Slashdot Mirror


Brazilian Coders Are Pioneering the First Cross-OS Malware Using JAR Files

An anonymous reader writes: Criminal gangs in Brazil are experimenting with the first malware families that are packaged as JAR files, capable of being deployed to Windows, Linux, Mac, and even Android from the same codebase, instead of relying on 4 different versions. Right now, only the malware dropper, a component used to infect computers with banking trojans, seems to have been coded in Java, but security experts expect a full-blown banking trojan to soon follow.

124 comments

  1. Re:Does anyone actually install a JRE any more? by Todd+Knarr · · Score: 5, Interesting

    It wouldn't need to run as a browser plugin. The idea here is to use some other exploit to gain access and drop the .jar file onto the system, then run it as a regular local application. I suspect a lot of people have it because Oracle's made deals to have it included on the manufacturer's images, and those people don't have a clue what Java is or how to remove it so that's a problem.

    I am, however, surprised it took them this long to come up with this idea. It's fairly standard on Unix systems, that's how cross-platform scripting of all sorts is done.

  2. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 1

    Ah, but if the malware needs a Java Runtime Environment then it can just install that, too. :)

    The bigger question, though, is whether being the language of choice for writing malware is a plus or a minus for a language. I mean, let's say someone writes some very clever malware in C. Does that mean that C is a powerful and expressive language? Or does it mean that C is the devil?

    Well, that's a bad analogy because we already know that C is the devil. But you get the picture.

  3. That's it, I'm switching to CP/M by Anonymous Coward · · Score: 5, Funny

    There's no Java for CP/M-Z80, so I'm safe from being targeted by cross platform malware [or being targeted by applications in general].

    1. Re:That's it, I'm switching to CP/M by Anonymous Coward · · Score: 1

      But what if they wrote it in Turbo Pascal? You should get an 8085 just to be sure!

    2. Re:That's it, I'm switching to CP/M by Anonymous Coward · · Score: 0

      Damn, just last month I threw out a copy of CP/M.
      But then, it was on a 5 1/4" floppy.

    3. Re:That's it, I'm switching to CP/M by cstdenis · · Score: 1

      So much for write once, run anywhere.

      --
      1984 was not supposed to be an instruction manual.
    4. Re:That's it, I'm switching to CP/M by Anonymous Coward · · Score: 0

      Z80 can mostly run 8085 binaries...

  4. Java: write once, test everywhere! by Anonymous Coward · · Score: 0

    But perhaps some day you'll need permission from Oracle to run the malwarez. That'd be progress.

  5. So using Java exactly what it was designed for? by Anonymous Coward · · Score: 5, Informative

    Guess all those memories of viruses from the 80's containing executable code valid on multiple processors are all my fevered imagination. Who knew that the first cross-OS malware was definitely only being written now, in 2016, in Java.

    Wait, no, just the dropper. Congrats guys, you've discovered a platform-independent way of opening a stream from somewhere on the internet and dumping it to a file. Definitely pushing the envelope of Java to do that, I mean it's not like it comes with any sockets or file API specifically designed for stuff like that.

    Give me a break. I was hoping to hear about something actually creative, like PDF or jpeg with multiple exploits for common Windows/Mac/Linux viewers or decode libraries, that causes a jump into the appropriate shellcode for each platform depending on what it's viewed on. This story is a non-event.

    1. Re:So using Java exactly what it was designed for? by Anonymous Coward · · Score: 0

      lol'd @ your title

    2. Re:So using Java exactly what it was designed for? by TheRaven64 · · Score: 3, Interesting

      It is a bit of a stretch. There was a nice entry into the IOCCC a few years ago that was a program that was valid as a C program, a shell script, or a makefile. Running it as either a shell script or makefile would compile the C program, which would then print its output. There's been some interesting recent research involving isolating instructions that are NOPs on various architectures and writing exploit code that is a valid executable on both x86 and ARM (it doesn't have to be long, because you can encode a jump to the architecture-specific version in the portable code).

      It's worth noting that this is even (almost) the official and documented way of writing a cross-architecture Windows binary: you have a little .NET stub that P/Invokes the native binary for the architecture that it detects.

      --
      I am TheRaven on Soylent News
    3. Re:So using Java exactly what it was designed for? by MachineShedFred · · Score: 1

      I was thinking exactly this. Glad to hear that only now are we seeing a 'cross-platform' malware, and that the untold numbers of Excel macro viruses, Outlook exploits, PDF exploits, Flash exploits, etc. don't count. Only when you use Java to do something it was actually designed to do (as you described) do you become 'the first cross-platform malware.'

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    4. Re:So using Java exactly what it was designed for? by Anonymous Coward · · Score: 0

      I used to have a kernel module rootkit that was executable as a shell script; upon execution it would automatically compile and load itself into the kernel.

    5. Re:So using Java exactly what it was designed for? by Anonymous Coward · · Score: 0

      These are Brazilian hackers, what did you expect from the cesspool of South America?

    6. Re:So using Java exactly what it was designed for? by Anonymous Coward · · Score: 0

      These are Brazilian hackers, what did you expect from the cesspool of South America?

      Why all the hate? We are brothers. What happens to us may happen to you. Bless your heart.

      From Brazil, with love.

  6. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 1

    tl;dr: nearly all banks require jre here.

    As a Brazilian, I must say: a LOT of lazy coders rely on java for everything.

    I am not bashing java, I meant relying on it for EVERYTHING.
    (even on my cs graduation some teachers were promoting java as the only language you will ever use, forever)

    to make things worse, they usually make very sloppy code, that even relies on older, vulnerable and discontinued jre versions.
    (not kidding, the government is the main culprit and even run critical web stuff that still require i.e. 6.0 emulation to work)

    and well.. awkwardly speaking, nearly all banks require jre. (some do offer workarounds)

  7. First thing I do when I use Tails by Anonymous Coward · · Score: 0

    is to strip out all of the Java shit for each new session. Lots of Java shit probably for i2p but I don't believe in having Java on any system, Live or Installed.

    1. Re:First thing I do when I use Tails by Anonymous Coward · · Score: 0

      First of all: as one AC to another, let me tip my hat to the gentleman rocking "Tails". That's way more 1337 than the DHS-pwned(logjam) copy of "Kali" every scriptkiddie is running...

      Regarding ripping out Oracle's shit-ware: do you replace it with the OpenJDK package or just go without?

      I'd ask you if you were just a privacy/tinfoil-hat loon, or if you had "other reasons" to be engaging in such extreme levels of paranoia, but: there wouldn't be much incentive to answer that question honestly(regardless of your motives).

  8. "First Cross-OS Malware Using JAR Files" by Anonymous Coward · · Score: 5, Funny

    "First Cross-OS Malware Using JAR Files"

    I used to have that one. It was developed by Sun, and called the Java plugin.

    1. Re:"First Cross-OS Malware Using JAR Files" by ruir · · Score: 1

      Best comment so far!

  9. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 5, Funny

    Well, that's a bad analogy because we already know that C is the devil. But you get the picture.

    Well, any reasonably skilled programmer has several deals with the devil, and for about half of them the devil feels he got the short end of the stick.

    My comments are usually ascii pentagrams, but they only show with a tabsize of 4.

  10. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 1

    *cross-platform scripting* usually involves perl, sh or similar scripting language. There really is no need to use java for that. And no, it isn't standard at all. If I need java on a system for a new fancy software I always have to install it first. You get flash preinstalled more often than java.

    It also isn't that hard to deploy a miniperl to provide a runtime on systems without built-in perl (aka windows).

  11. JAR capable of being deployed to Linux by tetraverse · · Score: 3, Insightful

    How exactly does this JAR file get downloaded and executed on a Linux system, without enduser action?

    1. Re:JAR capable of being deployed to Linux by Anonymous Coward · · Score: 1

      So many dell dracs so little time lol

    2. Re:JAR capable of being deployed to Linux by Anonymous Coward · · Score: 0

      thanks to ubuntu/mint/android becoming popular, more and more stupid people use linux and do stupid things with it...

    3. Re:JAR capable of being deployed to Linux by MrCoke · · Score: 2

      "Press OK to enter our contest and win an iPhone 6/..."

    4. Re:JAR capable of being deployed to Linux by delt0r · · Score: 1

      Or any other system for that matter. Or just a plain exe file or .sh on unix? STUPID USERS. As always. PEBCAK

      --
      If information wants to be free, why does my internet connection cost so much?
    5. Re:JAR capable of being deployed to Linux by Anonymous Coward · · Score: 0

      Despite being the most deployed OS on the planet, it's still rare to see an active exploit in the wild on Linux based platforms. This is little to do with Linux, it's the decades old nix privilege escalation being rather resilient. Your poor trolling ignores the fact this "test case" fails at the first hurdle, just like the vast majority of nix-like exploits.

    6. Re:JAR capable of being deployed to Linux by Anonymous Coward · · Score: 0

      The word you're looking for is "automatically".

    7. Re:JAR capable of being deployed to Linux by Anonymous Coward · · Score: 0

      Despite being the most deployed OS on the planet

      To get at that conclusion, you'd have to include Android

      it's still rare to see an active exploit in the wild on Linux based platforms

      This is the proverbial "having your cake and eating it too".
      Android exploits are not a rare thing. It's often easier for malware to get root than for the user of the phone.
      Granted, this isn't the case for recent, fully patched kernels, but it's difficult to impossible (for an average user) to get those on your phone.
      Same problem with Linux in embedded appliances.

    8. Re:JAR capable of being deployed to Linux by edtice1559 · · Score: 1

      It may be the most deployed OS, but it's not the most-deployed end-user OS. If you are going to target Linux, using social engineering to install Malware may be very difficult. If you succeed, the person you targeted will most likely end up installing it on a Windows desktop even if they are the Linux admin. To attack infrastructure you use much different techniques.

    9. Re:JAR capable of being deployed to Linux by Anonymous Coward · · Score: 0
  12. So Brazilian criminals are by Anonymous Coward · · Score: 0

    Kinda like writing,

    German auto workers are faking emissions

    or

    Catholic priests are molesting children in London

    or

    Dice employees used to be the lowest form of life

    If you catch my drift. If not, the next elevator fart you smell was mine.

    1. Re:So Brazilian criminals are by silentcoder · · Score: 1

      >Dice employees used to be the lowest form of life

      Used to be ?!??!?!

      --
      Unicode killed the ASCII-art *
    2. Re:So Brazilian criminals are by KGIII · · Score: 1

      Well, they've sold /. so, presumably, they've moved up a notch.

      --
      "So long and thanks for all the fish."
    3. Re:So Brazilian criminals are by silentcoder · · Score: 1

      I think of it more as /. getting a shot of penicillin actually.

      --
      Unicode killed the ASCII-art *
  13. Java? good luck by Anonymous Coward · · Score: 0

    I haven't had Java installed for years, so good luck with the JAR.

  14. Java: write once by Kartu · · Score: 1

    "Java: write once, run anywhere"

    Sorry, couldn't help.

    1. Re:Java: write once by Anonymous Coward · · Score: 0

      Write once, debug everywhere.

    2. Re: Java: write once by Anonymous Coward · · Score: 0

      As compared to C? Write once, recompile everywhere, and debug segfaults & memory leaks & buffer overflows, etc -- everywhere.

  15. First? by Anonymous Coward · · Score: 4, Informative

    I don't think so.

    http://virus.wikidot.com/esperanto

  16. Re:Does anyone actually install a JRE any more? by Racemaniac · · Score: 1

    Anyone interested in arduino for starters?

  17. Like linux users needed by silentcoder · · Score: 1

    another reason to uninstall java.

    --
    Unicode killed the ASCII-art *
    1. Re: Like linux users needed by Anonymous Coward · · Score: 0

      Are you going to uninstall libstdc as well -- far more viruses are written in C. A JAR contains executable code, just like PY, SH, EXE, and a hundred other file-extensions that represent executable code.

      Only idiots download random crap off the Internet and execute it.

    2. Re: Like linux users needed by Anonymous Coward · · Score: 0

      Which is why intelligent admins don't rely on Java based application. Its claims of sandbox security and "optimization" have been repeatedly disproven.

    3. Re: Like linux users needed by Anonymous Coward · · Score: 0

      What are you talking about, sandbox? A Java program can do anything/everything that a shell script or Python script or Windows EXE, or any other executable can do. And if running as 'root' it can access any file on the filesystem.

      Java is a Turing Complete programming language after all -- which means anything you can do in any other language, can be done in Java too.

      In Java's case, your code is automatically portable and can execute on any OS that has a JRE installed (write once, run anywhere).

    4. Re: Like linux users needed by silentcoder · · Score: 1

      I don't have a thousand other reasons not to install C support. Also, unlike java, C lets me run some actually useful programs.

      --
      Unicode killed the ASCII-art *
    5. Re: Like linux users needed by silentcoder · · Score: 1

      And guaranteed to be 50 times as long as it should have been. Deep inside java was a functional, elegant and readable OO language trying to get out. Its name was python.

      --
      Unicode killed the ASCII-art *
    6. Re: Like linux users needed by jalet · · Score: 1

      > In Java's case, your code is automatically portable and can execute on any OS that has a JRE installed (write once, run anywhere).

      Thanks for the laugh !!!

      --
      Vote green: shit in the ballot box!
    7. Re: Like linux users needed by Anonymous Coward · · Score: 0

      These Brazilian malware authors prove you are wrong.

    8. Re: Like linux users needed by Anonymous Coward · · Score: 0

      No, they prove that it's possible to write portable choice in Java, not that Java code is automatically portable, which was the claim being laughed at.

    9. Re: Like linux users needed by Anonymous Coward · · Score: 0

      That is the most moronic comment of the morning. You must be in high school.

    10. Re: Like linux users needed by Anonymous Coward · · Score: 0

      You have to go out of your way (ie: do something dumb) for your Java code to be NOT portable.

    11. Re: Like linux users needed by Anonymous Coward · · Score: 0

      As long as I code in purely C99 spec my C code is also just as portable. Arguably even more so as you don't need a runtime environment or external libraries.

      the total tinycc compiler toolchain clocks in at under 100k. You could include the entire prebuilt toolchain for all 3 major OSs and linkage scripts to build in real time depending on need and STILL be well under 2 Megabytes total. As for compile speed? The entire Links2 web browser was built in under 3 seconds on a single core P4.

      Remind me again what advantages java brings to the table besides encouraging mediocrity?

    12. Re: Like linux users needed by Anonymous Coward · · Score: 0

      Segfaults, buffer overruns, an 'int' is an 'int' regardless of the processor type -- I could go on all day.

      You have to go out of your way to write proper C code that is platform independent / portable -- with Java, you stay portable as long as you don't hardcode directory paths ( like "C:\\Windows...).

      It would only take me ten minutes to write a Java app that would encrypt (or delete) every file on every reachable filesystem -- and guaranteed to work fine on any system (any OS or processor type) as long as there is a JRE for it.

    13. Re: Like linux users needed by GodelEscherBlecch · · Score: 1
      In 10 years of developing combined J2EE/C++ systems on Windows and deploying them to Linux, I have seen precisely these differences running the same Java code in different operating systems:

      1) FS calls tend to be faster in Linux

      2) FS paths are different if you are too stupid to use the abstraction API properly

      3) One time a math function returned a different value. Turned out it was in the Wolfram .so file, which they patched.

      I know the hate bandwagon is a tempting position when you're not too bright, but you really should try to think about what you say before you embarrass yourself.

    14. Re: Like linux users needed by delt0r · · Score: 1

      As long as you don't do *anything* it is portable. Use a tcp socket, open a window, Use threads... and BANG, no longer portable.

      --
      If information wants to be free, why does my internet connection cost so much?
  18. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    You forgot to mention that a lot of people also use Java applications.

  19. New slogan by antifoidulus · · Score: 1

    Write once, pwn everywhere!

  20. First? My ass... by evilviper · · Score: 5, Informative
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:First? My ass... by gatkinso · · Score: 1

      You'd think the OP never played Minecraft.

      --
      I am very small, utmostly microscopic.
    2. Re:First? My ass... by Anonymous Coward · · Score: 0

      I love in that other Slashdot article where hairyfeet says some ridiculous crap about how Android popularity will lead to Linux vulnerabilities.

      As for TFA, count the days Linux guys, count the days. you already have the malware kit for OSX, and all those Android phones means malware writers finally have a reason to start snooping around. All those noobs you got on Ubuntu sure would be a nice little addition to their botnets wouldn't they? Count the days Linux guys, count the days until your DOOM!

      Whenever one needs something outrageously stupid said about Linux, one can always count on hairyfeet.

  21. Brazilian Coders by Anonymous Coward · · Score: 0

    That's a lot of coders. Gonna be a hard project to manage.

  22. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    Yeah, I've never installed jre.... until I started android dev roflmo. Shame on google for choosing this shit.

  23. Re:Does anyone actually install a JRE any more? by hairyfeet · · Score: 1

    Uhhh...last I checked everyone that has Minecraft has Java, that is a LOT of Java installs.

    That is why I hate the git that made Minecraft, after years of watching Java die on the desktop here comes this twirp that makes an insanely popular game in java and BAM! Piles of shitty Java installs cropping up everywhere.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  24. Re:Does anyone actually install a JRE any more? by beakerMeep · · Score: 2

    The idea here is to use some other exploit to gain access and drop the .jar file onto the system, then run it as a regular local application.

    If malware gains local application code execution, then the target user is pretty much farked anyways -- the language used is irrelevant.

    --
    meep
  25. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    I only run Minecraft from the launcher, so I can still at least leave the browser plug-in disabled.

  26. Re:Does anyone actually install a JRE any more? by drinkypoo · · Score: 0

    That is why I hate the git that made Minecraft, after years of watching Java die on the desktop here comes this twirp that makes an insanely popular game in java and BAM! Piles of shitty Java installs cropping up everywhere.

    How about just how fucking incompetent a game programmer he is? There are at least three clones of minecraft which are more technically competent. They don't punch your computer in the nuts half as hard. It's a good thing he got rich on minecraft because he sure didn't have a second chance

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  27. Smells like a difamatory campain to me... by fbobraga · · Score: 1

    I'm a Brazillian that works with IT, and it's the first time that I'm hearing something about it: it seems to me like a pretty bad-made SCAM :/ * I may be wrong, but I doubt it :P

    1. Re:Smells like a difamatory campain to me... by Anonymous Coward · · Score: 0

      I'm a Brazillian

      Huehuehue...

    2. Re:Smells like a difamatory campain to me... by Anonymous Coward · · Score: 0

      shit happens all the time :P

      * I really like here ^^

      delayed post as AC explained:

      Call It A Night, Cowboy!
      Slashdot only allows a user with your karma to post 25 times per day (more or less, depending on moderation). You've already shared your thoughts with us that many times. Take a breather, and come back and see us in 24 hours or so. If you think this is unfair, please email posting@slashdot.org with your username "fbobraga". Let us know how many comments you think you've posted in the last 24 hours.

    3. Re:Smells like a difamatory campain to me... by KGIII · · Score: 1

      En Inglés es "defamatory" y "campaign." Mí Español es malo, es muy mierda.

      --
      "So long and thanks for all the fish."
    4. Re:Smells like a difamatory campain to me... by Anonymous Coward · · Score: 0

      sorry - it's "FUD" that I was thinking about ^^

      * post as AC explained:

      Call It A Night, Cowboy!
      Slashdot only allows a user with your karma to post 25 times per day (more or less, depending on moderation). You've already shared your thoughts with us that many times. Take a breather, and come back and see us in 24 hours or so. If you think this is unfair, please email posting@slashdot.org with your username "fbobraga". Let us know how many comments you think you've posted in the last 24 hours.

    5. Re:Smells like a difamatory campain to me... by Anonymous Coward · · Score: 0

      En Inglés es "defamatory" y "campaign." Mí Español es malo, es muy mierda.

      You would be surprised to know that people in Brazil speak a strange romance language called Portuguese. Nadie habla Castillano.

    6. Re:Smells like a difamatory campain to me... by Anonymous Coward · · Score: 0

      Brazil speaks Portuguese you insensitive clod!

    7. Re:Smells like a difamatory campain to me... by KGIII · · Score: 1

      Ah. No habla portugués! ;-)

      --
      "So long and thanks for all the fish."
    8. Re:Smells like a difamatory campain to me... by Anonymous Coward · · Score: 0

      Well, I live in Brazil and I have seen dozens of emails already that contain jar file packaged malware, specifically targeting Brazilians

    9. Re: Smells like a difamatory campain to me... by fbobraga · · Score: 1

      I doubt it, sr. Anonymous Coward * You must know that Brazilian Constitution explicitly forbids anonymity, huh?

  28. Its not even a real country anyway by Anonymous Coward · · Score: 0

    Who cares.

    1. Re:Its not even a real country anyway by Anonymous Coward · · Score: 0

      Who cares.

      Denialism, envy. We are facing troubles right now, but we are poised to take over the world anytime in the second half of the century. Your denial makes our job easier. Forget about China. The overlord's name is Brazil.

  29. Qubes and virtualisation by John+Allsup · · Score: 1

    This is why OS architectures like Qubes are important. This is why Linux systems (and everything else) should work more like that. It is also why the principle of least authority needs to make its way out of textbooks and into real life. Malware like this can work because it is given permission to work. There is no reason things need to be that way, except for laziness of programmers.

    --
    John_Chalisque
    1. Re:Qubes and virtualisation by tobiasly · · Score: 2

      This is why OS architectures like Qubes are important. This is why Linux systems (and everything else) should work more like that. It is also why the principle of least authority needs to make its way out of textbooks and into real life.

      When something that sounds great in a textbook never makes it to real life, there's usually a pretty good reason.

  30. Re:Does anyone actually install a JRE any more? by Flavianoep · · Score: 1

    Brazilians rely on JRE to process their income tax.

    --
    Linux is for people who don't mind RTFM.
  31. Re:Does anyone actually install a JRE any more? by Flavianoep · · Score: 1

    I wish our crackers were more patriotic. Last week, we learned about some malware that fails to work in computers located in Russia; why can't our malware coders create pieces of malware that *fail* when they find a JRE?

    --
    Linux is for people who don't mind RTFM.
  32. Odd editorial tone. by sabbede · · Score: 1

    It's written like a piece on an OSS project. When I got to the end, I was thinking, "Why are these researchers making malware?" Had to go back and re-read the first two words.

  33. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    Almost all internet banking systems in Brazil require the JRE to be installed. That's why it is so effective,

  34. Hardly the first jar based malware by gatkinso · · Score: 1

    Download some Minecraft mods, take a peek inside.

    All the more insidious because generally it is children installing said mods.

    --
    I am very small, utmostly microscopic.
    1. Re:Hardly the first jar based malware by cstdenis · · Score: 1

      What mods are you referring to? The mod community seems to be pretty safe overall from what I've seen.

      --
      1984 was not supposed to be an instruction manual.
  35. Code once, debug everywhere by Anonymous Coward · · Score: 0

    Well, at least it is an upgrade from MS Word macros.

  36. Re:Does anyone actually install a JRE any more? by randomErr · · Score: 1

    I need it to play Minecraft. So yes, yes I do.

    --
    You say things that offend me and I can deal with it. Can you?
  37. Modded minecraft malware? by Anonymous Coward · · Score: 0

    So here we go,

    mods for minecraft are jar files, I suppose these "hackers" will target the plethora of kids that install mods without checking if they come from proper source.

  38. Re:Does anyone actually install a JRE any more? by AchilleTalon · · Score: 1

    Almost every smart phone does. The browser thing is just irrelevant, you obviously do not understand anything about this ecosystem.

    --
    Achille Talon
    Hop!
  39. Macs? Really? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    Don't mind the little fact that Macs don't even come with Java pre-installed anymore.

    1. Re:Macs? Really? by Anonymous Coward · · Score: 1

      Don't mind the little fact that Macs don't even come with Java pre-installed anymore.

      Last time I checked neither do most other popular desktop operating systems. What's your point?

    2. Re:Macs? Really? by Anonymous Coward · · Score: 0

      I guess nobody except Minecraft players still uses Java on their computers.

  40. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    and for about half of them the devil feels he got the short end of the stick.

    Correction, now they do contracting work for Him.

  41. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    I have to have Java at home for Arduino programming unfortunately. Otherwise it would not be on my machine. The plug in for the browser is, of course, disabled.. At work most people need it - it is amazing how many enterprise apps from vendors (and from banks like CitiBank) require it and require the browser plugin.

  42. Maybe, but by Anonymous Coward · · Score: 0

    ...anything would smell bad to a person living near Guanabara Bay.

    1. Re:Maybe, but by fbobraga · · Score: 1

      Full of shit! * but the drinking water, for the Olympics in Rio, is very well drinkable (the Guanabara Bay is not a source of drinking water :P) * I live in Rio Claro / SP (not really very near of Guanabara Bay, though...)

    2. Re:Maybe, but by Anonymous Coward · · Score: 0

      ...anything would smell bad to a person living near Guanabara Bay.

      As it is in Porter Ranch, California.

      People in Rio drink pure water from the mountains around. Go educate yourself.

      Captcha: discover

  43. Re:Does anyone actually install a JRE any more? by LiENUS · · Score: 1

    Almost every smart phone does.

    Almost every smart phone, except for Android and iPhone where the JRE isn't available at all...

  44. Not every container needs a JRE by Anonymous Coward · · Score: 0

    jar files will work in some places, but plenty of things' containers don't use anything written in Java, so they don't have Java installed.

    The container that runs the web browser and email client would be a good example of one that doesn't need Java. Maybe this malware would be compatible with the OpenHAB container, though. Good luck, guys!

  45. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    Do you also chmod 666 your every source file?

  46. These people have never worked in web hosting by mr_mischief · · Score: 1

    There are plenty of malware packages in PHP, Perl, Python, and Ruby that will search for vulnerable web apps, infiltrate a hosting account, then set up web-accessible shells written in the same languages and continue on to find more vulnerable apps and accounts.

  47. HI by Anonymous Coward · · Score: 0

    This is false
    it is a lie . WHY have about 2500 cross os malware......and some as old as 1999, in fact enjoy all the zombies and bots people....waves, they were made cross OS via hard work......

    all your stupid is belong to publishers

  48. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    JRE =! JVM. They still have JVMs (android even moved BACK to oracles and ditched Dalvik), properly crafted jars would still run.

  49. Re:Does anyone actually install a JRE any more? by dougmc · · Score: 1

    Does anyone actually install a JRE any more?

    Yeah, I didn't think it was very many.

    Yes, lots of people install JREs.

    The browser plugin isn't used much anymore, but there's lots of applications that use Java on a desktop (and lots, lots more that use it on servers, but I'll leave them alone for now.)

    Some ones that come to mind are Minecraft, Eclipse (and a bunch of other programming IDEs and tools), Roboforge, OpenOffice, Vuze, Runescape, FreeCol, JOSM, Genj ...

  50. The often overlooked XZ file fingerprint by Anonymous Coward · · Score: 0

    There existed for a while a packed program that appeared as a DMG and EXE using Alternate Data Streams. On execution it would use assembly to determine the OS it ran on and jump to the affected payload (INTEL ONLY, not RISC/PowerPC). On Mac it would prompt with OpenGL commands; in Windows, Visual Basic or the like did the same "please put in password" attempts. This virus, which I played with personally, was later blocked as Unknown packager in most AVs, and never really shined... But Windows and Mac cross-platform is still one of the most interesting viruses I have seen. Inspection of the executable showed the packing application was based on an Android/iPhone SDK platform - heavily tweaked and made to produce the "XZ" file. I saw this in 2012... and it did run on both (Mac/Windows) and appeared as different file names on each platform.

  51. Re:Does anyone actually install a JRE any more? by JustAnotherOldGuy · · Score: 1

    Hell, I haven't had Java installed in years, maybe a decade.

    It was of limited use and screwed up other stuff, and it made my PC slow to a crawl.

    --
    Just cruising through this digital world at 33 1/3 rpm...

  52. Re:Does anyone actually install a JRE any more? by LiENUS · · Score: 1

    They still have JVMs

    No they don't. All of the "JVM" stuff for iOS runs on the development machine and does static translation to native code.

    (Android even moved BACK to Oracle's and ditched Dalvik)

    No they didn't. They ditched the Harmony project and started using the OpenJDK libraries.
    The VM itself is still Dalvik, only instead of going right from Dalvik opcodes to native code, it goes Dalvik->LLVM->native code.
    Android does not and has never supported Java bytecode. You must recompile Java bytecode to Dalvik bytecode on your development machine ahead of time. Just like if you want to use Java with iOS. This means a jar file containing Java bytecode will not and cannot run on iPhones or Android phones.

  53. JAR? For Android? Really? Which Browser by Cafe+Alpha · · Score: 1

    automatically converts and runs JRE files in Android?
    I don't believe it.

  54. Re:Does anyone actually install a JRE any more? by KGIII · · Score: 1

    You're kidding, right?

    --
    "So long and thanks for all the fish."

  55. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    It's much more efficient to write the malware to be cross-platform and write droppers for different systems than to write and maintain several versions of the same malware for different systems. Use your fucking head.

  56. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    It's quite easy to write a batch file that starts with a shell shebang and a goto... No runtime, it works out of the box for most systems. The big problem with this approach is that you write the payload in two languages. Hence the jar, which is a zip file, and can be shar-ed and uncompressed by either launcher.

    All you need is java, really.
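
Added example, not part of any comment in this thread: a defender-side triage sketch for two points made in comments 52 and 56 above, that a JAR is a ZIP which can carry launcher bytes in front of it, and that Java bytecode and Dalvik bytecode are different formats. It classifies an archive by magic bytes rather than file names; the function names, the `demo.Main` class name and both sample archives are constructed for illustration.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first bytes of a Java class file
DEX_MAGIC = b"dex\n"               # first bytes of a Dalvik executable


def triage_archive(data: bytes) -> dict:
    """Report what executable content a JAR/ZIP carries, judged by magic bytes."""
    report = {"stub_bytes": 0, "main_class": None, "java_classes": 0,
              "dex_files": 0, "runnable_by": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        if entries:
            # ZIP readers locate the archive from its end, so anything in
            # front of the first entry is a prepended launcher or stub.
            report["stub_bytes"] = min(i.header_offset for i in entries)
        for info in entries:
            with zf.open(info) as fh:
                magic = fh.read(4)
            if magic == CLASS_MAGIC:
                report["java_classes"] += 1
            elif magic == DEX_MAGIC:
                report["dex_files"] += 1
            if info.filename == "META-INF/MANIFEST.MF":
                for line in zf.read(info).decode("utf-8", "replace").splitlines():
                    if line.lower().startswith("main-class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
    if report["java_classes"] and report["main_class"]:
        report["runnable_by"].append("desktop JVM")
    if report["dex_files"]:
        report["runnable_by"].append("Android runtime")
    return report


def build_sample(entries: dict, stub: bytes = b"") -> bytes:
    """Constructed sample: an in-memory archive with optional prepended bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return stub + buf.getvalue()


# Constructed inputs: the "class" and "dex" bodies are magic bytes plus padding.
STUB = b"#!/bin/sh\n# constructed placeholder launcher\n"
JAR = build_sample({"META-INF/MANIFEST.MF": "Main-Class: demo.Main\r\n",
                    "demo/Main.class": CLASS_MAGIC + b"\x00" * 8}, STUB)
APK_LIKE = build_sample({"classes.dex": DEX_MAGIC + b"035\x00"})
```

A non-zero `stub_bytes` on a file named `.jar` is worth a closer look in mail or download scanning, and a JAR that holds only class files reports no Android runtime, matching comment 52.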

  57. Re:Does anyone actually install a JRE any more? by delt0r · · Score: 1

    Yea he is so incompetent to get the idea to execution first and a billion on the way. You're just jealous

    --
    If information wants to be free, why does my internet connection cost so much?

  58. If we assume they are written in Java... by theendlessnow · · Score: 1

    If we assume they are written in Java... then certainly we can do some profiling... just look for people with less hair.

  59. Re:Does anyone actually install a JRE any more? by drinkypoo · · Score: 1

    Yea he is so incompetent to get the idea to execution first and a billion on the way. You're just jealous

    He wasn't the first to get the idea into a game, though. He was the first to make it popular. Sadly, popular and good are orthogonal axes on the chart.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  60. Re:Does anyone actually install a JRE any more? by Todd+Knarr · · Score: 1

    Or in Ruby, or Python, or any number of other languages. Java's just another entry in the list here. Frankly I'd've expected the first cross-platform malware to be in Perl, and to have shown up at least 10 years ago. I'm not sure AV tools would even recognize a Perl program as malware...

  61. Time to uninstall Java, no more Minecraft by Anonymous Coward · · Score: 0

    All the more reason to quit using Java. The only thing that even uses it is Minecraft, and THAT game runs like molasses compared to the Mobile/Console versions which aren't Java.

  62. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    If you write malware in C and compile in the CRT (C Runtime) then it doesn't need anything on the host OS to run as long as the host OS knows how to run it. So DOS/Win16, Win32, and Win64 all require separate binaries, but on the Mac "Fat binaries" can run on 64-bit, 32-bit, or PPC versions of OS X. Linux can technically run binaries meant for Mac, FreeBSD, or Windows so if the malware is designed to run on the common aspects of all the OS's (e.g. only uses raw sockets, no file I/O) it can technically run on anything.

    But that's an oversimplification. The reality is that you're more likely to get malware on Android/Linux than you are on Mac OS X, and you only get malware on Windows if you're not paying attention. This is the difference between Linux/OSX/BSD users and Windows users. The Unix-like OS's make a lot of assumptions and give little or no warning about what is running in the background and what is launching it, and effectively you have to run things as root in order to do a lot of maintenance activities. Windows users on the other hand just get a "Do you want to run this dangerous thing?" and click OK anyway, because they have no other option because they aren't provided with a reason why they might not want to. For example downloading a codec pack from sharky007 triggers this "this software is dangerous" warning and even Chrome won't allow it to be downloaded. Does it contain malware? I sure hope not. But then again the same software codecs are often used to engage in piracy, so I wouldn't put it past users to ignore the warnings if they are into the piracy business. I only installed it to try and get an old game with a stupid Indeo 5 codec to work, and it still didn't work. Turns out I can just play the video files from the game directly in VLC.

    This is what I mean though. The Indeo codec was disabled for security reasons, but because I want to play some damn game produced 18 years ago when Windows 98 was the OS everyone used and was totally Swiss cheese for security, I can no longer play that part of the game without re-introducing the same security hole.

    If you want to see a way to blow a hole in all operating systems' security models, ffmpeg (libav) is available on every operating system, and finding an exploitable bug in a video advertisement (usually 300x250) in all web browsers that use libav is probably the path of least resistance.

  63. Cross-Platform/OS Malware by Anonymous Coward · · Score: 0

    Isn't that sweet of them? I bet they like to boil babies for a hobby.

  64. Re:Does anyone actually install a JRE any more? by hairyfeet · · Score: 1

    Are you REALLY this fucking dumb or are you just such a giant fangirl that the thought of anybody pointing out that "ur fav game its bestest evar!" had a very poorly thought out backend made you rush to post without engaging your tiny brain? That is if it does exist.

    I don't give a rat's ass if he made a good game or not, what I DO give a fuck about is he used the most dangerous runtime in existence to make the fucking thing, for fuck's sake he may as well have used ActiveX for the level of risk he put his customers in. In this day and age when there are literally dozens of game engines to choose from, that makes his brain dead fucking choice all the more egregious and the only nice thing I can say about it is since MSFT bought it I'm sure it'll end up porting off Java which will be a truly wonderful day for everyone...well except for you who are apparently too dumb to understand anything complex like PC security or risk factors. Sorry I don't have time to break out MS Paint and draw you some pictures to explain in a way you can understand but I have grown up things to do kid.

    --
    ACs don't waste your time replying, your posts are never seen by me.

  65. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 0

    What the fuck are you talking about? The most dangerous run time environment? What the fuck are you talking about? Because someone finally, after fucking years, wrote a trojan in Java? What about every buffer overflow, every other piece of malware ever written in the last 30 years! Yea because writing in C++ will be SOO much more secure? You are possibly the most technologically ignorant person on /.!