Thanks ever so much Java, for that biz-wide rootkit infection

Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you'll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact …

COMMENTS

This topic is closed for new posts.


Mushroom

The only use for java these days

Are minecraft, android development and viruses. In that order.

5
3
Linux

Re: The only use for java these days

That's why I play minecraft using Linux...

1
10
Anonymous Coward

Re: The only use for java these days

Java exploits don't only work on Windows, they'll run on anything that Java will run on, including Linux.

What you're displaying is a fairly common mindset that "Windows is the only thing that gets exploited, therefore I'm safe, whatever I do with my non-Windows OS." It's very dangerous and I've seen it bite people; a friend of mine found that his broadband was running slowly because his Linux box had been rooted and was happily serving porn to the world.

15
5
Silver badge

Playmobile reconstruction or it didn't happen

Have you got a URL for some good Java coded Linux Malware? I would like to try it out. When I have tried installing malware before it didn't work - not even under wine.

12
1
Anonymous Coward

Re: The only use for java these days

It depends, the virus may be using JNI or an exploit in the VM to access OS resources.

0
0
Linux

Re: mindset that "Windows is the only thing that gets exploited,

Trevor was talking about his own experience, so it might not have been appropriate in this particular article, but I do wish that more people would remember the penguins when it comes to documenting these risks and recovering from them.

If it saves just one chicken...

1
0

Re: The only use for java these days

The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges.

5
3
Gold badge

Re: The only use for java these days

Um...what? OSX is actively under attack using these vulns...as is Ubuntu for those running as root...

1
4
Bronze badge

Re: ...for those running as root

Which, if you are not a transplanted M$ n00b, is never recommended.

2
1
Silver badge

Re: The only use for java these days

The good news is that on OS X you can go into the Java preferences, disable the Java plug-in on all browsers with a click on the checkbox, and still have local Java programs (well, in my case Eclipse) running perfectly fine.

Windows, on the other hand, is a fecking nightmare to disable.

1
5
Gold badge

Re: ...for those running as root

Do you have any idea how many Ubuntu users I catch running as root? It gives me a sad.

3
2
Gold badge

Re: The only use for java these days

Disables fine in Chrome and Firefox. Even when "disabled" in IE, the thing still can be called. How that works, well...comments, Microsoft? I'd love to hear the explanation.

2
0
Anonymous Coward

Linux box had been rooted?

> a friend of mine found that his broadband was running slowly because his Linux box had been rooted and was happily serving porn to the world ..

Any idea how it got onto your friend's computer, and how did it disable the firewall on his broadband modem?

2
0
Bronze badge

Re: ...for those running as root

How do they run as root on Ubuntu?

0
0
Gold badge

Re: ...for those running as root

Set a root password. Then you can log into the GUI as root.

1
0
Bronze badge

It would be unethical to send malware

It would be unethical to send malware to an unknown party or a party not working for a reputable major antivirus or security firm.

If you doubt that Linux has vulnerabilities and exploits search on Linux here:

http://www.kb.cert.org/vuls/byid?searchview

0
0
Bronze badge

Re: Linux box had been rooted?

First, you're making an error in assuming all broadband modems have firewalls; they don't.

Secondly, something that can get through a hardware firewall to access Windows computers behind it can get through a hardware firewall to access Linux computers behind it.

1
1
Bronze badge

Re: ...for those running as root

As other operating systems become more usable, we'll find more poorly trained and untrained people using them. Which means more people making the mistake of using an elevated privileges account for everyday work.

Perhaps the only solution is to go the Apple route, and maybe a bit further. Create an operating system that will only run software signed by the operating system author. I fear that is where we are headed.

1
0
Anonymous Coward

Re: ...for those running as root

Where we are clearly headed is "Safe Computing" shooting up on 'roids and methamphetamine:

Everyone will run their OS inside a VM. At least one "bundes-trojaner" will be in full control of the VM and continuously monitor all interfaces to the hardware layer for "dangerous traffic". External connections are logged and saved for 7 years in case the definition of "dangerous traffic" mutates and prosecution becomes necessary after the fact.

You cannot install anything outside of the VM, any attempt to hack it will bring the full force of NDAA 2012 or RIAA sturmtroopers to your doorstep. All of this is for our own protection, of course.

1
0
Flame

Re: ...for those running as root

What the hell are people running Ubuntu who know enough to set a root password doing setting a root password?

No sympathy for rooted boxes there if they're going to insist on being as stupid as possible.

3
1

Re: ...for those running as root

Which, if you are not a transplanted M$ n00b, is never recommended.

this should read:

Which is never recommended.

To MS's credit, they have been actively trying to persuade everyone since NT 3.51 (that's a very long time ago, thank you) to please not log on as admin. Only: nobody listens. Neither do you. Or he. Or she. Or whoever. Long story short: migrating these people to Linux will not solve the problem, only make it worse: they will still log on as root (I'm the admin!) and now will not even have a clue how stuff works in Linux.

Migrating normal users to Linux is a disaster waiting to happen. Trust me. I know. For sure. Been there. And turned back.

3
0
Silver badge

Re: ...for those running as root

"Do you have any idea how many Ubuntu users I catch runnign as root? It gives me a sad."

Even a few is surprising - on a default Ubuntu install, you can't log in or su as root.

2
0
Gold badge
Facepalm

Re: The only use for java these days

"Windows, on the other hand, is a fecking nightmare to disable."

You can go into the Java preferences and disable the Java plug-in by clicking on the checkbox.......

Let me guess. You've been fannying around with the options in the various browsers rather than going to the horse's mouth of the Java console in Control Panel, haven't you?

1
0
Silver badge

Re: The only use for java these days

You need to run the Java control panel from an elevated command prompt (obvious, that) and while that works for alternative browsers it still doesn't work properly for IE and IE is part of Windows. See my post on the next page.

Your icon is self referential I suppose?

1
0
Bronze badge
FAIL

Re: Java exploits don't only work on Windows

True, the software would run on any machine with a suitable java runtime. However, most non-windows installations use sensible user permissions as default. Plus, the exploit code is going to be very OS specific so you'd need to have something explicitly targeting linux, osx, vms, ...

"was happily serving porn to the world" Must have a really good broadband connection!

1
0
Bronze badge

Re: .Set a root password

It would almost serve them right if they did get infected.

0
1
Anonymous Coward

Re: Linux box had been rooted?

A "broadband firewall" is just a NAT. It doesn't give you any protection whatsoever from malware that installs itself via booby-trapped websites or received in E-mail.

0
0
Anonymous Coward

Re: The only use for java these days

"...compared to Windows XP, where everybody runs with administrator privileges"?

In the corporate environment this is unforgivable (and if there's a sysadmin of any note it won't be true). I will concede that in the home it's more tempting to run as an administrator. Bear in mind that full admin rights aren't given by default to newly created accounts: it is the owner's choice.

0
0

Re: ...for those running as root

"How do they run as root on Ubuntu?"

sudo su

Most obvious way I can think of.

0
0
Gold badge

Re: ...for those running as root

sudo passwd root

Enter a password

Now you can log in to the GUI. What's so hard about that?

0
0
Anonymous Coward

Re: Ubuntu for those running as root...

It is designed to make that difficult, therefore unlikely.

I can "sudo su" in a terminal and forget that I'm root --- but I'm not even sure how to be running the entire desktop as root.

0
0
Anonymous Coward

Re: ...for those running as root

Which shows that my last reply must be, err ...wrong. Oh well, that happens! :)

But I wonder why they bother, as it is so unnecessary for everything except admin tasks. It would make me sad too.

Not that I never spent all day logged in as root on a work machine. And not that I never screwed up when doing so <Blush>

0
0
Anonymous Coward

Re: ..default Ubuntu install, you can't log in or su root.

You can sudo su or sudo su - which is pretty much the same as being logged in as root.

And in mid post, I tried sudo su root. Yes, you can su root.

0
0
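A check that goes with the posts above about running "sudo passwd root" and "sudo su root", written here as an added example rather than anything posted in this thread: a small POSIX shell function that reads the root entry from a shadow(5)-format file and reports whether the account is locked (the Ubuntu default, where the password field is "*" or begins with "!"), has a usable password hash (someone has set one, so direct root login is possible), or has an empty password. The sample files it creates are constructed for the demonstration; the file path argument is the only thing it assumes, so the same function can be pointed at the real /etc/shadow (readable only as root) to audit an actual machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the state of the root
# account's password by parsing a shadow(5)-format file. The caller passes
# the file path, so the function runs on constructed sample data here and
# on /etc/shadow when used for a real audit.

root_password_state() {
    # $1: path to a shadow-format file. Prints one word and returns 0:
    #   locked - field is "*" or starts with "!" (Ubuntu default for root)
    #   set    - a password hash is present: direct root login is possible
    #   empty  - no password at all: anyone can become root
    # Prints "missing" and returns 1 when there is no root entry.
    line=$(grep '^root:' "$1" 2>/dev/null) || { echo "missing"; return 1; }
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case "$field" in
        "")         echo "empty" ;;
        '*' | '!'*) echo "locked" ;;
        *)          echo "set" ;;
    esac
}

# Demonstration on constructed sample files (fake hashes, not real accounts).
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'root:*:19000:0:99999:7:::\nalice:$6$salt$fakehash:19000:0:99999:7:::\n' > "$tmp/default"
    printf 'root:$6$salt$fakehash:19000:0:99999:7:::\n' > "$tmp/passwd_root"
    printf 'root:!$6$salt$fakehash:19000:0:99999:7:::\n' > "$tmp/relocked"
    printf 'root::19000:0:99999:7:::\n' > "$tmp/no_password"
    for f in default passwd_root relocked no_password; do
        printf '%-12s -> %s\n' "$f" "$(root_password_state "$tmp/$f")"
    done
    rm -rf "$tmp"
}

demo
```

The "relocked" case covers "passwd -l root", which prefixes the existing hash with "!" rather than deleting it; treating anything that starts with "!" as locked is what makes the check agree with what PAM will actually accept.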
Anonymous Coward

Re: The only use for java these days

"The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges."

Utter bollocks I am afraid to say. It would not be hard at all to craft a payload that did anything harmful on a Linux install. What planet are you living on? Clearly not the same one as me. Running Linux is not an effective shield for now. Windows and Linux boxes are exploited for differing reasons.

Windows - Exploited these days to slurp mostly banking data and anything else they fancy, due to the high volume of Windows users and therefore the volume of banking details available to be stolen. That makes it target No. 1 for anything exploiting for cash profit that can be rapidly taken advantage of.

Linux - Small desktop percentage and therefore low volume of banking transactions compared to Windows. Hence why you don't see your and your friends' Linux desktops hit with a slew of malware. There is no substantial profit to be made. Linux has a heavy server percentage and the exploits developed reflect that. Stating that it's harder to exploit a Linux system is utter drivel of the highest order. It's secure on the desktop due to its obscurity/low install base. As simple as that. On the server it needs proper care & attention to detail or you're open to all sorts of attack.

So to be short: there is no profit in exploiting Linux desktop users at this time. If the user base blew up, so would the number of malware kits produced for it.

2
0
Silver badge

Re: The only use for java these days

Yep, although I do wonder how he managed to get incoming tcp connections through the router firewall... oh wait, upnp... another fine invention for malware.

We need something which is inherently less capable than java. You don't need to root a box if it can happily run a java web-server as a local user, or spend some time scanning your RPC services for exploits now or in the future or (I suspect is the most common) wait some time and then pretend to be a flash update requesting admin privileges to install.

Linux is a good model with its repositories. No per-application update systems please. Flash should never ask to install updates, the system should keep a list of updates which the user can check (or silently install). How often have we seen "posing as a flash update"?

I'd like to see further OS controls, especially for mobiles. Few applications need access to the internet, mostly they just need to talk to one domain. How about controls set during an installation which limit what an application can access? Should that be part of the standard application installation system? So the OS restricts flash to *.adobe.com for updates. Anything which wants wide or unusual internet access should be easily spotted. Hmm, why does that pack of emoticons need any outbound network connections, let alone access to the entire internet? How about path restrictions? Why not set the binary path and library requirements at installation and get the OS to prevent loading/execution of anything else?

0
0
Anonymous Coward

Re: Linux box had been rooted?

a java trojan and then upnp would do it on most home systems.

Or rooted and then keylogged?

0
0
Silver badge
FAIL

Re: ...for those running as root

I would say that MS says one thing and does another.

On a default install of Windows 2000 Professional/Server you are root (administrator) by default, as you are in Windows XP/2003; then on Vista you get elevated privileges through UAC all the time, which is neither an administrator account nor a non-privileged user, and the same goes for Windows 7/2008/R2.

Microsoft had the opportunity with Win7 to go to a fully user/admin separated model like everything else in the industry has done for the last 30 years.

But no, they know that will break software and alienate users, and the bottom line is more important than doing things the right way.

0
0
Silver badge
Linux

Re: The only use for java these days

Exploiting a Linux workstation and installing a rootkit running as a regular user requires much more than a simple Java exploit.

Most hacks that I have encountered in Linux follow only one pattern: the people using it are completely clueless.

I have never faced an exploit on a Linux desktop, but I have been exploited by a 0-day vulnerability in Opera in Windows; thank God I never run as Admin and the little nasty only got to infect my profile.

Seriously I have yet to face the same thing in Linux.

0
0
Silver badge
Linux

Re: The only use for java these days

"So to be short. There is no profit in exploiting Linux Destop users at this time. If the user base blew up so would the number of Malware kits produced for it."

I am eager to see Linux being exploited in this manner; I would love to see what the response will be from the technical community. The Linux crowd will not sit idle, as thankfully there is no inertia to overcome.

0
0
Headmaster

Re: The only use for java these days

I want to lynch the people who write malware.

I have had to clean out systems in a way that the author has described before and I have a dim view of damage control and rebuilding systems from malware take overs...

The amount of shit and misery they cause in terms of people "tens of millions of years of people time, to fix up the shit" to billions of people many times over, over the decades - I think the sentence ought to be burning at the stake.

Fuck them.

0
0
Silver badge
FAIL

Lets not just blame java here

In how many other OS's could a virus get in through a NON privileged account yet not only hide itself all over the system but disable core services AND create a new friggin partition?? I think this demonstrates that despite what the Seattle snake oil salesmen have to say, Windows never was and never will be a serious OS and certainly not one fit for 24/7 use in a high availability corporate environment. Requiring anti virus in an OS is like putting rollers under a car because the wheels have been designed square.

36
10
Mushroom

Re: Lets not just blame java here

Unfortunately for your prejudices this security flaw affects all versions of Java - if you don't believe me ask Oracle.

Try understanding something before you let the words fall out.

6
23

Re: Lets not just blame java here

I think he did. He was pointing out that it takes two to tango, and that while JITB is a high risk gamble, running an OS that apparently just lies down, rolls over and sticks its legs up in the air isn't actually going to help matters.

Ironic that Java was originally intended to be a browser thing that was going to be the secure multi platform alternative to the evil that was (and still is) activeX. Finally, nice article and lots of useful information that I really hope I never have to use.

At least malware authors are paying proper attention to version management :-)

27
2

Re: Lets not just blame java here

> certainly not one fit for 24/7 use in a high availability corporate enviroment.

Er, the number of corporate environments running it like that would seem to indicate otherwise.

9
9

Re: Lets not just blame java here

Relevant vulnerabilities exist in Windows and Java Runtime Engine. The attack vector starts with Java then goes into Windows from there. Assuming it's using Java.Awetook, the payload is downloaded from a webserver in J2RE then executed in Windows with elevated privileges. Both MS and Oracle may be responsible for vulnerabilities and security weaknesses here.

8
1
Anonymous Coward

Re: Lets not just blame java here

Because the Windows 'every user has to be an administrator else nothing works right' model is broken...

11
4

Re: Lets not just blame java here @ steve

No he wasn't - he was windows bashing. And while windows might need a bash now and then it should really be for things that are wrong with windows. The supposed evil of Microsoft is nothing compared to the incompetent, irresponsible malware that is java. Windows can be done secure with the right amount of application - java cannot be done secure - on any OS - period.

I really do feel sorry for anyone who has to maintain any system with a java reliant component.

7
14
Silver badge
WTF?

Re: Lets not just blame java here

"Unfortunately for your prejudices this security flaw affects all versions of Java - if you don't believe me ask oracle."

You clearly have no idea what security and (non-)privileged accounts mean. You must be a Windows user.

12
7
Silver badge
WTF?

Re: Lets not just blame java here @ steve

"And while windows might need a bash now and then it should really be for things that are wrong with windows."

So allowing a browser plugin to execute privileged code from a non privileged account ISN'T a problem with the OS? Whose fault is it then, the magic malware pixie?? Jeez....

20
2

Re: Lets not just blame java here

Oh I don't know - maybe the person who configured the account to allow that to happen. I bet it's quite possible to get into lots of trouble running any OS if you don't know what you are doing.

1
3
