Re: privilege escalation?!

I wish I had a definative answer for you. I am 98% certain the initial attack was delivered through java in the browser to a non-administrative user. Then what? What does it execute? Is it using a java-native escalation, or some other exploit? How the hell did that bit of fail break out of its sandbox?

Then it ate itself. To me, this is the biggest indication that there was an unknown zero-day being used. The author of that malware did not want to initial payload to be examined by security companies. There are holes in the logs; I only even know that Jars appeared and dissapeared because I had a completely separate app on debug for a completely different reason. (Trying to debug something inovlving Office 365.) It caught the logs thrown by MSE before it was anhiliated (and all of it's logs, browser history etc) with it.

Something crawled in through Java. Then it ate itself, the anti-virus packages, the logs and installed new friends. The user was not running as admin. So I don't really care if it used a native flaw in Java to escalate privs enough to do that, or if it cascaded other flaws once the userspace code had been delivered. Java was the initial vecotr, and windows cracked like an egg after that.

Re: "have no idea what the initial vector was"

The user was not runnign as admin. Their antivirus was up to date. Their browsers were up to date. Their browser extentions were minimalistic. Jars showed up and then dissapeared; shortly thereafter the system was pwned.

If you have a different attack vector for that, I am all ears.

Re: ...for those running as root

sudo passwd root

Enter a pssword

Now you can log in to the GUI. What's so hard about that?

Re: ...for those running as root

Set a root password. Then you can log into the GUI as root.

Re: @ Trevor_Pott

If you are calling me a Linux fanboy, I'm going to ask you to back that statement up with some sort of evidence. For the record, these are the following things I am a "fanboy" of (in rough order):

1) My wife, close friends and selected coworkers.

2) Ninite.com (Just. Frakking. Works.)

3) Cyanogenmod (My phone. MINE.)

4) A significant chunk of The Register's writers, current and departed (I miss Sarah.)

5) Ars Technica's Nobel Intent (Science, bitches!)

6) Evidence-based legislation (Science, bitches!)

7) Mars Rovers (Science, bitches!)

8) Intel networking (Just. Frakking. Works.)

9) Jose Barreto (Awesome guy working for Microsoft's storage team.)

10) Classic Shell (I want my goddamned up button back!)

My definition of "fanboy" means I give those individuals, people, products and concepts on this list "the benefit of the doubt." It means I will accept at face value what is presented. I will trust what they have to say without the need for significant deep dives; this trust has been earned over time.

By nature however, I am a cynical person. I do the research, I question everything. So if you are suggesting that "Linux is the most compromised X on the planet" and that "anyone who believes otherwise is a Linux fanboy," I am going to call you on it. That goes against every scrap of evidence I have; prove your accusation.

Linux is not the most compromised webserver, despite being the most dominant. Various web APPLICATIONS (frequently, but not exclusively run on Linux) are vulnerable as hell...but these web apps lead to compromise on Windows as well as Linux. The actual underlying technology is significantly less assailable than the competition; shocking considering the many issues surrounding Linux governance and implementation.

So...prove it. Prove that Windows is "more secure" for the same tasks running the same apps. Especially when both are properly configured and hardened for a production environment. Prove also that those who disagree are "Linux fanboys," instead of people who have different - possibly more accurate - information than you are working from.

...you can prove that, can't you?

Re: The only use for java these days

Disables fine in Chrome and Firefox. Even when "disabled" in IE, the thing still can be called. How that works, well...comments, Microsoft? I'd love to hear the explanation.

Re: ...for those running as root

Do you have any idea how many Ubuntu users I catch runnign as root? It gives me a sad.

Given the complex web of how things are run in Windows, who knows what happened to allow infection? The user running this was not an administrator on the local PC. How then did this get the kinds of privs nessecary to install a rootkit? Browser glitch? Did it pop up a "run escalated" box? (Users says no, but...they're a user...)

I have no idea how something crawling through Java could install a rootkit on a non-administrative user. And yet, it did. So is this something that uses multiple vulnerabilities in multiple products, or is there a whole new zero-day at work here that we just don't know about?

I'm open to thoughts on this.

Re: even Microsoft Security Essentials can find and kill most variants

Try it in practice. You'll sing a different tune. MSE cannot kill a single rootkit under active development. It can eliminate very old rootkits. Anything actively maintained will go through MSE like a hot knife through butter. It won't even see them, let alone be able to defang them.

FFS man, don't come in here and spread propaganda; we're actually trying to help people cope with real world issues here. This is not the time or the place for you pro Microsoft crap; especially when so much of it is half truths wrapped in outright lies. The lack of context in everything you’ve ever written in the comments section of The Register is appalling.

Please astroturf elsewhere.

Re: Lets not just blame java here

Richto; who is paying you and how much? The amount of utterly bullshit FUD you spread about Linux is amazing. Honestly though, which company foots the bill? I'm really curious.

Re: even Microsoft Security Essentials can find and kill most variants

Oh? Do tell. It is an actively versioned bit of malware, so it is a moving target for everyone. But in my experience, is MSE can kill it, it isn't all that relevant. MSE cannot however kill rootkits like Zeroaccess. They are a threat.

Sirefef will be isolated by and contained by MSE unless we're talking about the very latest greatest variant. It won't get a chance to download buddies. Unfortunately, whatever the primary vector was murdered MSE before installing Sirefef.

Nope. I blame Java for lettine the bastard in the door and giving it escalted privs on an account not running as administrator. The facr that once in, the sattelite infections played merry hob with a Windows system is just par for the course. Protect the edges if you know that the center is soft and chewy. Nothing I can do about windows; but I can uninstall the inefection vector...Java.

Re: The only use for java these days

Um...what? OSX is actively under attack using these vulns...as is Ubuntu for those running as root...

Re: Hmm

How many PCs do you know of that you buy at the local electronics store come preconfigured for PXE boot? Not a large enterprise; systems are not configured for image-based dissemination. Main office has only 11 people! Everything is on the other end of wet-noodle VPN. Nah; these folks use Best-Buy specials and the previous admin left such a mess that two months later I'm still picking up pieces.

At this point, it wouldn't be an "image" either. It would be a clean install. And there is a lot of CFO-only software to get off that thing...

Re: question

The user was not a member of the administrators group on the local PC; unless one of the infections in question altered permissions post-infection...

Re: What we have here is a serious lack of comprehension...

Up to date Java...that's the thing...

(!) :(

Re: 12 steps

If only it were that simple, and the people who pay money for things didn't have say in their own environments...eh?

Re: At least there's the day rate.

This is the first thing in years I've seen simply waltz right on by MSE. It was actually Avast that caught the initial one. (Befor it was crippled, and MSE annihilated.)

Re: Why blame Java at all?

I can know the attack vector without knowing the name of the attacker. I don't have a clue what the initial Bad Thing was. I do know they were malicious. Jar files that set off the alarms. The browsers were up to date. No flash was installed. Moments after detection, the jars dissapeared. So did Microsoft Security Essentials, Avast and a large chunk of all thee browser histories. It looked to me like someone using a java exploit that didn't want a security researcher decompiling the attack vector.

I crawled all over the thing for three days. I was hoping for an awesome new browser zero day. Alas, "Java is still broken" is not much of a story. But I was able to get the "this is how you fix it" info out to people, in case they got hit. That was really my goal.

Not all of us are so lucky as to have full imaging gear and pre-vetted application stacks. This is a new client of mine; small, most IT descisions still taken directly by CEO, call for help as they need it. Remote cleaning was a priority. If it happened to me, it might happen to someone else in a similar position; worth the time then to write up.

Re: Hmm

Agreed; that's a next-week project; for when I have physical access. For right now, this works over Teamviewer, and everything I can throw at it comes back clean.

Re: Thank you for this.

The problem isn't the hammer. The problem is that we told an entire generation "all you need is a hammer" and they actually believed it. Now ****ing everything has hammer marks where other tools should have gone, and nothing quite works the way it should.

Re: Goodbye mouse button

My experience with the client in question says that right clicking on nearly every element in the UI works just fine.

I didn't want to be a "sysadmin" myself. I wanted to "make comptuers talk to eachother, and get them to do things in a coordinated fashion." (I later discovered that what I wanted to do with build beowulf clusters; sadly, I do not build beowulf clusters for a living.)

The rest just sort of...happened...

Not despising corporations is hard for me. There is an innate distrust that I hold against people who are financially motivate to screw me over and take all my money.

That said, I have an SII, a Samsung Netbook and who only knows what else from them...

Re: Python?

I never said Python was the best; I lack the diversity of experience to reliably choose a "best" language. Of the dozen or so that I, personally code in - including Java - Python is the one I enjoy coding in. Mostly because I enjoy the diversity of use cases for the code. It compiles - so I don't need an interpreter - and yet I can also use it as web scripts, shell scripts, etc.

It is a simple language that is easy to learn, code in a maintainable fashion and addresses all of the use cases I run across on a regular basis.

It isn't "the best," but it is my favourite.

"You will spend you life coding scripts and apps in two dozen languages, but also dealing with whinging users" is not how anyone sells the career of systems administration. Why would a fresh-out-of-high-school kid with no experience in systems administration know that beforehand? After all, it's derided as "digital janitors" and nothing more. Taking care of hardware and operating systems. "Simple, easy, unworthy of real effort." Sounded fun to an 18 year old; make money during the day, do real work as a hobby!

Hah.

Re: "Java was my first experience of object-oriented programming"

You poor bastard!

Amen.

Re: Your argument's flaw

Don't think "staying on at University" solves this; plenty of folks don't include the VM binaries with the application, still use applets or otherwise commit unpardonable sins. When I have to ship working Java code, these are not sins I commit...and I didn't finish University. It isn't the education; it's the asshat behind the keyboard.

Them folks with them fancy duh-grees still can't code for shit. The ability to pay attention to security, usability, lifecycle and maintenance isn't something that is easily taught. It's wrapped up in the deeper neuroses of "being able to think about people other than oneself." If you can't tear yourself away from the mitror for a moment, you never get time to think about the poor bastards that have to use your code.

Java amplifies douchebagitis because it's a secruity nightmare wrapped in a versioning problem.

I can code in Java just fine, thank you. I never did get the chance to stop doing so. Next?

Re: Thank you for this.

Mama said "one idea per article." And the answer is Python.

Re: Careful with your evolution mumbo jumbo.

Actually, you'd be completely wrong. All extant members of homo sapiens sapiens (the only subspecies of the only remaining species (homo sapiens) from genus homo) can trace their lineage to mitochondrial eve and y chromosome adam.

Mitochondrial eve - contrary to the biblical reference in her name - was not the only woman of her time. She was however the most "fit:" all extant humans are her descendants; no lineages survived from any of her contemporaries. Similarly, Y chromosome Adam - far from the only man of his day - was simply the most fit. Adam lived about 142,000 years ago, and we are all his descendants.

It is generally considered that this occurred before the “out of Africa” migration. Once out of Africa both European and Asian Cro Magnons interbred with other hominids. Europeans with Neanderthals and Asians with both Neanderthals and Denisovans. There is no evidence of gene transfer between Neanderthals or Denisovans to the Cro Magnons living in Africa at the time. (Though with modern intermixing this is becoming less and less relevant.)

So there are exceptionally small genetic deviations between the three primary populations of humans based on horizontal gene transfer between the three extant human subspecies shortly after the “out of Africa” migration, however it did not affect either our mitochondrial or Y chromosome lineages. (Which is to say, the genes are pretty dilute in today’s populations!)

You can always attempt to prove that you are a separate species. Go to https://www.23andme.com/ and get your DNA sequenced. If you are a separate subspecies (or if your mitochondrial DNA or Y chromosome differs from the rest of humanity) then I promise you, the geneticists will be all over you like white on rice. Until then, suppositions of subspeciation within humanity have no basis in fact. They are as erroneous as the bullshit Aryan race theories espoused by certain madmen, and potentially as dangerous.

There is simply no evidence whatsoever to support subspeciation within the only extant lineage of humans.

Re: Careful with your evolution mumbo jumbo.

Since all of genus homo is classified as hominidae (great apes), then it stands to reason that all of our antecedents up to (and perhaps slightly predating) the last common ancestor would also be considered “apes”.

All hominidae (including all members of genus homo) share certain physiological traits in common that differentiate us from other primates (and lemurs, to whom we are also closely related.) Homo is most closely related to pan (chimps and bonobos,) with gorilla and pongo (orangutans) rounding out the extant species.

Now, if you wanted to get into a debate about the inclusion of hylobatidae (gibbons) in “apes” then you are some good company. The current consensus is that “great apes” be restricted to true hominids; a distinction which excludes hylobatidae.

So yes, we did in fact evolve from apes. Which makes perfect sense, considering that genus homo are in fact still quite definitively apes.

But “we evolved from monkeys” is a trickier one. Where do you draw the line on “monkeys?” Simiiformes (which would be where you’d find the last common ancestor of all monkeys and apes) breaks down into platyrrhini (new world monkeys) and catarrhini. Catarrhini contains both cercopithecoidea (old world monkeys) and hominoidea (apes).

Although it is common to group all monkeys together as if they were a homogenous genetic lineage, there are in fact two very distinct groups. Catarrhini are as differentiated from platyrrhini as platyrrhini are from lemurs. Indeed: new world monkeys show a remarkable genetic differentiation, giving rise to several major families; something that neither catarrhini nor homonoidea seems to have managed.

But we are apes. There isn’t a lot of wiggle room here. We just haven’t diversified enough to be something “special, unique and different” yet. We area a separate species, but not yet a separate family, let alone superfamily!

So I’d ditch the whole “evolved from monkeys” thing altogether. “Monkeys” is meaningless. But you’ll not escape that we evolved from apes. My dad was an ape. So was yours. I’m an ape sir, and you are too.

Re: New Reg SPB project:

I'll pitch on the kickstarter for that...

Re: Choose conferences or events with real techies.

Sage advice. On my junket I was lucky to meet with the actual techies. My understanding is that both VMWorld and Build are like this. I wonder which others qualify?

Re: Where

Here's one: http://www.michaelgeist.ca/

Re: remind me what "freedom of speech" is

As a matter of fact, it is a world ideal. Defined in the United Nations Declaration of Human Rights. Signed by the overwhelming majority of nations in the world, it defines your rights as a human being, regardless of the government you live under. These are fundamental rights that are innate to being human, not rights "granted" by a government.

It is our duty as citizens the world over to uphold and defend these rights. It is through our collective defense of these rights against all who would attempt to suppress them – governments, corporations and individuals – that we as a species give these rights their meaning.

This isn’t a “Utopian Ideal.” This is the legacy – and duty – passed onto us by our forefathers. If we wish to remain free, to free others and to see our descendants enjoy freedom then we must indeed remain eternally vigilant. The rule of governments – and their laws, lawmakers and so forth – are granted by the governed. The rights outlined in the UDHR belong to every human being, no matter what any tin pot dictator – elected or not – chooses to say on the matter.

I am willing to die, if necessary, defending the above. What kind of person are you – how self important and entitled must you be – that you would not be? What must you believe that you would tell someone – anyone – that they are aught but chattle, granted rights as a whim, to be retracted just as effortlessly?

If that is what you truly espouse sir, then I think you are a terrible human being who is actively engaged in attempts to undermine one of the only great things our species has ever achieved…even if you are only doing through speech.

As a fundamental human right, however, I would still defend your right to air your opinion. No matter how contemptible I believe it to be.

Re: Trevor, would a new pair of

Adding a little bit of hardware to compensate for defects in the sensory apparatus can make the system more accurate. Unfortunately both the sensor design and the underlying system can only be corrected for so much.