Java Web Attack Installs Malware In RAM
snydeq writes "A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to Kaspersky Lab. 'What's interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer's memory. ... It's ideal to stop the infection in its early stages, because once this type of "fileless" malware gets loaded into memory and attaches itself to a trusted process, it's much harder to detect by antivirus programs.'"
If this malware resides exclusively in RAM without any footprint on the HDD or BIOS, then how does it survive a cold boot?
That's how you solve all problems in Winders, right?
It doesn't have to. It contacts the C&C server where someone presumably decides whether to install further bots or more resident exploits.
The exploit seems to be more about stealth distribution and about dropping other malware. This makes sense because if a dropper is detected as malicious, it becomes useless due to its detection. (You can safely assume anything using a dropper is malicious)
This means that antivirus software should in theory only be able to detect the actual dropped malware. Any new malware could have had a field day with this exploit because both the dropper and the malware would not have been detected.
From my understanding of the article it actually dropped the Lurk trojan but I get the feeling it could drop anything the C&C wants it to.
But how would it do that? Isn't Java sandboxed? Or is it only sandboxed on more recent operating systems (Win7 & OS X 10.7)?
After reading a bit on the referenced exploit (CVE-2011-3544), I find it hard to believe that the app was all in memory. The exploit involves an unsigned applet gaining higher privileges. Things may have changed since the last time I checked, but shouldn't the jar file for the applet that copied the DLL into memory be the new file sitting in the browser cache that you're looking for? The DLL could retroactively delete the trace, but at some point the jar is what the anti-virus should be looking for, since it has to be loaded before the DLL can be.
...all I need to do is reboot?
These are fairly common, actually.
Well, at least in the first steps of the malware - load a payload into memory that disables antivirus. Then you do the filesystem changes after the antivirus can no longer stop you.
Thus why antivirus isn't nearly as important as due diligence in using your computer. This means browsing without all of the fancy addons, generally. Or, at least, if you must have them, keep them up to date.
Every antivirus product I've used claims to scan memory for viruses (usually as the first step of a full scan). If it's not looking for these RAM based viruses, then what is it looking for?
Ever since those fucking banner ads starting using Java exploits to do redirects and run fake malware scans, I've kept Java off except for the incredibly rare occasion.
It doesn't mean much now, it's built for the future.
Okay, so it's java-based. Does this mean that blocking scripts on affected pages prevents the drive-by download?
Sounds like we need to write a GUI in VB6 to get rid of it...
Is this a virus, or a new Command & Conquer game we're talking about?
An antivirus company sends two messages: 1) Stay in RAM and be undetected; 2) Attach to a trustworthy process and they'll miss you. I wonder what are they not telling us?
Remember Commodore 64? Its boot record was kept separate from the OS. So no matter what you did when you mucked around, you could boot again. Microsoft should provide two modes: A) "Wreckless Compatibility Mode" -This is for legacy issues and B) "Secure OS mode", where no one can write to the boot sector or start up, and you enter a special boot mode for cases of drivers.
I think by making it impossible to write over the OS, or alter OS files, then when you boot you shouldn't worry of a virus hosing your boot. Sure, a virus could write over all your program files and screw with your data, but I think the OS itself should never be at risk. Someone else can figure out how to make program files secure. Maybe they could say things can't escape out of their parent install directory.
Am I naive to think this sort of thing should be possible?
Why do we still use this shit?
The idea of loading malware into memory and not placing it in file is hardly new. In fact, the idea goes back over 20 years.
Back in the dark ages of networking, one of the earliest deliberately malicious worms was WANK (Worms Against Nuclear Killers) which was unleashed back in October of 1989. It was a VMS based worm that attacked via DECnet (no laughter...DECnet was more popular than IP at one time.)
WANK attacked systems on the old NASA SPAN (Space Physics Analysis Network) and the DOE HEPnet (High-Energy Physics Network). It was quite effective in not writing into a file, and both notified C&C of the successful attack and then launched attacks on other systems. The authors, widely believed to be Australian environmentalists, had a very inventive way of downloading and bootstrapping into memory, but then made some dumb coding errors that greatly limited the damage and spread of the worm. The story of WANK is recounted in "The Underground" by Suzanne Dreyfus, and the worm itself is discussed in this article. Having contributed to the book and having done the first analysis of the worm in parallel with analyses by Ron Tencati and John McMahon of NASA, I believe that the information is correct. (That Julian Assange guy does get around, doesn't he.)
As the article points out this is a known vulnerability. And there has been a patch available since October 2011.
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
The infoworld article mentions that the applet used a "rogue" DLL. Where did that come from? If it didn't install any files on the system, why is there a "rogue" DLL on the system? Did it just "install" that DLL into memory also? And if the malicious applet code managed to get escalated privileges, why didn't it install something on the drive? And isn’t the term “install” being misused in the article? In fact, isn’t it true Mr. Infoworld Article person, that the alleged malware was merely “loaded” into memory? The truth is there was no flight leaving Guantanamo Bay, you doctored the flight logs, you ordered the code red, you framed OJ Simpson
UEFI Secure Boot.
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things like domain names to a file in the root of the browser bundle."
https://trac.torproject.org/projects/tor/ticket/5417
Ticket #5417 (new defect)
RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on
Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation
Description
TBB starts in debug mode regardless of whether the --debug switch is used or not. This is caused by a small bug on line 208 of RelativeLink.sh, where it says
if [ "${debug}" ];
where it should say
if [ "${debug}" == 1 ];
or
if [ ${debug} -eq 1 ];
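The difference between the three tests in that ticket, as an added example that is not part of the ticket or of the Tor Browser Bundle scripts. It assumes, as the proposed fixes imply, that the script stores 0 or 1 in the variable; the function names are made up for the demonstration.

```shell
#!/bin/sh
# Added example: why `[ "${debug}" ]` always fires when the variable holds 0.
# `[ string ]` is true for any non-empty string, so "0" counts as "on";
# only a comparison against 1 distinguishes the two.
# Assumption (not stated in the ticket): the script stores 0 or 1 in $debug.

# The buggy test from the ticket: prints "on" for any non-empty value.
debug_enabled_buggy() {
    debug="$1"
    if [ "${debug}" ]; then echo on; else echo off; fi
}

# The corrected numeric test: prints "on" only for 1. An empty or
# non-numeric value makes `-eq` fail with status 2 and a message on
# stderr; the redirect silences the message so the result is just "off".
debug_enabled_fixed() {
    debug="$1"
    if [ "${debug}" -eq 1 ] 2>/dev/null; then echo on; else echo off; fi
}

# Portable string form: `==` inside `[ ]` is a bashism, `=` works in
# every POSIX sh, including the dash that Debian-based systems use.
debug_enabled_string() {
    debug="$1"
    if [ "${debug}" = 1 ]; then echo on; else echo off; fi
}
```

Running `debug_enabled_buggy 0` prints "on", which is the ticket's symptom; both corrected forms print "off" for 0 and "on" only for 1.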
Move along, memory resident viruses/exploits/etc. are old hat.
A lot of motherboards have something like that already. Trying to write anything to the boot sectors gets an error and a prompt to continue. Unfortunately most of them default to the off setting.
Your logic is correct but flawed. The C64 had the entire OS on a chip, and it never got changed at any point for the next boot. A HDD is a different story altogether, as it changes constantly when you install apps that start up on boot, updates, etc. A C64 could never do that as its BIOS / OS is read only.
UEFI isn't going to protect the operating system from being modified; it's going to prevent the computer from booting if said operating system gets modified, which is pretty much exactly the opposite of what we wanted.
This requires there to be no code that loads before the code that locks down the OS. UEFI Secure Boot is part way there, but there's still the option to write to keyboard/video memory and persist across a reboot, then automatically enter an insecure mode, install the rogue bootloader, and then load the expected OS on top, applying the appropriate secure patches as if the software was an external user.
As long as we've got buggy code, input devices and device drivers, there will be ways of shoehorning a bootkit onto a piece of hardware.
Of course, considering how doing this is orders of magnitude harder in effort spent than just fooling the operator into letting the software run, it will continue to mostly be done for industrial espionage/targeted reasons, not for adding home users to an uberbotnet.
As elsewhere, is it now slashdot policy to only mention '`computer` malware ..
"After seizing all necessary privileges on the victim computer, the exploit does not install malware on the hard drive using Java. Instead, it uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process"
“but do you know how to check and is there any point checking when we already know NSA/KGB, etc etc have the globe encircled with satellites?”
try lining your windows with tinfoil and check it after a few months. You’ll discover straight LINES and DOTS (tiny peep holes). This is with the tinfoil on the inside of the windows’ surface, in-house/apartment. What causes this?
I believe most, if not all consumer computers and devices are, if not monitored, swept and mirrored by big bro using satellite technology.
One anonymous poster to pastebin, claiming to be representative of Mossad, fired a shot across the bow of Anonymous and other hackers by saying, paraphrased, “All of your hard drives are mirrored in (locations A,B,C as I forget which countries were mentioned) certain places on Earth anyway.”
I find this to be true, I’ve used Microsoft’s SysInternals programs to monitor processes and discovered my drives being swept, a chat program running I never installed and could find no trace of, files where they had the most interest were mp3 and graphics files, but they scraped the whole drive, and an iso creator/mirroring utility was running.
You only make it easier for them if you willingly install video streaming programs (VLC) with command line counterparts, music programs with command line counterparts, Office programs, which I noticed PDF files were being made in the background, and all of this activity was happening when I was monitoring a computer isolated from any wired/wireless/LAN network(s).
Google: Subversion Hack archive for a glimpse into this mysterious activity
It’s all about the waves.
*****
“Well, if this is true or not, I cannot tell, because I use GNU/Linux,”
The same is true for *nix, you just have to have the right monitoring tools and know what to look for inside binaries, which are easily messed with by injecting malware into them and tools used by “THEM” to obscure the code injected into the ELF binaries so as to avoid being picked up as malware.
One simple command you can use to check for modifications to your files:
sudo find /usr/bin -mmin -60
That will search /usr/bin for files modified within 60 minutes, adjust the command as needed for other directories and time frames.
ALWAYS generate sha256sums or better (NOT MD5 or SHA1) of your initial install and the LiveCD and store them on a READ ONLY media like a once writable CDROM. The free utility known as “md5deep” offers more than md5 checksum generation and unlike the simple tools like sha256sum, sha1sum, etc., md5deep’s options offer RECURSIVE and directory stripping options, perfect for backup on CDROMs.
Here’s one example out of many mysterious *nix trojans floating about:
- Linux/Bckdr-RKC
- http://caffeinesecurity.blogspot.com/2012/02/linuxbckdr-rkc-still-undetected.html
“For those who aren’t familiar with this trojan, an anonymous internet user has taken the time to put together a Pastebin post highlighting my research on this trojan”: http://pastebin.com/DwtX9dMd
More questions without answers:
- Malware for Windows, *nux (and MacOSX?) which HIDES in FIRMWARE on routers, PCI and AGP cards and devices (including CD burners), system BIOS, MBRs, ethernet (nic) cards most if not all surviving hard drive wipes/formats and preloaded again and updated âoethrough-the-airâ mysteriously or when youâ(TM)ve plugged into the net.
- Ethernet cards using packet radio modules/protocols
- Linux distributions including LiveCDs including more modules than they need to run, especially for LiveCD purposes, including build essentials, dpkg-dev, ISDN drivers/modules (sometimes in multiple places, as binary f
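The two checks the post above recommends (a recently-modified-files sweep and a checksum baseline kept on read-only media), as an added example that is not from the post or from the md5deep project. It uses only coreutils/findutils (find, sha256sum, sort, cut, comm, grep, sed, mktemp) in place of md5deep, and the function names and the MODIFIED/ADDED/REMOVED report format are my own. Note the unit of find's time tests: -mtime counts days, -mmin counts minutes.

```shell
#!/bin/sh
# Added example (not from the post above). A minimal "sha256 baseline on
# read-only media" workflow with coreutils only: build a SHA-256 baseline
# of a tree, later report MODIFIED / ADDED / REMOVED files against it, and
# list files touched in the last N minutes. Assumes GNU or BusyBox find,
# sha256sum, sort, cut, comm, grep, sed and mktemp; nothing network-facing.
export LC_ALL=C   # byte-order sorting, so sort and comm agree

# make_baseline DIR OUT: one "hash  ./relative/path" line per regular
# file, sorted. Paths are relative to DIR so the baseline can be checked
# from a rescue/live system where the tree is mounted somewhere else.
make_baseline() {
    dir="$1"; out="$2"
    ( cd "$dir" && find . -type f -exec sha256sum {} + ) | sort > "$out"
}

# verify_baseline DIR BASELINE: print one line per difference and return
# 0 only when the tree matches the baseline exactly. A sha256sum line is
# 64 hex digits plus two spaces, so the path starts at column 67.
verify_baseline() {
    dir="$1"; base="$2"
    cur="$(mktemp)"; bpaths="$(mktemp)"; cpaths="$(mktemp)"; report="$(mktemp)"
    make_baseline "$dir" "$cur"
    cut -c67- "$base" | sort > "$bpaths"
    cut -c67- "$cur"  | sort > "$cpaths"
    {
        comm -23 "$bpaths" "$cpaths" | sed 's/^/REMOVED /'
        comm -13 "$bpaths" "$cpaths" | sed 's/^/ADDED /'
        # hash+path lines that exist only in the current tree but whose
        # path the baseline already knows: same file, different content
        comm -13 "$base" "$cur" | cut -c67- | grep -Fxf "$bpaths" | sed 's/^/MODIFIED /'
    } > "$report"
    cat "$report"
    n="$(wc -l < "$report" | tr -d ' ')"
    rm -f "$cur" "$bpaths" "$cpaths" "$report"
    [ "$n" -eq 0 ]
}

# recent_changes DIR MINUTES: regular files modified within the last N
# minutes. -mmin is the minutes test; -mtime -60 would mean 60 days.
recent_changes() {
    find "$1" -type f -mmin "-$2"
}
```

For the check to mean anything, run make_baseline once from a clean live system right after installation, keep the baseline file on the write-once media the post suggests, and run verify_baseline from that same live system later, so that the find and sha256sum binaries doing the checking are not themselves part of the tree under suspicion.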
OK. The usual question. Does this run on Linux? (or Mac)?
It mentions a DLL which is Windows only so I assume Windows only?
From TFA:
"The attack code loaded an exploit for a known Java vulnerability (CVE-2011-3544), but it wasn't hosted on the affected websites themselves. Instead, it was served to their visitors through banners displayed by a third-party advertising service called AdFox."
This means that a service similar to doubleclick is the culprit. It is high time that the user should have a control surface in the browser that blocks ad redirects in java pop ups. What would be really nice is if you could blacklist the bastards within a browser control interface....something like an about:config setting specifically for java with a text file blacklist that the user could edit and a cooperative system for blacklist information. For instance, if I were able to block java based redirects from any site in a .ru domain then surfing Russian porn would be like wearing a condom. Apparently now if you surf Russian news sites you get hosed just as bad.
Thank God Google took over doubleclick and the Russian mob didn't!
I know I am talking old school pro-active work, but it is high time that we get together and make these .ru domains behave in a civilised manner. You can bet if there was a way to quickly blacklist this kind of shit with java updates it would disappear overnight. But then again nowadays who knows, Larry might be funding some of these guys; nothing about the wild wild web and how the Russian mob hackers work would surprise me!
Microsoft should provide two modes: A) "Wreckless Compatibility Mode"
While it would be good to have a mode that prevents wrecks, I think you meant "reckless".
this discussion about frequent java exploits and the consensus was to uninstall java, and then press on with life, and finally summing up with facts about the true amount of people who actually needed java installed to get their work done is extremely low, and out of them they could probably get by with installing java, get work done, uninstall java.
Remember
cripple/disable flash
uninstall java
block frame iframe xframe
cripple/disable javascript
uninstall silverlight
use a hosts file and block abc, bbc, cbs, cnn, fox, pbs, (ms)nbc, cnet, kaspersky, and threatpost
I remember. So, why are you browsing with java again?
yeah, have fun with win8 arm.
"what? I can't install a virtual cd device that'll look exactly like a real cdrom drive?"
(anyways, the files.. if they can't be altered, then ms can't hot update them either)
Aren't they doing that with Windows 8, and getting slapped around by all the linux guys over it by saying "OMG they're locking us out of our own hardwarez by requiring the secure EFI bootz!"
Except that you can repair it from the UEFI shell, or a UEFI binary written to replace the infected file with a clean one on the installation media / over the wire.
Windows is really what the problem is here.
Why do we still use this shit?
Of course, considering how doing this is orders of magnitude harder in effort spent than just fooling the operator into letting the software run, it will continue to mostly be done for industrial espionage/targeted reasons, not for adding home users to an uberbotnet.
The interesting fact about software is that it only needs to be written once.
The Atari 1040ST had its operating system on EPROMs. I have yet to see a computer virus that came equipped to erase and reprogram an EPROM; it takes UV light to erase one! EEPROMs on the other hand are vulnerable to exploits! Of course TOS was quite small compared to modern OSes!
Interesting - I didn't know that bash worked that way. Contrary to C and PHP. But I usually use the == anyway.
The interesting fact about software is that it only needs to be written once.
Indeed... the continuing prevalence of Conficker shows us that. But what we're talking about here is targeted attacks using both exploits and social engineering. If I received an email containing a PDF claiming to contain the auditor's edits of Oracle's 2011 tax statement, for example, I'd probably suspect something fishy was going on. Plus, the rootkit likely wouldn't run on my computer, and the database it is attempting to gain access to sure isn't on my subnet.
The other interesting fact about software is that it only does what you tell it to.
The orders of magnitude of difficulty are to do with fooling the operator and exploiting the environment, not to do with writing the software.