back to article Thanks ever so much Java, for that biz-wide rootkit infection

Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you'll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact …

COMMENTS

This topic is closed for new posts.
  1. Mark C Casey
    Mushroom

    The only use for java these days

    Are minecraft, android development and viruses. In that order.

    1. historymaker118
      Linux

      Re: The only use for java these days

      That's why I play minecraft using Linux...

      1. Anonymous Coward
        Anonymous Coward

        Re: The only use for java these days

        Java exploits don't only work on Windows, they'll run on anything that Java will run on, including Linux.

        What you're displaying is a fairly common mindset that "Windows is the only thing that gets exploited, therefore I'm safe, whatever I do with my non-Windows OS." It's very dangerous and I've seen it bite people, a friend of mine found that his broadband was running slowly because his Linux box had been rooted and was happily serving porn to the world.

        1. Flocke Kroes Silver badge

          Playmobile reconstruction or it didn't happen

          Have you got a URL for some good Java coded Linux Malware? I would like to try it out. When I have tried installing malware before it didn't work - not even under wine.

          1. WatAWorld

            It would be unethical to send malware

            It would be unethical to send malware to an unknown party or a party not working for a reputable major antivirus or security firm.

            If you doubt that Linux has vulnerabilities and exploits search on Linux here:

            http://www.kb.cert.org/vuls/byid?searchview

        2. Anonymous Coward
          Anonymous Coward

          Re: The only use for java these days

          It depends, the virus may be using JNI or an exploit in the VM to access OS resources.

        3. Anonymous Coward
          Linux

          Re: mindset that "Windows is the only thing that gets exploited,

          Trevor was talking about his own experience, so it might not have been appropriate in this particular article, but I do wish that more people would remember the penguins when it comes to documenting these risks and recovering from them.

          If it saves just one chicken...

        4. Neil McAllister

          Re: The only use for java these days

          The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges.

          1. Trevor_Pott Gold badge

            Re: The only use for java these days

            Um...what? OSX is actively under attack using these vulns...as is Ubuntu for those running as root...

            1. Fatman

              Re: ...for those running as root

              Which, if you are not a transplanted M$ n00b, is never recommended.

              1. Trevor_Pott Gold badge

                Re: ...for those running as root

                Do you have any idea how many Ubuntu users I catch runnign as root? It gives me a sad.

                1. eulampios

                  Re: ...for those running as root

                  How do they run as root on Ubuntu?

                  1. Trevor_Pott Gold badge

                    Re: ...for those running as root

                    Set a root password. Then you can log into the GUI as root.

                    1. cyborg
                      Flame

                      Re: ...for those running as root

                      What the hell are people running Ubuntu who know enough to set a root password doing setting a root password?

                      No sympathy for rooted boxes there if they're going to insist on being as stupid as possible.

                    2. vic 4

                      Re: .Set a root password

                      It would almost serve them right if they did get infected.

                  2. S4qFBxkFFg

                    Re: ...for those running as root

                    "How do they run as root on Ubuntu?"

                    sudo su

                    Most obvious way I can think of.

                2. WatAWorld

                  Re: ...for those running as root

                  As other operating systems become more usable, we'll find more poorly trained and untrained people using them. Which means more people making the mistake of using an elevated privileges account for everyday work.

                  Perhaps the only solution is to go the Apple route, and maybe a bit further. Create an operating system what will only run software signed by the operating system author. I fear that is where we are headed.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: ...for those running as root

                    Where we are clearly headed is "Safe Computing" shooting up on 'roids and methamphetamine:

                    Everyone will run their OS inside a VM. At least one "bundes-trojaner" will be in full control of the VM and continuously monitor all interfaces to the hardware layer for "dangerous traffic". External connections are logged and saved for 7 years in case the definition of "dangerous traffic" mutate and prosecution becomes necessary after the fact.

                    You cannot install anything outside of the VM, any attempt to hack it will bring the full force of NDAA 2012 or RIAA sturmtroopers to your doorstep. All of this is for our own protection, of course.

                3. John H Woods Silver badge

                  Re: ...for those running as root

                  "Do you have any idea how many Ubuntu users I catch runnign as root? It gives me a sad."

                  Even a few is surprising - on a default Ubuntu install, you can't login or su root.

                  1. Trevor_Pott Gold badge

                    Re: ...for those running as root

                    sudo passwd root

                    Enter a pssword

                    Now you can log in to the GUI. What's so hard about that?

                  2. Anonymous Coward
                    Anonymous Coward

                    Re: ..default Ubuntu install, you can't login or su root.

                    You can sudo su or sudo su - which is pretty much the same as being logged in as root.

                    And in mid post, I tried sudo su root. Yes, you can su root.

                4. Anonymous Coward
                  Anonymous Coward

                  Re: ...for those running as root

                  Which shows that my last reply must be, err ...wrong. Oh well, that happens! :)

                  But I wonder why they bother, as it is so unnecessary for everything except admin tasks. It would make me sad too.

                  Not that I never spent all day logged in as root on a work machine. And not that I never screwed up when doing so <Blush>

              2. redniels

                Re: ...for those running as root

                Which, if you are not a transplanted M$ n00b, is never recommended.

                this should read:

                Which is never recommended.

                To MS'ses credit they are actively trying to persuade everyone since NT 3.51 (that's a very long time ago, thank you) to please not log on as admin. only: nobody listens. neither do you. or he. or she. or who ever. Long story short: migrating these people to Linux will not solve the problem, only make it worse: they will still log on as root (I'm the admin!) and now will not even have a clue how stuff works in linux.

                migrating normal users to linux is a disaster waiting to happen. trust me. I know. for sure. been there. and turned back.

                1. John Sanders
                  FAIL

                  Re: ...for those running as root

                  I would say that MS says one thing and does another.

                  On a default install of Windows 2000 Professional/Server you are root (administrator) by default, so are you in Windows XP/2003, then on Vista you get elevated privileges through UAC all the time which is neither an administrator account, neither a non-privileged user, same for Windows 7/2008/R2.

                  Microsoft had the oportunity with Win7 to go to a fully user/admin separated model like everything on the industry other than them for the last 30 years.

                  But no, they know that will break software and alienate users, and the bottom line is more important than doing things the right way.

            2. Dan 55 Silver badge

              Re: The only use for java these days

              The good news is that on OS X you can go into the Java preferences, disable the Java plug-in on all browsers with a click on the checkbox, and still have local Java programs (well, in my case Eclipse) running perfectly fine.

              Windows, on the other hand, is a fecking nightmare to disable.

              1. Trevor_Pott Gold badge

                Re: The only use for java these days

                Disables fine in Chrome and Firefox. Even when "disabled" in IE, the thing still can be called. How that works, well...comments, Microsoft? I'd love to hear the explanation.

              2. TeeCee Gold badge
                Facepalm

                Re: The only use for java these days

                "Windows, on the other hand, is a fecking nightmare to disable."

                You can go into the Java preferences and disable the Java plug-in by clicking on the checkbox.......

                Let me guess. You've been fannying around with the options in the various browsers rather than going to the horse's mouth of the Java console in Control Panel, haven't you?

                1. Dan 55 Silver badge

                  Re: The only use for java these days

                  You need to run the Java control panel from an elevated command prompt (obvious, that) and while that works for alternative browsers it still doesn't work properly for IE and IE is part of Windows. See my post on the next page.

                  Your icon is self referential I suppose?

            3. Anonymous Coward
              Anonymous Coward

              Re: Ubuntu for those running as root...

              It is designed to make that difficult, therefore unlikely.

              I can "sudo su" in a terminal and forget that I'm root --- but I'm not even sure how to be running the entire desktop as root.

          2. Anonymous Coward
            Anonymous Coward

            Re: The only use for java these days

            "...compared to Windows XP, where everybody runs with administrator privileges"?

            In the corporate environment this is unforgivable (and if there's a sysadmin of any note it won't be true). I will concede that in the home it's more tempting to run as an administrator. Bear in mind that full admin rights aren't given by default to newly created accounts: it is the owner's choice.

          3. Anonymous Coward
            Anonymous Coward

            Re: The only use for java these days

            "The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges."

            Utter bollocks I am afraid too say. It would not be hard at all to craft a payload that did anything harmful on a Linux install. What planet are you living on? Clearly not the same one as me. Running Linux is not an effective shield for now. Windows and Linux boxes are exploited for differing reasons.

            Windows - Exploited these days to slurp mostly banking data and anything else they fancy due to the high volume of Windows users and therefore banking details available to be stolen. Making target No.1 for anything exploiting for Cash profit that can be rapidly taken advantage of.

            Linux - Small desktop percentage and therefore low volume of banking transactions compared to Windows. Hence why you don't see you & your friends Linux desktops hit with a slew of Malware. There is no substantial profit to be made. Linux has a heavy server percentage and the exploits developed reflect that. Stating that it's harder to exploit a Linux system is utter drivel of the highest order. It's secure on the desktop due to it's obscurity/low install base. As simple as that. On the server it needs proper care & attention to detail or your open to all sorts of attack .

            So to be short. There is no profit in exploiting Linux Destop users at this time. If the user base blew up so would the number of Malware kits produced for it.

            1. John Sanders
              Linux

              Re: The only use for java these days

              Exploiting a Linux workstation and installing a rootkit running as a regular user requires much more than a simple Java exploit.

              Most hacks that I have encountered in Linux follows only one pattern, the people using it are completely clueless.

              I have never faced an exploit on a Linux desktop, but I have been exploited by a 0-day vulnerability in Opera in Windows, thanks god I never run as Admin and the little nasty only got to infect my profile.

              Seriously I have yet to face the same thing in Linux.

            2. John Sanders
              Linux

              Re: The only use for java these days

              "So to be short. There is no profit in exploiting Linux Destop users at this time. If the user base blew up so would the number of Malware kits produced for it."

              I am eager to see Linux being exploited in this manner, I would love to see what the response will be from the technical community, the Linux crowd will not sit idle, as thankfully there is no inertia to overcome.

        5. Anonymous Coward
          Anonymous Coward

          Linux box had been rooted?

          > a friend of mine found that his broadband was running slowly because his Linux box had been rooted and was happily serving porn to the world ..

          Any idea how it got onto your friends computer and how did it disable the firewall on his broadband modem?

          1. WatAWorld

            Re: Linux box had been rooted?

            First you're making an error assuming all broadbank modems have firewalls, they don't.

            Secondly, something that can get through a hardware firewall to access Windows computers behind it can get through a hardware firewall to access Linux computers behind it.

          2. Anonymous Coward
            Anonymous Coward

            Re: Linux box had been rooted?

            A "broadband firewall" is just a NAT. It doesn't give you any protection whatsoever from malware that installs itself via booby-trapped websites or received in E-mail.

          3. Anonymous Coward
            Anonymous Coward

            Re: Linux box had been rooted?

            a java trojan and then upnp would do it on most home systems.

            Or rooted and then keylogged?

        6. vic 4
          FAIL

          Re: Java exploits don't only work on Windows

          True, the software would run on any machine with a suitable java runtime. However, most non-windows installations use sensible user permissions as default. Plus, the exploit code is going to be very OS specific so you'd need to have something explicitly targeting linux, osx, vms, ...

          "was happily serving porn to the world" Must have a really good broadband connection!

        7. P. Lee

          Re: The only use for java these days

          Yep, although I do wonder how he managed to get incoming tcp connections through the router firewall... oh wait, upnp... another fine invention for malware.

          We need something which is inherently less capable than java. You don't need to root a box if it can happily run a java web-server as a local user, or spend some time scanning your RPC services for exploits now or in the future or (I suspect is the most common) wait some time and then pretend to be a flash update requesting admin privileges to install.

          Linux is a good model with its repositories. No per-application update systems please. Flash should never ask to install updates, the system should keep a list of updates which the user can check (or silently install). How often have we seen "posing as a flash update"?

          I'd like to see further OS controls, especially for mobiles. Few applications need access to the internet, mostly they just need to talk to one domain. How about controls set during an installation which limit what an application can access? Should that be part of the standard application installation system? So the OS restricts flash to *.adobe.com for updates. Anything which wants wide or unusual internet access should be easily spotted. Hmm, why does that pack of emoticons need any outbound network connections, let alone access to the entire internet? How about path restrictions? Why not set the binary path and library requirements at installation and get the OS to prevent loading/execution of anything else?

    2. Anonymous Coward
      Headmaster

      Re: The only use for java these days

      I want to lynch the people who write malware.

      I have had to clean out systems in a way that the author has described before and I have a dim view of damage control and rebuilding systems from malware take overs...

      The amount of shit and misery they cause in terms of people "tens of millions of years of people time, to fix up the shit" to billions of people many times over, over the decades - I think the sentence ought to be burning at the stake.

      Fuck them.

  2. Anonymous Coward
    FAIL

    Lets not just blame java here

    In how many other OS's could a virus get in through a NON priviledged account yet not only hide itself all over the system but disable core services AND create a new friggin partition?? I think this demonstrates that despite what the Seattle snake oil salesmen have to say , Windows never was and never will be a serious OS and certainly not one fit for 24/7 use in a high availability corporate enviroment. Requiring anti virus in an OS is like putting rollers under a car because the wheels have been designed square.

    1. Colin Millar
      Mushroom

      Re: Lets not just blame java here

      Unfortunately for your prejudices this security flaw affects all versions of Java - if you don't believe me ask oracle.

      Try understanding something before you let the words fall out.

      1. Steve Crook

        Re: Lets not just blame java here

        I think he did. He was pointing out that it takes two to tango, and that while JITB is a high risk gamble, running an OS that apparently just lies down, rolls over and sticks it's legs up in the air isn't actually going to help matters.

        Ironic that Java was originally intended to be a browser thing that was going to be the secure multi platform alternative to the evil that was (and still is) activeX. Finally, nice article and lots of useful information that I really hope I never have to use.

        At least malware authors are paying proper attention to version management :-)

        1. Colin Millar

          Re: Lets not just blame java here @ steve

          No he wasn't - he was windows bashing. And while windows might need a bash now and then it should really be for things that are wrong with windows. The supposed evil of Microsoft is nothing compared to the incompetent, irresponsible malware that is java. Windows can be done secure with the right amount of application - java cannot be done secure - on any OS - period.

          I really do feel sorry for anyone who has to maintain any system with a java reliant component.

          1. Anonymous Coward
            WTF?

            Re: Lets not just blame java here @ steve

            "And while windows might need a bash now and then it should really be for things that are wrong with windows."

            So allowing a browser plugin to execute priviledged code from a non priviledged account ISN'T a problem with the OS? Whose fault is it then , the magic malware pixie?? Jeez....

            1. Colin Millar

              Re: Lets not just blame java here

              Oh I don't know - maybe the person who configured the account to allow that to happen. I bet it's quite possible to get into lots of trouble running any OS if you don't know what you are doing.

              1. Anonymous Coward
                Anonymous Coward

                @Colin

                most Mac owners I know haven even less clue about what they're doing than the average PC owner, so I think the OS must have something to do with it.

                1. WatAWorld

                  Re: @Colin

                  It is the restrictions on what will run on the OS, restrictions that the FTC will not allow Microsoft, as the major OS vendor, to follow because it would inhibit free trade.

              2. Leona A
                Angel

                Re: Lets not just blame java here

                Indeed, but if you do not know what you are doing with Windoze you get an account with Admin rights, if you do not know what you are doing in Linux you get a user account which doesn't give you any access to Admin privileges, thus such malware can not run.

                This Malware seems to do windozy type things, so it might well be possible to use the same java exploit on a Linux box, but it wouldn't do anything, it would not give the malware access to anything, so it would be plain useless.

                The 2 OS's work in totally different ways, windoze leave everything open, Linux makes you open things, in which case you need to know what you are doing first!

                This is why Linux seems to have such a high learning curve, because its not all done for you.

                I am sure there are viruses for Linux (though in my 10+ years experience, I've never seen one, only read about them being theoretically possible), but the system has to be compromised first to allow them to run.

                1. Anonymous Coward
                  Windows

                  @Leona

                  Your information is dated. On Windows XP users ended up with an admin aka root account, but Vista and Win7 have changed that behaviour quite heavily.

                  And lets please also not forget that during the times of XP Linux distributions didn't enforce users to create an account for themselves yet.

                  Quite frankly I also can't believe that you're actually thinking that the capability of locally running code on Linux would be a lesser problem than running code on Windows. Because that is assuming that there are no local root exploits - what so ever - available on Linux right now. Can you be 100% positive of that? I don't think so...

                  Being able to run code locally, no matter what the platform is, is bad news. Whether this is on Windows, Linux, Mac or BSD*, the whole ordeal is bad and a huge security risk which needs to be addressed ASAP.

                2. WatAWorld

                  Re: Lets not just blame java here

                  "This is why Linux seems to have such a high learning curve"

                  And unfortunately that is a killer critical requirement Linux fails to meet, being easy to learn.

                  Fix that bug and Linux could take on Windows and win.

                3. fajensen
                  Flame

                  Re: Lets not just blame java here

                  """"Linux you get a user account which doesn't give you any access to Admin privileges, thus such malware can not run"""

                  *Plenty* of malware can be usefully run from a perfectly ordinary user account, indeed: Most servers run their services as non-priviledged users on crippled accounts. A user account is quite powerful on its own, one can do much more than one can with Windows, f.ex. Inject the exploit via Java, fire up the service and attach it to a TTY so it does not shut down when the user logs out would be adequate for most nefarious purposes.

                  Sure, it is easy to find and delete the malware using the process management tools - but the average user will not have the knowledge to venture outside of GNOME ... and ... The average Ubuntu user is getting trained and conditioned to "sudo everything", so it will not be much of a hack to root those boxes either.

              3. WatAWorld

                Re: Lets not just blame java here

                "I bet it's quite possible to get into lots of trouble running any OS if you don't know what you are doing."

                Who much of a newbie do you have to be to disagree with a statement that obviously true?

            2. Anonymous Coward
              Anonymous Coward

              @boltar

              "So allowing a browser plugin to execute priviledged code from a non priviledged account ISN'T a problem with the OS?"

              Well, that heavily depends.

              Technically speaking Linux also allows execution of privileged code from a non-root account through the use of sudo. So the concept as a whole isn't bad perse. The real question is how its done. On Windows 7 (UAC) people are warned up front for both executing code from a web location as well as raising their privileges to the admin user.

              If we're talking about a way to easily circumvent UAC so that code can be executed as administrator without so much as a warning then yes; that would be a major flaw. But not the concept by itself.

          2. Anonymous Coward
            Anonymous Coward

            @Colin

            "java cannot be done secure".

            You do realize that this crap only affects Java 7 and not the previous SE6 ?

            1. Colin Millar

              Re: @Colin

              Yes - and I stand by it. Java has never been secure. Just because 6 was getting stable (and at 6 years old it was about time) doesn't mean it was always so.

            2. Robert Carnegie Silver badge

              Re: @Colin

              The article describes an attack using Java on a system where only the latest update of Java 6 was installed. If this is correct (I'm not an expert but I'm sceptical, maybe the Java attack failed and it got in some other way, malware carries 1001 different ways to break into a system including lame passwords obviously) then this is another previously unpublished attack.

              http://en.wikipedia.org/wiki/Java_version_history says that Java SE 6 Update 35 was released on 30/08/2012 (Thursday) with a "security-in-depth fix", which I think means that Java 6 had one of the bugs from Java 7 but there wasn't a known way to exploit it. Regardless, if the users didn't have Update 35, then they were briefly not-up-to-date. But that's little consolation.

              But I still think it might be not Java after all.

            3. WatAWorld

              Re: @Colin

              @ShelLuser the article starts off by saying this occurred on SE6.

        2. xperroni
          WTF?

          Re: Lets not just blame java here

          Ironic that Java was originally intended to be a browser thing that was going to be the secure multi platform alternative to the evil that was (and still is) activeX.

          That's something that baffles me too. Java the language's memory model is pretty anal: you cannot cast objects as anything other than their own classes and super-classes (in order to, say, access an arbitrary object as a byte array), nor can you access object fields via pointer offsets or otherwise perform any feats of pointer arithmetic. Hell, in principle you don't even know your pointers – there is no necessary relationship between the "object references" a Java program works with and the actual memory layout, other than a one-to-one relation between references and objects.

          You would easily have me believe that such a strict memory model would be simple to implement securely – yet that clearly isn't the case. How can this be? Is it just sloppy programming? Or are there inherent challenges to securely implement a virtual machine architecture such as Java's?

      2. Paul Anderson

        Re: Lets not just blame java here

        Relevant vulnerabilities exist in Windows and Java Runtime Engine. The attack vector starts with Java then goes into Windows from there. Assuming it's using Java.Awetook, the payload is downloaded from a webserver in J2RE then executed in Windows with elevated privileges. Both MS and Oracle may be responsible for vulnerabilities and security weaknesses here.

      3. Anonymous Coward
        WTF?

        Re: Lets not just blame java here

        "Unfortunately for your prejudices this security flaw affects all versions of Java - if you don't believe me ask oracle."

        You clearly have no idea what security and (non)priviledge accounts mean. You must be a Windows user.

    2. Alan Bourke

      Re: Lets not just blame java here

      > certainly not one fit for 24/7 use in a high availability corporate enviroment.

      Er the number of corporate environments running it like that would seem to indicate otherwise.

      1. WatAWorld

        run OS/x or Linux and you're depending on security by obscurity

        Large companies and governments can't run OS/x or Linux because they have not been adequately tested by malicious hackers.

        When you're an attractive target, such as a large company or a government, it doesn't matter what the "popular" common malware is, you're going to be targeted with custom malware, and you need an OS that has been adequately vetted.

        You can't get a desktop/laptop OS that has been adequately vetted, but Windows comes closest.

        Does anyone argue that more hacker hours have been spent trying to crack Windows than OS/x or Linux? I didn't think so.

        So basically you are in home user and you run OS/x or have the smarts to Linux and you're using security by obscurity; your security is dependent on the fact that hackers haven't discovered the exploits on the OS you've chosen, and haven't yet found it profitable to create exploits for it. You're secure only because of the relative obscurity of your chosen OS. That doesn't work for attractive targets where it is worth the cost to hackers to custom develop malware.

    3. Anonymous Coward
      Anonymous Coward

      Re: Lets not just blame java here

      Because the Windows 'every user has to be an administrator else nothing works right' model is broken...

      1. Captain Underpants
        Facepalm

        Re: Lets not just blame java here

        @AC 11:54

        You mean the model that's been gradually changing since Vista came out in '06 whereby now, under 7 and probably 8 it's actually quite possible to work as a standard user rather than admin?

        Yeah, no.

        What you want to be doing is berating lazy software authors who haven't checked that their software will work without admin rights, and/or organisations who won't pay to upgrade to newer software that resolves said issues.

        Of course, that might involve not being a plonker blindly toeing the "Windows = teh suxxor!" line...

        1. WatAWorld

          Re: Lets not just blame java here

          I've worked at a several clients and on my own time I take care of several home users, and they're all able to work using limited accounts on Windows 7 with all sorts of games and common business software.

      2. Anonymous Coward
        Anonymous Coward

        Re: Lets not just blame java here

        Even though it is not the case that everything has to run as administrator, it seems that developers still follow that model to make their jobs easier. This is a universal platform-independent attitude problem..................

      3. WatAWorld

        Re: Lets not just blame java here

        "Because the Windows 'every user has to be an administrator else nothing works right' model is broken..."

        That hasn't been true for over 7 years. But ignorant users think it is, so they use elevated accounts for everything.

        If Linux users were as common and uneducated as Windows users, we'd have at least as many problems.

    4. Psymon
      FAIL

      Re: Lets not just blame java here

      "In how many other OS's could a virus get in through a NON priviledged account"

      The OS did NOT let the virus in, the JVM did. If I remember correctly, the last worm to successfully exploit a Windows vulnerability to actively spread from one machine to another without user intervention, was the Blaster/Sasser worm. Even then, I was running a school at the time, and although the Blaster successfully exploited the RPC vulnerability, the students machines were so heavily locked down via group policy that the process elevation attempts failed due to certain services being disabled.

      There have been activeX exploits, but any sysadmin with half a brain can lock this down using the internet zone group policy settings.

      Since then, almost all viral infections have either used social engineering tricks, or the unholy trio. Acrobat, Flash, or Java.

      The Windows platform of today features ACL control over Filesystem, registry, and active process utilisation of such granular detail that it far outstrips any nix variant. It features Address Space Layout Randomisation that is superior to that offered by Linux or OSX. It has a very capable firewall built in and enabled as standard. Almost all network traffic is PKI encrypted by default. Hard disks can be hardware encrypted to FIPS 140-2 compliant levels.

      But, a chain is only as strong as its weakest link. The problem with the MS platform today is not the underlying OS, but the plethora of badly written software that requires diligent sysadmins to punch dirty great holes in these security features to make them work.

      And running any platform without some antivirus software is reckles at best, idiotic at worst.

      1. Anonymous Coward
        Facepalm

        Re: Lets not just blame java here

        "And running any platform without some antivirus software is reckles at best, idiotic at worst."

        Really? Care to name any viruses for S/360?

        1. Anonymous Coward
          Anonymous Coward

          Re: Lets not just blame java here

          ... or OpenVMS, TandemNonStop

        2. WatAWorld

          Re: Lets not just blame java here

          You mean z/OS, z/VSE and z/VM. And that is true. But again, as with Linux and OS/x it is security by obscurity. Folks with knowledge of the major IBM operating system feel we have an ethical obligation not to exploit that knowledge illegally.

          Some people with knowledge of PC operating systems don't feel any ethical obligations at all.

          But to answer you question, "Care to name any viruses for S/360?" there is the "Christmas Tree" virus, and it was accidentally created by a co-op student who wanted to send electronic christmas cards through email, that is how easy it was to create.

      2. Anonymous Coward
        Anonymous Coward

        "And running any platform without some antivirus software is reckles at best, idiotic at worst."

        Could you suggest some anti-virus for a Linux system that will do anything other than find Windows viruses ?

        1. RICHTO
          Mushroom

          Re: "And running any platform without some antivirus software is reckles at best, idiotic at worst."

          7 options here:

          http://www.techradar.com/news/software/applications/7-of-the-best-anti-virus-apps-for-linux-669087

          You know there are at least several hundred known Linux worms / viruses and malware?

          1. Chemist

            Re: "And running any platform without some antivirus software is reckles at best, idiotic at worst."

            @Richto - from your link - final paragraph

            "We should close by saying that the number of Linux viruses that could possibly damage your system in any way is currently less than 10, so don't have any nightmares"

      3. Anonymous Coward
        Anonymous Coward

        Re: Lets not just blame java here

        "It features Address Space Layout Randomisation that is superior to that offered by Linux or OSX."

        Which if the MMU handling was designed properly from the start would not be an issue. Randomising physical address space mapping is a mere fig leaf.

      4. John Sanders
        Linux

        Re: Lets not just blame java here

        @Psymon Posted Monday 3rd September 2012 13:25 GMT

        Mate, all that you say is true, yet with all the immense granularity in modern Windows versions, what you say implies that the burden of the security relies on the user's shoulders.

        All that granularity requires a vast experience administering Windows, otherwise you will break any application in existence.

        I will give you an example: As part of the security policy that I used to apply to the computers of a Windows 2000 domain back in the day, we used to disable all the services that we did not use, only to spend weeks with a vendor trying to solve some issues on an application derived from the fact that it had dependencies that the vendor in the UK wasn't aware of.

        It caused much grief across the organization and the IT manager mandated that Windows be secured, yet nothing removed, no DCOM permissions tampered with, no ACL's done on the Registry, and no permissions changed on the C:\ partition. Because troubleshooting became a pain.

        I used to think the Linux/Unix model was fairly limited, yet I have to find a box that can not be secured with just a few basic common sense policies.

    5. RICHTO
      Mushroom

      Re: Lets not just blame java here

      Linux springs to mind. Hackers have been using kernel exploits in Linux for years to get root access via non priviledged accounts...That's a key reason why Linux webservers are so much more likely to be hacked than Windows ones....

      1. Trevor_Pott Gold badge

        Re: Lets not just blame java here

        Richto; who is paying you and how much? The amount of utterly bullshit FUD you spread about Linux is amazing. Honestly though, which company foots the bill? I'm really curious.

        1. Anonymous Coward
          Anonymous Coward

          @ Trevor_Pott

          He does have a point, Linux fanbois just refuse to believe it.

          1. Trevor_Pott Gold badge

            Re: @ Trevor_Pott

            If you are calling me a Linux fanboy, I'm going to ask you to back that statement up with some sort of evidence. For the record, these are the following things I am a "fanboy" of (in rough order):

            1) My wife, close friends and selected coworkers.

            2) Ninite.com (Just. Frakking. Works.)

            3) Cyanogenmod (My phone. MINE.)

            4) A significant chunk of The Register's writers, current and departed (I miss Sarah.)

            5) Ars Technica's Nobel Intent (Science, bitches!)

            6) Evidence-based legislation (Science, bitches!)

            7) Mars Rovers (Science, bitches!)

            8) Intel networking (Just. Frakking. Works.)

            9) Jose Barreto (Awesome guy working for Microsoft's storage team.)

            10) Classic Shell (I want my goddamned up button back!)

            My definition of "fanboy" means I give those individuals, people, products and concepts on this list "the benefit of the doubt." It means I will accept at face value what is presented. I will trust what they have to say without the need for significant deep dives; this trust has been earned over time.

            By nature however, I am a cynical person. I do the research, I question everything. So if you are suggesting that "Linux is the most compromised X on the planet" and that "anyone who believes otherwise is a Linux fanboy," I am going to call you on it. That goes against every scrap of evidence I have; prove your accusation.

            Linux is not the most compromised webserver, despite being the most dominant. Various web APPLICATIONS (frequently, but not exclusively run on Linux) are vulnerable as hell...but these web apps lead to compromise on Windows as well as Linux. The actual underlying technology is significantly less assailable than the competition; shocking considering the many issues surrounding Linux governance and implementation.

            So...prove it. Prove that Windows is "more secure" for the same tasks running the same apps. Especially when both are properly configured and hardened for a production environment. Prove also that those who disagree are "Linux fanboys," instead of people who have different - possibly more accurate - information than you are working from.

            ...you can prove that, can't you?

            1. Baudwalk

              Re: @ Trevor_Pott

              >>> 1) My wife, close friends and selected coworkers. <<<

              I take it She Who Must Be Obeyed doesn't read the Register. Not giving her the top spot on her own.

          2. Kiwi
            Linux

            Re: @ Trevor_Pott

            "He does have a point, Linux fanbois just refuse to believe it."

            Really? He(?) states "hundreds" - I'll ask for references to only 5 that are currently active in the wild. Can you do that? 5 out of "hundreds" should be easy.

            1. RICHTO
              Mushroom

              Re: @ Trevor_Pott

              There are hundreds of viruses and pieces of Malware in the wild that effect Linux:

              http://feeds.venturebeat.com/~r/Venturebeat/~3/upX-OccQap0/story01.htm

        2. Chemist

          Re: Lets not just blame java here

          "Richto; who is paying you and how much?"

          Trevor - I really can't believe ANYONE would pay RICHTO to produce the sort of babbling that he does.

        3. RICHTO
          Mushroom

          Re: Lets not just blame java here

          Amazing how many Linux shills dont have a clue what they are talking about.

          Proof here:

          http://www.zone-h.org/news/id/4737

          and here:

          http://www.internetnews.com/dev-news/article.php/3601946

      2. Destroy All Monsters Silver badge
        Trollface

        Re: Lets not just blame java here

        > That's a key reason why Linux webservers are so much more likely to be hacked than Windows ones....

        As Steve Jobs would say: Oh wow, oh wow, oh wow.

        Welp, I hope school is back on soon so that the juveniles are kept busy.

      3. Anonymous Coward
        Anonymous Coward

        Re: Lets not just blame java here

        RICHTO - you seem to have missed the point, as usual. This whole sorry mess was with a network of Windows computers which you claim ( and almost no-one else does) are superior by far to other OSs.

        If you are so convinced about the superiority of WIndows (and given its overwhelming market share) why do you bother with all these banal posts for which you get downvoted like no-one I've ever seen ?

        1. RICHTO
          Mushroom

          Re: Lets not just blame java here

          Remember the Morris Worm?

    6. The Original Steve

      Re: Lets not just blame java here

      Um, it needs to be elevated. No admin rights, no infection.

      Read the sources.

  3. Anonymous Coward
    Anonymous Coward

    Hmm

    Personally, I wouldn't trust any machine that had been through that sort of process and would re-image the lot.

    1. Callam McMillan

      Re: Hmm

      I was thinking exactly the same thing. Surely given this level of infection and the virulence of the malware a full re-build of the system from a known image would be both quicker and safer. Furthermore, if the organisation uses a half decent infrastructure, then all the users mail and files should be on the corresponding mail and file servers which if protected means the downtime is about 40 minutes per machine and the time to reconnect them to the network once everything is cleaned.

      1. Stoneshop

        Re: Hmm

        all the users mail and files should be on the corresponding mail and file servers which if protected means the downtime is about 40 minutes per machine

        and if insufficiently so will be infected as well.

    2. This post has been deleted by its author

      1. Trevor_Pott Gold badge

        Re: Hmm

        Agreed; that's a next-week project; for when I have physical access. For right now, this works over Teamviewer, and everything I can throw at it comes back clean.

        1. Christian Berger

          Re: Hmm

          Wait, can't you just reboot them and shove them an "imager" image via the network? That doesn't sound like something you'd need physical access for.

          1. Trevor_Pott Gold badge

            Re: Hmm

            How many PCs do you know of that you buy at the local electronics store come preconfigured for PXE boot? Not a large enterprise; systems are not configured for image-based dissemination. Main office has only 11 people! Everything is on the other end of wet-noodle VPN. Nah; these folks use Best-Buy specials and the previous admin left such a mess that two months later I'm still picking up pieces.

            At this point, it wouldn't be an "image" either. It would be a clean install. And there is a lot of CFO-only software to get off that thing...

            1. P. Lee

              Re: Hmm

              Not sure about "preconfigured" but most dell & hp laptops will pxe boot and my ancient 3com and intel cards (and motherboard nic) on an athlon 1800xp also do. Sometimes its buried in the bios. I wouldn't try over wifi though. Mac G5 also netboots.

              The problem is that without a server you can't do it and best-buy assumes this is your first/only pc (quite reasonably).

              Perhaps Valve's console will provide a server to use for netbooting linux or at least an iscsi server, now that windows is beginning to catch up with the rest of the enterprise...

              1. Trevor_Pott Gold badge

                Re: Hmm

                They generally are capable of PXE boot, but not configured for it. So you have to go into the BIOS and set it up; something that isn't going to happen when your phone call happens as the office is emptying and you get a "please just make this go away over the weekend, bye." :/

    3. SilverWave
      Meh

      Reinstall from read only media - its the only professional solution

      Any other solution is for the guy with a 10 gallon hat, six shooter’s and a horse tied up outside.

  4. Silverburn
    Mushroom

    Easier method

    aka the "nuke from orbit option".

    1. disconnect from network.

    2. backup essential user files not stored on network to USB

    3. low level HD and partition wipe

    4. Re-image from last months desktop image

    5. Scan USB stick in triplicate on quarnatine machine

    6. Restore backups

    7 (optional): Reimage desktop ghost with Java removed...

    Once initial detection was made, this option was probably quicker, simplier and you won't be worrying about whether you got everything for weeks afterwards.

    1. mickey mouse the fith

      Re: Easier method

      Agree 100%.

      Every time I come across an infection on a machine I always reimage.

      It might be a pain, but its better to have piece of mind knowing a machine is clean rather than fretting that you missed a bit and the bugger reanimated itself.

      There are so many varients and the authors adapt their wares so quickly that the chances are high that even if you think you killed it by following online guides etc its still lurking somewhere, waiting to fuck up your day when you least expect it.

  5. Barry Tabrah
    Pint

    The problem with ideal world thinking

    There are many organisations which cannot operate without the dreaded three: IE, java, and flash.

    When you work in an environment in which your systems need particular versions of Java, and these are mission critical systems that are no longer supported by the original vendor (who may or may not still exist themselves), the idea of removing or even patching Java is a non-starter.

    The best we can do is lock out external devices, have draconian AV policies, and filter all website traffic. It's not a guaranteed catch-all but with luck and close systems management we can avoid disaster.

    I, along with many others I'm sure, have sleepless nights over these issues. This story is going to haunt me for the next few weeks I'm sure. I think I'm going to need a drink.

    1. blcollier
      Mushroom

      Re: The problem with ideal world thinking

      Or very large corporations who haven't even migrated from Windows XP or Internet Explorer 6 yet, and have such draconian and buearocratic IT policies that trying to get anything done is like mating elephants: it's all done at a very high level and takes years to achieve any results.

      Seriously. We can't even get updates to core software - which includes Java - across our local site, it has to be across the whole organisation... Which is somewhere in the region of 70,000 machines connected to it's bloated central network.

      Nuke, for what I'd like to do to our systems.

      1. Anonymous Coward
        Anonymous Coward

        Re: The problem with ideal world thinking

        You have my utmost sympathy.

        I used to be a touch scathing of situations likes this; until I found myself in exactly this position. I am appalled at what I see as an intolerable position, but there is bugger all I can do about it.

        We are in a situation where there are numerous separate "IT departments" - actually most are staffed by non-IT personnel. None of these report to any over all manager and they each work separately, with no central control, strategy or common methods of working. Helpdesk support has been outsourced and they also sort of manage the central services. I am aware that one of our sites has been compromised; however, the outsourced support have yet to fix the problem and anyone going to that site risks getting infected with some ransomeware.

        When I was offered the job, I was told that they wanted me to take charge and fix these issues; but I'm not allowed to log onto most servers or to get access to key information as it is "nothing to do with me". Even when I do highlight the key things that could be done to address the key issues, I then get told that it's not for me to change the way that they work.

        Thank God it's only a short term contract; I don't think that I could continue to work under these conditions for any length of time.

        1. Fatman

          Re: You have my utmost sympathy.

          From your post:

          Thank God it's only a short term contract;

          I may suggest that once you have run that contract out, then get the hell out of there!!!

          DO NOT look back, that company is run by damagement.

  6. greenwoodma
    WTF?

    Why blame Java at all?

    I've re-read the article twice now and I can't see a good reason to blame Java. The author even states "I have no idea what the initial vector was; the primary delivery mechanism scrubbed itself clean". So if this is true how do you know Java was to blame?

    I'm sure there are unpatched security holes in Java but blaming a fully patched java 6 install with no evidence that it was at all to blame is just scare mongering.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Why blame Java at all?

      The article does say malicious JAR files were involved - certainly other people infected tell of Java activity in their system tray before the rooting occurs.

      I double-checked with Trevor on this point - because there is little gained in attacking a technology without basis - and he said the thing was originally detected as malicious jars - which spontaneously ate themselves. Flash was not installed on the PC at the time; Firefox, Chrome and IE were completely up to date. Acrobat wasn't in the browser. Those last two plugins are alternative vectors for delivering the malware, leaving just Java. And the mystery .jars.

      C.

      1. greenwoodma

        Re: Why blame Java at all?

        Right, well I guess malicious jar files does suggest java was involved, just a shame that point was missing from the original article, although I see it has now been added.

        1. diodesign (Written by Reg staff) Silver badge

          Re: Re: Why blame Java at all?

          Yes, it was added minutes after publishing in what was a slight oversight on my part. I thought I'd added that detail in.

          C.

    2. This post has been deleted by its author

      1. Trevor_Pott Gold badge

        Re: Why blame Java at all?

        I can know the attack vector without knowing the name of the attacker. I don't have a clue what the initial Bad Thing was. I do know they were malicious. Jar files that set off the alarms. The browsers were up to date. No flash was installed. Moments after detection, the jars dissapeared. So did Microsoft Security Essentials, Avast and a large chunk of all thee browser histories. It looked to me like someone using a java exploit that didn't want a security researcher decompiling the attack vector.

        I crawled all over the thing for three days. I was hoping for an awesome new browser zero day. Alas, "Java is still broken" is not much of a story. But I was able to get the "this is how you fix it" info out to people, in case they got hit. That was really my goal.

        Not all of us are so lucky as to have full imaging gear and pre-vetted application stacks. This is a new client of mine; small, most IT descisions still taken directly by CEO, call for help as they need it. Remote cleaning was a priority. If it happened to me, it might happen to someone else in a similar position; worth the time then to write up.

  7. Anonymous Coward
    Anonymous Coward

    Poor Trevor

    He sounds traumatised. I hope he got to have a nice cup of tea and a sit down(tm) at the very least, afterwards, if not an extremely stiff drink.

  8. romanempire
    Mushroom

    I'm for the...

    the "nuke from orbit option". Its the only way to be sure.

  9. Khaptain Silver badge
    Stop

    My first virus for many years

    I battled for 2 days to remove this crap, in the end I gave up and reinstalled W7. I can't prove it was Java that let the bastard in but I can't prove that it wasnt java either.

    Since I have reinstalled I have decided that there will be no more Java or Adobe Flash/Silverlight etc. If any applications needs either of the aforementioned well tough luck I will use something else.

    I don't blame Oracle or Sun or MS, it's the virus writers that are to blame but I have had enough of the endless updates, incompatibilites and now the virii that can use these plugins as vectors of introduction.

    Hopefully by limiting the attack surface I will stay uninfected for the next couple of years.

    1. Anonymous Coward
      Anonymous Coward

      Re: I don't blame Oracle

      Downvoted for not blaming Oracle, and for spelling "viruses" incorrectly.

      1. Khaptain Silver badge

        Re: I don't blame Oracle

        I digress, after a quick Wikipedia etc, that the plural form of Virus is actually Viruses ( at least in the English language written form, apparently there is not plural of Virus in Latin ).

        ( We say Cactus / Cacti - Radius / Radii apparently Virus and Platypus are exceptions to the general rule )

        I still wont blame Oracle though as there are too many other factors that come into play, most notably would be MS Windows Security and Defence. If Java has complete access to the MBR then the problem stems more from the OS that it does the application. ( You might also be able to throw Intel or the BIOS writers into the bunch here - although it's debatable)

      2. SwedishCodeMaffia
        Headmaster

        Re: I don't blame Oracle

        Viri?

        1. Ru
          Headmaster

          Re: I don't blame Oracle

          Viri

          ...is a plural form* of Vir, and hence translates as "men", not "more than one virus".

          * There's some other grammatical glop I'm not going to get into.

          1. Charles 9

            Re: I don't blame Oracle

            Basically put, the word "virus" (Latin in origin) was intended as a collective noun (a singular term describing a mass or group) and therefore had no proper plural form in Latin, considering that it was already essentially describing a plural. And since viri was already taken, we had to fall back on the old reliable. Happens all the time in English. If you don't believe me, ask your English teacher why we don't talk about more than one house the same way we talk about more than one mouse.

    2. Anonymous Coward
      FAIL

      Why not blame Oracle?

      While the author puts the blame on Java as a whole I think its Oracle which really deserves a good portion of the blame.

      After all; let us not forget that some exploit options were already known by them around last April this year. And it took them months before they actually fixed it (tried to at least).

      So I think you're going a little bit too easy on them if you don't blame Oracle at all.

  10. Anonymous Coward
    Anonymous Coward

    The chief financial officer of the company

    I think I've spotted your 'infection vector'.

    If its like any organisation I've worked for, the worst cuplrits are right at the top.

    "I want to install this, I need this gadget, why does it say Permission Denied? I don't care what the rules are, I want to install stuff. My kids want to use the computer too, and give me the serial number for that and that, I want to install those at home. No? NO!? Who's your manager?"

    Who immediatly caves in, makes you look like an arse for saying no, and tells you ofcourse you should do the stupid thing AND work overtime to clean up the mess later.

    Odds on that he was a Local Administrator, and thought he was above the same rules that apply to the peons in his 'employ'.

    Oh, sorry.. I seemed to have ranted a little. But, I feel better now!

    1. Fatman

      Re: I don't care what the rules are,

      Doesn't fly at WROK PALCE.

      NO C level twat (hmmm, perhaps I should use another term, since the majority of the C levels here are female) twit can over rule what the CIO decides the rules should be. End of discussion. The owner has her back on that one. "C" levels that do not abide are promoted to a position at another company.

  11. Callam McMillan

    At least there's the day rate.

    It wasn't said in the opening paragraph, but I couldn't help thinking that it's alright work when you can bill the client for your time at some nice expensive day rate. Yet, on the other hand, having had the stress of malware removal for idiots who insist on not paying for decent AV, going on dodgy websites and not backing up their files I can attest that very quickly no matter how much money is involved, your sanity is worth more.

    1. Trevor_Pott Gold badge

      Re: At least there's the day rate.

      This is the first thing in years I've seen simply waltz right on by MSE. It was actually Avast that caught the initial one. (Befor it was crippled, and MSE annihilated.)

  12. Anonymous Coward
    Anonymous Coward

    12 steps

    And thus we see the inherent superiority of the GUI. Or how did you propose to automate all this, then?

    Personally I wouldn't buy another licence. I'd simply move the existing licence to inside a VM for the few things I would actually positively need windows for, and move as much as possible to {the main machine,another VM} running something that doesn't confuse security with dropping its pants. And if that isn't an option, why, you could still be running linux, or solaris, or what-have-you, inside that VM to run java-in-the-browser. Possibly java will still be a vector but as long as the exploits are windows-specific, you're good.

    But really now, what inherent dependency on windows do you have left once you've decided to move your browser with java plugin to inside a VM? Why even bother shelling out for an OS licence if you can get something else that will also run that java applet in a browser for free?

    1. Trevor_Pott Gold badge

      Re: 12 steps

      If only it were that simple, and the people who pay money for things didn't have say in their own environments...eh?

  13. Anonymous Coward
    Anonymous Coward

    After Flash and Acrobat, now it is the turn of Java

    Saying things like "Java-in-the-browser absolutely must be treated as already compromised" make it sound to the uninformed that Java is some sort of technology from the dark ages that should be banned from existence. But really the same could have been said of Flash, Acrobat, or... well, ActiveX was an infection platform since day one and took five years for Microsoft to finally deprecate it and abandon any hope of making it secure. Perhaps you're being a bit unfair by saying this about Java but not saying the same about these other popular plug ins.

    We had a couple of years of PDF infection vectors, followed by -still going on- a stream of Flash infection vectors, and now we will see a stream of Java infection vectors. As each of those things get stronger and better sandboxed by the browser, malware is targetting progressively narrower user bases.

    ¿The next target? I don't know of other plug in that is as universal as the three above. But what is clear is that "any means of execute arbitrary content downloaded from the internet should be treated as already compromise"

    Including (ahem) JavaScript. Seems that whatever the best industry minds do to sandbox executable content, some vulnerability is always going to be there. It is sad to say this, but validation by certificate of the whole chain from boot sector to web page seems the only way of providing any reasonable level of safety.

    Of course, until someone finds a way to subvert the key chain, of course.

    1. bonkers
      Thumb Up

      Re: After Flash and Acrobat, now it is the turn of Java

      Firstly, an excellent article, and surely one of the first published accounts of the thing and how to kill it – and a rallying call to common sense, a Reg campaign.

      Secondly, how could this happen and can we fix it – I mean do we need to replace the concept of a sandbox? Do we know whether address space randomisation or no-execute bits would have foiled the core exploit? I suspect that even with these hardware protections, exploits will still be found. It is a fundamental problem associated with running arbitrary code.

      I like the post above, suggesting secure boot and a keychain, this would stop the rootkit infection, in a very obvious and uncompromisable manner. I think PC’s should come with a wire link to make the boot eeprom a ROM. Well that and the OS needs to be signed and the signature checked by the ROM code, standard stuff from then on. The problem is that Java would then need to be signed, for it to work doing its “day job” - and unless they can then sign all java apps we’re still ruined.

      How about only corporate java gets signed and allowed to run – is that possible? Javablock will restrict Java to certain sites only, but its not as good as signed code.

      The worry in all of this is that you only found this nasty because it was a shouty one – how many other discreet “sleeper” infections could be out there?

    2. Anonymous Coward
      Anonymous Coward

      Pray tell, how is signing code going to patch holes?

      So you have your boot loader, os, and whatnot else signed, and it religiously checks all those certificates. Then what?

      Then someone finds a hole like this one in one of the programs and proceeds to infect the system through the hole, and the code runs anyway. Despite that code with the hole in it having passed muster because it was signed. That's what.

      There will be unsigned data on such a system, so all you need is a hole in signed software (certified secure! hole and all! except that the signature didn't magically make the hole go away) and even if you can somehow sign everything down to the last bit of data, an attacker only needs to wiggle through the holes and perhaps then add its own key to the key store to soundly defeat all that key chaining.

      Signing the boot and the os and such is a means of control of, not of safety nor security for the end-user. Because the end-user doesn't have the keys to his own system, but an attacker will either circumvent them or obtain them, as has already been published a few times. You only need to ask a couple "then what?" questions to see the holes in the logic of signing for security, yet you advocate it anyway. Why?

  14. Andy 73 Silver badge

    Hmmm..

    Java is the headline here, yet that rather misses the point that (assuming it was Java.awetook) the user was successfully redirected to a website with the applet in place ready to infect their system.

    So long as it's possible for users to arbitrarily discover and execute unverified third part code at will, there will always be an attack vector. Today it's Java; tomorrow it'll be the app on your iphone or Javascript or that funky Raspberry Pi you've got acting as a media server.

    Should we give browsers a kicking for allowing users to.. erm.. browse? Or website owners a kicking for allowing their servers to be compromised? Or mail hosts for allowing through zero day emails?

    It'd be a nice to see a slightly more nuanced view here. The issue seems to specifically be Java in the browser. Corporate users who rely on the rest of the Java stack have a far better chance of defending against attack. Blaming 'Java' for your woes is a bit like blaming C# - fun for a bit of corporate bashing, but not actually that informative.

  15. Whitter
    Devil

    Plugins everywhere - especially XSS plugins.

    How long until the big three copy Opera (again) and allow plugins to be enabled/disabled on a site/site basis?

    The utility of such assumes the site you are using has not itself been compromised - so no panacea - but it's a little safer at least.

  16. Anonymous Coward
    Anonymous Coward

    Dear me, sounds like running with excessive privileges

    Reading that list of stuff, creating partitions, disabling services etc sounds like the workstations are running as Administrators.

    While this doesn't stop the infections, it does mean that things like Zero Access cannot create partitions and fiddle around with services.

    Java, certainly is the cause of most malware, I've seen planted on workstations over the last 18 months, but thankfully most are running with user privileges so the damage is minimal.

  17. phuzz Silver badge
    Mushroom

    And this is why, when I went back home this weekend to fix my parents wireless*, I also uninstalled Java from every machine in the house.

    It's just easier that way.

    Also, in this sort of situation I nuke from orbit and re-install if at all possible.

    *Next time the internet stops working dad, don't ring up BT and let them talk you through resetting the modem ok?

  18. groovyf

    Disabling Java add-on in IE doesn't actually disable it...

    Tested and verified on my own PC... went to Java's test site and it still detected and found it to be working even though it was disabled in IE's add-ons.

    http://techlogon.com/2011/11/05/how-to-disable-java-in-ie/

    1. (AMPC) Anonymous and mostly paranoid coward
      Windows

      Re: Disabling Java add-on in IE doesn't actually disable it...

      Trevor's article was just the push I needed .

      I have now taken Java off each home system running it. Can't say the same for my previous employers, but hey... we can't be everywhere at once now, can we ?

      It will be interesting to see how much nasty more malware pops up before October 16th (and no doubt after)

      Brrrrrr.....

      1. Anonymous Coward
        Anonymous Coward

        What happens on Oct. 16?

        See title.

  19. Ragequit
    WTF?

    What we have here is a serious lack of comprehension...

    This infection was multi-staged and took advantage of more than one vulnerability. However, the original attack vector was in fact Java based. This has been out in the wild for a while. This wasn't the first and probably won't be the last piece of malware to use this flaw. Claims that it was unpatched Java 7 is also a moot point considering a similar vulnerability to the one addressed in Oracle's recent emergency patch was found a day or two after it was released.

    In the following stages vulnerabilities in security software and windows itself allowed for the malware to spread via a completely different vector to the other machines on the LAN.

    That said this shouldn't be about who is most responsible and instead be about a systematic failure of several platforms whose security practices are lobotomized via backward compatibility and the bottom line (or maybe state sponsored cyberwarfare).

    1. Trevor_Pott Gold badge

      Re: What we have here is a serious lack of comprehension...

      Up to date Java...that's the thing...

      (!) :(

  20. Boris Winkle
    Unhappy

    Feel sorry for the companies who are locked to certain versions of java.

  21. BlueGreen

    question

    Were these machines running as admin? If they were, would dropping them to user have been sufficient?

    I followed the MS link and it was not clear how, if at all, that would have helped. They did talk about 'Limit user privileges on the computer' but that's likely just generic advice.

    Sorry if it's a silly question.

    1. Trevor_Pott Gold badge

      Re: question

      The user was not a member of the administrators group on the local PC; unless one of the infections in question altered permissions post-infection...

  22. tim 4
    Devil

    if you must use winsads

    ... then merely keep clean backups of your criticals and personals; and when something like this happens, just fdisk it to the ground , nwipe it to the curb, and reinstall your crippleware. :D

  23. Joe Harrison

    Disabling in browser

    Found good link on how you actually do this

    http://dottech.org/browsers/78082/how-to-uninstall-remove-java-from-firefox-chrome-internet-explorer-opera/#chrome

    1. Dan 55 Silver badge

      Re: Disabling in browser

      I'd say that disabling it in every browser is not a good way as it can't cope when a new browser is installed. Also you can disable the Java add-ons in IE and it will still work.

      Following the instructions here (mentioned above) and opening the registry file here would be a more secure way of keeping the JVM but not allowing browser use.

  24. William Boyle
    Devil

    Java - write once, infect everywhere!

  25. johnwerneken

    Its only September

    Halloween is supposed to be next month! Gremlins and ghosts and worms, Oh My!

  26. oxtan
    WTF?

    so the infection:

    * created a hidden partition on the system

    * deleted system services

    and you are still blaming java for this?

    1. Trevor_Pott Gold badge

      Nope. I blame Java for lettine the bastard in the door and giving it escalted privs on an account not running as administrator. The facr that once in, the sattelite infections played merry hob with a Windows system is just par for the course. Protect the edges if you know that the center is soft and chewy. Nothing I can do about windows; but I can uninstall the inefection vector...Java.

      1. Destroy All Monsters Silver badge
        Holmes

        "giving it escalted privs on an account not running as administrator."

        And how would Java do that? Sure the JVM will run some generic Applet code but as it is not itself running as administrator, that code has to:

        1) be able to do "intersting things" (which means the jar must have been validly signed)

        2) those interesting things must be so interesting that Windows rolls over (in other words, this is a Windows vulnerability)

        Note explicitly, that Oracle says taht your account can be compromised but says nothing about magical privilege escalation: The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows). When the user does not run with administrator privileges (typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", lowering the CVSS Base Score. For example, a Base Score of 10.0 becomes 7.5.

        1. Trevor_Pott Gold badge

          Given the complex web of how things are run in Windows, who knows what happened to allow infection? The user running this was not an administrator on the local PC. How then did this get the kinds of privs nessecary to install a rootkit? Browser glitch? Did it pop up a "run escalated" box? (Users says no, but...they're a user...)

          I have no idea how something crawling through Java could install a rootkit on a non-administrative user. And yet, it did. So is this something that uses multiple vulnerabilities in multiple products, or is there a whole new zero-day at work here that we just don't know about?

          I'm open to thoughts on this.

        2. fajensen
          Coat

          "And how would Java do that?"

          In ancient times users could register a callback to WM_TIMER, when the timer expired the subroutine would run as intended, but ... at system priority. Something like that still in there or maybe one can smash the stack of the JVM and get it to do interesting things outside of the sandbox?

          People worry too much about The Hardware, me think. I would worry much more about the wetware, like having the RIAA send me lawsuit rich enough to bail a bank, the local po-lice arrest me as a child pornographer, or a "hacker", or a "terrist" mocker of the London olympics. That sort of thing - all perfectly possible by just compromising my user account.

          Arbitrary code running is BAD.

      2. John Sanders
        Trollface

        Nothing I can do about windows

        @Trevor_Pott

        That is not entirely true: www.debian.org

        Sorry I know it is mean. I could not resist.

        1. Trevor_Pott Gold badge

          Re: Nothing I can do about windows

          RHEL or GTFO.

  27. JDX Gold badge

    even Microsoft Security Essentials can find and kill most variants

    That kind of silly statement just puts your entire knowledgeability in doubt

    1. Trevor_Pott Gold badge

      Re: even Microsoft Security Essentials can find and kill most variants

      Oh? Do tell. It is an actively versioned bit of malware, so it is a moving target for everyone. But in my experience, is MSE can kill it, it isn't all that relevant. MSE cannot however kill rootkits like Zeroaccess. They are a threat.

      Sirefef will be isolated by and contained by MSE unless we're talking about the very latest greatest variant. It won't get a chance to download buddies. Unfortunately, whatever the primary vector was murdered MSE before installing Sirefef.

      1. RICHTO
        Mushroom

        Re: even Microsoft Security Essentials can find and kill most variants

        MSE most certainly can kill rootkits. http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline

        1. Trevor_Pott Gold badge

          Re: even Microsoft Security Essentials can find and kill most variants

          Try it in practice. You'll sing a different tune. MSE cannot kill a single rootkit under active development. It can eliminate very old rootkits. Anything actively maintained will go through MSE like a hot knife through butter. It won't even see them, let alone be able to defang them.

          FFS man, don't come in here and spread propaganda; we're actually trying to help people cope with real world issues here. This is not the time or the place for you pro Microsoft crap; especially when so much of it is half truths wrapped in outright lies. The lack of context in everything you’ve ever written in the comments section of The Register is appalling.

          Please astroturf elsewhere.

          1. Kiwi
            Linux

            @Trevor: Re: even Microsoft Security Essentials can find and kill most variants

            "Try it in practice. You'll sing a different tune. MSE cannot kill a single rootkit under active development."

            What would you recommend? In the repair shop I work in we've found it generally far better than the alternatives - Avast is good but can miss stuff MSE kills, AVG (my previous fav) may slowly waddle up to it but probably not, and Norton is absolute proof the machine is infected. Not sure on Eset. Trend seems good but expensive.

            Would love to hear your thoughts.

            (In case you're wondering, I like 3 things about MS s/ware: system restore (when it works), MSE, and that all the issues pay my wages - but I'd give that up in a heartbeat for a world without MS!)

            1. Trevor_Pott Gold badge

              Re: @Trevor: even Microsoft Security Essentials can find and kill most variants

              Fucked if I know. MSE seems "as good as the rest." Every malware vendor has gaps in coverage. I like Avast and MSE because they don't don't seem to stpe on eachother's toes, so they can coexist. I prefer using multiple overlapping scanners on high-importance machines. Otherwise...prayer?

              Nothing offers complete coverage. So we need to be ready with the re-install. Personally, I periodically run one-shot "second opinion" scanners such as housecall, even when they aren't resident. I don't trust any one scanner to find malware, so I throw the kitchen sink at things and hope it works.

  28. Antoinette Lacroix
    Coat

    Easy fix

    Pat your BSD boxes, sporting Diablo Java and relax.

    Wot ? Not running Unix ? Bummer !

  29. RonWheeler
    Unhappy

    Cloud

    The problem is more than partly 'the cloud'. I've seen several large projects in the last year using Java to dish up some awful cloud based whizzyware where the departmental buyers largely bypassed IT to get the latest snakeoil. They won't be responsible for the endless security nightmares, update aggro, version conflicts and poor performance of the craptastic Java platforms they paid for however, no matter how many warnings they get.

  30. b166er

    Remember kids, 7 Pro and upwards has XP Mode available.

    I suggest install XP Mode, lock that fucker down and take a snapshot for when the inevitable happens.

  31. Anonymous Coward
    Anonymous Coward

    And the solution is ...

    Run your OS from a read-only medium .. link

  32. Nuno trancoso
    Happy

    @Trevor

    Sure, it's not one size fits all, but it's a damn good argument for forcing world+dog to run their "real environments" on a virtual with the underlying host being something safe that just serves as a launcher to said virtual.

    Push comes to shove, you bring the sucker down, mount it's drives on a clean (and loaded with "heavy artillery") special purpose virtual and proceed to happily clean the bugger.

    Worst case scenario, you already have your backup (the old HD image files) and can just start transferring data files from the compromised virtual to a new clean one.

    Back in the NT4 days, making ppl use virtuals for "daily use" would have been torture. Nowadays, any halfway recent box will handle it just fine.

    Happy, cause that's what a small investment in extra RAM and HD's made me...

    1. Trevor_Pott Gold badge
      Pint

      Re: @Trevor

      I remember something about that. ;)

  33. Greg Fawcett
    Facepalm

    Diversity is the answer

    Malware depends on an ecosystem, and at the moment Windows is so pervasive that it is an easy target. Given the move to browser-based apps, surely it would make sense for companies to split their desktops into three types - Linux, Windows and MacOS. Then any malware infection will only affect a third of their operation.

    If everyone did this, then malware would have a much harder time, just as real infections struggle to spread if much of the population is immunised.

    As a side issue it would also finally put those eternal questions about relative vulnerability and TCO to rest - just imagine all the real life comparisons free of sales/fanboi spin.

  34. Mikel
    Unhappy

    So sad for folks who have to deal with this

    Switched to Linux years ago though, so not a problem here.

  35. Simon B
    WTF?

    Download and run Symantec products?! WTF!!

    The whole article is great apart from 'Download and run Symantec's Zeroaccess removal tool.' I'd never install ANYTHING by Symantec super bloat loada crap doesn't work wont install. If ou're doing this you've enogh problems and spyware without installing MORE by Symantec!

  36. A.A.Hamilton
    Meh

    A comment from the unknowing

    I don't know enough about the need for Java and hence the risk implied by this article. Is 'Java' the same as 'Java script'? What is 'java in the browser' and how do I eliminate it if I need, at the same time, to retain 'java' on Windows (various generations) and LInux to run some applications?

    Basic guidance would be appreciated.

  37. Anonymous Coward
    Anonymous Coward

    More Java fail

    In order to actually uninstall Java from Windows, one is prompted to allow an unsigned and numerically-named executable to make changes to one's computer.

  38. vic 4
    FAIL

    "have no idea what the initial vector was"

    So obviously you decided it was via java because you saw some jar file in a temp directory somewhere. Is this article reads like spin against java

    Anyone running a machine that a company depends on should ensure that sensible user permissions are n place and virus checkers are up to date. Without these you might as well give up. Blaming a java browser plugin is just trying to distract from the underlying issue, the initial vector could be anything, true, even the java plugin. But if it had such a catastrophic affect as you made out then someone isn't doing their job properly.

    1. Trevor_Pott Gold badge

      Re: "have no idea what the initial vector was"

      The user was not runnign as admin. Their antivirus was up to date. Their browsers were up to date. Their browser extentions were minimalistic. Jars showed up and then dissapeared; shortly thereafter the system was pwned.

      If you have a different attack vector for that, I am all ears.

      1. teebie

        Re: "have no idea what the initial vector was"

        So the evidence says there's an attack that can get around good security practice measures wit downloads various additional payloads and cleans up after itself. Either fairly well but not well enough (if it came via java), or well enough that the author didn't find it (if it isn't).

        Either the attack is an unknown java exploit, or an unknown exploit with some other aspect of the system. There doesn't seem to be any evidence that the malicious jars introduced sirefef, they could just as easily have been additional payloads that may or may not have run.

        I can't name the non-java exploit that could have caused this, but neither has the author named the java exploit that could. I'm not saying that this is definitively not caused by a problem with java, but there doesn't seem to be any real evidence that there is.

        1. Trevor_Pott Gold badge

          Re: "have no idea what the initial vector was"

          I feel pretty confident in my call that it's Java. See here: http://forums.theregister.co.uk/post/1533763 . It isn't a 100% slam dunk, but it's damned close.

  39. Gordon Fecyk
    Holmes

    [s/Cleaning up/Preventing] this one Trojan-horse town

    Here is a much simpler version of Trevor Pott's advice.

    1.Use a non-admin account for your daily work.

    2.Use a non-admin account for your daily work.

    3.Use a non-admin account for your daily work.

    4.Use a non-admin account for your daily work.

    5.Use a non-admin account for your daily work.

    6.Use a non-admin account for your daily work.

    7.Use a non-admin account for your daily work.

    8.Use a non-admin account for your daily work.

    9.Use a non-admin account for your daily work.

    10.Use a non-admin account for your daily work.

    11.Use a non-admin account for your daily work.

    12.Use a non-admin account for your daily work.

    Java runs in user-space. Delivering a Windows-only rootkit requires admin access to the desktop. Do the math.

    1. Charles 9

      Re: [s/Cleaning up/Preventing] this one Trojan-horse town

      Yes, and the math leads to two words: PRIVILEGE ESCALATION. Hijacking something in the OS that already has admin access to get the rootkit in place. Unfortunately, privilege escalation is something that can occur in ANY OS (yes, even you, Linux--where did the term "rooting" come from?) with some chink in the code (and since programmers are human and some malcontents are patient, determined and/or motivated, odds are something will be found).

  40. Dexter
    Unhappy

    It's all very well saying "this was fixed in Windows 7 years ago".

    I work for a company where we still have to use Windows XP (and IE for many intranet things).

    And as usual, to get useful stuff done on XP, you need admin privileges.

    Many people don't get a choice.

    1. Gordon Fecyk
      Thumb Down

      XP does non-admin, so no excuse for your apps

      I work for a company where we still have to use Windows XP.

      The Designed for Windows spec from over a decade ago requires applications to behave for non-admins.

  41. Glyph

    privilege escalation?!

    as has been noted, there had to be multiple exploits here.

    maybe - one in java to allow native code execution, alternatively its lack of sandboxing might have been sufficient to allow the next step via valid windows api calls

    probably - a windows privilege escalation exploit that allows a user to run as admin

    certainly - a service exploit to run user level code to spread across the network

    it is possible that there was no privilege escalation bug used, but it certainly sounds like there was. I thought these were getting rare. Could someone in IT comment on that? I'm a dev, I create these sorts of problems with sloppy code, not solve them. I do remember an old redhat 5 privilege escalation exploit that you could go from a user shell to a root shell with only seven lines of typing.

    1. Trevor_Pott Gold badge

      Re: privilege escalation?!

      I wish I had a definative answer for you. I am 98% certain the initial attack was delivered through java in the browser to a non-administrative user. Then what? What does it execute? Is it using a java-native escalation, or some other exploit? How the hell did that bit of fail break out of its sandbox?

      Then it ate itself. To me, this is the biggest indication that there was an unknown zero-day being used. The author of that malware did not want to initial payload to be examined by security companies. There are holes in the logs; I only even know that Jars appeared and dissapeared because I had a completely separate app on debug for a completely different reason. (Trying to debug something inovlving Office 365.) It caught the logs thrown by MSE before it was anhiliated (and all of it's logs, browser history etc) with it.

      Something crawled in through Java. Then it ate itself, the anti-virus packages, the logs and installed new friends. The user was not running as admin. So I don't really care if it used a native flaw in Java to escalate privs enough to do that, or if it cascaded other flaws once the userspace code had been delivered. Java was the initial vecotr, and windows cracked like an egg after that.

      1. Gordon Fecyk
        Thumb Down

        [citation needed]

        Something crawled in through Java. Then it ate itself, the anti-virus packages, the logs and installed new friends. The user was not running as admin.

        "ate anti-virus packages" and "not running as admin" are mutually exclusive. Links, or it didn't happen.

        Are you sure the user in question didn't have some form of privileged access on the compromised PC? Maybe "Power User" access? I've seen too many pieces of poor advice published that I would not be surprised if this stupid advice was followed and then propagated through Group Policy, quite deliberately, just to make some broken gotta-have-this application work because said admin was pressured into taking the quick and lazy approach.

        Your rant flies in the face of over nine years of experience dealing with this very problem. Am I just lucky? Why hasn't this happened to me, or my clients, or co-workers when the machines I dealt with all had the latest Java, the latest Flash, and the latest Readers, and so on?

        1. Trevor_Pott Gold badge

          Re: [citation needed]

          Every time I try to run anything that my affect a system configuration, Windows asks for administrator's credentials. The user is not a member of "Administrator" or "Power Users," only "Users." This is verified by taking the time to trace all the domain memberships, how they interact, and what privileges those security groups have on the local computer. The user itself does not have specific permissions on the local machine. Everything I can see points to the user account not having any administrative privileges on the local PC whatsoever.

          I do not rule out the possibility that someone may have tweaked some obscure setting in the registry of the local computer before I took over administration of this system that somehow allowed this to occur despite the fact that the user appears in every other way to be unprivileged. Without going over the registry with a fine toothed comb, I cannot possibly know for sure. I do know that no extant GPOs exist that cause any such weirdness. The system is also an off-the-shelf HP consumer-targeted system; there is always the possibility that it simply shipped with a bizarre/obscure registry tweak that nobody is aware of.

          That said, I have done the legwork on this. I wouldn’t be posting an article claiming that the thing crawled in through Java without being pretty damned sure that this is exactly what happened. I also don’t claim that it exploited the latest discussed vulnerability; I have absolutely no idea which vulnerability it exploited; for all I know it exploited a vulnerability that is a true zero-day and completely unknown outside the blackhat community.

          I have determined that the browser in use at the time was Internet Explorer 9. I have gone over the IE9 settings; unless the malware in question changed the settings post-infection, it is entirely default. That should not allow Java, Flash or anything else to break out of a sandbox in usermode; and yet, it happened.

          Look, as far as I can tell, this system is an off-the-shelf HP client system from about 2 years ago. It was attached to a domain run by an administrator that was pretty damned “by the book.” The GPOs and other configurations are pretty clear. WSUS automatically clears critical, security and definition updates for immediate install, and the user was diligent about keeping Java, Flash, etc up to date. Nobody played around with anything obscure because it simply was never required in this environment. It is as close to “off the shelf” as you can get for an SME install.

          That’s what’s so scary about all of this. I would like to be able to write a “well damn it Jim, such and such happened because users are stupid” article. They get nods and smiles and sympathy from the readers instead of vicious personal attacks from a pool of internet piranhas.

          Indeed, I have one such client that got slapped by their own stupidity on the same weekend. Nothing up to date, everything unmaintained, didn’t listen to my “disable java in your browser now” cries, and they run every user as local administrators. They got predictably pwned, but that’s not exactly interesting. (I like the billable hours, though!)

          No, the guys that did it “by the book” and then got run over by something that crawled in through the internet are interesting. The CFO in question is a pretty honest guy; I asked him if he used a USB key, CD or anything in recent memory and no, he had not. I’ve checked every other vector I can think of, and nothing presents itself. So either something crawled in through Java and then broke out, or I.E. itself has a truly abominable zero day.

          If I.E. has a zero day, the self-immolating Jars make no sense; why would Java anything be used as an intermediary there? Creating malware that requires something like Java be installed narrows your target availability unless Java itself is part of the vulnerability package you are exploiting to get the toehold into the system. This looks and smells like a Java vulnerability being exploited, probably in combination with something else. (http://arstechnica.com/security/2012/08/microsoft-defense-bypassed-in-2-weeks/ ???)

          This is the first time I’ve seen a malware attack on a system that is reasonably properly defended. There is no obvious way this could have or should have occurred. If anyone has a better explanation I’m all ears on this; but I’ve spent an entire long weekend looking for obvious vulnerabilities in configuration and found none so far.

  42. Fading
    Thumb Up

    Page bookmarked for future use.

    Now whilst I'm not a sys-admin (officially) I am the de facto sys-admin for friends and family and I suspect at some point in the future I will get "the phone call" and have to clear up a similar mess without resorting to nuking from orbit (the concept of backups will never make it into the domestic arena no matter how much I nag). So thanks for the all the tips - looking forward to my next battle.......... (not).

  43. Anonymous Coward
    Anonymous Coward

    Mr Pott, I tip my hat to you.

    Sir,

    I don't know if there are awards for perseverance in the face of malware based adversity but if somebody does create one you will have my nomination.

    I would have given up, f-disked and started again long before working out the process you have described in your article. If that wasn’t possible I may even have considered joining the foreign legion or signing on to a pacific crab boat.

    AC? Because I work in the industry and "should" be made of sterner stuff.

    1. Trevor_Pott Gold badge

      Re: Mr Pott, I tip my hat to you.

      Two things: 1) I don't get physical access to the system for another couple of days. 2) I write a sysadmin blog, and my readers are important to me. If I can figure out how to kill the damn thing, maybe I can help someone stuck in a bad situation. If it helps just one guy stuck on the wrong end of a Teamviewer session, it's worth my Friday. :)

  44. vic 4

    "appearance and disappearance of some malicious Java archive files"

    Out of interest any more info other than they came and went. I what way were they malicious?

    1. Trevor_Pott Gold badge

      Re: "appearance and disappearance of some malicious Java archive files"

      MSE flagged them as malicious, and this was logged. I had an app trawling writes to standard windows events at the time making a second copy, so it caught them being flagged as such. By the time I looked at the computer (about 15 minutes later) the Jars were gone, along with most of MSE, Avast, the Windows logs, browser history and so forth.

      So these jars showed up, MSE caught them as bad, but wasn't able to kill them. The rest you know. The following is what was seen:

      Java/CVE-2011-3544.gen![insert a letter here]

      Exploit:Java/CVE-2012-1723

      Exploit:Java/CVE-2012-4681[insert letter here]

      Exploit:Win32/Java (no qualifier?!?)

      Now, CVE-2011-3544 and CVE-2012-1723 should not have affected a fully patched copy of Java. CVE-2012-4681 is just new enough that I can believe it might have been exploited if the user had “patched but not rebooted” or some such. Install logs for this system say that Java was up to date (Java 6u35).

      What’s curious is seeing these together within a second of one another followed by the system going crazy. MSE lagged detection of CVE-2012-4681 by a day…so my working hypothesis is that the user went to a site that took a shotgun approach to Java exploits, at least one of which worked. (There may even have been more exploits to come; it is entirely possible that the payload went off before all the detections had been completed.)

      The payload that worked nommed all the evidence, except for my little logger which caught the mentions of the files that shouldn’t have actually been an issue. Now, you can flog me all you want for the one stupid thing I actually did during this exercise, but I think making the call that “this crawled in through Java” is backed by reasonable evidence.

      What I should have done was immediately image the system at a block level and get the image to Symantec/Kaspersky/etc with alacrity. Assuming the malware didn’t dban the blocks where it was stored, someone could have lifted the thing off of the recently deleted blocks and we might know more about it. Sadly, I got the call pre-coffee and simply set about trying to kill the thing. By the time I realised that I might actually be dealing with something totally unknown, it was too late; I’d made so many system changes that imaging the thing was likely pointless.

      So this is why I say that Java is the most likely candidate. Nothing else was untowards on this system. It looks to me like someone out there has an updated Blacole toolkit with some terrifyingly new exploits in hand and is using it with abandon. That said, I am not a security expert. I do not work for Symantec, Kaspersky or any of these other firms. I can only look at the evidence I have and say “well, this looks like the attack vector, this looks like the end result, here’s how you nuke the buggers.”

      I can only hope that by laying out a “how to kill it” in my post, someone is helped. If along the way a little bit of awareness is raised about the fact that Java in the browser is bad for us all, so much the better.

      Frankly, I don't think Java needs to be singled out as "the only bad thing to run in your browser." I think that any extensions in a browser need to be vetted for necessity. That includes Flash, Silverlight, .net, various toolbars and more. Shrinking the attack surface is always a good idea.

      In the case of Java, I have a particular hate on because of the frequency and severity of exploits, combined with the abysmal response from Oracle regarding patches. This gets combined with the sheer unavoidability of the product and the versioning issues that can and do crop up in real world use. It makes me ornery. Doubly so when the issues I described in my post – and the subsequent comments – occur.

      So if I hath insulted the almighty JVM, please accept my apologies. It sure looks to me like it is at fault here. I can’t even blame the user for this one, and that bothers the hell out of me.

      1. vic 4

        Re: "appearance and disappearance of some malicious Java archive files"

        +1 Thanks for the info

  45. Carin

    A bit after the fact but interesting to note...

    I just finished a bout with Zeroaccess (A, B & C) but it did not manage to proliferate on my network and I know why although not as clearly as I'd prefer to. Hopefully we'll get some better info about how it mobilizes itself at some point because after reading your account I'm surprised I got off as easy as I did.

    We have some very sensitive data that we simply cannot afford to have compromised (by any threat) and as such we have a hyper-paranoid firewall setup that involves multiple levels of scanning, not only for inbound connections and downloads but also for intranet packet exchanges. It requires a herculean effort on the part of the firewall(s) in terms of memory and processing but it stopped zeroaccess dead in its tracks; it managed to infect the ONE system on the network that was excluded from the inbound AV scrubbing. Ironically, it was the CEO that managed to infect himself because he complained that his internet wasn't as zippy as he'd prefer and so demanded that he be left with ONLY the end point protection of his choosing.. Symantec, because he said MSE wasn't good enough :}

This topic is closed for new posts.

Other stories you might like