
Java Web Attack Installs Malware In RAM

Soulskill posted more than 2 years ago | from the movin'-on-up dept.

Java 98

snydeq writes "A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to Kaspersky Lab. 'What's interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer's memory. ... It's ideal to stop the infection in its early stages, because once this type of "fileless" malware gets loaded into memory and attaches itself to a trusted process, it's much harder to detect by antivirus programs.'"


Persistence? (1, Redundant)

JDG1980 (2438906) | more than 2 years ago | (#39406709)

If this malware resides exclusively in RAM without any footprint on the HDD or BIOS, then how does it survive a cold boot?

Re:Persistence? (2, Funny)

Jeremiah Cornelius (137) | more than 2 years ago | (#39406725)

A: "Volume!"

Re:Persistence? (0)

Anonymous Coward | more than 2 years ago | (#39406833)

This is not new. The Core Impact pen test tool does this by default. Of course for Core, it's to reassure the client that all "malware" has been (or is easily) removed.

Re:Persistence? (3, Informative)

Anonymous Coward | more than 2 years ago | (#39406735)

"This type of malware is rare, because it dies when the system is rebooted and the memory is cleared.

However, this wasn't a problem for the cybercriminals behind this particular attack, because of the very high probability that most victims would revisit the infected news websites, Golovanov said."

From the linked article.

Re:Persistence? (3, Interesting)

Barbara, not Barbie (721478) | more than 2 years ago | (#39406999)

You can install programs in your keyboard that will survive a reboot. An old trick was to stuff the loader in the keyboard, then read out a page of video ram that had the actual code (notice how your video ram survives a warm reboot?). Cold booting is a bit harder, but not impossible.

In Soviet Russia, Java runs YOU!

Re:Persistence? (0)

Anonymous Coward | more than 2 years ago | (#39408671)

If malware has ring 0 access to hardware, there are a lot of places it can go live in. Keyboards can be one. Video cards are another. Heck, even HDD BIOS can be a third, and can be used for ransomware.

Re:Persistence? (2, Funny)

Anonymous Coward | more than 2 years ago | (#39406737)

Oh noe! Programs have invaded my RAM!

I'm doomed! Time to call geek squad and have them reformat Windows!

Re:Persistence? (2, Funny)

Anonymous Coward | more than 2 years ago | (#39407469)

> Oh noe! Programs have invaded my RAM!
>
> I'm doomed! Time to call geek squad and have them reformat Windows!

Have them install Linux. It's so awesome and secure it doesn't need RAM.

Re:Persistence? (2)

mcavic (2007672) | more than 2 years ago | (#39407845)

> It's so awesome and secure it doesn't need RAM.

O rly? I agree, it needs very little. I have a Debian appliance with 32 megs of RAM, and a Unix server with 128 megs.

Re:Persistence? (0)

Anonymous Coward | more than 2 years ago | (#39407589)

I almost never give any mod points to AC, but my man you have earned it even being a coward.

It doesn't (5, Informative)

improfane (855034) | more than 2 years ago | (#39406757)

It doesn't have to. It contacts the C&C server where someone presumably decides whether to install further bots or more resident exploits.

The exploit seems to be more about stealth distribution and about dropping other malware. This makes sense because if a dropper is detected as malicious, it becomes useless due to its detection. (You can safely assume anything using a dropper is malicious)

This means that antivirus software should in theory only be able to detect the actual dropped malware. Any new malware could have had a field day with this exploit because both the dropper and malware would not have been detected.

From my understanding of the article it actually dropped the Lurk trojan but I get the feeling it could drop anything the C&C wants it to.

C&C server? (0)

Anonymous Coward | more than 2 years ago | (#39407185)

Is this a virus, or a new Command & Conquer game we're talking about?

Re:C&C server? (1)

Em Adespoton (792954) | more than 2 years ago | (#39408187)

This is not a virus, but it does use a command and control server.

Re:Persistence? (0)

Anonymous Coward | more than 2 years ago | (#39406767)

Maybe that's not necessary given many people leave their computers on.
It's like a scalable cluster: need more nodes, infect more machines; nefarious activities done, send a remote reboot.

Re:Persistence? (1)

willaien (2494962) | more than 2 years ago | (#39406857)

Wouldn't necessarily need to, if it's an infostealer type malware. It's already gotten what it needs to, doesn't matter if it gets rebooted - your passwords belong to the guy on the other end already.

Re:Persistence? (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#39407023)

> If this malware resides exclusively in RAM without any footprint on the HDD or BIOS, then how does it survive a cold boot?

I didn't RTFA, so feel free to heckle me at whim:

1. How often do cold reboots really happen these days?

2. If Slashdot, for example, was a site that used this exploit, well there ya go.

Re:Persistence? (0)

Anonymous Coward | more than 2 years ago | (#39407355)

Oh no, a virus designed specifically for /. uptime-whores. We are doomed indeed!

Re:Persistence? (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#39407389)

Yeah, I wonder what they'd call the effect of having lots of Slashdotters preventing other sites from working.

Re:Persistence? (1)

tehcyder (746570) | more than 2 years ago | (#39412055)

> 1. How often do cold reboots really happen these days?

Every night for most home users. It's mainly geeks who leave their computers on 24/7 you know.

Re:Persistence? (1)

cyberchondriac (456626) | more than 2 years ago | (#39413227)

I'd have to disagree, from what I've seen. Neighbors, family, friends, and most end users at work typically are scared to death of the OS, and the less they have to do to it (such as rebooting), from their perspective, the better. Half the issues they bug me with could be solved by a reboot, but it doesn't occur to them, or they're wary of doing it.

Re:Persistence? (1)

MobileTatsu-NJG (946591) | more than 2 years ago | (#39414121)

Do you have a statistic on that? My own experience paints a different picture.

Re:Persistence? (1)

knorthern knight (513660) | more than 2 years ago | (#39424665)

> Every night for most home users. It's mainly geeks
> who leave their computers on 24/7 you know.

I probably qualify as a geek, but... here in Ontario, Canada, condo buildings have separate electric meters for each suite. So I have a financial incentive to hibernate my linux machine when not in use.

And I haven't had Java on my linux machine for years. One less attack vector. Nothing is "unbreakeable" (I'm looking at you, Oracle), but not running Java sure helps. Ditto for replacing Acrobat with epdfview. Unfortunately, I can't get rid of Flash yet. NHL GameCenter Live won't display without it.

Re:Persistence? (1)

g0bshiTe (596213) | more than 2 years ago | (#39407205)

It hooks into a process, say winlogon.exe; when a shutdown event passes through, it writes itself to disk before the computer is shut down and adds what it needs to the registry to start back up and remove itself, save the memory-resident portion. On startup it gets re-executed and put back into memory.

Why this is news is a wonder, other than it being Java. We've seen it before, think SmitFraud.

Re:Persistence? (1)

Tyr07 (2300912) | more than 2 years ago | (#39412687)

So much for virus removal services. It's going to really hurt business when people can just shut down their computers for a few hours and it clears it up.....

Ctrl-Alt-Del (-1, Troll)

stevegee58 (1179505) | more than 2 years ago | (#39406729)

That's how you solve all problems in Winders, right?

Re:Ctrl-Alt-Del (1)

Hentes (2461350) | more than 2 years ago | (#39406815)

In this case it's more general, you have to press the reset button which is the most frequent solution to any computer problem on any platform.

Re:Ctrl-Alt-Del (5, Informative)

gstoddart (321705) | more than 2 years ago | (#39406913)

> In this case it's more general, you have to press the reset button which is the most frequent solution to any computer problem on any platform.

Oh, if only that weren't true.

My wife does enterprise storage, used to do backups ... occasionally a server gets out of whack, and has all sorts of problems. Eventually she or someone on her team ends up saying "can we just reboot it?". This is usually after several days of troubleshooting and huge amounts of time spent.

It fixes a vast number of issues in which nobody can identify what's going wrong. Though it makes any proper form of root-cause analysis impossible. I've heard this referred to as "The Microsoft Patch".

I also know some old-school UNIX admins and mainframe guys who cringe at the notion that a reboot can be a viable way of troubleshooting/making the problem go away. Because they don't reboot unless God himself has filled out all of the right paperwork, and only then if he's got a really good reason and there are no alternatives.

Re:Ctrl-Alt-Del (2)

rrohbeck (944847) | more than 2 years ago | (#39406987)

That makes a whole lot of sense. If your system isn't opaque like Windows, you can dig down to the root cause of a problem and ascertain that it will actually be gone after a reboot or whatever fix is needed. Otherwise chances are that it'll come back.
That's what I do on my own Linux boxes too. As soon as I find the time I want to switch from Debian to Gentoo to have even more of that capability.

Re:Ctrl-Alt-Del (-1)

Anonymous Coward | more than 2 years ago | (#39407219)

"Old school UNIX and mainframes" are just as opaque as Windows, noob.

Re:Ctrl-Alt-Del (1)

rrohbeck (944847) | more than 2 years ago | (#39408223)

Linux users have [access to] the sources of all or at least most of what they're running. Old school UNIX users used to as well, until IBM, HP & co made their Unixes proprietary.

Re:Ctrl-Alt-Del (1)

Swave An deBwoner (907414) | more than 2 years ago | (#39410139)

Old school VM and MVS system programmers also had the source (in 370 assembler) available and they indeed used it.

Re:Ctrl-Alt-Del (2)

icebraining (1313345) | more than 2 years ago | (#39407481)

How does Gentoo provide more of that capability than Debian? Even if you need to change the source, it's not like running an "apt-get source" and then a "dpkg-buildpackage" is a difficult process.

(This isn't a dig on Gentoo, which is obviously a great distro)

Re:Ctrl-Alt-Del (1)

rrohbeck (944847) | more than 2 years ago | (#39408241)

I agree but Gentoo kind of forces me to use the source and it seems that some of the system management is simpler and more obvious.

Re:Ctrl-Alt-Del (0)

Anonymous Coward | more than 2 years ago | (#39409671)

Indeed, Gentoo taught me more about Linux configuration management than any of the 3 distros I had used before it. It's probably the only distro apart from Slackware that you could rebuild after running rm -r /usr/lib without treating it as a full reinstall and update.

Re:Ctrl-Alt-Del (1)

Minwee (522556) | more than 2 years ago | (#39407397)

> I also know some old-school UNIX admins and mainframe guys who cringe at the notion that a reboot can be a viable way of troubleshooting/making the problem go away.

One way you can find out what the problem is and prevent it from happening again. The other way you just pour gasoline on it, throw a couple matches in and hope that whatever caused the problem isn't fireproof.

Doing the magic dance, pressing the red button and hoping that everything gets better on its own isn't that different from Cargo Cult science or faith-based economic policy. It shouldn't be that hard to see why people who are supposed to know better don't like it.

Re:Ctrl-Alt-Del (1)

gstoddart (321705) | more than 2 years ago | (#39407539)

Oh, I know why people don't like it, and certainly people don't like taking production outages for a mystery reboot.

But if you have spent a week on the phone with the vendor, involved several teams to trouble shoot, spent countless hours trying to identify the problem, and gotten nowhere ... If the reboot fixes the problem and it never comes back (which I have seen), then sometimes you have no better options.

The vendor just asks for logs. Nothing anywhere ever actually shows the source. And all you do is lose a lot of time to it.

I absolutely hate it, but there have been times when everyone just throws up their hands and says "bugger it, try rebooting".

Re:Ctrl-Alt-Del (1)

TheLink (130905) | more than 2 years ago | (#39412519)

> But if you have spent a week on the phone with the vendor, involved several teams to trouble shoot, spent countless hours trying to identify the problem, and gotten nowhere ..

Yeah we had to reboot cisco core switches before. Initially we thought it was a firewall problem (was an active-active firewall cluster - which usually means it's more likely to be the culprit ;) ). But after spending a few nights in a freezing datacenter trying to figure out why it wasn't working, the decision was to reboot both the clustered switches (which took _everything_ down) and stuff started working again.

We were the support vendor for the firewall but not the switches. So we had to make sure it was not our problem and wait for the relevant parties to do it.

Linux, Solaris, Windows, Cisco. Sometimes you just have to reboot. Just make sure your cisco configs (running and saved) are backed up first though ;).

Re:Ctrl-Alt-Del (1)

Zaelath (2588189) | more than 2 years ago | (#39408199)

It's not old-school to avoid rebooting unix machines that have a fault but are still accessible, particularly remotely.

I've seen a number of instances, from people trying to email files that were bigger than the total RAM on the machine, to secondary drives that were dying, all of which would cause the machine to fail to come back up but could be corrected while it was still on and save hours of work and possibly a trip to the site.

Rebooting a windows server though, yeah, that's stage 1 troubleshooting....

Re:Ctrl-Alt-Del (1)

quintus_horatius (1119995) | more than 2 years ago | (#39412631)

> I also know some old-school UNIX admins and mainframe guys who cringe at the notion that a reboot can be a viable way of troubleshooting/making the problem go away. Because they don't reboot unless God himself has filled out all of the right paperwork, and only then if he's got a really good reason and there are no alternatives.

I've seen issues where rebooting a Linux machine actually causes more problems than it solves.

As long as the kernel is still running nearly every other software issue on a Unix/Linux system can be fixed. And a few firmware/hardware issues, too.

Re:Ctrl-Alt-Del (0)

Anonymous Coward | more than 2 years ago | (#39420809)

This happens at Yahoo! sometimes.

Re:Ctrl-Alt-Del (1)

sexconker (1179573) | more than 2 years ago | (#39406839)

> That's how you solve all problems in Winders, right?

CTRL+SHIFT+ESCAPE is infinitely superior.

Re:Ctrl-Alt-Del (1)

Rasperin (1034758) | more than 2 years ago | (#39407193)

Forget your ctrl+shift+esc and go for the real killer, windows+r+format C:+enter

Re:Ctrl-Alt-Del (1, Funny)

Anonymous Coward | more than 2 years ago | (#39407223)

Where's the format button?

Re:Ctrl-Alt-Del (1)

cpu6502 (1960974) | more than 2 years ago | (#39407523)

CTRL+AmigaLeft+AmigaRight is more superior.
(Unless you get a Guru Meditation error.)

Sandboxing (1)

ktappe (747125) | more than 2 years ago | (#39406809)

FTA: "In some cases, the instructions given out by attackers were to install an online banking Trojan horse on the compromised computers."

But how would it do that? Isn't Java sandboxed? Or is it only sandboxed on more recent operating systems (Win7 & OS X 10.7)?

Re:Sandboxing (1)

characterZer0 (138196) | more than 2 years ago | (#39406829)

It is sandboxed. If there was a DLL loaded there is a flaw in the sandbox, somebody got this code signed by a trusted certificate, or the user clicked "Run".

Re:Sandboxing (2)

rrohbeck (944847) | more than 2 years ago | (#39407011)

It is sandboxed as long as there is no bug to be exploited. And since there is no bug free software more complex than a "Hello, world!" program...

Re:Sandboxing (1)

Rasperin (1034758) | more than 2 years ago | (#39407225)

I see you forgot to free your character array containing "Hello World". Oh wait we're talking about Java, well I see you are running on this ultra complex virtual machine thingy. :D

Re:Sandboxing (-1)

Anonymous Coward | more than 2 years ago | (#39410323)

The elephant in the room is why browsers even allow Java plugins, period. Unlike Adobe Reader and Flash, no one uses Java except as a way to install malware on computers.

Re:Sandboxing (1)

Siridar (85255) | more than 2 years ago | (#39411121)

> Unlike Adobe Reader and Flash, no one uses Java except as a way to install malware on computers.

Not true, Oracle eBusiness Suite's front-end is written in java, and uses the java plugins.

Re:Sandboxing (1)

Rasperin (1034758) | more than 2 years ago | (#39422055)

Java could be good for a front end (esp. post 1.6), but with HTML5 and everything else there really isn't a need for it. Esp. with HTML5; Flash was honestly worse than applets (by far), but they won the public on front-end technology. Every language has its place...

All in memory? (4, Interesting)

medv4380 (1604309) | more than 2 years ago | (#39406837)

After reading a bit on the referenced exploit (CVE-2011-3544), I find it hard to believe that the app was all in memory. The exploit involves an unsigned applet gaining higher privileges. Things may have changed since the last time I checked, but shouldn't the jar file for the applet that copied the DLL into memory be the new file sitting in the browser cache that you're looking for? The DLL could retroactively delete the trace, but at some point the jar is what the anti-virus should be looking for, since it has to be loaded before the DLL can be.

Re:All in memory? (2)

X0563511 (793323) | more than 2 years ago | (#39406933)

Could the jar pull the DLL remotely? If so, the only thing local that could be hunted for could be made to be innocuous, since pulling web resources is hardly an unusual process.

Re:All in memory? (2)

medv4380 (1604309) | more than 2 years ago | (#39407069)

But the Jar is the exploit and that has to be downloaded for the JVM to load it. You won't find the DLL but that's not really the exploit. Any jar that is designed to get out of the sand box without being signed should be locked up by the AntiVirus as a code exploit.

Re:All in memory? (1)

dkf (304284) | more than 2 years ago | (#39407445)

> But the Jar is the exploit and that has to be downloaded for the JVM to load it. You won't find the DLL but that's not really the exploit. Any jar that is designed to get out of the sand box without being signed should be locked up by the AntiVirus as a code exploit.

Doesn't mean that the JAR has to hit disk. Java can load code out of memory just fine, though it has to go via the verifier on its journey from bytes to a loaded class. The problem comes when something messes up and gives code loaded from an untrusted source permission to do too much. Wasting CPU is irritating; turning into part of a botnet is much worse.

Re:All in memory? (1)

medv4380 (1604309) | more than 2 years ago | (#39407823)

Unless the JVM has been changed to stream in jars for applets and for Web Start, I don't see how what you describe works. Applets and Web Start need an initial bit of code to start that is supposed to be downloaded and will reside in either the browser cache for applets or the Web Start cache for JNLP files. From the exploit's description [microsoft.com] that is exactly what happens. It downloads a jar, runs it, gets out of the sandbox through a known exploit, then it downloads the DLL into memory. The jar is the actual dropper they are looking for because it's responsible for putting the DLL into memory in the first place. The jar should trip the AV if it's working properly, which should recognize it as code intended on downloading and executing additional code and trigger a full memory sweep.

See also Web Start: [java.com] The Java Web Start software caches (stores) the entire application locally on your computer.
Applets operate in a similar fashion, and if there is a way to get Web Start or applets to load entirely by being streamed off the net then that's the bug that needs to be fixed. They always have the initial code downloaded. Sure they might do other things after that, but you're suggesting that they can get around that starting code that begins the exploit, and I don't see anything that says that's how it works. Until you break out of the Web Start/Applet sandbox, Java doesn't have a full IO for you to play with.
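The defensive takeaway from this sub-thread is that the cached applet JAR, not the in-memory DLL, is the artifact a responder or AV can actually look for on disk. As an added example that is not part of this thread or of any vendor's product, the Python below triages JAR files found in a cache directory: it recognises ZIP content by its magic bytes (cache entries need not carry a .jar name), reports whether the JAR carries a signature file plus a signature block under META-INF (presence only; it does not cryptographically verify the signature), and flags embedded native libraries, which an applet has no business shipping unless it intends to run outside the sandbox. The sample JARs are constructed in memory; the function and file names are my own.

```python
import io
import os
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a ZIP/JAR
NATIVE_SUFFIXES = (".dll", ".so", ".dylib", ".jnilib")
SIG_BLOCK_SUFFIXES = (".rsa", ".dsa", ".ec")    # JAR signature block files


def build_sample_jar(entries):
    """Construct a JAR (a ZIP archive) in memory from {member name: bytes}.

    Only used here to fabricate sample input; real cache entries are read from disk.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def triage_jar(data):
    """Summarise one JAR's contents for incident triage.

    Returned keys:
      valid_jar   - False if the bytes are not a readable ZIP archive
      signed      - True only if META-INF holds a .SF signature file AND a
                    .RSA/.DSA/.EC signature block (presence, not validity)
      native_libs - archive members that are platform shared libraries
      class_count - number of .class members
      findings    - triage flags in a fixed order
    """
    if not data.startswith(ZIP_MAGIC):
        return {"valid_jar": False, "findings": ["not a ZIP/JAR"]}
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return {"valid_jar": False, "findings": ["corrupt ZIP/JAR"]}

    meta = [n for n in names if n.startswith("META-INF/")]
    sig_files = [n for n in meta if n.lower().endswith(".sf")]
    sig_blocks = [n for n in meta if n.lower().endswith(SIG_BLOCK_SUFFIXES)]
    signed = bool(sig_files) and bool(sig_blocks)
    native_libs = [n for n in names if n.lower().endswith(NATIVE_SUFFIXES)]
    class_count = sum(1 for n in names if n.endswith(".class"))

    findings = []
    if not signed:
        findings.append("unsigned")
    if native_libs:
        findings.append("embeds native library")
    return {
        "valid_jar": True,
        "signed": signed,
        "native_libs": native_libs,
        "class_count": class_count,
        "findings": findings,
    }


def scan_cache_dir(root):
    """Walk a cache directory and triage every file that starts with the ZIP magic.

    Matching by magic rather than extension matters because browser and Web Start
    caches do not necessarily keep the .jar suffix on cached entries.
    """
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if data.startswith(ZIP_MAGIC):
                results[path] = triage_jar(data)
    return results


if __name__ == "__main__":
    # Constructed samples: an unsigned applet that embeds a native library,
    # and a JAR that at least carries signature files.
    unsigned = build_sample_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "Applet.class": b"\xca\xfe\xba\xbe",
        "lib/helper.dll": b"MZ",
    })
    signed = build_sample_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "META-INF/SIGNER.SF": b"Signature-Version: 1.0\n",
        "META-INF/SIGNER.RSA": b"\x30\x82",
        "Applet.class": b"\xca\xfe\xba\xbe",
    })
    for label, jar in (("unsigned", unsigned), ("signed", signed)):
        print(label, triage_jar(jar))
```

Point `scan_cache_dir` at the browser's or Web Start's cache directory to get a per-file summary. "Signed" here means only that signature files are present; whether the signer is trusted is a separate check that the JDK's `jarsigner -verify` performs.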

Re:All in memory? (1)

Rasperin (1034758) | more than 2 years ago | (#39407269)

I assume (without reading the article) that they literally wrote out an object that represented itself as a jar/dll, like fetching a jar off the internet with wget (but instead of writing it to the HDD, they wrote it to memory, which is essentially how live CDs work for OSes). There's no reason why that wouldn't work in Java; it has a full IO structure.

So, to get rid of it... (1)

epp_b (944299) | more than 2 years ago | (#39406897)

...all I need to do is reboot?

Not too terribly novel. (2)

willaien (2494962) | more than 2 years ago | (#39406901)

These are fairly common, actually.

Well, at least in the first steps of the malware - load a payload into memory that disables antivirus. Then you do the filesystem changes after the antivirus can no longer stop you.

Thus why antivirus isn't nearly as important as due diligence in using your computer. This means browsing without all of the fancy addons, generally. Or, at least, if you must have them, keep them up to date.

Then what does a memory scan do? (2)

hawguy (1600213) | more than 2 years ago | (#39406975)

Every antivirus product I've used claims to scan memory for viruses (usually as the first step of a full scan). If it's not looking for these RAM based viruses, then what is it looking for?

Re:Then what does a memory scan do? (3, Interesting)

Baloroth (2370816) | more than 2 years ago | (#39407105)

AV software can scan memory in order to find active malware, yes, but it cannot do so constantly. For example, in order to make sure that your browser isn't getting owned, or that malware isn't otherwise being attached to an active process, it would have to scan every change to memory, which would be prohibitive in terms of processing overhead. Instead, they generally scan whenever files are written to the hard drive. Since any permanent virus needs to do that at some point (and most malware works by downloading a file then executing that), that will usually catch and stop most malware at the very beginning. And since writing is comparatively slow (next to RAM), the overhead is minimal.

What this seems to do is run exclusively in RAM, which can be caught by AV doing a RAM sweep, but not by most resident AV systems which don't do regular RAM sweeps (again, because of the performance impact that would cause). It will either have to download a permanent program to the hard drive later (ideally, after getting "trusted" status to bypass AV software) or simply steal info while resident. Either way, most AV software will have trouble detecting it. I think if the malware gets written to swap, the AV will detect it then, but I could be wrong.
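Baloroth's distinction between hooking file writes and sweeping RAM is why threat hunters add an explicit memory sweep on top of on-access scanning. As an added illustration that is not part of this thread or of any AV product, the Python below implements the cheapest form of such a sweep on Linux: it parses /proc/<pid>/maps and flags executable regions with no file behind them (anonymous, memfd-backed, or deleted-file mappings) and any region that is writable and executable at once, which are the shapes a payload that never touched disk tends to take. The maps listing it runs over is constructed; the function and sample names are mine. On Windows the same idea walks a process's regions with VirtualQueryEx looking for private executable commits, which is not shown here.

```python
import os

# Kernel-provided mappings that are executable but expected in every process.
BENIGN_PSEUDO_PATHS = {"[vdso]", "[vsyscall]"}


def parse_maps(maps_text):
    """Parse /proc/<pid>/maps text into a list of region dicts."""
    regions = []
    for line in maps_text.splitlines():
        if not line.strip():
            continue
        # Fields: address range, perms, offset, dev, inode, optional path.
        parts = line.split(maxsplit=5)
        addr, perms, _offset, _dev, inode = parts[:5]
        path = parts[5].strip() if len(parts) > 5 else ""
        start, end = (int(x, 16) for x in addr.split("-"))
        regions.append({"start": start, "end": end, "perms": perms,
                        "inode": int(inode), "path": path})
    return regions


def classify_region(region):
    """Return the reasons a region looks like in-memory-only code, or [] if none."""
    perms, path = region["perms"], region["path"]
    reasons = []
    if "x" not in perms or path in BENIGN_PSEUDO_PATHS:
        return reasons
    # Executable code with no file behind it: inode 0 and either no path or a
    # bracketed pseudo-path such as [anon:...].
    if region["inode"] == 0 and (path == "" or path.startswith("[")):
        reasons.append("anonymous executable mapping")
    # Executable code backed by a memfd or by a file unlinked after mapping.
    if path.startswith("/memfd:") or path.endswith("(deleted)"):
        reasons.append("executable backed by memfd/deleted file")
    # Writable and executable at once: self-modifying code or a JIT scratch area.
    if "w" in perms:
        reasons.append("writable+executable (rwx)")
    return reasons


def suspicious_regions(maps_text):
    """Return every region in a maps listing that carries at least one flag."""
    flagged = []
    for region in parse_maps(maps_text):
        reasons = classify_region(region)
        if reasons:
            flagged.append({"range": "%x-%x" % (region["start"], region["end"]),
                            "path": region["path"], "reasons": reasons})
    return flagged


def scan_pid(pid):
    """Sweep a live process on Linux; returns [] where /proc/<pid>/maps is absent."""
    maps_path = "/proc/%d/maps" % pid
    if not os.path.exists(maps_path):
        return []
    with open(maps_path) as fh:
        return suspicious_regions(fh.read())


# Constructed listing: a shell-like process carrying two regions that an
# on-write file scanner would never have seen.
SAMPLE_MAPS = """\
00400000-004d7000 r-xp 00000000 08:01 1311 /usr/bin/bash
006d7000-006d8000 r--p 000d7000 08:01 1311 /usr/bin/bash
01a2b000-01a4c000 rw-p 00000000 00:00 0 [heap]
7f0c2e000000-7f0c2e021000 rwxp 00000000 00:00 0
7f0c2e800000-7f0c2e9a1000 r-xp 00000000 08:01 2224 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0c2f000000-7f0c2f010000 r-xp 00000000 00:05 4096 /memfd:loader (deleted)
7ffd1a9e0000-7ffd1aa01000 rw-p 00000000 00:00 0 [stack]
7ffd1ab3c000-7ffd1ab3e000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for hit in suspicious_regions(SAMPLE_MAPS):
        print(hit)
```

Treat the output as a triage signal, not a verdict: JIT compilers, including the HotSpot JVM this story is about and every browser's JavaScript engine, legitimately allocate anonymous rwx regions, so a real sweep allow-lists those processes (or their code-cache ranges) and escalates only what remains. Sweeping periodically, rather than on every memory change, is exactly the cost trade-off Baloroth describes.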

Re:Then what does a memory scan do? (1)

Em Adespoton (792954) | more than 2 years ago | (#39408679)

> I think if the malware gets written to swap, the AV will detect it then, but I could be wrong.

This is the case for most major AV vendors, but depends upon HOW it is written to swap. If it is polymorphic shell code that is stored encrypted in memory, it probably won't trigger a swap scan. If it contains an easy to identify javascript exploit in plain text and is stored at the top of a swap segment or cache file, it will be detected. If you have encryption enabled for your swapfiles and cache files, no AV scanner will detect it.

Re:Then what does a memory scan do? (1)

Em Adespoton (792954) | more than 2 years ago | (#39408689)

ick... reading comprehension out the window. S/javascript/Java

Ugh, keep Java off! (2)

Pope (17780) | more than 2 years ago | (#39407047)

Ever since those fucking banner ads starting using Java exploits to do redirects and run fake malware scans, I've kept Java off except for the incredibly rare occasion.

Re:Ugh, keep Java off! (1)

SplashMyBandit (1543257) | more than 2 years ago | (#39408493)

Lol. Java is not Javascript.

Re:Ugh, keep Java off! (0)

Anonymous Coward | more than 2 years ago | (#39409493)

No but for adware it presents many of the same issues. And fortunately, noscript stops 'em both, along with flash.

Re:Ugh, keep Windows off! (1)

lwriemen (763666) | more than 2 years ago | (#39412117)

Windows is really what the problem is here.

NoScript (0)

Anonymous Coward | more than 2 years ago | (#39407053)

Okay, so it's java-based. Does this mean that blocking scripts on affected pages prevents the drive-by download?

Re:NoScript (1)

subanark (937286) | more than 2 years ago | (#39407267)

Java, not JavaScript. Also it looks like Java is just the front for the payload.... The article says it uses a DLL, so you non-Windows people are probably safe.

Java Web Attack Installs Malware In RAM (1)

Robert Zenz (1680268) | more than 2 years ago | (#39407059)

Sounds like we need to write a GUI in VB6 to get rid of it...

Conspiracy! (1)

mimino (1440145) | more than 2 years ago | (#39407289)

An antivirus company sends two messages: 1) Stay in RAM and be undetected; 2) Attach to a trustworthy process and they'll miss you. I wonder what are they not telling us?

Am I naive to think Microsoft should fix the OS? (2)

GoodNewsJimDotCom (2244874) | more than 2 years ago | (#39407341)

Remember Commodore 64? Its boot record was kept separate from the OS. So no matter what you did when you mucked around, you could boot again. Microsoft should provide two modes: A) "Wreckless Compatibility Mode", which is for legacy issues, and B) "Secure OS mode", where no one can write to the boot sector or startup, and you enter a special boot mode for cases of drivers.

I think by making it impossible to write over the OS, or alter OS files, then when you boot you shouldn't worry of a virus hosing your boot. Sure, a virus could write over all your program files and screw with your data, but I think the OS itself should never be at risk. Someone else can figure out how to make program files secure. Maybe they could say things can't escape out of their parent install directory.

Am I naive to think this sort of thing should be possible?

Re:Am I naive to think Microsoft should fix the OS (2)

monkeyhybrid (1677192) | more than 2 years ago | (#39407629)

UEFI Secure Boot [wikipedia.org] .

Re:Am I naive to think Microsoft should fix the OS (2, Informative)

Anonymous Coward | more than 2 years ago | (#39408519)

UEFI isn't going to protect the operating system from being modified; it's going to prevent the computer from booting if said operating system gets modified, which is pretty much exactly the opposite of what we wanted.

Re:Am I naive to think Microsoft should fix the OS (1)

MachineShedFred (621896) | more than 2 years ago | (#39411741)

Except that you can repair it from the UEFI shell, or a UEFI binary written to replace the infected file with a clean one on the installation media / over the wire.

Re:Am I naive to think Microsoft should fix the OS (0)

Anonymous Coward | more than 2 years ago | (#39408363)

A lot of motherboards have something like that already. Trying to write anything to the boot sectors gets an error and a prompt to continue. Unfortunately most of them default to the off setting.

Re:Am I naive to think Microsoft should fix the OS (0)

Anonymous Coward | more than 2 years ago | (#39408405)

Your logic is correct but flawed. The C64 had the entire OS on a chip, and it never got changed at any point for the next boot. A HDD is a different story altogether, as it changes constantly when you install apps that start up on boot, updates, etc. A C64 could never do that, as its BIOS / OS is read only.

Re:Am I naive to think Microsoft should fix the OS (1)

Em Adespoton (792954) | more than 2 years ago | (#39408739)

This requires there to be no code that loads before the code that locks down the OS. UEFI Secure Boot is part way there, but there's still the option to write to keyboard/video memory and persist across a reboot, then automatically enter an insecure mode, install the rogue bootloader, and then load the expected OS on top, applying the appropriate secure patches as if the software was an external user.

As long as we've got buggy code, input devices and device drivers, there will be ways of shoehorning a bootkit onto a piece of hardware.

Of course, considering how doing this is orders of magnitude harder in effort spent than just fooling the operator into letting the software run, it will continue to mostly be done for industrial espionage/targeted reasons, not for adding home users to an uberbotnet.

Re:Am I naive to think Microsoft should fix the OS (1)

DavidTC (10147) | more than 2 years ago | (#39414595)

> Of course, considering how doing this is orders of magnitude harder in effort spent than just fooling the operator into letting the software run, it will continue to mostly be done for industrial espionage/targeted reasons, not for adding home users to an uberbotnet.

The interesting fact about software is that it only needs to be written once.

Re:Am I naive to think Microsoft should fix the OS (1)

Em Adespoton (792954) | more than 2 years ago | (#39433679)

> The interesting fact about software is that it only needs to be written once.

Indeed... the continuing prevalence of Conficker shows us that. But what we're talking about here is targeted attacks using both exploits and social engineering. If I received an email containing a PDF claiming to contain the auditor's edits of Oracle's 2011 tax statement, for example, I'd probably suspect something fishy was going on. Plus, the rootkit likely wouldn't run on my computer, and the database it is attempting to gain access to sure isn't on my subnet.

The other interesting fact about software is that it only does what you tell it to.

The orders of magnitude of difficulty are to do with fooling the operator and exploiting the environment, not to do with writing the software.

Re:Am I naive to think Microsoft should fix the OS (0)

Anonymous Coward | more than 2 years ago | (#39411133)

> Microsoft should provide two modes: A) "Wreckless Compatibility Mode"

While it would be good to have a mode that prevents wrecks, I think you meant "reckless".

Re:Am I naive to think Microsoft should fix the OS (1)

gl4ss (559668) | more than 2 years ago | (#39411203)

yeah, have fun with win8 arm.

"what? I can't install a virtual cd device that'll look exactly like a real cdrom drive?"

(anyways, the files.. if they can't be altered, then ms can't hot update them either)

Re:Am I naive to think Microsoft should fix the OS (1)

MachineShedFred (621896) | more than 2 years ago | (#39411731)

Aren't they doing that with Windows 8, and getting slapped around by all the linux guys over it by saying "OMG they're locking us out of our own hardwarez by requiring the secure EFI bootz!"

Re:Am I naive to think Microsoft should fix the OS (1)

DadLeopard (1290796) | more than 2 years ago | (#39423407)

The Atari 1040ST had its operating system on eproms, I have yet to see a computer virus that came equipped to erase and reprogram an eprom, it takes UV light to erase one! eeproms on the other hand are vulnerable to exploits! Of course TOS was quite small compared to modern OSes!

More Java malware? (0)

Anonymous Coward | more than 2 years ago | (#39407525)

Why do we still use this shit?

Re:More Windows malware? (1)

lwriemen (763666) | more than 2 years ago | (#39412121)

Why do we still use this shit?

Memory-only worms are not new (1)

Anonymous Coward | more than 2 years ago | (#39407547)

The idea of loading malware into memory and not placing it in file is hardly new. In fact, the idea goes back over 20 years.

Back in the dark ages of networking, one of the earliest deliberately malicious worms was WANK (Worms Against Nuclear Killers) which was unleashed back in October of 1989. It was a VMS based worm that attacked via DECnet (no laughter...DECnet was more popular than IP at one time.)

WANK attacked systems on the old NASA SPAN (Space Physics Analysis Network) and the DOE HEPnet (High-Energy Physics Network). It was quite effective in not writing into a file and both notified C&C of the successful attack and then launched attacks on other systems. The authors, widely believed to be Australian environmentalists, had a very inventive way of downloading and bootstrapping into memory, but then made some dumb coding errors that greatly limited the damage and spread of the worm. The story of WANK is recounted in "The Underground" by Suzanne Dreyfus. [wikipedia.org] and the worm itself is discussed in this article. [wikipedia.org] Having contributed to the book and having done the first analysis of the worm in parallel with analyses by Ron Tencati and John McMahon of NASA, I believe that the information is correct. (That Julian Assange guy does get around, doesn't he.)

Oh no, Java scary! (3, Informative)

dgun (1056422) | more than 2 years ago | (#39407591)

As the article points out this is a known vulnerability. And there has been a patch available since October 2011.

http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html [oracle.com]

The infoworld article mentions that the applet used a "rogue" DLL. Where did that come from? If it didn't install any files on the system, why is there a "rogue" DLL on the system? Did it just "install" that DLL into memory also? And if the malicious applet code managed to get escalated privileges, why didn't it install something on the drive? And isn’t the term “install” being misused in the article? In fact, isn’t it true Mr. Infoworld Article person, that the alleged malware was merely “loaded” into memory? The truth is there was no flight leaving Guantanamo Bay, you doctored the flight logs, you ordered the code red, you framed OJ Simpson

Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug" (0)

Anonymous Coward | more than 2 years ago | (#39408167)

"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417 [torproject.org]

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode regardless of whether the --debug switch is used or not. This is caused by a small bug on line 208 of RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1 ];

or

if [ ${debug} -eq 1 ];
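An added shell example (not from the ticket or the Tor Browser Bundle) showing why the one-argument test treats debug=0 as "on" and how the numeric comparison fixes it; the function names and the logging stand-in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: the test forms from the ticket side by side.
# buggy_debug_on: the original one-argument test. [ "$x" ] is true for ANY
# non-empty string, so debug=0 (the usual "off" value) still enables debug mode.
buggy_debug_on() {
    debug="$1"
    if [ "${debug}" ]; then return 0; else return 1; fi
}

# fixed_debug_on: the ticket's numeric fix. ${debug:-0} guards the unset/empty
# case; the unquoted form [ ${debug} -eq 1 ] would collapse to [ -eq 1 ] and
# error out when debug is empty.
fixed_debug_on() {
    debug="$1"
    if [ "${debug:-0}" -eq 1 ]; then return 0; else return 1; fi
}

# Stand-in for the script's debug logging: only emit the line (here a
# constructed domain name) when debug mode is genuinely on.
log_if_debug() {
    if fixed_debug_on "$1"; then printf '%s\n' "$2"; fi
}
```

With the original test, `buggy_debug_on 0` succeeds, which is exactly why the bundle logged domain names without `--debug`.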

Re:Tor Browser Bundle for Linux (2.2.35-8) "EVIL b (1)

mcavic (2007672) | more than 2 years ago | (#39427387)

Interesting - I didn't know that bash worked that way. Contrary to C and PHP. But I usually use the == anyway.

Nothing new here (0)

Anonymous Coward | more than 2 years ago | (#39408287)

Move along, memory resident viruses/exploits/etc. are old hat.

Re:Nothing new here (1)

SplashMyBandit (1543257) | more than 2 years ago | (#39408533)

They may be old hat, but an exploit that mentions "Java" suits Microsoft's purposes just fine (since it is trying to kill cross-platform Java and promote Windows-only .NET). Strange it made the news half a year after a patch has been available - what were the editors thinking? Wouldn't the article's title be more accurate if it was "Unpatched systems get malware in RAM"?

Never mention Windows .. (1)

dgharmon (2564621) | more than 2 years ago | (#39409213)

As elsewhere, is it now slashdot policy to only mention '`computer` malware ..
"After seizing all necessary privileges on the victim computer, the exploit does not install malware on the hard drive using Java. Instead, it uses its payload to inject an encrypted dll from the web directly into the memory of the" javaw.exe process [securelist.com]

Where no Antivirus has gone before... (0)

Anonymous Coward | more than 2 years ago | (#39409225)

“but do you know how to check and is there any point checking when we already know NSA/KGB, etc etc have the globe encircled with satellites?”

try lining your windows with tinfoil and check it after a few months. You'll discover straight LINES and DOTS (tiny peep holes). This is with the tinfoil on the inside of the windows' surface, in-house/apartment. What causes this?

I believe most, if not all consumer computers and devices are, if not monitored, swept and mirrored by big bro using satellite technology.

One anonymous poster to pastebin, claiming to be representative of Mossad, fired a shot across the bow of Anonymous and other hackers by saying, paraphrased, “All of your hard drives are mirrored in (locations A,B,C as I forget which countries were mentioned) certain places on Earth anyway.”

I find this to be true, I've used Microsoft's SysInternals programs to monitor processes and discovered my drives being swept, a chat program running I never installed and could find no trace of, files where they had the most interest were mp3 and graphics files, but they scraped the whole drive, and an iso creator/mirroring utility was running.

You only make it easier for them if you willingly install video streaming programs (VLC) with command line counterparts, music programs with command line counterparts, Office programs, which I noticed PDF files were being made in the background, and all of this activity was happening when I was monitoring a computer isolated from any wired/wireless/LAN network(s).

Google: Subversion Hack archive for a glimpse into this mysterious activity

It's all about the waves.

*****

“Well, if this is true or not, I cannot tell, because I use GNU/Linux,”

The same is true for *nix, you just have to have the right monitoring tools and know what to look for inside binaries which are easily messed with by injecting malware into them and tools used by “THEM” to obscure the code injected into the ELF binaries so as to avoid being picked up as malware.

One simple command you can use to check for modifications to your files:

sudo find /usr/bin -mtime -60

That will search /usr/bin for files modified within 60 minutes, adjust the command as needed for other directories and time frames.

ALWAYS generate sha256sums or better (NOT MD5 or SHA1) of your initial install and the LiveCD and store them on a READ ONLY media like a once writable CDROM. The free utility known as “md5deep” offers more than md5 checksum generation and unlike the simple tools like sha256sum, sha1sum, etc., md5deep's options offer RECURSIVE and directory stripping options, perfect for backup on CDROMs.

Here's one example out of many mysterious *nix trojans floating about:

- Linux/Bckdr-RKC
- http://caffeinesecurity.blogspot.com/2012/02/linuxbckdr-rkc-still-undetected.html [blogspot.com]

“For those who aren't familiar with this trojan, an anonymous internet user has taken the time to put together a Pastebin post highlighting my research on this trojan”: http://pastebin.com/DwtX9dMd [pastebin.com]

More questions without answers:

- Malware for Windows, *nux (and MacOSX?) which HIDES in FIRMWARE on routers, PCI and AGP cards and devices (including CD burners), system BIOS, MBRs, ethernet (nic) cards most if not all surviving hard drive wipes/formats and preloaded again and updated “through-the-air” mysteriously or when you've plugged into the net.

- Ethernet cards using packet radio modules/protocols

- Linux distributions including LiveCDs including more modules than they need to run, especially for LiveCD purposes, including build essentials, dpkg-dev, ISDN drivers/modules (sometimes in multiple places, as binary files and as modules) and other modules including ham radio modules

- PCI and AGP rootkits which never leave (no antivirus scanner scans firmware on these cards and devices where most of the really serious malware resides)

Google on these topics for whitepapers and documentation up the yin yang, including ever popular DEFCON talks, papers, etc.

Also Google: Subversion hack archive (it's a website detailing mysterious trojans reinfecting computers NOT plugged into the net).

There are probably a ton of non-detectable Linux exploits in the wild. Many of the freely offered ones on some of the more whitehat/popular sites aren't detected. More are made and uploaded every day.

In my opinion, no electronic device is safe, especially not those whose builders FORCE your motherboard to have a preinstalled, unremovable network (nic) card, sound card (both can be exploited by ham radio modules/drivers/malicious related programs), video card, etc.

One possible solution to this madness would be to purchase ANCIENT computers (Apple II or Cmdre for example) and use open source networking code. Much of these older systems did not have a lot of built in networking devices and storage devices.

The ultimate solution is to avoid electronic devices completely (even TV and radio) and learn to love books and libraries again, but for most people that would be as painful as slitting their own necks like a chicken, they lust after their Facebook, smartphone, iphone, ipad, Twitter, Angry Birds, and other diversions.

Google the article: The Mind Has No Firewall (written by a soldier, unless I'm mistaken), to expose how weak our minds are to (electronic) attack.

Visit: TheHiddenEvil.com : to learn more about “the big game” which we're all enrolled in by birth.

Re:Where no Antivirus has gone before... (1)

Swave An deBwoner (907414) | more than 2 years ago | (#39410231)

sudo find /usr/bin -mtime -60

But the malware already ran "touch -t 0101011337 ./malware.exe", so maybe you won't spot it with this.
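An added example, not from either poster, illustrating the limitation just noted: a backdated mtime hides a file from an mtime-based search, but the inode change time (ctime), which touch -t cannot set, still records the modification. The directory and file are constructed here; -mmin and -cmin are GNU/BSD find options, not POSIX.

```shell
#!/bin/sh
# Added example: mtime can be forged, ctime cannot be set from userland.
# make_sample_dir builds a throwaway directory holding one freshly written
# file whose mtime is then backdated to 2010-01-01 13:37, mimicking the
# "touch -t" trick from the thread. Prints the directory path.
make_sample_dir() {
    dir=$(mktemp -d)
    printf 'constructed sample\n' > "$dir/backdated.bin"
    touch -t 201001011337 "$dir/backdated.bin"   # mtime -> 2010-01-01 13:37
    printf '%s\n' "$dir"
}

# The thread's check, expressed in minutes: files whose mtime is within the
# last 60 minutes. The backdated file does NOT show up here.
recent_by_mtime() {
    find "$1" -type f -mmin -60
}

# Same window, but on ctime: the kernel updates ctime on every inode change
# (including the touch -t itself), so the backdated file DOES show up here.
recent_by_ctime() {
    find "$1" -type f -cmin -60
}
```

A sweep that compares mtime against ctime per file is a cheap way to flag timestamp tampering on a host, though a filesystem-level or read-only hash baseline, as the earlier post suggests, is the stronger check.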

Windows only? (1)

mspohr (589790) | more than 2 years ago | (#39409279)

OK. The usual question. Does this run on Linux? (or Mac)?
It mentions a DLL which is Windows only so I assume Windows only?

Remote ads are the problem (0)

Anonymous Coward | more than 2 years ago | (#39410415)

From tfa;

"The attack code loaded an exploit for a known Java vulnerability (CVE-2011-3544), but it wasn't hosted on the affected websites themselves. Instead, it was served to their visitors through banners displayed by a third-party advertising service called AdFox."

This means that a service similar to doubleclick is the culprit. It is high time that the user should have a control surface in the browser that blocks ad redirects in java pop ups. What would be really nice is if you could black list the bastards within a browser control interface....something like an about:config setting specifically for java with a text file black list that the user could edit and a cooperative system for blacklist information. For instance if I were able to block java based redirects from any site in a .ru domain then surfing Russian porn would be like wearing a condom. Apparently now if you surf Russian news sites you get hosed just as bad.

Thank God Google took over doubleclick and the Russian mob didn't!

I know I am talking old school pro-active work but it is high time that we get together and make these .ru domains behave in a civilised manner. You can bet if there was a way to quickly black list this kind of shit with java updates it would disappear overnight. But then again nowadays who knows Larry might be funding some of these guys, nothing about the wild wild web and how the Russian mob hackers work would surprise me!

Last discussion, DROP JAVA (0)

Anonymous Coward | more than 2 years ago | (#39411199)

This discussion about frequent java exploits and the consensus was to uninstall java, and then press on with life, and finally summing up with facts about the true amount of people who actually needed java installed to get their work done is extremely low, and out of them they could probably get by with installing java, get work done, uninstall java.

Remember

cripple/disable flash
uninstall java
block frame iframe xframe
cripple/disable javascript
uninstall silverlight
use a hosts file and block abc, bbc, cbs, cnn, fox, pbs, (ms)nbc, cnet, kaspersky, and threatpost

I remember. So, why are you browsing with java again?
