Slashdot Mirror


Web Exploit Found That Customizes Attack For Windows, Mac, and Linux

phaedrus5001 writes with this quote from Ars: "Security researchers have found a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform. The attack was spotted by researchers from antivirus provider F-Secure on a Columbian transport website, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked if the user's computer is running Windows, Mac OS X, or Linux. Based on the outcome, the attack then downloads the appropriate files for each platform."

204 comments

  1. Columbian transport website? by Kenja · · Score: 4, Funny

    Is that where the "domestic pharmaceutical procurement facilitators" meet?

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Columbian transport website? by Anonymous Coward · · Score: 2, Informative

      This is an open source tool called SET; it's used for penetration testers -- Applet code here -- https://svn.secmaniac.com/social_engineering_toolkit/src/webattack/java_applet/

    2. Re:Columbian transport website? by Anonymous Coward · · Score: 2, Insightful

      Yep, just more hype and FUD clickbait.

      It's an ordinary Java applet, with all the rights and controls of every other Java applet, except this applet was a pen-tester written by TrustedSec, then found by "researchers" from F-Secure. It downloads a file specific to the OS it's running on and....
      ...no more information from F-Sec

      This has beat up written all over it.

  2. Blah by mystikkman · · Score: 5, Funny

    When are the malware writers going to support BSD?

    1. Re:Blah by leaen · · Score: 1

      They do not support HURD

    2. Re:Blah by sconeu · · Score: 0, Offtopic

      Never. Netcraft has confirmed it... BSD is dead.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:Blah by MickyTheIdiot · · Score: 1

      They don't support Plan 9? What BS.

    4. Re:Blah by kiriath · · Score: 3, Informative

      Well, OS X is built on BSD so technically they kinda do?

    5. Re:Blah by Gerzel · · Score: 3, Interesting

      No it isn't. The largest BSD distro is Macintosh!

    6. Re:Blah by hairyfeet · · Score: 5, Interesting

      The sad part is the BSD guys would write them a thank you note for bothering to remember them.

      So can we ALL just accept now there is no "Magical OS" that makes one immune from malware please? All OSes are EXTREMELY complex piles of code, having to support tens of thousands of drivers, scheduling and tasking, hell I doubt even Linus can tell you when you launch program Foo every single interaction that is taking place in the system, there is simply more there than any one person can know.

      Now that the retard that made XP run by default as admin has been sent packing on the short bus all three major OSes have limited users, hell Windows even has the browser run as a low rights entity to help lower the risk. Now that all three major OSes have common sense defaults ultimately it all comes down to the USER and whether they will take the time to actually think or will simply allow anything to run. I've seen it a billion times in the shop, a fully patched and AVed machine get infected NOT because of the OS but because it was the USER that refused to listen to the warnings being given him/her and choosing instead to run it anyway.

      At the end of the day the only foolproof way to get rid of malware is to take away the user's right to control their own machine, to instead stick them in a walled garden where only approved apps get run. I think we can all agree having some corporation own our machines would be a BAD thing so all we can do is warn users, try to make ever hardened systems, and be ready to clean up the messes when they happen. After Android became a hit it was only a matter of time before Linux got put in the crosshairs and now that day appears to be here and I for one will be interested to see how the community reacts.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:Blah by scialex · · Score: 2

      We'll show them; The year of the Plan-9 desktop is at hand.

    8. Re:Blah by AliasMarlowe · · Score: 4, Informative

      They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???

      Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    9. Re:Blah by sconeu · · Score: 1

      Whoosh.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    10. Re:Blah by Compaqt · · Score: 5, Insightful

      I haven't tried the exploit, but again:

      On my machine, all the important stuff is in the /home directory.

      There's nothing really interesting in the "system". I don't even really care about the system. It's just an ISO download away from reinstall.

      My files, on the other hand, are what's important.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    11. Re:Blah by Compaqt · · Score: 1

      What should desktop Linux users do to avoid the malware from the article?

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    12. Re:Blah by Em+Adespoton · · Score: 3, Insightful

      They don't even support Linux properly. Even if it's actually effective on Linux, you'd have to explicitly agree to run the exploit and then type in your password to install the stupid thing. And that would only work if you're in the sudoers group or logged in as root; otherwise, it's no go. What kind of malware is that???

      Interesting note: although example screenshots were given for the malware on Windows and OSX, there were none for Linux. Maybe it does not work at all on Linux, and the code people are foaming over is just a leftover fragment for identifying the client OS.

      Same argument goes for Windows and OS X -- and the argument is wrong. You can have software that happily installs in your home directory and has full access to userland files -- which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

      From what I've seen, the stuff normally dropped on Linux systems tends to be shell scripts and the like, and they don't tend to look like much in screen shots.

    13. Re:Blah by Em+Adespoton · · Score: 1

      Never. Netcraft has confirmed it... BSD is dead.

      Netcraft still exists?

    14. Re:Blah by Anonymous Coward · · Score: 0

      OS X has the same problem.

    15. Re:Blah by Anonymous Coward · · Score: 1

      Disable/remove the Java plugin from your web browser like you should have done ten years ago.

    16. Re:Blah by Pf0tzenpfritz · · Score: 2

      Now that all three major OSes have common sense defaults ultimately it all comes down to the USER [...] and I for one will be interested to see how the community reacts.

      Pah... We'll just patch the user each first tuesday of the month. No big difference...

      --
      Oh, the beautiful gloss of greality!
    17. Re:Blah by Anonymous Coward · · Score: 0

      In Soviet BSD, Netcraft kills you!

    18. Re:Blah by wmbetts · · Score: 4, Insightful

      1) Disable Java by default. I have yet to have a website that I use regularly not work, because Java doesn't run. Whitelist the sites you want to run Java on.

      2) Don't blindly click and enter your password at every prompt

      Those two things alone would make you immune to this.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    19. Re:Blah by lipanitech · · Score: 1

      The problem with any OS is once it gains market share it becomes a target. Since Mac OS is running a stroked BSD would not take much to make a pure BSD hack.

    20. Re:Blah by Anonymous Coward · · Score: 1

      Include Adobe Acrobat and Flash Player on point one and you're saiyan.

    21. Re:Blah by Baseclass · · Score: 2
      --
      ^^vv<><>BA
    22. Re:Blah by Anonymous Coward · · Score: 0

      It sounds to me like desktop Linux users are already immune to this because they aren't or shouldn't be downloading stuff from the Internet. Users who would fall prey to this attack are users not capable of comprehending how to install something on GNU/Linux in the first place. For those slightly more technical they should know the only safe place to get software is through their repository (Ubuntu Software Center, etc). I'd be doubtful this is an issue for ANY GNU/Linux user. On the other hand I wouldn't for one minute be surprised if all Mac/MS Windows users were vulnerable. It's simply the design which makes them vulnerable. iOS users are not vulnerable to this attack because Apple cloned the repository system and locks out freedom. On the other hand that does make them more vulnerable to attack as there isn't an ability for third parties to monitor the source code and limited ability for Apple to pick up even unsophisticated malicious code (all one probably has to do is not have the malicious code activate until after a certain date by which time Apple has approved said program). In the repository system there is the opportunity to apply trust models whereby users don't become maintainers of code until they have two other maintainers trust them (this is how it works in Debian). Most others are commercial distributions derived from Debian/and or Ubuntu. Both of which we can assume have some level of trust given the derived versions, pre-screened developers (presumably Canonical requires some level of this- ie resume), and community oriented development model (on all critical pieces).

    23. Re:Blah by strikethree · · Score: 3, Interesting

      which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

      I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the users own directory.

      You have backups of /home right? So what is the problem with restoring it. Losing /home is NOT the worst thing that can happen to you. Having a virus that you can not detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland so can we let this meme die now please?

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    24. Re:Blah by Anonymous Coward · · Score: 0

      which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

      I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the users own directory.

      You have backups of /home right? So what is the problem with restoring it. Losing /home is NOT the worst thing that can happen to you. Having a virus that you can not detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland so can we let this meme die now please?

      If I understand, I think these people are worried not about losing their files..... but about something retrieving their files?

    25. Re:Blah by ozmanjusri · · Score: 1

      it was only a matter of time before Linux got put in the crosshairs and now that day appears to be here

      Perhaps.

      But being in the crosshairs isn't the same as being hit. I haven't seen any evidence this "exploit" actually works on Linux.

      For a start, there's only this one article with almost no real information, repeated all over the web. There are no Linux screenshots, and all I can glean from the text is that the malware is actually an open-source pen-testing tool called the Social-Engineer Toolkit (SET), which has always included the Linux compatibility code. In fact, it's no different from any other self-signed Java applet which a user can choose to run by accepting the prompt. SET is being used to download OS-specific payloads, but there's no information about the Linux one except that it's 1Mb in size. It could be a pic of the Colombian transport guy's nanna for all we know.

      It's always disappointing to see reports like this hyped up on Slashdot. I keep hoping people here would be a little more informed than average, because this isn't an advanced exploit, or really even an exploit. It's a Java applet, and the "advanced exploit" part is nothing but some if-else code to download an OS-specific file. There's nothing interesting or exciting about that - Java had that capability since it was first built.

      There's no doubt it's possible to write malware for Linux, but the jury's not in on this one being it.

      --
      "I've got more toys than Teruhisa Kitahara."
    26. Re:Blah by r_naked · · Score: 1

      "At the end of the day the only foolproof way to get rid of malware is to take away the user's right to control their own machine, to instead stick them in a walled garden where only approved apps get run."

      That is exactly what I had to do for my parents. I created four non-admin accounts:

      1 - Games (this is for my mom to play online games)
      2 - Mom (This is the account my mom uses for email (whitelisted), and dumping pics, etc). This account has no access to a web browser.
      3 - Dad (ditto for this account).
      4 - Bank (This account has a browser that is pointed at a simple web proxy that has a whitelist of addresses. They can only get to their bank, and various other bill pay sites)

      I trained them to use the "Games" account if they want to browse the web for "fun". I told them to feel free to click on anything they want. If it prompts for an admin password, not only do they not have it, but if they did, they know they should hit cancel.

      This setup has worked great. I was stopping by to check their machine about once a week just to be sure, but I haven't even had to wipe the "Games" account in a LONG time, but when I do the rest of the machine is clean.

      Is this overkill? Maybe, but they are 70+ years old, and it makes my life a WHOLE lot easier.

      Windows 7 is an outstanding OS, it is real shame that MS is fucking it all up with Win 8.

      -- Brian

      --
      -- http://anonet.org -- The internet the way it was meant to be. Check it out, you may be surprised.
    27. Re:Blah by shutdown+-p+now · · Score: 1

      ~ or %HomePath% is where people keep their documents - including things such as, say, filled out tax returns, and other things that have tons of personally identifying information in them that is quite valuable for the kind of people that tend to run malware. Also, a lot of people either use webmail with saved password (or "stay logged in"), or a mail client configured to fetch everything by default with no password prompt, which again makes the contents of your emails directly accessible to any malware running under your account.

    28. Re:Blah by Alastair+Gilfillan · · Score: 1

      They don't even support Linux properly.

      If you can't get it to run normally, try WINE unstable. Possibly one less reason to keep a dual-boot...?

    29. Re:Blah by Anonymous Coward · · Score: 0

      Scripting again. Whose idea was it to trust random servers to run JIT code on the client?

      Click on one link and a dozen ad servers run code locally.
      Read one hundred pages a day and a thousand servers are contacted. why settle for a single point of failure or a single attractive nuisance...

      No script does "break" sites including BofA who in their infinite wisdom has decided scripting *and* Flash are helpful. /facepalm.

       

    30. Re:Blah by Anonymous Coward · · Score: 1

      Actually the type of malware which aims at destroying your files or simply annoying you is the exception these days. What counts is whether the malware can run (most home directories are on file systems mounted with execute rights), has access to the network so it can be part of a botnet or communicate with some C&C server (if you didn't have network account, you wouldn't have gotten the web malware in the first place), possibly can intercept your keyboard for grabbing passwords (securing the keyboard for password entry on X seems to have gone out of fashion), and maybe can intercept other things.

      It is still true that malware can do more things when getting root, though (e.g. changing the computer's DNS entries is not possible on Linux without getting root).
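
Added example (not part of the original thread): the comment above notes that most home directories sit on file systems mounted with execute rights. This Python sketch parses `/proc/mounts`-format text and reports whether the mount covering a given path carries `noexec`; the function names and the sample mount table are constructed for illustration.

```python
import os
import posixpath

# Constructed sample in /proc/mounts format:
# device, mount point, fs type, options, dump, pass
SAMPLE_MOUNTS = "\n".join([
    "/dev/sda2 / ext4 rw,relatime 0 0",
    "/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0",
    "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0",
    r"/dev/sdb1 /media/usb\040stick vfat rw,nosuid,nodev,noexec 0 0",
])


def unescape(field):
    # The kernel writes space, tab, newline and backslash in mount
    # fields as the octal escapes \040, \011, \012 and \134.
    out, i = [], 0
    while i < len(field):
        digits = field[i + 1:i + 4]
        if (field[i] == "\\" and len(digits) == 3
                and all(c in "01234567" for c in digits)):
            out.append(chr(int(digits, 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text):
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mounts.append({
            "mount_point": unescape(fields[1]),
            "fstype": fields[2],
            "options": set(fields[3].split(",")),
        })
    return mounts


def covering_mount(path, mounts):
    # The mount that governs a path is the longest mount point that is a
    # prefix of it on a path-component boundary ("/home" covers
    # "/home/alice" but not "/homework").
    path = posixpath.normpath(path)
    best = None
    for m in mounts:
        mp = m["mount_point"]
        prefix = mp if mp.endswith("/") else mp + "/"
        if path == mp or path.startswith(prefix):
            # ">=" so a later mount on the same point shadows an earlier one
            if best is None or len(mp) >= len(best["mount_point"]):
                best = m
    return best


def exec_exposure(path, mounts_text):
    # noexec blocks direct execution of files stored on that mount; a
    # script handed to an interpreter that lives elsewhere still runs,
    # so this reduces exposure rather than removing it.
    m = covering_mount(path, parse_mounts(mounts_text))
    if m is None:
        return None
    return {
        "path": path,
        "mount_point": m["mount_point"],
        "noexec": "noexec" in m["options"],
        "nosuid": "nosuid" in m["options"],
    }


if __name__ == "__main__":
    # On a Linux host, check the live mount table for user-writable paths.
    with open("/proc/mounts") as fh:
        live = fh.read()
    for p in (os.path.expanduser("~"), "/tmp", "/dev/shm"):
        r = exec_exposure(p, live)
        if r is None:
            print(p, "-> no covering mount found")
        else:
            state = "noexec" if r["noexec"] else "EXEC ALLOWED"
            print(p, "->", r["mount_point"], state)
```
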

    31. Re:Blah by Anonymous Coward · · Score: 0

      Netcraft cannot die. That's because if it were dead, Netcraft couldn't confirm it.

    32. Re:Blah by Anonymous Coward · · Score: 0

      I would recommend NoScript as well, but it seems like more and more, every site is running everything with scripts. For example, a site called "engadget" (not that anyone should read that crappy website) has so many scripts from several different domains that you don't see any content until you allow most of them. I can imagine other sites following suit. So your choice becomes "use NoScript, or actually be able to view web page content". What do other people think about this?

    33. Re:Blah by logicassasin · · Score: 1

      Then don't visit that site. I run noscript on my Windows and Linux desktops, sites that refuse to play nice, don't get my traffic. If more people would stop visiting these sites, their ad revenue will start to be impacted. Once you hurt their bottom line, they will start to wonder why and may stumble across a post like this one and they may get the point.

      Then again, they were stupid enough to do this in the first place... Their response might be "WE NEEDS MOAR ADS FOR TEH MONAYS SO I CAN BUY A NEW BENZ!!!"

      --
      Fifty watts per channel, baby cakes.
    34. Re:Blah by Em+Adespoton · · Score: 2

      which to be honest is everything that's actually important on your computer; non-userland stuff can just be re-installed from scratch if needed.

      I keep seeing this meme which seems to be promoting the idea that userland infection >= system level infection by claiming (mostly correctly) that the only important files to the user are in the users own directory.

      You have backups of /home right? So what is the problem with restoring it. Losing /home is NOT the worst thing that can happen to you. Having a virus that you can not detect is. Let's see how happy you are when your files start getting corrupted and keep getting corrupted and you have no idea why. System level infection is far worse than userland so can we let this meme die now please?

      OK, now let's look at what I said and what you said.

      Me: Most of what is actually important to you is accessible from userland
      You: There's a meme right now about how the only important files to the user are in the user's own directory

      See the difference?

      What I was pointing out is that malware can do most of what it needs to do these days without ever leaving userland. For those tasks like setting up a rootkit, hosts poisoning, cross-user spreading, etc. that DO require more privileges (but which are a small piece of the attack space these days), there's always social engineering and privilege escalation.

      The reason the "meme" is here is that it's not a meme -- these days, organized computer criminals are mostly using malware to exfiltrate data, hold data hostage ("ransomware"), run botnets, send spam, and mine bitcoins -- and NONE of these operations require root. The argument is a direct response to the longstanding "I run linux, and I set up my privilege separation properly, so I'm safe from malware" "meme" which turns out to be mostly beside the point these days.

      It's kind of like saying "drunk driving is not an issue for me because I drive a tank, and no drunk driver is going to damage my tank" -- completely missing the point that you shouldn't (just) be worried about your vehicle (the OS) being damaged by an attack, but the contents of that vehicle, even when they're somewhere else.

      Sure, rootkits are a problem. Securing your OS is a sensible part of layered security (just like securing your hardware). But someone stating that they're safe from malware attack while their userland security is virtually nonexistent is disingenuous at best.

      System level infection is only far worse than userland if you've got a system level infection. If you keep getting userland infections, it doesn't really matter whether it's because the entire system is compromised or just that there's a hole in your userland security that keeps getting exploited remotely. The end result is the same (even if the potential damage from a system level infection is greater).

      As an aside, I actually find that the main issue on Linux is not userland infection at all -- it's service-based infection; MySQL injections, compromised LAMP installs, etc. Same rule goes, as Apache is basically just another user: the attacker gains full access to this space, and can snarf the data, use the service for their own purposes, store their own stuff there, and generally use your computer service as if it was their own.

    35. Re:Blah by hairyfeet · · Score: 1

      And that exact same advice frankly works just as well on Windows but if the user doesn't follow it you are screwed.

      Ultimately there is only so much you can do technically against the dancing bunny problem because if the user WANTS to see the bunnies, and you try to stop the user from getting to the bunnies? They will happily thwart any and ALL security measures you put in their way to see the bunnies. Again I've seen this with my very own two eyes, I even had to throw a guy out of the shop once when he removed his fricking AV because it wouldn't let him have "The New Limewire" which I had ALREADY TOLD HIM was a fake trojan and had even gone so far as to give him eMule and BT so he wouldn't be needing it, but in the end he liked Limewire, refused to believe Limewire was dead, and when a malware writer offered him a fake that the AV pointed out was nothing but a trojan he simply removed the AV. His final words as I was pushing him out of the shop was "It says right there its the new limewire so you MAKE IT WORK!"

      In the end OSes and AVs have frankly never been better, but if the user refuses to listen or show even the tiniest bit of common sense? Well you just can't fix stupid.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    36. Re:Blah by hairyfeet · · Score: 1

      I do something similar for my customers, I always make them a low rights account for any friends/kids/etc that come over and when the owner is in their account while I can't lock them down as well as you can I give them Comodo Dragon with ABP, since Dragon runs in low rights mode, and on top of that I give them Comodo CIS AV which has sandboxing and scan before load on web pages. Both are free and since doing so my customers getting nasty bugs has frankly dropped right off the chart. You'd be surprised how much those three little steps help, ABP, low rights browser and sandboxing. You take the web out of the equation and there goes the bugs.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    37. Re:Blah by wmbetts · · Score: 1

      I wasn't talking about javascript. He was talking directly about this attack. Disabling Java not Javascript is what would stop it. I just double checked BofA as well. It worked fine with Java and Flash disabled. It is pretty stupid it won't without javascript though. The only thing I can think of is maybe to try and stop bots, but even that is dumb. It's trivial to embed webkit, use the webbrowser object, etc to parse js.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    38. Re:Blah by npsimons · · Score: 1

      I keep hoping people here would be a little more informed than average

      Ah, see there's your mistake: not in assuming that the general crowd at slashdot is smarter than average (they are); you are overestimating the average level of intelligence.

    39. Re:Blah by Penguinclaw · · Score: 1

      Wonder if it affects android? Users are much more willy nilly at installing anything if it looks cool.........

    40. Re:Blah by Penguinclaw · · Score: 1

      Totally agree with Hairyfeet. Education is the best way to inform people about the real world of modern computing. The number of times I've had people ask for help and they didn't even know they needed to run AV software. I think schools should start this as they can educate parents. In the UK ITC as it's called just concentrates on word, excel etc. No concept of how a pc operates is taught. No basic security training or awareness of malware types and how to harden your system. No basic programming (apparently the first year in a computing degree is wasted by teaching students what they already should know!). Get real those that are responsible for education, we NEED better IT taught at school so that every child has a rounded background and those that want to take it further can do so. One of the IT teachers from a nameless local school hadn't heard of linux (shock in itself) but the school's server was ubuntu!!! Things need to change and hopefully soon.

  3. lol by Anonymous Coward · · Score: 0, Informative

    Java !

    1. Re:lol by Anonymous Coward · · Score: 1

      lol java, java lol

  4. COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 2, Informative

    Please learn how to spell.

    1. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 2, Informative

      Maybe it was a website about the bus lines in Columbia, South Carolina.

    2. Re:COLOMBIAN....not "Columbian" by MightyYar · · Score: 0, Offtopic

      Since you are pedantic and might actually know why you are correcting someone - why is it that we can anglicize certain country names and not others. Why is it perfectly proper to Make Colon's name into Columbus, but the country named after him retains the "o" when spelled in English, even though place names inside of the US with the same origin are spelled with a "u"? We spell Brasil as Brazil, for instance.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:COLOMBIAN....not "Columbian" by saveferrousoxide · · Score: 2

      Because! Damnit. Though I would argue more for spelling proper nouns as the originator would spell them (assuming the phonetics work out -- and the alphabet, but transliteration is a whole different ballgame) since, ya know, it's their name an' all.

    4. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 0

      I'd say learn how to READ! The original article seems to have properly spelled the name of the country. I don't know why an editor or poster would have had to change it.

    5. Re:COLOMBIAN....not "Columbian" by Baloroth · · Score: 3, Informative

      Ironically, "Columbia" is the correct spelling in English (taken from "Columbus"). "Colombia" is the Spanish spelling (taken from "Colón"). Since English doesn't have the "ó", we use a "u" instead. Now, being a proper name you can use either (English is very flexible), but the English spelling is "Columbia".

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    6. Re:COLOMBIAN....not "Columbian" by Cinder6 · · Score: 2

      I initially read this as "Coulombian transport website", which had me confused...

      --
      If you can't convince them, convict them.
    7. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 0

      Yeah, we Germans are deutsch and live in Deutschland. Get it right!

    8. Re:COLOMBIAN....not "Columbian" by jsepeta · · Score: 2

      or run by the dedicated fanbois of Christopher Columbus?

      --
      Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
    9. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 0

      Care to show any sources to support this statement when referring to the country in South America?

    10. Re:COLOMBIAN....not "Columbian" by John+Hasler · · Score: 5, Informative

      Perhaps, but in American "Columbia" refers either to the river or to the district while "Colombia" refers to the nation in South America. "Columbia" is also an archaic term for the USA, as in "Columbia Gem of the Ocean".

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    11. Re:COLOMBIAN....not "Columbian" by sosume · · Score: 2

      Wrong. Although both are named after Columbus, the US capital is the District of Columbia, whereas the South American country is Colombia. You have me feeding though.

    12. Re:COLOMBIAN....not "Columbian" by mcgrew · · Score: 1

      Oh?

    13. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 0

      I just hope Colombian people start calling George Bush as Jorge Arbusto and George Washington as Jorge Güachinton.
      If American can change the name of everything why the rest of the world can't?

    14. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 0

      Nope, wrong. In English, the *country* is spelled ColOmbia, other terms (such as the river, the US capital district, the famous university in NYC, etc) are spelled with a U. But it is unambiguously true that in English, everywhere, the country is spelled Colombia. Don't take my word for it, look it up in any proper encyclopedia, or look at the websites for the embassy (in English) and the US State Department:

      http://www.colombiaemb.org/
      http://travel.state.gov/travel/cis_pa_tw/cis/cis_1090.html

    15. Re:COLOMBIAN....not "Columbian" by KhabaLox · · Score: 1

      Is that why we call him "Hugo Chavez" instead of "Oogo Shavez"?

      --
      Ceci n'est pas un sig.
    16. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 0

      Since English doesn't have the "ó", we use a "u" instead.

      What was wrong with using an "o" ?

    17. Re:COLOMBIAN....not "Columbian" by dotbot · · Score: 1

      Apparently travel is expensive as those Coulombians are always charged...

    18. Re:COLOMBIAN....not "Columbian" by gmhowell · · Score: 1

      If American can change the name of everything why the rest of the world can't?

      I have heard 'Estados Unidos' (sp?) more than once on Univision.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    19. Re:COLOMBIAN....not "Columbian" by Provocateur · · Score: 1

      Anybody who watches the Miss Universe Pageant has always known Miss Colombia to at least make it as a semifinalist.

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    20. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 0

      As a scientist, my preferred spelling is "Coulombia"

    21. Re:COLOMBIAN....not "Columbian" by Anonymous Coward · · Score: 0

      Completely Offtopic: Spanish "ó" does not sound like English "u" at all. Accents in Spanish are not phonetical modifiers, they just reflect where the tonic syllable is.
      Way more Offtopic: English "flexibility" can be very subjectively tested. In general anglo-speakers have a lot of trouble with foreign pronunciation.

    22. Re:COLOMBIAN....not "Columbian" by Schmorgluck · · Score: 1

      Duuuh, why bring Hugo Chavez in this discussion? Quite irrelevant.

      --
      There's nothing like $HOME
    23. Re:COLOMBIAN....not "Columbian" by konaya · · Score: 1

      Interestingly, this makes "Columbian" the only 100% correct and unambiguous demonym for a person from the USA. "American" could mean anyone from any country from any of the Americas, "North American" could also mean Canadian... Am I missing any candidate demonyms?

    24. Re:COLOMBIAN....not "Columbian" by KhabaLox · · Score: 1

      He's as relevant as Bush and Washington. ;)

      --
      Ceci n'est pas un sig.
    25. Re:COLOMBIAN....not "Columbian" by metrix007 · · Score: 1

      Technically, North American would also include Mexicans. Something Americans and Canadians seem to forget.

      --
      If you ignore ACs because they are anonymous - you're an idiot.
  5. Most Macs are probably immune. by Anonymous Coward · · Score: 0, Informative

    Mac OS X doesn't ship with Java anymore.

    1. Re:Most Macs are probably immune. by Gr8Apes · · Score: 1

      That'd be news to the millions getting new macs and using Java.

      --
      The cesspool just got a check and balance.
    2. Re:Most Macs are probably immune. by Jesus_C_of_Nazareth · · Score: 1

      Yeah, all those SAP and Oracle users. Maybe it has wider usage than I'm aware of, but the vast majority of use I see is enterprise. Of course this doesn't mean that it's not a problem. There are plenty of business users who are one step away from using Typex on their screens.

      --
      JC
    3. Re:Most Macs are probably immune. by EliSowash · · Score: 1, Informative

      Eh? How do you figure? Macs run Apple's version of Java...which means, they'd dutifully execute this applet. If you'd have said 'Mac users have to be running Rosetta in order to be infected' I'd give you your street cred back.

    4. Re:Most Macs are probably immune. by beelsebob · · Score: 2

      Macs do indeed run apple's version of java... If you have jumped through the hoops of clicking the "disabled plugin" button that replaces the applet, then typing in your password. Macs absolutely do not have to be running rosetta (a tech that doesn't even exist any more) to get infected, as neither Java, nor the binary delivered is a PPC binary.

    5. Re:Most Macs are probably immune. by Anonymous Coward · · Score: 1

      Eh? How do you figure? Macs run Apple's version of Java...which means, they'd dutifully execute this applet.

      Because, as the OP said, Macs don't ship with Java anymore. It's not installed by default with the current version of Mac OS. Also, even if the user installs it, recent Mac OS security updates will actually disable it if it is not being actively used.

      That is probably why the exploit only bothers to target obsolete versions of the OS X with Rosetta (or on PowerPC hardware.) A version for newer versions of OS X would be blocked before it could even get downloaded.

    6. Re:Most Macs are probably immune. by Yaztromo · · Score: 4, Informative

      That'd be news to the millions getting new macs and using Java.

      The GP is correct. Apple stopped shipping Java with OS X with the release of Lion.

      That said, if you try to run something that requires Java, OS X will offer to download and install it for you. However with the latest OS X updates the Java browser plug-in and Java Web Start are now disabled by default, and have to be explicitly enabled by the user in the Java Preferences app. And if they do explicitly enable it, it will auto-disable itself again if it hasn't been used in some time.

      That's a lot of extra hoops to jump through to get this to work on a modern, up-to-date Mac. Then again, the people who develop and propagate malware such as this tend to target those who don't keep their systems up-to-date, ensuring it is still a concern for many users (with those at most risk being the ones least knowledgeable to do much about it, or even be aware that anything is wrong).

      Yaz

    7. Re:Most Macs are probably immune. by Ossifer · · Score: 2

      More correctly:

      1. Macs ship with a hook that offers to install Java if you ever attempt to use it.

      2. OSX does not disable Java itself, but the Safari application disables the use of Java applets. If you run Firefox, this doesn't happen at all.

    8. Re:Most Macs are probably immune. by Yaztromo · · Score: 1

      Eh? How do you figure? Macs run Apple's version of Java...which means, they'd dutifully execute this applet.

      With OS X Lion, Apple stopped shipping Java with OS X. And with the latest revision, the ability to run Applets or Java Web Start is disabled by default, and has to be explicitly enabled (and even then will self-disable if you don't use it for some time).

      So to amend your statement, Macs run Apple's version of Java -- if you've tried to run something written in Java, responded to the resulting pop-up that you'd like to download and install Java, entered an Admin password (or username and password if you're not running as admin), waited for Java to download and install, then went into the Java Preferences app, turned on the "Enable apple plug-in and Web Start applications" setting, closed the Preference app, and then gone back and reloaded the infected page...at which point they'd dutifully execute this applet.

      (Older versions of OS X are, of course, still at risk from this sort of Java applet based attack vector).

      Yaz

    9. Re:Most Macs are probably immune. by hobarrera · · Score: 2

      Most Linux distros don't ship the java applet thingy either.

    10. Re:Most Macs are probably immune. by Gr8Apes · · Score: 1

      I was aware of the WebStart and applets being disabled - it was the first quick fix to the Flashback trojan and all related malware.

      Not having upgraded to Lion except on a test system, I was unaware of the Java no longer being installed in Lion by default. I guess Apple caught up to the rest of the world. Still, that doesn't really bug me because I've been managing multiple versions of Java on my system for years, so I've had to download them myself anyways.

      --
      The cesspool just got a check and balance.
  6. if (linux) by Ynot_82 · · Score: 5, Funny

    if(linux) { exec 'su - root' || die 'shit, I had to try something...'; }

    1. Re:if (linux) by Mr+Z · · Score: 1

      These days, shouldn't it also try "sudo ./pwn" and/or "sudo -s"?

    2. Re:if (linux) by TheGratefulNet · · Score: 2

      no conditional checks for arduinos?

      for shame! feeling so left out...

      --
      "It is now safe to switch off your computer."
    3. Re:if (linux) by Anonymous Coward · · Score: 0

      cat /dev/urandom >> /dev/mem is more fun...

  7. Finally some multi-platform support by GameboyRMH · · Score: 4, Funny

    Now if only the major business software companies were this considerate...

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:Finally some multi-platform support by Idbar · · Score: 1

      Yay! And they actually have Linux support! How amazing is that!?

  8. Java = security nightmare by Anonymous Coward · · Score: 2, Insightful

    "java applet".

    So in other words, if you VOLUNTEER to run their malware, their malware runs. Wow. Whoda thunk it.

    Java = security nightmare. javascript not much less so. Anyone halfway security conscious only runs scripts based on a whitelist of trusted sites.

    1. Re:Java = security nightmare by Gr8Apes · · Score: 1

      "java applet".

      So in other words, if you VOLUNTEER to run their malware, their malware runs. Wow. Whoda thunk it.

      Java = security nightmare. javascript not much less so. Anyone halfway security conscious only runs scripts based on a whitelist of trusted sites.

      Java is not a security nightmare any more than C or assembly is, and generally less so. Stop spreading FUD.

      --
      The cesspool just got a check and balance.
    2. Re:Java = security nightmare by Anonymous Coward · · Score: 0

      True, but you can't run C in your browser...

    3. Re:Java = security nightmare by MikeBabcock · · Score: 1

      You can run straight up machine language with a stack overflow. Does that make machine language a security nightmare?

      Jeez.

      --
      - Michael T. Babcock (Yes, I blog)
    4. Re:Java = security nightmare by amicusNYCL · · Score: 5, Insightful

      You're right, the Java programming language is not a security threat to computers in general. The Java Runtime Environment, and its various browser implementations, however, is definitely a threat. Just like PDF documents are not a threat, but Acrobat Reader is definitely a threat. See here for proof (spoiler: Java was the #1 infection vector, at 37%; Acrobat #2 at 32%).

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    5. Re:Java = security nightmare by Anonymous Coward · · Score: 0

      Most Java exploits are exploits with the various prebuilt library functionality that comes with Java, so sure, as a language in itself it isn't more of a security nightmare, if you use none of the offered functionality, otherwise, not so much.

    6. Re:Java = security nightmare by Goaway · · Score: 1

      You can with NaCl on Chrome.

      At this point I wouldn't be surprised if it was safer than Java, too.

    7. Re:Java = security nightmare by HarrySquatter · · Score: 1

      It's not FUD. The JRE is one of the most vulnerable and exploitable pieces of software on a machine. If you don't believe me see Secunia for the number of vulnerabilities per version. It averages to nearly 200 per major version which is more than the average of the last 3 major versions of Flash Player.

    8. Re:Java = security nightmare by Gr8Apes · · Score: 1

      Really? J2EE in the last 12 months although that's not too telling, so we'll look at JRE 1.6, all systems, over a couple of years. Feel free to post other data. If you're talking about WebStart or Browser plugins, I'll note first that those are not part of Java, and second, that they are highly affected by their browser's integration and potential lack of security features there.

      --
      The cesspool just got a check and balance.
    9. Re:Java = security nightmare by Gr8Apes · · Score: 1

      Even the JRE is not much of a threat. The browser plugins are another story entirely.

      PDFs, IIRC, just recently were a threat in and of themselves. But that's neither here nor there.

      Your link exposes that the browsers and the Java Deployment Toolkit appear to be the culprits, not the JRE itself.

      --
      The cesspool just got a check and balance.
    10. Re:Java = security nightmare by Gr8Apes · · Score: 1

      (wish I could edit)

      Actually, your statements really prove that C/Assembly are the real culprits, most of those are buffer overflows, a common problem with improperly managing your memory and pointers, something a whole lot less common for code written in Java.

      --
      The cesspool just got a check and balance.
    11. Re:Java = security nightmare by JonySuede · · Score: 1

      The J2SE JVM should ship with a deny by default SecurityManager policies file instead, but it would only add a click between a guy and his purple rabbit...

      --
      Jehovah be praised, Oracle was not selected
    12. Re:Java = security nightmare by amicusNYCL · · Score: 1

      Your link exposes that the browsers and the Java Deployment Toolkit appear to be the culprits, not the JRE itself.

      The study specifically calls out the "Java JRE" (that's right, the Java Java Runtime Environment) as the vector for 37% of Windows infections. But I do see that in the partial list of vulnerabilities that some of the ones related to Java (but not all of them) call out the Java DT. As far as browsers go, the only browser listed as an infection vector is IE, and it was only responsible for 10% of infections. 85% of the infections were the "drive-by" variety exploiting JRE, Acrobat, or Flash.

      PDFs, IIRC, just recently were a threat in and of themselves. But that's neither here nor there.

      The document isn't the problem, it's the reader that opens the document and dutifully executes the code embedded in said document that is the problem. If the reader wasn't set up to execute that code, then there wouldn't be an infection. The Acrobat browser plugin can get exploited with a hidden iframe that loads a malicious PDF document. The user would never even see the PDF appear, and would never know they were infected. They might get some sort of Acrobat dialog to update or something, but still wouldn't see the document that got them.

      The most surprising thing about that study to me is the fact that Flash is in last place among third-party plugins, I was expecting it to be a lot closer to the top. Still, the main takeaway for me is that if I do not have JRE or Acrobat browser plugins, I will not be affected by 69% of the vulnerabilities that are the top causes for drive-by infections. That's a pretty easy step to take in order to gain a lot of protection.

      Actually, your statements really prove that C/Assembly are the real culprits

      No, they don't.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    13. Re:Java = security nightmare by Gr8Apes · · Score: 1

      Just for grins, I went through the entire list (I've got to find another hobby). The only item that is not either a JDT issue or related specifically to applet / externally provided code is CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability, which is a bug in the MIDI file processor.

      --
      The cesspool just got a check and balance.
    14. Re:Java = security nightmare by amicusNYCL · · Score: 1

      Just like the Spanish Inquisition, the list of weapons you see in that study is "amongst" all of their weapons. That's not a complete list of exploits. They claim to have looked at 50 exploit kits. I believe that Metasploit alone contains a database of around 800 exploits. According to Secunia, JRE 1.6.x contains 274 vulnerabilities and 1.7.x contains 53.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    15. Re:Java = security nightmare by HarrySquatter · · Score: 1

      Yes, really. Going back over 10 years of the JRE.

      JRE 1.7: 53 vulnerabilities
      JRE 1.6: 274 vulnerabilities.
      JRE 1.5: 265 vulnerabilities.
      JRE 1.4: 264 vulnerabilities.

      That's 191 vulnerabilities on average and it's only that low since the 1.7 JRE is only 2 years old. And why did you bring up J2EE? What average user is running J2EE on their desktop?

    16. Re:Java = security nightmare by HarrySquatter · · Score: 1

      JRE versions 1.4, 1.5 and 1.6 all have over 260 vulnerabilities listed on Secunia. Each one has more than the last 3 versions of Flash Player and more than any version of IE other than IE 6 which only has about 2 dozen more vulnerabilities. On the other hand if you look at something like .NET there are an average of maybe 40 vulnerabilities for each major version.

    17. Re:Java = security nightmare by Anonymous Coward · · Score: 0

      What company's server hasn't been compromised at some point?

      Every time there is some small improvement in windows security web developers sabotage it with extra features. HTML5 is going to reopen the web to familiar attacks we thought were long past.

    18. Re:Java = security nightmare by Anonymous Coward · · Score: 0

      The difference is that a random program from the web written in C or assembly wouldn't automatically be run directly from your browser just because of a tag in a web page. However for Java, that's the default configuration.

    19. Re:Java = security nightmare by Anonymous Coward · · Score: 0

      You can run straight up machine language with a stack overflow. Does that make machine language a security nightmare?

      If it were automatically downloaded and executed from web pages, it would definitely be.

    20. Re:Java = security nightmare by Gr8Apes · · Score: 1

      Only if you've installed the browser plugin and enabled it. Amazingly, 3 of my browsers on my system do not have Java plugins, one does because I need it for a few items.

      --
      The cesspool just got a check and balance.
    21. Re:Java = security nightmare by Gr8Apes · · Score: 1

      I dug further (I did mention that I needed a new hobby) - a long long long list of those are all related to the JDT, applets, and in general executing external code, not items related to processing files or operations that the JRE provides. (With exceptions like the one mentioned regarding the MIDI file in GP) So, most of the security issues are related more to someone providing a Trojan and the JRE sandbox not catching it than actual problems with the JRE itself. We can argue this all day, I'll bet, but what it comes down to is given non-malicious code - ie, known code that you run yourself, can others subvert your JRE? I will argue that it will be exceedingly difficult to do so. Given malicious code, I propose that executing it is as dangerous whether it's Java, C, or even JavaScript. This is a different problem, and wrapping them together and calling the JRE unsound is disingenuous. Finally, what sites require Java that are "normal"? Very few that most people will come into contact with.

      --
      The cesspool just got a check and balance.
    22. Re:Java = security nightmare by Gr8Apes · · Score: 1

      Yes, and a large, if not overwhelming portion of those are related to executing malicious code from external sources. The sandboxing failed in those cases. Running known code would have a very very small footprint of security issues.

      Regarding .NET - IIRC, .NET has no real sandbox in the way Java does, so a host of items that would be vulnerabilities in the JRE have no corresponding vulnerabilities in .NET. If we strip out all the WebStart/Applet type vulnerabilities, we'll have a closer apples to pears comparison with .NET.

      --
      The cesspool just got a check and balance.
    23. Re:Java = security nightmare by amicusNYCL · · Score: 1

      Exactly how Java ends up executing the malicious code isn't really relevant to end users. I don't have any parts of Java installed because I don't trust that it's going to be secure. I don't care enough about Java to go digging through the individual bits and pieces to identify which things are safer to install. It doesn't matter to me whether the DT is at fault, or the JRE, or J2EE or JDK or whatever else, I don't care. What I care about is avoiding infections, and since Java plays a part in 37% of infections, I'm not going to install any of it.

      Given malicious code, I propose that executing it is as dangerous whether it's Java, C, or even JavaScript.

      There's obviously a major difference there. My browser isn't going to happily download and execute a C application because some web page convinced it to. And I don't think there's anything that Javascript alone can do that's going to compromise anything on my system. But if my browser has the JRE set up with defaults then it will certainly be quite happy to download and execute that fine applet you've got there.

      Finally, what sites require Java that are "normal"? Very few that most people will come into contact with.

      Right, that's why I don't feel like I'm missing anything and, due to the fact that the Java ecosystem is the vector for so many infections, I don't see any reason why anyone should have it installed unless they need it for a specific part of their job.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    24. Re:Java = security nightmare by Gr8Apes · · Score: 1

      Exactly how Java ends up executing the malicious code isn't really relevant to end users. I don't have any parts of Java installed because I don't trust that it's going to be secure. I don't care enough about Java to go digging through the individual bits and pieces to identify which things are safer to install. It doesn't matter to me whether the DT is at fault, or the JRE, or J2EE or JDK or whatever else, I don't care. What I care about is avoiding infections, and since Java plays a part in 37% of infections, I'm not going to install any of it.

      Well, since browsers are responsible for 100% of the infections listed, I expect you don't have them installed, either? And since Windows was also 100% responsible for infections, you don't have that either? For that matter, what are you doing on the internet? It is responsible for 100% of those infections!!!

      Given malicious code, I propose that executing it is as dangerous whether it's Java, C, or even JavaScript.

      There's obviously a major difference there. My browser isn't going to happily download and execute a C application because some web page convinced it to.

      I think you may need to revisit your assumptions.

      Right, that's why I don't feel like I'm missing anything and, due to the fact that the Java ecosystem is the vector for so many infections, I don't see any reason why anyone should have it installed unless they need it for a specific part of their job.

      Again, Java isn't the vector, it's the browser/plugin aspect that is. That's like blaming C for being a vector because windows is largely written with it. The JRE, in and of itself, is no more insecure than anything else your CPU executes. If you enable pieces that allow outside access and code execution, then there is much greater potential for problems. This is an apt comparison, as the JRE's primary purpose is to run specific java code, not random snippets from the web, at least for everything I'm involved in.

      --
      The cesspool just got a check and balance.
    25. Re:Java = security nightmare by amicusNYCL · · Score: 1

      Well, since browsers are responsible for 100% of the infections listed, I expect you don't have them installed, either? And since Windows was also 100% responsible for infections, you don't have that either? For that matter, what are you doing on the internet? It is responsible for 100% of those infections!!!

      Don't be obtuse. IE was only responsible for 10% of infections, and I don't use it. Windows help files were the vector less than 5% of the time, and I assume IE was used there as well, because my browser wouldn't automatically launch a Windows help file.

      I think you may need to revisit your assumptions

      Maybe you misunderstood me. When I referred to "my browser", I was not referring to IE. I don't use IE for the same reason I don't install Java or Acrobat Reader. That's 79% of infections that won't succeed on my machine after very little (or no) effort on my part. Go ahead, ask me about the last time I had to clean up an infection on my personal computer and how it got there.

      If you enable pieces that allow outside access and code execution, then there is much greater potential for problems.

      There's no need for me to have to do that when they're enabled by default. So yes, when Java is installed with the default settings, which includes browser plugins, you end up with something that is the single largest infection vector for Windows computers. This is a fact, this is not my opinion and it is not theoretical. It is reality. You can argue all you want, but this is what the reality of it is. The current implementation and deployment of the Java runtime is a malware author's dream. It's a full-blown high-level language able to interact directly with the system (and indirectly, due to the numerous vulnerabilities), and the code that it runs is downloaded by the browser and subsequently executed. You can't ask for a better infection vector.

      the JRE's primary purpose is to run specific java code, not random snippets from the web, at least for everything I'm involved in.

      Primary purpose for who? For you? For Sun or Oracle? For malware authors? What is the primary purpose of Java Web Start? Do you really want to have a discussion about "primary purpose" versus "unintended use"? Because I would direct you to WD-40, super glue, Teflon, Kleenex, SMS messages, etc.

      You do realize that you're trying to argue that Java isn't a threat in a discussion on an article about a piece of cross-platform malware distributed via Java, correct?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    26. Re:Java = security nightmare by Gr8Apes · · Score: 1

      Well, since browsers are responsible for 100% of the infections listed, I expect you don't have them installed, either? And since Windows was also 100% responsible for infections, you don't have that either? For that matter, what are you doing on the internet? It is responsible for 100% of those infections!!!

      Don't be obtuse. IE was only responsible for 10% of infections, and I don't use it. Windows help files were the vector less than 5% of the time, and I assume IE was used there as well, because my browser wouldn't automatically launch a Windows help file.

      I'm not being obtuse. You are berating a product for the flaws of a single component that resembles an appendix that 99% of Java users never encounter nor care about.

      I think you may need to revisit your assumptions

      Maybe you misunderstood me. When I referred to "my browser", I was not referring to IE. I don't use IE for the same reason I don't install Java or Acrobat Reader. That's 79% of infections that won't succeed on my machine after very little (or no) effort on my part. Go ahead, ask me about the last time I had to clean up an infection on my personal computer and how it got there.

      Mine was 98, IIRC, with Melissa, and I did not have it on my machine. I do have Acrobat Reader, Flash, and Java, including browser plugins installed. I just don't have them in my main browser, plus anti-ad plugins, like ad-block, noscript, and other plugins can keep you quite safe.

      If you enable pieces that allow outside access and code execution, then there is much greater potential for problems.

      There's no need for me to have to do that when they're enabled by default. So yes, when Java is installed with the default settings, which includes browser plugins, you end up with something that is the single largest infection vector for Windows computers. This is a fact, this is not my opinion and it is not theoretical. It is reality. You can argue all you want, but this is what the reality of it is. The current implementation and deployment of the Java runtime is a malware author's dream. It's a full-blown high-level language able to interact directly with the system (and indirectly, due to the numerous vulnerabilities), and the code that it runs is downloaded by the browser and subsequently executed. You can't ask for a better infection vector.

      Only if you install the browser plugin(s). You don't have to, and IIRC, that's a question the user has to agree to. So, you are incorrect on both counts, they're not enabled by default, and it's not the default settings. The fact that Windows computers are so bullet ridden wrt viruses etc is not the fault of Java, the JRE, nor even the browser plugins, but actually lies deeper in the core of Windows and how it is fundamentally unsound security wise.

      the JRE's primary purpose is to run specific java code, not random snippets from the web, at least for everything I'm involved in.

      Primary purpose for who? For you? For Sun or Oracle? For malware authors? What is the primary purpose of Java Web Start? Do you really want to have a discussion about "primary purpose" versus "unintended use"? Because I would direct you to WD-40, super glue, Teflon, Kleenex, SMS messages, etc.

      You do realize that you're trying to argue that Java isn't a threat in a discussion on an article about a piece of cross-platform malware distributed via Java, correct?

      We could, but it doesn't matter. Sun/Oracle AFAIK don't use or promote the applet model in anything they did/do at this point nor in the relatively distant past. WebStart is an entirely different piece that was promoted for a time, and even used by some, but on the whole, when is the last time you saw a JNLP app that wasn't IT distributed? (Yes, there's a difference).

      And yes, I'm aware of the se

      --
      The cesspool just got a check and balance.
    27. Re:Java = security nightmare by amicusNYCL · · Score: 1

      I'm not being obtuse. You are berating a product for the flaws of a single component that resembles an appendix that 99% of Java users never encounter nor care about.

      OK. Since you're the resident Java security expert, then let me ask you a question. Since Java is responsible for 37% of infections to Windows, and since the study specifically calls out the JRE, but you claim that the JRE is not the problem, then answer these two questions: which component is the problem, and why do end users care which component is the problem? The fact remains - Java is the #1 infection vector. You can claim that 99% of users never "encounter" the faulty components, but that leaves a hell of a lot of infections for the remaining 1%, doesn't it? Are you trying to tell me that only 1% of Java users are responsible for getting the majority of Windows infections from a single source?

      Only if you install the browser plugin(s). You don't have to, and IIRC, that's a question the user has to agree to. So, you are incorrect on both counts

      Am I now? Well, that's easy enough to test, isn't it? I open IE. I go to the page on java.com where it will test for Java. After a couple minutes it says it doesn't detect an installed version. I download the 20MB offline installer for Java 7 r5. I run the installer. The first screen has some basic information and tells me to click Next to accept the license and install Java. I click Next. Java installs. After it finishes, I open IE again and go to the same page. It now detects the correct version I just installed. I click on the Tools menu and select Manage Add-ons. Listed there I see Java Plug-in 10.5.0, I see Java(tm) Plug-In SSV Helper, I see Java(tm) Plug-In 2 SSV Helper, and ... what's that? I see Deployment Toolkit, from Oracle America, Inc., installed on 7/12/2012. The only thing I clicked in the installer was "Next". And now, I uninstall.

      See, that was easy to test, and now we don't need to rely on your memory. Tell me again which of the components in Java is not secure and how 99% of users never encounter them.

      Sun/Oracle AFAIK don't use or promote the applet model in anything they did/do at this point nor in the relatively distant past.

      Who cares? They don't need to. Malware authors know it exists, that's all that matters. Users support it, malware authors use it, it doesn't really matter what Oracle wants to promote. What they want to promote, how they expect Java to be used, and how you personally use Java have zero relevance on the question of how so many people get infected via Java.

      when is the last time you saw a JNLP app that wasn't IT distributed?

      It's been my experience, with regard to drive-by infections, that it's the apps you don't see that are the problem.

      They might as well have said there's a C exploit

      But they didn't, did they? They used Java. The platform of choice for malware authors.

      I do note however, that your argument list has gotten very short by this posting.

      You may also note that I've only ever had one argument - that Java is the single largest infection vector for Windows computers.

      And I'll restate the final point - if you don't install/enable the plugins, you won't have a problem

      Now that we can agree on. I'm glad you agree with that statement.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    28. Re:Java = security nightmare by Gr8Apes · · Score: 1

      You may also note that I've only ever had one argument - that Java is the single largest infection vector for Windows computers.

      and I disagree. It's Windows that's the single largest vector for infection. Nothing more, nothing less. The fact that other systems run fine with Java really points out this glaring omission on MS's part. Why can't they secure their own software? (this is a rhetorical question, I already know the answer - if you can execute any program on windows, you can own the system. There is no way to secure it from a program run in user space if you can copy a binary file into the system, which is the only challenge you have)

      And I'll restate the final point - if you don't install/enable the plugins, you won't have a problem

      Now that we can agree on. I'm glad you agree with that statement.

      At least that one's done. So you agree the problem is not the JRE, but the plugins/plugin framework.

      --
      The cesspool just got a check and balance.
    29. Re:Java = security nightmare by amicusNYCL · · Score: 1

      At least that one's done. So you agree the problem is not the JRE, but the plugins/plugin framework.

      The problem is that all of the components that people exploit are installed and enabled by default in the download package that Oracle labels the JRE (which is why the report specifically blames "Java JRE").

      It's Windows that's the single largest vector for infection.

      No, Windows is the target. Java is the hole that attackers go through to get there.

      The fact that other systems run fine with Java really points out this glaring omission on MS's part.

      OK, then let me ask you a question. Why do you think it's true that Java is used as the infection vector 37% of the time, while Flash is used 16%? Or that IE is used at only 10%? When a Windows machine gets infected, why is it almost 4 times more likely that the infection happened via Java versus the loathed and vilified IE?

      (also, if you're going to try and point out how great Java works everywhere other than Windows, again, we're talking about cross-platform malware here)

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  9. Web exploit... by Anonymous Coward · · Score: 1

    Oh noze... a web exploit for Linux! That asks you if you want to install it from within your web browser. Yeah, your average Linux user will surely fall for that, even though it's not how we ever install software. Does it even work on Linux? The article had no screenshots of it running there, nor what version of Java (if any) it exploits.

    1. Re:Web exploit... by jedidiah · · Score: 1

      The smug Linux user has likely taken steps to avoid running any random untrusted nonsense in a web browser.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    2. Re:Web exploit... by Zero__Kelvin · · Score: 1

      You don't seem to have a strong grasp of what the word "average" means.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:Web exploit... by Anonymous Coward · · Score: 0

      Your average linux user is pretty much your average Android user these days. That's where the real numbers are. And yes, the average Android(linux) user may well fall for a web install.

    4. Re:Web exploit... by drinkypoo · · Score: 1

      See that red color? "Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."

      You can see at a glance that most of these vulnerabilities require javascript. As the GP said, the smug Linux user has probably disabled Javascript from random sites. If not, they have no business being smug.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Web exploit... by smash · · Score: 1

      Because of course all of your personal information is stored under your non-user account? Err... nope. Identity theft is far more useful these days than simply trying to own your machine. Who cares about owning the machine when they can own your personal data?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    6. Re:Web exploit... by Anonymous Coward · · Score: 0

      You can see at a glance that most of these vulnerabilities require javascript.

      Feel free to ignore anything that doesn't suit your agenda. In any case that is irrelevant. The original point was about user explicitly allowing software to be installed. As has been shown again and again, this is not required due to the abundance of bugs in browsers and other software which accept unknown data from the internet.

      If not, they have no business being smug.

      Tell that to the admins of countless rooted/defaced LAMP servers running outdated versions or vulnerable configurations.

    7. Re:Web exploit... by jellomizer · · Score: 1

      If someone is feeling smug, it is usually because they have no business feeling smug.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  10. Linux by Anonymous Coward · · Score: 1

    Good luck with getting far on Linux, most people on there are nerds and geeks who know NOT to hand over root passwords just cos some program claims it needs it, and on up-to-date systems there won't be any known privilege escalation exploits.

    1. Re:Linux by benjymouse · · Score: 1, Insightful

      ... and on up-to-date systems there won't be any known privilege escalation exploits.

      Think again. An attacker following the kernel source tree will be able to figure out when exploitable bugs are being patched. While such bugs/fixes are generally not called out as security fixes at that time, they are nevertheless identifiable given a small investment.

      And for many distros it takes weeks (sometimes months) for the fixes to come through to the "consumer". During that time (dubbed "high-risk days" by some researchers) the vulnerability information is in the open but systems have not yet been patched. Precisely because some patches are *not* called out as having security implications it has happened that some of the more stable distros have delayed the patch because they didn't see the urgency.

      Someone determined to take down Linux desktop systems has recurring windows of opportunity because of the open nature of the kernel and the distro system.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
    2. Re:Linux by HarrySquatter · · Score: 1

      You mean like the Linux kernel dev who had a trojan installed on his system and subsequently got kernel.org rooted by getting the trojan on two of the servers? Yeah, geeks never get malware on their systems. *rolls eyes*

    3. Re:Linux by Anonymous Coward · · Score: 0

      Your post is pure fantasy land. I hope you were humming the "Mission Impossible" theme while you were writing it.

    4. Re:Linux by Anonymous Coward · · Score: 0

      Think again. An attacker following the kernel source tree

      Someone determined to take down Linux desktop systems has recurring windows of opportunity because of the open nature of the kernel and the distro system.

      BWahahahahahahahaha...yeah, if it's so easy then why don't you go do it and show us. We'll be waiting, troll.

    5. Re:Linux by Anonymous Coward · · Score: 0

      Never say never. The OP avoided an extreme example by using "most", while you countered with an extreme of "never". OP is correct, if vague, in that the potential for infection is far less given both the nature of the system and the people most likely to embrace/use it. You are attempting to change the scope of his argument by adjusting the language to a level of granularity that the OP did not imply.

    6. Re:Linux by Lorien_the_first_one · · Score: 1

      Very interesting analysis.

      --
      The diversity and expression of human opinion is essential to human survival.
    7. Re:Linux by Anonymous Coward · · Score: 0

      Yes. Even if patched by the distro, there is often a large window of opportunity since Linux is usually used in mission critical applications where downtime windows to boot into a new kernel are few and far between. Kexec may help here, but last I tried it wasn't exactly ready for prime time (most of the servers I manage have uptimes measured in years). Things like grsec patches help to avoid issues in the first place, and this is part of the mitigation we use. Userspace stuff is patched regularly, since no downtime associated.

      There is a group that made an automatic exploit generator for windows that automatically looks at the binary released patch, from windows update, and nearly instantly generates an exploit. Even on windows folks don't want to reboot every day to apply a patch, so while typically shorter (most windows boxes are rebooted at least monthly-- userspace patches on windows all seem to require reboots too), these windows, after patch released to public, exist on that platform too.

      To the other respondents to parent, fanboism is just as annoying for Linux as for windows or mac (_exclusively_ linux desktop user since 1993, so no, I am not an anti-linux troll!).

    8. Re:Linux by wmbetts · · Score: 2

      I had a friend that did a demonstration of just that. He built an exploit while he was up there doing the talk. It took a couple hours, but when he was done he had a functional 0day. Believe it or not people actually do what he's describing. If the good guys are doing it for pentesting I'd guess the bad guys are doing it as well.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
    9. Re:Linux by jvillain · · Score: 1

      I remember when the slammer worm came out. We were all excited that we were finally going to be able to see a real piece of malware on linux. We opened up the appropriate port to a number of test machines to try and get infected so we could disassemble it. Within a couple of hours there was a patch available for Linux. Everyone upgraded (patch fast patch often) and it died out before we could get infected. Open source software is a horrible platform to attack because there are hordes of people who can provide a patch if we know what the problem is.

    10. Re:Linux by smash · · Score: 1

      You don't need to be root to steal someone's shit.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  11. wasn't that nice of them by slashmydots · · Score: 1

    Well, at least they made it run on Linux. Most software writers just don't bother to put in that kind of effort. Must be one classy virus writing operation over there to not leave any of the major OSes out lol.

  12. Only older Macs. by used2win32 · · Score: 4, Informative

    Quoted: "Surprisingly for such an advanced exploit, it was unable to infect modern Macs unless they were modified to run software known as Rosetta. The software allows Macs using Intel processors to run applications written for Macs using PowerPC processors, which were phased out about five years ago. Rosetta is no longer even supported on Lion, the most recent version of OS X."

    Rosetta not supported on Lion and not installed by default in Snow Leopard.

    So no current Macs and only older Macs that use Rosetta risk infection. That number has to be pretty low...

    I don't think any *nix user has much to worry about either...

    --
    Procrastination; I'll think of a sig tomorrow.
  13. Improvised Cyber Exploitation Device by Anonymous Coward · · Score: 0

    This is really nothing new. I wrote an article called "Improvised Cyber Exploitation Devices" (http://infiltrated.net/index.php?option=com_content&view=article&id=33&Itemid=39) that followed similar rules. In fact, anyone using mod_security or mod_rewrite can do the same. Redirect based on operating system/browser/etc. to a loaded page

  14. Signed? by mj1856 · · Score: 0

    If it was signed, go after those who signed it!

    1. Re:Signed? by wmbetts · · Score: 1

      They use fake names when getting it signed.

      --
      "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
  15. Just Checking by carrier+lost · · Score: 1

    So, if I haven't ordered any cocaine in the last couple of weeks, I should be okay?

    1. Re:Just Checking by Zero__Kelvin · · Score: 1

      "So, if I haven't ordered any cocaine in the last couple of weeks, I should be okay?"

      If your stash isn't getting low, you should be fine for a while, but if it is then you're headed for big trouble bud. I recommend you stock up on some serious opiates post haste!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  16. Mac users got shafted by Anonymous Coward · · Score: 0

    Actually, Mac users got a message that the malware developers were still working on the port and that no firm release date was yet available.

  17. Who Allows All Java Applets? by Anonymous Coward · · Score: 1

    I'm immune to this. I have to explicitly declare the host name that applets will be allowed from. If it's not configured, then the applet tag gets replaced with an HTML comment as it passes through the HTML filter. I'm doing this with an old client side firewall program called atguard, but I'm sure there are many others that do the same. As a result, I only run applets from web sites that I want to run. I see "download plugin" or grey boxes where all the applet ads would be or that are coming from sites that I didn't specifically go to. Why hostname-specific applet blocking isn't built into browsers is beyond me. Maybe it is on some of them...?
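
The hostname-specific applet blocking described in the comment above, as an added Python example that is not part of the thread and not any poster's or product's code. The page URL, host names and sample HTML are constructed, and also covering `<object>`/`<embed>` elements with a Java MIME type goes beyond the applet tag the comment mentions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Fixed placeholder: nothing taken from the page is echoed into the comment,
# so a crafted host name cannot close the comment early.
PLACEHOLDER = "<!-- applet blocked -->"

class AppletFilter(HTMLParser):
    """Re-emit HTML, replacing Java applet elements from non-allowlisted hosts."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__(convert_charrefs=False)
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.out, self.blocked = [], []
        self._skip_tag, self._depth = None, 0

    def _bad_hosts(self, tag, attrs):
        """Return the non-allowlisted hosts this element would load code from."""
        a = {k: (v or "") for k, v in attrs}
        java = tag == "applet" or (tag in ("object", "embed") and
               a.get("type", "").lower().startswith("application/x-java"))
        if not java:
            return []
        refs = a.get("archive") or a.get("data") or a.get("src") or ""
        try:
            # codebase resolves against the page; archives resolve against codebase
            base = urljoin(self.page_url, a.get("codebase", ""))
            hosts = {urlsplit(urljoin(base, r.strip())).hostname
                     for r in [""] + refs.split(",")}
        except ValueError:          # malformed URL: treat as untrusted
            hosts = {None}
        return sorted(str(h) for h in hosts if h not in self.allowed)

    def handle_starttag(self, tag, attrs):
        if self._skip_tag:          # inside a blocked element: drop, track nesting
            self._depth += tag == self._skip_tag
            return
        bad = self._bad_hosts(tag, attrs)
        if not bad:
            self.out.append(self.get_starttag_text())
            return
        self.blocked.extend(bad)
        self.out.append(PLACEHOLDER)
        if tag != "embed":          # <embed> is void: there is no body to skip
            self._skip_tag, self._depth = tag, 1

    def handle_startendtag(self, tag, attrs):
        if self._skip_tag:
            return
        bad = self._bad_hosts(tag, attrs)
        self.blocked.extend(bad)
        self.out.append(PLACEHOLDER if bad else self.get_starttag_text())

    def handle_endtag(self, tag):
        if self._skip_tag:
            if tag == self._skip_tag:
                self._depth -= 1
                if self._depth == 0:
                    self._skip_tag = None
            return
        self.out.append(f"</{tag}>")

    def _emit(self, text):
        if not self._skip_tag:
            self.out.append(text)

    def handle_data(self, data): self._emit(data)
    def handle_entityref(self, name): self._emit(f"&{name};")
    def handle_charref(self, name): self._emit(f"&#{name};")
    def handle_comment(self, data): self._emit(f"<!--{data}-->")
    def handle_decl(self, decl): self._emit(f"<!{decl}>")

def filter_applets(html, page_url, allowed_hosts):
    """Return (filtered_html, list_of_blocked_hosts)."""
    f = AppletFilter(page_url, allowed_hosts)
    f.feed(html)
    f.close()
    return "".join(f.out), f.blocked

# Constructed sample: one same-site applet, two elements from another host.
PAGE_URL = "http://intranet.example/tools/index.html"
ALLOWED = {"intranet.example"}
SAMPLE = ('<p>Timetable</p>'
          '<applet code="Viewer.class" archive="viewer.jar">'
          '<param name="first" value="x">fallback text</applet>'
          '<applet codebase="http://cdn.untrusted.example/a/" code="Ad.class">x</applet>'
          '<embed type="application/x-java-applet" src="http://cdn.untrusted.example/b.jar">'
          '<p>Footer &amp; links</p>')
```

The filter fails closed: a missing or unparseable code location is treated as a host that is not on the list.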

  18. Interesting author in source code by sl4shd0rk · · Score: 5, Informative

    If you google getParameter( "ILIKEHUGS" ); from the screen shot in TFA, you can find a java file which looks suspiciously like the one in TFA. I lold at the header comment. I don't think this is a 'new' exploit:
    /**
      * Original Author: Thomas Werth
      * Modifications By: Dave Kennedy, Kevin Mitnick
      * This is a universal Applet which determintes Running OS
      * ...

    --
    Join the Slashcott! Feb 10 thru Feb 17!
    1. Re:Interesting author in source code by Anonymous Coward · · Score: 1

      Why does it need Java to determine the platform? It's right in the browser headers (most of the time anyway).

    2. Re:Interesting author in source code by amicusNYCL · · Score: 1

      The exploit isn't determining which OS they are running. The dropper determines the OS and then delivers the payload for that OS. The exploit in the payload may be new, or it may be exploiting unpatched JREs.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Interesting author in source code by Anonymous Coward · · Score: 0

      But Kevin Mitnick isn't a bad guy anymore. He's just practicing "Adaptive Penetration Testing ..."

    4. Re:Interesting author in source code by Anonymous Coward · · Score: 0

      Since it depends on java in the first place it would be more effort to push the browser's info to the applet than to just re-detect it there.

    5. Re:Interesting author in source code by Anonymous Coward · · Score: 0

      Java runtimes don't lie to the same level. It's trivial to alter a browser's USER-AGENT string.

    6. Re:Interesting author in source code by Anonymous Coward · · Score: 0

      https://www.trustedsec.com/july-2010/thomas-werth-java-applet-open-sourced/

      for reference

    7. Re:Interesting author in source code by Anonymous Coward · · Score: 0

      But Kevin Mitnick isn't a bad guy anymore. He's just practicing "Adaptive Penetration Testing ..."

      Isn't that what they were doing in Debbie Does Dallas?

  19. Source by Anonymous Coward · · Score: 0

    Only a matter of time before trojans are distributed in source format, then compiled on the target machine.

    1. Re:Source by tylutin · · Score: 1

      Right, because most Windows machines have a C compiler installed ...

    2. Re:Source by tylutin · · Score: 1

      woops, of course if the code is JAVA, then ...

    3. Re:Source by Anonymous Coward · · Score: 0

      C compiler, python, perl, lua, wine. selinux, tripwire, apparmor half enabled, binary signing are an afterthought. Ugh! the perfect storm is on the horizon and no one cares to look.

  20. Malware for Linux? by Anonymous Coward · · Score: 5, Funny

    The year of the Linux desktop has arrived!

  21. Anonymous Colombian by Anonymous Coward · · Score: 0

    It is Colombian not Columbian...
    It is in the title of the F-Prot document: "Multi-platform Backdoor Lurks in Colombian Transport Site".

    How did you get that wrong?

    1. Re:Anonymous Colombian by Anonymous Coward · · Score: 0

      *F-Secure.

    2. Re:Anonymous Colombian by jjjhs · · Score: 1

      About 100 or so people pointed that out already.

  22. WTF by medv4380 · · Score: 0

    A whole commented class file for what? 1 line of code. Why would I comment something that should look like System.getProperty("os.name"); It's over coding like this that makes OOP worthless.

    1. Re:WTF by Anonymous Coward · · Score: 0

      You can do this "over coding" (aka useless comments) on structured languages too.

  23. crap by Anonymous Coward · · Score: 0

    They stole my idea! Maybe I should hire apple's legal team.

  24. Re:Infected Linux? by marcosdumay · · Score: 2

    F-Secure wasn't eager to tell us the details. It doesn't work anymore on OSX, no word about Linux.

    Anyway, it wasn't a proof of concept. It was found in the wild.

  25. openjdk by Anonymous Coward · · Score: 0

    implying that i would have java installed on my linux pcs

  26. Re:Infected Linux? by jsepeta · · Score: 1

    because nobody in the wild tests their proof of concepts. programmers always use a sandbox feature for that.

    not.

    --
    Remember kids, if you're not paying for the service, YOU ARE THE PRODUCT THAT IS BEING SOLD.
  27. Is it just me or...? by Anonymous Coward · · Score: 0

    I keep reading a lot of these security reports (not just here but on wired and stuff as well) and I can't help but laugh and go: "I thought this was *obvious*!?".

    In this case I'm more inclined to say: Well, duh, this is why we use stuff like NoScript. To stop suspicious looking sites from doing bad stuff. So... Why is this such big news? O.o

  28. So BSD users are safe? by BLToday · · Score: 1

    FreeBSD FTW.

    1. Re:So BSD users are safe? by jakemann · · Score: 1

      Not as safe as I am running VMS Mosaic on OpenVMS!

  29. very convincing by Cyko_01 · · Score: 5, Funny

    On linux you need to download the source code from the repository and compile it yourself

    1. Re:very convincing by Anonymous Coward · · Score: 0

      The source code is available here: https://svn.secmaniac.com/social_engineering_toolkit/src/webattack/java_applet/ -- It's an open framework.

    2. Re:very convincing by Anonymous Coward · · Score: 0

      Uh oh, you are still living in 1995. It is now the year 2012, where installing Linux is easy as 1-2-3.

    3. Re:very convincing by PuZZleDucK · · Score: 1

      I'm too lazy... could someone wrap this up in a .deb package for me?

      --
      Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
  30. Bastards by Anonymous Coward · · Score: 0

    Where's the love for BeOS?

  31. My Amiga 500 is safe by Anonymous Coward · · Score: 0

    Commodore Business Machines FTW!!

    1. Re:My Amiga 500 is safe by Anonymous Coward · · Score: 0

      Commodore Business Machines FTW!!

      No! Fuck CBM!

      They killed the Amiga!

  32. This is The Social-Engineer Toolkit by Anonymous Coward · · Score: 0

    This is the Social-Engineer Toolkit -- It's open source and available for free for penetration testers.

  33. Re:Advice anyone??? by Jeng · · Score: 1

    It really is not complicated.

    Get up, go to the bathroom, go to a stall, take off your underwear, wipe yourself off, put pants back on without your underwear, get out of the stall, throw away your soiled underwear and get back to work.

    --
    Don't know something? Look it up. Still don't know? Then ask.
  34. Re:Infected Linux? by Anonymous Coward · · Score: 0

    Uhh not accurate, this is built into the Social-Engineer Toolkit and is open-source... It works on OSX and Linux.

  35. Re:Infected Linux? by Anonymous Coward · · Score: 0

    Yeah, the "in the wild" part is the countless rooted Linux web servers on the internet, serving primarily windows clients through hacked advertisements which attempt to inject malware via browser bugs.

    http://www.exploit-db.com/platform/?p=linux&pg=38

  36. STOP MAKING SHIT UP by rgbrenner · · Score: 1
    1. Re:STOP MAKING SHIT UP by konaya · · Score: 1

      Yup. Colombia is spelt with an O and Columbia is spelt with a U. Why are we stating obvious things?

  37. Web exploit drops a different trojan by dgharmon · · Score: 1

    "a live Web exploit that detects if the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform".

    I typed 186.87.69.249:8081 into the address bar and this came up. Besides which, explain to me again why I would run a Java Applet from an unknown source and give it my root password?

    --
    AccountKiller
    1. Re:Web exploit drops a different trojan by Riceballsan · · Score: 2

      well the greater concern is what the virus is and intends to do. Something doesn't need a root password to say, run an individual keylogger for what that user types, ftp that log file in addition to everything in ~/Documents to a server in sealand, or whatever. If just ruining someone's day is the goal rm -rf ~ would pretty much be the kiss of death. Linux's greater strength in the more robust, harder to break root privileges compared to windows, actually doesn't really come into play until linux hits a point where it is targeted well enough to use antivirus software. The main thing I see windows viruses doing with admin rights, is disabling windows updates and preventing AV software from getting the new updates, to ensure its own position at being ahead in the arms race, stays the same.

  38. Re:OSX does NOT have common sense default by Anonymous Coward · · Score: 0

    Firewall still off by default in OSX, even brand new machines running Lion. That's still a heinous "common sense default" failure on Apple's part.

  39. welcome, Linux by smash · · Score: 1

    To becoming relevant enough to malware authors.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  40. Truth modded down by Anonymous Coward · · Score: 0

    Typical slashdot.. if this was a comment bashing windows with the exact same text, it would be at +5. Oh well.. I guess people just like to maintain a fake sense of superiority here.

  41. Total crap!!! Re:Blah by Anonymous Coward · · Score: 0

    Your post is junk! My Time-Sinclair never had a virus :->

  42. IT Support by minstrelmike · · Score: 1

    That sounds way kewl. I wish our IT support group could detect which browser/os a user was using but that's apparently waaaaaaay beyond their expertise. (It requires two functions instead of one).

  43. MacOS hole: by metaforest · · Score: 1

    Userland apps should never request admin rights.
    If they do request escalated privileges you should abort the installation and confirm with the publisher and demand that they explain in gory detail WHY they chose to require escalation to install their app.

    Blackbox drivers and middleware should not be tolerated. If you want to have wheel/admin rights on my machine you'd better be damn clear on why you need those rights and what you do with them. IN WRITING.
    If I find out later that you lied to me.... you can expect to get sued.

    At the end of the day it is the users and reviewers that determine what gets accepted in the market. We need to put our collective foot down on apps that demand privileges that they really don't need, just because it makes their development process cheaper, or enhances their DRM.

  44. not that hard... by hesaigo999ca · · Score: 1

    There is a way with a browser identification script on the server side, to then realize a redirect based on the type of browser....that would be a very mundane thing for any adept web developer to do.... in any language.

  45. Re:OSX does NOT have common sense default by smash · · Score: 1

    lol. stating fact = troll :D

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.