Slashdot Mirror
Multiplatform Java Botnet Spotted In the Wild
It's fun sometimes to be smug because you are ("one is") using an operating system less susceptible to malware, or at least less targeted by malware creators, than is Microsoft Windows. Now, reader Orome1 writes with word of a Java-based, equal-opportunity botnet Trojan, excerpting from Help Net Security's report: "'IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,' explains McAfee's Carlos Castillo." So far, no mention of a Linux version, though.
No mention of linux support. Do we always have to come last?
If you rtfa, the software (trojan) has to be installed somehow. The payload has to get on a computer and be executed.
FTFA: The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs...However, we’ve seen only the PC version in a downloader/dropper in the wild.
Yes, I can run a Java-based botnet client (it may be one of the first) but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector.
Custom electronics and digital signage for your business: www.evcircuits.com
AFAIK, any OS that allows a user to install software is susceptible to malware.
Anyone smugly thinking they aren't is an idiot.
Wake me up when a worm has been discovered in the wild targeting OS X or Linux
Read that again. Source code.
Also from the article:
In other words, it may be source compatible with Linux but there is no Linux binary in the wild. The jar files might run on Linux but the key component needed to download and install it is a Windows binary.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
So typical. Program is written in Java but packaged so it is Windows only defeating the main purpose of using Java in the first place.
Any insufficiently advanced magic is indistinguishable from technology.
I believe this thing is called a "javawocky."
You don't enable or disable Java. If it's installed on your system, it's available to use. You can, however, enable or disable the Java applet plugin for your web browsers, which is probably what you're talking about and isn't necessarily what this is about (TFA didn't mention applets or browsers). Java applications (not applets) can run on your system as long as you have Java installed, regardless of whether you have the browser plugins enabled or not, just like how you can open a PDF if Adobe Reader is installed, regardless of whether you have the Adobe Reader browser plugin enabled or not. So in theory, if they found an attack vector for your OS, having the Java plugin disabled wouldn't stop this from running on your system at all.
Getting it onto your system is the trick, though. If they found a hole in the Java plugin's sandbox, they could potentially exploit that using an applet and get the code onto your system. Disabling the plugin prevents that possibility, but if they were trying to push this via browsers there are lots of other plugins and holes are found in browsers all the time.
That being said, I don't bother with the Java plugin either, because applets are crap and I have no use for them and agree with you about sites requiring them (and I'm a full-time Java developer)
They just gave Oracle a new slogan for Java, "Write once, pwn everywhere!"
Monstar L
In this case it can theoretically operate on other platforms, but it cannot propogate to them. One could install it intentionally perhaps, but it won't make its way onto the Linux box against the system administrators will.
Thus it's called a Trojan - not a virus. It won't self-replicate and transmit to computers on other OSes as well...
Browsing at +1 - no ACs, I ignore their posts. So refreshing!
I am a linux user but the wife prefers Windows. On her Windows box I have installed Secunia PSI which automatically updates most of the third party software on the system. If it does not update something, it informs her so she can do it manually.
The Linux "installer" is called Firefox.
;).
Google for firefox exploit linux. Or firefox vulnerability.
As long as attackers can run arbitrary code of their choice they can install botnet software.
Even if it means tricking the user to run it... Which is what botnet operators do all the time to Windows users.
The "linux" fanatics just like to believe Linux is more secure when there are so many exploited Linux servers[1] out there.
Go ahead and blame the administrators and users, but just imagine the sort of users you have "administering" a typical Windows machine.
They are the very users botnet operators target.
If OSX and "Desktop Linux" become very popular, you might get malware written in perl for more cross platform goodness.
[1] There may not be as many exploited Linux desktops, but I suspect there may be more Linux servers than desktops in the world
I think my original point stands though. If it's so easy to compromise Linux, why isn't it being done? Why can't the very people who like to crow about how easy it is (and even hurl accusations of "security through obscurity") just put up or shut up?
I think we both know the answer to that. The PEBKAC is still there for the average user, no matter which system they use. But in Linux the system isn't designed to make it trivial to run any code from any location, as windows historically has been -- it's a bit better with 7 than it was previously, and XP SP3 is also a major improvement over previous versions. But it's still fairly trivial to generate windows malware, going by the sheer volume of infected machines. I personally have one person in my contacts running win7 whose machine is spamming me daily. Oops. Windows is still the lowest hanging fruit, and as criminals are pretty much always lazy people looking to get rich quick that's what they go for. When that's gone, they'll move on to other scams (assuming OS X has been locked down, otherwise that's hanging a bit low as it is). They will not learn to be 1337 for reelz and finally code that Linux virus. That's not the criminal MO.
Caveat Utilitor