the address bar and this came up.

0
0
Silver badge

Re: @Mr Torx

Linux, by its very nature, is open to inspection by anybody who wants. Whether this is done is a moot point, but at least you can do it. Previous Linux exploits (like buffer overruns) certainly have been discovered before being found in the wild (you can tell these because they are normally published as 'potential' buffer overruns). Windows does not have this level of openness, so although there are more systems to attack, there is less chance to spot an exploit before it is actually used (which is why zero-day exploits are so damaging to Windows).

The autorun is another matter entirely. If the underlying OS was secure, and the default user was not privileged, then it would be relatively safe (but of course, personal information would be available even if they were not privileged). But Windows has a reputation of being unsafe, and certainly in XP and earlier, most systems were configured so that the default user was an administrator. This makes autorun almost suicidal if users put untrusted media in their systems. It does not take a genius to see this.

Users on Linux and other UNIX-like operating systems can still be affected without privilege (I can think of several ways to add key-loggers to sessions on systems running X-Windows, for example), but in general, this is likely to affect the user and only that user, and the underlying OS and other users will be safe (significant, but less so if a Linux system is 'personal', i.e. only one user ever uses it - this is the problem Android has).

Because many users of commodity OSs do not really understand the differences in the security models and practice between different OSs, I see many challenges to Linux that are unfounded, and really should never be voiced if the person doing the challenging actually knew. I judge this to be one of them.

7
0
Anonymous Coward

Re: @AC: Except For

Except we know Windoze isn't that secure....

0
0
Silver badge

Re: I forgot to mention

There is a distinction between an administrator account, an account that can run commands using something like UAC, and one who can log in, but cannot even run UAC.

Up to and including XP, most default users on Windows were in the first category. From Windows Vista onwards, the default is in the second category, as are most Linuxes. But it is possible to configure Linux users in the third category (i.e. they are not allowed to run anything using sudo or its ilk). Most UNIX systems are configured like this, and ordinary users do not have any ability to do anything damaging to the OS unless there is an actual defect in the security system (and note I am not saying that there are no defects in any OS).

I find it funny how UNIX, the oldest of all of the OS's mentioned, is the one that implements the least-risk model. Just shows that people don't learn from history.

6
0
Anonymous Coward

Re: I forgot to mention

@Peter Gathercole: Go and look up runas, it's been in Windows since XP, it allows sudo-like operations, but is much more configurable in that you actually authenticate as a separate user, be that local or domain hosted.

Windows(NT) has always had separation of admin and user functions and is very configurable, just because some people didn't use it does not make Windows (NT) inherently unsafe or insecure.

0
0
Bronze badge
Trollface

I must join in

Rabble Rabble Rabble Rabble Rabble Rabble Rabble Rabble Rabble Rabble Rabble Rabble Rabble Rabble Rabble.

You can blame whatever you like, as soon as someone states something you like is rubbish this happens.

1
0
Silver badge

Re: I forgot to mention

Thing is, Microsoft is learning from the consumer end of the history timetable. And what history tells us is that end users don't like to jump hoops. If they can, they'll find shortcuts and end runs around security measures because they just wanna get to work, much like the stove and the TV: turn it on and get going. Security by necessity compromises ease of use, so what do you do when you need to balance the two: secure enough that people can't poke holes in everything, yet easy enough to use that people aren't going to go to pains to...well, poke holes in everything.

0
0
Silver badge

@ AC 11:09

Yes, Windows of the NT/2000/XP... range has many security features that ought to be more than a match for the UNIX model. But avoiding the fanbois arguments about how many bugs in Windows vs Linux and so on, there is a significant difference in that for most Windows users and a lot of older Windows software - it just did not work in practice.

The whole 'run as' option for Windows often failed for installers, and a lot of crappily written software (including some from MS in the past) assumed the user had admin privileges and open firewalls, etc, for really stupid stuff. If you are on a tight budget and/or have some older specialised software you just have to run as admin and hope for the best.

The other big problem is the ACLs used for access control with NTFS installations (majority case from ~2000 onwards) are simply too complex for anyone other than a seasoned Windows administrator to understand. So for Joe Average all of the security features just broke things, or in the case of UAC on Vista it just irritated them when it popped up so often that they disabled that as well.

So to say "just because some people didn't use it" is a gross misunderstanding of the majority of non-corporate Windows users' problems with using the security offered, whereas most Linux users don't need to bypass the UNIX model's default security to nearly the same degree.

5
0
Anonymous Coward

Re: @ AC 11:09

Paul - your arguments run like: I didn't understand it, it didn't work for me, so it was the same for everybody, or too complicated for anybody.

Just as an example - Runas often didn't work for installers, but if you told runas to download the user profile (the most common cause of the failure) it did.

As for ACLs being too complicated, really? I mean actually, seriously, you find an Access control list too complicated? They've been used all over for decades, just because Unix doesn't have such a granular file system (well, in some file systems, it does) doesn't mean that it's too complicated.

You continue to make the point that non-corporate users didn't actively use security - they shouldn't have had to, the default user IDs are setup correctly for default user access, it's just that some lazy system manufacturers gave higher levels of access than were required, this is rare these days. You have to admit though, that the average Linux user (and I include myself in this as I am a very heavy Linux/UNIX user) isn't the average computer user, there is a much higher average level of knowledge about the system, it's a false comparison.

0
2
Linux

Re: @Mr Torx

I run Linux mainly because I'm lazy. Things work out of the box without hunting for drivers, few security risks, and generally a much easier life. I work with repairing broken computers, and we can have all sorts of fun with security flaws and driver issues with MS products. I spend more time each week fixing friends' machines than I have fixing all my Linux installs in the last 3 years.

As a real test of how hard or easy Windows and Linux can be by comparison, might I suggest you install each in one machine, then move your hdd to a very different machine? Chances are very good that the Linux system will just run, happily, without needing any driver changes (although if you use AMD in one and NVidia in another, you might have to download or activate something due to licensing issues). All your files, settings, and programs working without any changes, and without activation issues. Try doing that with Windows, even going to a machine with identical hardware.

(Yes, I have seen machines which don't like one version or another of Linux, and have in the past experienced major driver issues - but they are actually very rare these days, and I do play with a hell of a lot of different hardware)

As to people looking for these things - er, how many millions of eyes look at Linux code? How many dozens look at Windows code? More likely someone is going to spot something shifty with Linux code than with Windows code. Where malware and exploits are concerned, there's more Linux people paying a lot of attention to their systems than there are Windows users paying attention to theirs.

Autorun.. I love it! It really does pay a significant portion of my wages. All that malware that so quickly jumps onto Windows machines when they take a USB stick from one machine to another.. Some of it jumps even when AR is turned off because of something in the way Windows processes the autorun.inf files. One of the greatest features in any Microsoft product!

(I use it on Linux as well - but then I don't need to worry about malware there :) )

Yeah yeah, I know.. Don't feed the trolls... Now, where'd I leave that rat poison...

7
1
Silver badge

Re: AC 13:41

No my argument is more like: My friends/family/granny didn't understand it, it didn't work for them...

As for runas - why should it not have "just worked" like sudo? More skill required to fault-find.

Same for ACLs, the issue is not that I don't understand what they should do, more the fact you often need to use the tool to see what the effective ACLs are, and a lot of insight to see what those implications are for the system.

Then you get on to the thorny issue of execute permissions - can I use the ACLs to block all user-writeable areas like TEMP and their own profile from execute permissions and not break the whole machine? Not break Chrome? Linux has the execute bit that, by default, is disabled on downloads etc (OK, not on stuff copied from CD or FAT which is dumb...) which is another hump in malware prevention, ACLs should allow the same, but by default don't.

But you are 100% correct to say "they shouldn't have had to, the default user IDs are setup correctly for default user access" - it is this 'insecure by default' problem that plagued Windows for years, and while it is much improved now you still get the odd legacy application that only works with your admin pants down. You just pray that no one brings along a bucket of soapy frogs...

3
0
Anonymous Coward

Re: AC 13:41

Paul - Setup a default Windows 7 system, it'll work just fine and be secure enough for non-IT-literate users.

If someone runs as Administrator it's not. This is an old practice predominantly down to 3rd party resellers, which doesn't happen any more and didn't with people who actually knew how to setup systems anyway.

Runas sometimes doesn't work straight off because it's much more granular and therefore more complicated than sudo. And you can hardly say sudo is a friendly setup, what with having to hack the sudoers file, which is horrible. Complaining that something doesn't work because it's not as simple as Linux is exactly opposite of what Linux users and Windows users usually complain about (ie: Windows is too simple, Linux is too complicated.)

Yes, there is a read/execute as well as a read ACL, no you can't execute by default downloaded material. There is no need of any special tool to find out what ACLs you've got (other than right click properties.) However Chrome is a very good example of a staggeringly badly written piece of software, which is very easy to break, just by using simple, standard ACLs. This just goes to underline the fact that you don't understand the system that you're complaining about.

But just to keep you happy, as it's obviously all you want to hear: Linux FTW, it's 733ter than Windoze.

0
4
Anonymous Coward

@JDX

"And AutoRun is a good feature"

I sincerely hope you are NOT a sys. admin.

3
1
Bronze badge

Re: @AC: Except For

Add two more points:

** lack of Windows repositories (even AppStore is recent) to minimize the risk of installing malware with new software. Otherwise, if possible you have to do it from source, but vanilla Windows lacks even md5sum utility. To address a similar threat, Android system requires every java app to run under unique uid and to show all the app's privileges prior to installation.

** even if you know that a given app is secure, there is no guarantee that installation is done through one package manager, no guarantee of updates, no way to take care of the conflicts and/or dependencies. (Not sure whether Windows installer checks it when used). There is likewise no analog to checkinstall or dpkg-deb to manually register an app installed from source.

** patching IE with the recent IE vulnerability (that took 1 month to develop) required reboot of the whole system. This is enough of a nuisance for many users to simply not bother with such patches.

1
1
Bronze badge
Megaphone

To Charles the Ninth

Charlie, it is not secure and foolproof enough, that's why there is a multimillion anti-virus sca..., sorry, industry and Redmond does strongly recommend running an AV of some kind (compare it to apparmor or similar). That is the whole point.

2
1
Bronze badge

@ AC 13:41 GMT

Translating from Paul's British English:

The Windows permissions implementation (ACL) did not bother very much with the KISS principle. Hence, the consequence was that only you and few Windows apps developers got it, the rest would sometimes require their unhappy users to properly run the said apps with the admin's rights only, the situation pretty unheard of in the POSIX land.

At the same time, the notorious Redmond's braggadocio about their system's simplicity for an average user should then be put back into Ballmer's arse, the place where it really belongs.

2
0

Re: @AC: Except For [fix]

let me fix this for you:

Except we know Windoze user isn't that secure....

He will click randomly any button to get rid of a popup

(without reading its content)

1
0
Anonymous Coward

Re: @Editors: You are a FAIL

What is actually new here?

0
0
Anonymous Coward

Re: @ AC 13:41 GMT

@Eulampios...

If you can't understand how ACLs work, you have no business professing to others that you know about IT security. ACLs are the basis of a very large proportion of different permissions systems and really aren't complicated. I have never come across anyone who can't understand ACLs after about five minutes of explaining how they work and what they achieve.

As for repos - repos are great, but they aren't a panacea. They are particularly good for FOSS, not so good for pay for shrink wrap. They are great if you want everything to stay up to date all the time, many do, not so great if an update to a library breaks something else. Most commercial linux users need to manually install pay for software and this is a massive ball ache. Windows is able to host many different versions of software because it doesn't rely upon repos. An example: when I updated one of my linux boxes recently, it broke Pound Proxy because one of the dependent libraries had had a function removed from it, in Windows you can have several versions of DLLs and these can automatically be sorted through until any missing function is found. You can also setup your own 'repo' for Windows to deliver packages to workstations and servers.

0
0
Silver badge

Re: I forgot to mention

"But it is possible to configure Linux users in the third category"

Actually, this is the default behaviour in most Redhat based distros which have the root user enabled and a non-privileged account configured during the install.

Debian based distros don't enable the root account and instead rely on giving the first user account sudo privileges. However, subsequent users configured on the system are not given sudo privileges and also fall into your third category.

0
0
Vic
Silver badge

Re: @ AC 13:41 GMT

> They are particularly good for FOSS, not so good for pay for shrink wrap.

That's incorrect. They are perfectly fine for shrink-wrap. Red Hat use exactly that model for their paid-for code.

> not so great if an update to a library breaks something else

And that's exactly why you use a repo by way of a package manager - dependencies are tracked.

> Most commercial linux users need to manually install pay for software

Your experience clashes with mine. And I manage commercial Linux systems for a living.

> Windows is able to host many different versions of software because it doesn't rely upon repos

Linux is also able to host many different versions of software, and it does (usually) rely on repos. That's because repos do not prevent multiple installations if that's what the user wants...

> You can also setup your own 'repo' for Windows

I suspect you don't yet know about the ways you can do this with Linux.

Vic.

1
0
Anonymous Coward

Re: @ AC 13:41 GMT

Red Hat is paid for FOSS as an update service, a different case.

I gave you an example which shows where a package manager failed.

I use Linux every day, manually installing (usually) backup software, it's a horrible experience.

Of course I know its possible to do this on Linux, that wasn't my point.

See, the thing here is that I am a Linux fan, I am also a fan of Windows, I just find the people who spout off about each as if it's the only right-thinking option really rather tedious.

0
2
Silver badge

Re: I forgot to mention

I've used that feature for many years. It's not news to me, nor does it alter anything I've said.

When my kids were younger, and we shared PCs, I gave them all normal user ids, kept the admin login to myself for infrequent use (I also used an ordinary account for my normal work), and created another administrator account to be used with runas which I then made unable to log in directly through a registry hack. I gave my kids the password for the runas account for applications that were stupid enough to need administrator privilege to run. This worked fine for everything until I came across the game Blockland, which needed to actually be run from a logged-in administrator account.

But it did not take long for my kids to realise that they could actually run almost anything as the runas admin account, but what it did do was make their default access for browsing and mail, the most likely things to cause the system to be compromised.

I've never said that the security model of Windows NT based OSs is weak. In fact, on these forums, I've actually said that it is probably better than the default UNIX model. What I have said, though, is that it is set up on ordinary systems in a generally flawed manner, and this is compounded by application writers creating programs that need administrator rights to access certain parts of the filesystem needed by the application, but this is another story.

0
0
Anonymous Coward

So

We had to change "Write once run anywhere" to "Write once crash anywhere", now it looks like "write once exploit anywhere".

2
1
Jad
Stop

Good luck with that ...

Since I'm not running Java, or for that matter any of the mentioned Operating systems ...

2
5

Re: Good luck with that ...

I think you forgot you were on a geek website...

Bragging that you run a non-mainstream OS and don't install java tends not to be that impressive to people who know what they're talking about :)

News websites would be pretty thin on articles if they only printed things which directly related to your computer setup. Nice that you felt the need to tell the world this doesn't affect you though.

tata xx

3
2
Stop

Re: Good luck with that ...

I think he had a valid point in pointing out that educated users have removed the Java Risk a long time ago.

3
5
Trollface

So, Apple fanbois

Running a 6502 on an Apple IIe don't have a problem with this nonsense.

0
0
Bronze badge

"runas" !~ "sudo"

runas is not sudo-like, it is a su-like command. There are a few differences: sudo elevates the privileges of the given user according to /etc/sudoers, it does not just plainly jump between different users. On the other hand, having sudo you can lock the admin root account to completely disallow login therein (except for elevation via sudo or ssh key, if the latter is allowed in the first place).

0
0
Vic
Silver badge

Re: "runas" !~ "sudo"

> having sudo you can lock the admin root account to completely disallow login

You can also set up /etc/sudoers to permit only a limited subset of root's capabilities, giving users the features they need without opening up the whole box...

Vic.

0
0
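The kind of restriction described in the comment above, as an added example that is not part of the original thread: a constructed sudoers drop-in that lets two hypothetical users run one fixed command as root. The file name, user names and service are assumptions.

```sudoers
# /etc/sudoers.d/print-ops
# Constructed example: file name, users and service are assumptions.
# Check syntax before installing:  visudo -cf /etc/sudoers.d/print-ops

# Hypothetical helpdesk users who receive the limited privilege.
User_Alias  PRINT_ADMINS = alice, bob

# Full path plus fixed arguments: sudo matches only this exact invocation,
# so "systemctl restart sshd.service" or a bare "systemctl" is refused.
Cmnd_Alias  PRINT_OPS = /usr/bin/systemctl restart cups.service

# Run PRINT_OPS as root on any host. Nothing else is granted by this file;
# a command stays forbidden unless some other sudoers rule allows it.
# Keep editors, pagers and interpreters out of such a list: any program
# that can start a shell turns a limited grant into full root.
PRINT_ADMINS ALL = (root) PRINT_OPS
```

Running `sudo -l -U alice` as root lists what the rule set actually grants that user.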
Anonymous Coward

Re: "runas" !~ "sudo"

Meh, so it's su like, not sudo like, it's still very effective and does everything that sudo and/or su can do plus more and more granularly.

0
2
Silver badge
Holmes

"more granularly"

What does that even mean?

Can I easily allow a dumb user to use "runas" but ONLY for a single command on Windows?

0
0
Anonymous Coward

Re: "more granularly"

It means more finely grained, ie: more configuration options.

Runas can do single or multiple commands, GUI elements, scripts or programs in different users local or global, with or without profile, as you wish.

0
0
FAIL

It's not really an exploit to check the User-Agent header sent by the browser - only people browsing Incognito require something this silly.

0
0
WTF?

User-Agent? I don't follow.

As others have mentioned I'm not sure this can really be called an exploit. I'll suggest "blended threat" as a possible alternative or maybe "bell-ended threat", since only a dickhead would fall for this lame trick.

0
0