Slashdot Mirror


Multiplatform Java Botnet Spotted In the Wild

It's fun sometimes to be smug because you are ("one is") using an operating system less susceptible to malware, or at least less targeted by malware creators, than is Microsoft Windows. Now, reader Orome1 writes with word of a Java-based, equal-opportunity botnet Trojan, excerpting from Help Net Security's report: "'IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,' explains McAfee's Carlos Castillo." So far, no mention of a Linux version, though.

25 of 203 comments

  1. Typical. Bloody typical. by martinux · · Score: 5, Funny

    No mention of linux support. Do we always have to come last?

    1. Re:Typical. Bloody typical. by masterwit · · Score: 2

      have you tried WINE?

      --
      We should start a new Slashdot and return control to the geeks. It actually wouldn't be that hard to get some users to
  2. um.... by LodCrappo · · Score: 2

    "So far, no mention of a Linux version, though."

    Java is Java.. there generally would not be a "linux version", or any platform specific version.. sort of the whole point of this.

    --
    -Lod
    1. Re:um.... by guruevi · · Score: 5, Informative

      If you rtfa, the software (trojan) has to be installed somehow. The payload has to get on a computer and be executed.

      FTFA: The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs... However, we’ve seen only the PC version in a downloader/dropper in the wild.

      Yes, I can run a Java-based botnet client (it may be one of the first) but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:um.... by Zero__Kelvin · · Score: 2

      Java is not Java if you use platform specific attack vectors as this botnet does. In this case it can theoretically operate on other platforms, but it cannot propagate to them. One could install it intentionally perhaps, but it won't make its way onto the Linux box against the system administrator's will.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:um.... by John+Hasler · · Score: 4, Insightful

      ...but uses source code and libraries that can operate on other platforms,

      Read that again. Source code.

      Also from the article:

      The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files,...

      In other words, it may be source compatible with Linux but there is no Linux binary in the wild. The jar files might run on Linux but the key component needed to download and install it is a Windows binary.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
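guruevi and John Hasler both make the same point: what circulates is a Windows executable, and the article says it was produced with JarToExe, a wrapper that turns a .jar into an .exe. A quick triage a defender can do on such a sample is to check whether a file that presents itself as a PE carries a ZIP/jar structure inside it. The script below is an added example, not code from the article, McAfee or JarToExe; the sample "executable" it scans is constructed in memory (a minimal DOS/PE header stub with a tiny jar appended), and the heuristic assumes the jar is embedded unencrypted. The article notes JarToExe can also "protect and encrypt" the Java program, in which case this signature scan finds nothing and a sandbox or memory dump would be needed instead.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature that starts every ZIP (and therefore jar) entry


def is_pe(blob: bytes) -> bool:
    """True if blob starts with a DOS 'MZ' stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def embedded_zip_entries(blob: bytes) -> list:
    """Walk every ZIP local-file header in blob and return the entry names found.

    This deliberately ignores the PE layout: a wrapper may append the jar as an
    overlay, store it in a resource, or place it anywhere else in the file.
    """
    names = []
    pos = blob.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        if pos + 30 <= len(blob):
            # local header: name length at +26, extra length at +28, name at +30
            name_len, _extra_len = struct.unpack_from("<HH", blob, pos + 26)
            name = blob[pos + 30:pos + 30 + name_len]
            names.append(name.decode("utf-8", errors="replace"))
        pos = blob.find(ZIP_LOCAL_HEADER, pos + 4)
    return names


def looks_like_wrapped_jar(blob: bytes) -> dict:
    """Report whether blob is a PE file and whether a jar (manifest or .class files) is embedded."""
    entries = embedded_zip_entries(blob)
    has_manifest = "META-INF/MANIFEST.MF" in entries
    has_classes = any(n.endswith(".class") for n in entries)
    return {
        "is_pe": is_pe(blob),
        "embedded_jar": has_manifest or has_classes,
        "entries": entries,
    }


# --- constructed sample input (not a real sample from the article) ---

def build_fake_pe_stub() -> bytes:
    """64-byte DOS header with e_lfanew = 0x40, followed by the 'PE\\0\\0' signature and padding."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_fake_jar() -> bytes:
    """Minimal jar: a manifest plus one file that carries the Java class-file magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Example\n")
        z.writestr("Example.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


SAMPLE_WRAPPED = build_fake_pe_stub() + build_fake_jar()   # "exe" with a jar appended
SAMPLE_PLAIN_JAR = build_fake_jar()                         # the same jar on its own


if __name__ == "__main__":
    for label, blob in (("wrapped", SAMPLE_WRAPPED), ("plain jar", SAMPLE_PLAIN_JAR)):
        print(label, looks_like_wrapped_jar(blob))
```

Against a real file you would read it in binary mode and pass the bytes to `looks_like_wrapped_jar`; a PE that also yields a `META-INF/MANIFEST.MF` entry is worth handing to a Java-aware analyst rather than treating as native code, and the `entries` list tells you straight away which classes to look at.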
    4. Re:um.... by jd2112 · · Score: 4, Insightful

      So typical. Program is written in Java but packaged so it is Windows only, defeating the main purpose of using Java in the first place.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    5. Re:um.... by LynnwoodRooster · · Score: 3, Informative

      In this case it can theoretically operate on other platforms, but it cannot propagate to them. One could install it intentionally perhaps, but it won't make its way onto the Linux box against the system administrator's will.

      Thus it's called a Trojan - not a virus. It won't self-replicate and transmit to computers on other OSes as well...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    6. Re:um.... by Snarky+McButtface · · Score: 3, Interesting

      I am a linux user but the wife prefers Windows. On her Windows box I have installed Secunia PSI which automatically updates most of the third party software on the system. If it does not update something, it informs her so she can do it manually.

    7. Re:um.... by TheLink · · Score: 3, Informative

      The Linux "installer" is called Firefox.

      Google for firefox exploit linux. Or firefox vulnerability.

      As long as attackers can run arbitrary code of their choice they can install botnet software.

      Even if it means tricking the user to run it... Which is what botnet operators do all the time to Windows users.

      The "linux" fanatics just like to believe Linux is more secure when there are so many exploited Linux servers[1] out there.

      Go ahead and blame the administrators and users, but just imagine the sort of users you have "administering" a typical Windows machine.

      They are the very users botnet operators target.

      If OSX and "Desktop Linux" become very popular, you might get malware written in perl for more cross platform goodness.

      [1] There may not be as many exploited Linux desktops, but I suspect there may be more Linux servers than desktops in the world ;).

      --
    8. Re:um.... by hairyfeet · · Score: 2, Insightful

      You mean "Windows excels in that part of the attack vector a decade ago" FTFY. Seriously people, Vista has been out nearly FIVE years, Windows 7 now for TWO years; did the DOS jokes continue into 2005?

      So the moral of the story little childrens is this: stop running decade old shite and if you ARE gonna run decade old shite have a fricking brain about it and run a decent free AV (I'd recommend either Avast or Comodo as both have default sandboxing) along with not running every damned bit of code found in the backwoods of the Internet offering you free titties or money from a Nigerian prince. Is that REALLY so hard?

      As for TFA, count the days Linux guys, count the days. You already have the malware kit for OSX, and all those Android phones means malware writers finally have a reason to start snooping around. All those noobs you got on Ubuntu sure would be a nice little addition to their botnets wouldn't they? Count the days Linux guys, count the days until your DOOM!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:um.... by shutdown+-p+now · · Score: 2, Informative

      Java is not Java if you use platform specific attack vectors as this botnet does. In this case it can theoretically operate on other platforms, but it cannot propagate to them.

      Sure, so you end up having to muck around with bash for something as simple as installing some damn botnet. apt-get install this, /etc/init.d/restart that...

      See, that's what I mean when I say that Linux is not ready for the desktop! ~

  3. Exactly what OS isn't susceptible to trojans? by l0ungeb0y · · Score: 5, Insightful

    AFAIK, any OS that allows a user to install software is susceptible to malware.
    Anyone smugly thinking they aren't is an idiot.

    Wake me up when a worm has been discovered in the wild targeting OS X or Linux

    1. Re:Exactly what OS isn't susceptible to trojans? by mrnobo1024 · · Score: 3, Interesting

      None that you know about. You can hide a lot in a closed-source binary.

      The only "security" iOS has is that you have to shell out $100/year to be a developer. Gives great protection against hobbyist programmers, does absolutely nothing against the Russian mafia.

    2. Re:Exactly what OS isn't susceptible to trojans? by digitallife · · Score: 2

      It only takes being discovered once to have it removed from the app store, and hence not reasonably installable. Imagine how many pieces of malware would exist on Windows if MS actively and persistently vetted all software... It would probably tend towards zero.

  4. Re:RUN FOR YOU LIVES !! by 2.7182 · · Score: 4, Funny

    I believe this thing is called a "javawocky."

  5. Re:You mean people actually enable java? by Cougar+Town · · Score: 3, Interesting

    You don't enable or disable Java. If it's installed on your system, it's available to use. You can, however, enable or disable the Java applet plugin for your web browsers, which is probably what you're talking about and isn't necessarily what this is about (TFA didn't mention applets or browsers). Java applications (not applets) can run on your system as long as you have Java installed, regardless of whether you have the browser plugins enabled or not, just like how you can open a PDF if Adobe Reader is installed, regardless of whether you have the Adobe Reader browser plugin enabled or not. So in theory, if they found an attack vector for your OS, having the Java plugin disabled wouldn't stop this from running on your system at all.

    Getting it onto your system is the trick, though. If they found a hole in the Java plugin's sandbox, they could potentially exploit that using an applet and get the code onto your system. Disabling the plugin prevents that possibility, but if they were trying to push this via browsers there are lots of other plugins and holes are found in browsers all the time.

    That being said, I don't bother with the Java plugin either, because applets are crap and I have no use for them and agree with you about sites requiring them (and I'm a full-time Java developer).

  6. Re:the ARE linux rootkits/viruses by jc42 · · Score: 2

    unix is where the term root for #1 user, hence rootkit comes from.

    Minor correction: On unix systems, root is always the #0 user. The #1 user is typically "daemon", though not always.

    (Unix was written by -- and for -- C programmers, who always start counting at 0. ;-)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  7. Oracle's marketing dept. should get on this by antifoidulus · · Score: 3, Funny

    They just gave Oracle a new slogan for Java, "Write once, pwn everywhere!"

  8. This is a case of by surveyork · · Score: 2

    "No OS left behind."

    --
    2019 is going to be the year of Linux on the desktop.
  9. Re:RUN FOR YOU LIVES !! by mckorr · · Score: 2, Informative

    2.7182 is e, not pi...

  10. Totally misleading title by Florian+Weimer · · Score: 2

    The original McAfee blog article says this (why not link to the original resource in the first place?):

    However, we’ve seen only the PC version in a downloader/dropper in the wild.

    So this is not different at all from the Java-based Facebook suicide Trojan horse which circulated in Spring 2010 (but was not spotted by most AV companies back then).

  11. Re:Significance by clang_jangle · · Score: 3, Insightful

    I think my original point stands though. If it's so easy to compromise Linux, why isn't it being done? Why can't the very people who like to crow about how easy it is (and even hurl accusations of "security through obscurity") just put up or shut up?

    I think we both know the answer to that. The PEBKAC is still there for the average user, no matter which system they use. But in Linux the system isn't designed to make it trivial to run any code from any location, as windows historically has been -- it's a bit better with 7 than it was previously, and XP SP3 is also a major improvement over previous versions. But it's still fairly trivial to generate windows malware, going by the sheer volume of infected machines. I personally have one person in my contacts running win7 whose machine is spamming me daily. Oops. Windows is still the lowest hanging fruit, and as criminals are pretty much always lazy people looking to get rich quick that's what they go for. When that's gone, they'll move on to other scams (assuming OS X has been locked down, otherwise that's hanging a bit low as it is). They will not learn to be 1337 for reelz and finally code that Linux virus. That's not the criminal MO.

    --
    Caveat Utilitor
  12. Re:RUN FOR YOU LIVES !! by AVee · · Score: 2

    It's in the wild !! A Java ... a what??

    A java program that takes the 'Write once, run anywhere' mantra to the next level.

  13. Re:and the antidote is... by TheLink · · Score: 2

    And noscript is not used by the "patients" who need it most, and are the main targets of botnet operators.

    Even if you pwn a noscript user, that user is far more likely to notice that he/she is infected, and eventually fix that. These users are the minority, so the botnet operators don't care.

    FWIW, I've written a cross platform agent (unix/linux) that scans for hardware/software, connects to a remote server, and can download new instructions. This is legit, for work, and is for admins to do software and hardware asset management. The same agent runs on OSX, AIX, Solaris and many Linux distros.

    A botnet client wouldn't need root access, sending spam or helping to DDoS does not need root permissions. Most unix/linux machines allow normal users to set their own cron and at jobs, so that takes care of rerunning the bot after a reboot (there are other ways too).

    So anyone who thinks a linux/unix botnet client would be difficult to create or "install" is ignorant or delusional.

    The fanatics have got their heads firmly stuck in the sand.

    --
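TheLink's point that an unprivileged user's own cron or at jobs are enough to survive a reboot is also what makes those jobs a cheap place for an administrator to look. The script below is an added example, not code from the post or from any product mentioned in the thread: it parses crontab text in the usual five-field or `@reboot` form and flags jobs that start at boot, run out of world-writable or hidden dot-directories, or hand a .jar to the JVM from such a place. The three users' crontabs are constructed sample input; on a real host you would feed it the output of `crontab -l` for each account (or the files under the cron spool directory) and review `atq` the same way. The path heuristics are this example's own assumptions, not a standard.

```python
import re

# Directories any local user can write to; a scheduled job living there deserves a look.
USER_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
# A hidden directory component such as /home/alice/.cache/.x/ (assumption: unusual for real cron jobs).
HIDDEN_DIR_RE = re.compile(r"/\.[^/ ]+/")
# Interpreter or JVM invoked as the command token itself (not a script whose name ends in .sh).
RUNTIME_RE = re.compile(r"(^|/|\s)(java|python[0-9.]*|perl|bash|sh)(\s|$)")


def parse_crontab(text: str) -> list:
    """Return (schedule, command) pairs, skipping comments, blanks and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):   # e.g. MAILTO="" or PATH=...
            continue
        if line.startswith("@"):                          # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)                   # five time fields + the command
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        jobs.append((sched, cmd.strip()))
    return jobs


def audit_crontab(user: str, text: str) -> list:
    """Flag jobs whose trigger or location suggests user-level persistence."""
    findings = []
    for sched, cmd in parse_crontab(text):
        location_reasons = []
        if sched == "@reboot":
            location_reasons.append("runs at boot (persistence without root)")
        if any(p in cmd for p in USER_WRITABLE):
            location_reasons.append("executes from a world-writable directory")
        if HIDDEN_DIR_RE.search(cmd):
            location_reasons.append("executes from a hidden dot-directory")
        if not location_reasons:
            continue   # a JVM or interpreter on its own (e.g. a packaged agent in /opt) is ordinary
        reasons = list(location_reasons)
        if ".jar" in cmd or RUNTIME_RE.search(cmd):
            reasons.append("launches an interpreter/JVM rather than a named program")
        findings.append({"user": user, "schedule": sched, "command": cmd, "reasons": reasons})
    return findings


def audit_all(crontabs: dict) -> list:
    """Run audit_crontab over a {user: crontab_text} mapping."""
    out = []
    for user, text in crontabs.items():
        out.extend(audit_crontab(user, text))
    return out


# --- constructed sample input: three users' crontabs, not taken from any real system ---
SAMPLE_CRONTABS = {
    "alice": """# constructed sample
MAILTO=""
0 2 * * * /usr/bin/backup-home.sh
*/5 * * * * /usr/bin/java -jar /home/alice/.cache/.x/agent.jar >/dev/null 2>&1
""",
    "bob": """@reboot /tmp/.sys/update.sh
30 7 * * 1-5 /usr/bin/fetchmail
""",
    "carol": """15 3 * * * /usr/bin/java -jar /opt/asset-agent/agent.jar
""",
}


if __name__ == "__main__":
    for f in audit_all(SAMPLE_CRONTABS):
        print(f"{f['user']}: [{f['schedule']}] {f['command']}")
        for r in f["reasons"]:
            print("   -", r)
```

Note what the heuristic does not do: carol's job also launches the JVM, but from a normal install location on an ordinary schedule, so it is not reported. That matches TheLink's own legitimate asset-management agent and is the reason the runtime check only annotates a finding rather than creating one; the signal is where the job lives and when it fires, not the language it is written in.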