Another good reason to exercise healthy paranoia


    News of a trojan in the wild that detects which OS (Windows, OS X, Linux) is running, then downloads a custom payload.

    More info here: http://arstechnica.com/security/2012...m-web-exploit/

    And here: https://www.f-secure.com/weblog/archives/00002397.html

    Personally, I'm immune to this one because I disable the Java plugin in all my browsers.
    "Let us think the unthinkable, let us do the undoable, let us prepare to grapple with the ineffable itself, and see if we may not eff it after all."
    -- Douglas Adams

    #2
    Exactly. No Java, no problem.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.



      #3
      Even with Java, when it asks you to download and install the app, just say "No."



        #4
        Originally posted by vw72:
        Even with Java, when it asks you to download and install the app, just say "No."
        You mean "IF" it asks you...

        Java applets on websites are notorious for running in stealth mode, with your privileges. If you keep Java, make sure your patches are up to date.
        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
        – John F. Kennedy, February 26, 1962.



          #5
          While I don't remember installing Java, how does one make sure they don't have Java installed, and how does one remove it?



            #6
            Originally posted by capt-zero:
            While I don't remember installing Java, how does one make sure they don't have Java installed, and how does one remove it?
            On your machine, what's the output of:
            Code:
            dpkg -l | egrep 'java|jre|icedtea'



              #7
              Steve,

              Here's the output:
              ii plasma-scriptengine-javascript 4:4.8.4-0ubuntu0.1 JavaScript script engine for Plasma


              Thanx,
              capt-zero



                #8
                Javascript and Java are two very different things.



                  #9
                  Capt, you're fine -- there's no Java on your system.

                  As Jonathan mentioned, Java and JavaScript are very different. kde-runtime depends on that Plasma JavaScript package. Because the attack relies on Java, not JavaScript, you've nothing to worry about.



                    #10
                    Steve,

                    Thanks for the help. Now, just what did that script you had me run do? Trying to learn a little about the CLI.
                    Also, does the mentioned story now mean we have to be concerned about infections sneaking into our systems through some other means?

                    Thanx,
                    capt-zero
                    Last edited by capt-zero; Jul 11, 2012, 12:38 PM. Reason: gRammer, speeling



                      #11
                      Originally posted by capt-zero:
                      Thanks for the help. Now, just what did that script you had me run do? Trying to learn a little about the CLI.
                      dpkg is Debian's low-level package manager. Typically we're used to dealing with front-ends like apt-get or Aptitude that can handle dependency resolution and download additional packages as necessary. dpkg allows you to interact with the packages that are already installed on your system, to inspect and manually install .deb files that you've downloaded, and many other things. As usual, man dpkg is your friend.

                      dpkg -l is actually a hand-off to dpkg-query -l, which lists information about packages in the database. man dpkg-query explains it in detail. Essentially, it displays packages that are not marked as not installed. That's somewhat tortured wording, I know, but packages can exist in states other than "installed" or "purged" (= not installed). The man page explains all the states. dpkg -l is a quick way of listing all packages that are installed, plus all packages (or their configuration files) that are somehow present on your machine.

                      I had you pipe that output through egrep, looking specifically for "java" or "jre" or "icedtea." These are the components that constitute a standard Java install. I always install the Java runtime and a browser plugin on my systems because I need them for a variety of things. I do this via:
                      Code:
                      sudo apt-get install default-jre icedtea-plugin
                      And here's the output of the dpkg-query command on my system:
                      Code:
                      steve@t520:~$ dpkg -l | egrep 'java|jre|icedtea'
                      ii  ca-certificates-java           20110912ubuntu6                 Common CA certificates (JKS keystore)
                      ii  default-jre                    1:1.6-43ubuntu2                 Standard Java or Java compatible Runtime
                      ii  default-jre-headless           1:1.6-43ubuntu2                 Standard Java or Java compatible Runtime (headless)
                      ii  icedtea-6-plugin               1.2-2ubuntu1                    web browser plugin based on OpenJDK and IcedTea to execute Java applets
                      ii  icedtea-netx                   1.2-2ubuntu1                    NetX - implementation of the Java Network Launching Protocol (JNLP)
                      ii  icedtea-netx-common            1.2-2ubuntu1                    NetX - implementation of the Java Network Launching Protocol (JNLP)
                      ii  icedtea-plugin                 1.2-2ubuntu1                    web browser plugin to execute Java applets (dependency package)
                      ii  java-common                    0.43ubuntu2                     Base of all Java packages
                      ii  libatk-wrapper-java            0.30.4-0ubuntu2                 An ATK implementation for Java using JNI
                      ii  libatk-wrapper-java-jni        0.30.4-0ubuntu2                 An ATK implementation for Java using JNI (jni bindings)
                      ii  libswt-gtk-3-java              3.7.2-2                         Standard Widget Toolkit for GTK+ Java library
                      ii  openjdk-6-jre                  6b24-1.11.1-4ubuntu3            OpenJDK Java runtime, using Hotspot JIT
                      ii  openjdk-6-jre-headless         6b24-1.11.1-4ubuntu3            OpenJDK Java runtime, using Hotspot JIT (headless)
                      ii  openjdk-6-jre-lib              6b24-1.11.1-4ubuntu3            OpenJDK Java runtime (architecture independent libraries)
                      ii  plasma-scriptengine-javascript 4:4.8.90-0ubuntu1~precise1~ppa1 JavaScript script engine for Plasma
                      ii  tzdata-java                    2012b-1                         time zone and daylight-saving time data for use by java runtimes
                      If you had had these "jre" and "icedtea" plugin packages installed, then Java would be present on your machine.

                      Originally posted by capt-zero:
                      Also, does the mentioned story now mean we have to be concerned about infections sneaking into our systems through some other means?
                      The story describes a malicious Java applet that incorporates a bit of intelligence. When the code runs, it detects which operating system you're using, and then downloads an additional malicious payload specifically for your operating system. What we should learn from this is that bad guys will target anything they feel they can find vulnerabilities in. No software is 100% secure.

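Steve's explanation of dpkg -l | egrep 'java|jre|icedtea' above, together with the false hit on a JavaScript package in post #7, as an added example that is not from the thread: a POSIX shell check that reads dpkg -l style output (a constructed sample here, modelled on the listings posted in this thread) and reports only installed Java packages, ignoring JavaScript packages and "rc" entries (removed, config files left behind), then says whether a browser Java plugin is present.

```shell
#!/bin/sh
# Added example, not from the thread: classify dpkg -l output so that
# JavaScript packages and removed-but-not-purged ("rc") packages are not
# mistaken for an installed Java runtime, as a bare egrep 'java' would do.

# Constructed sample of dpkg -l output (state, name, version, description).
SAMPLE_DPKG='ii  plasma-scriptengine-javascript 4:4.8.4-0ubuntu0.1   JavaScript script engine for Plasma
ii  libjavascriptcoregtk-1.0-0     1.8.0-0ubuntu2       Javascript engine library for GTK+
ii  default-jre                    1:1.6-43ubuntu2      Standard Java or Java compatible Runtime
ii  icedtea-6-plugin               1.2-2ubuntu1         web browser plugin based on OpenJDK and IcedTea
rc  openjdk-6-jre                  6b24-1.11.1-4ubuntu3 OpenJDK Java runtime, using Hotspot JIT
ii  tzdata-java                    2012b-1              time zone data for use by java runtimes'

# Reads dpkg -l lines on stdin; prints the names of packages that are
# installed (state "ii") and whose name refers to Java, not JavaScript.
installed_java_pkgs() {
    awk '$1 == "ii" && $2 ~ /java|jre|icedtea|openjdk/ && $2 !~ /javascript/ { print $2 }'
}

# Reads dpkg -l lines on stdin; prints only the browser plugin packages,
# which are what a malicious applet on a web page actually needs.
java_browser_plugins() {
    installed_java_pkgs | grep -E '^icedtea(-[0-9]+)?-plugin$'
}

# Exit status 0 if the sample shows a browser Java plugin, 1 otherwise.
sample_has_java_plugin() {
    [ "$(printf '%s\n' "$SAMPLE_DPKG" | java_browser_plugins | wc -l | tr -d ' ')" -gt 0 ]
}

# Stand-alone run against the constructed sample. To check a real machine,
# pipe the output of dpkg -l into the functions instead of the sample.
printf 'Installed Java packages:\n'
printf '%s\n' "$SAMPLE_DPKG" | installed_java_pkgs
if sample_has_java_plugin; then
    echo 'Browser Java plugin present: disable it in the browser or remove the icedtea plugin packages.'
else
    echo 'No browser Java plugin installed.'
fi
```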


                        #12
                        Thanks steve,

                        Very informative post. I have just finished a new install on a new (to me) machine. Reading this post reminded me to install and run 'firestarter' and 'clamtk'.

                        Thanx again,
                        capt-zero



                          #13
                          Happy to help.



                            #14
                            vinny@Vinnys-HP-G62:~$ dpkg -l | egrep 'java|jre|icedtea'
                            ii ca-certificates-java 20110912ubuntu6 Common CA certificates (JKS keystore)
                            ii default-jre 1:1.6-43ubuntu2 Standard Java or Java compatible Runtime
                            ii default-jre-headless 1:1.6-43ubuntu2 Standard Java or Java compatible Runtime (headless)
                            ii gcj-4.6-jre-lib 4.6.3-1ubuntu2 Java runtime library for use with gcj (jar files)
                            ii icedtea-6-jre-cacao 6b24-1.11.1-4ubuntu3 Alternative JVM for OpenJDK, using Cacao
                            ii icedtea-6-jre-jamvm 6b24-1.11.1-4ubuntu3 Alternative JVM for OpenJDK, using JamVM
                            ii icedtea-6-plugin 1.2-2ubuntu1 web browser plugin based on OpenJDK and IcedTea to execute Java applets
                            ii icedtea-netx 1.2-2ubuntu1 NetX - implementation of the Java Network Launching Protocol (JNLP)
                            ii icedtea-netx-common 1.2-2ubuntu1 NetX - implementation of the Java Network Launching Protocol (JNLP)
                            ii icedtea-plugin 1.2-2ubuntu1 web browser plugin to execute Java applets (dependency package)
                            ii java-common 0.43ubuntu2 Base of all Java packages
                            ii libaccess-bridge-java 1.26.2-9 Java Access Bridge for GNOME
                            ii libaccess-bridge-java-jni 1.26.2-9 Java Access Bridge for GNOME (jni bindings)
                            ii libapache-pom-java 10-2 Maven metadata for all Apache Software projects
                            ii libasm3-java 3.3.2-1 Java bytecode manipulation framework
                            ii libatk-wrapper-java 0.30.4-0ubuntu2 An ATK implementation for Java using JNI
                            ii libatk-wrapper-java-jni 0.30.4-0ubuntu2 An ATK implementation for Java using JNI (jni bindings)
                            ii libcommons-beanutils-java 1.8.3-2 utility for manipulating JavaBeans
                            ii libcommons-cli-java 1.2-3 API for working with the command line arguments and options
                            ii libcommons-codec-java 1.5-1 encoder and decoders such as Base64 and hexadecimal codec
                            ii libcommons-collections3-java 3.2.1-5 A set of abstract data type interfaces and implementations
                            ii libcommons-compress-java 1.2-1ubuntu1 Java API for working with tar, zip and bzip2 files
                            ii libcommons-digester-java 1.8.1-3 Rule based XML Java object mapping tool
                            ii libcommons-el-java 1.0-7 Implementation of the JSP2.0 Expression Language interpreter
                            ii libcommons-httpclient-java 3.1-10 A Java(TM) library for creating HTTP clients
                            ii libcommons-lang-java 2.6-3ubuntu1 Extension of the java.lang package
                            ii libcommons-logging-java 1.1.1-9 commmon wrapper interface for several logging APIs
                            ii libcommons-parent-java 22-2 Maven metadata for Apache Commons project
                            ii libdb-java 5.1.4ubuntu1 Berkeley Database Libraries for Java
                            ii libdb-je-java 3.3.98-1 Oracle Berkeley Database Java Edition
                            ii libdb5.1-java 5.1.25-11build1 Berkeley v5.1 Database Libraries for Java
                            ii libdb5.1-java-gcj 5.1.25-11build1 Berkeley v5.1 Database Libraries for Java (native code)
                            ii libecj-java 3.5.1-3 Eclipse Java compiler (library)
                            ii libequinox-osgi-java 3.7.2-1 Equinox OSGi framework
                            ii libhamcrest-java 1.1-8 library of matchers for building test expressions
                            ii libhsqldb-java 1.8.0.10-9ubuntu2 Java SQL database engine
                            ii libicu4j-4.4-java 4.4.2.2-1 Library for Unicode support and internalisation
                            ii libicu4j-java 4.2.1.1-1 Library for unicode support and internalisation
                            ii libjasper-java 5.5.33-2 Implementation of the JSP Container
                            ii libjavascriptcoregtk-1.0-0 1.8.0-0ubuntu2 Javascript engine library for GTK+
                            ii libjavascriptcoregtk-3.0-0 1.8.0-0ubuntu2 Javascript engine library for GTK+
                            ii libjaxp1.3-java 1.3.05-2ubuntu2 Java XML parser and transformer APIs (DOM, SAX, JAXP, TrAX)
                            ii libjetty-java 6.1.24-6ubuntu0.12.04.1 Java servlet engine and webserver -- core libraries
                            ii libjline-java 1.0-1 Java library for handling console input
                            ii libjsch-java 0.1.42-2fakesync1 pure Java implementation of the SSH2 protocol
                            ii libjtidy-java 7+svn20110807-3 JTidy
                            ii liblucene2-java 2.9.4+ds1-4 Full-text search engine library for Java(TM)
                            ii libregexp-java 1.5-3 Regular expression library for Java
                            ii libreoffice-java-common 1:3.5.3-0ubuntu1 office productivity suite -- arch-independent Java support files
                            ii libservlet2.4-java 5.5.33-1 Servlet 2.4 and JSP 2.0 Java library
                            ii libservlet2.5-java 6.0.35-1ubuntu3 Servlet 2.5 and JSP 2.1 Java API classes
                            ii libslf4j-java 1.6.4-1 Simple Logging Facade for Java
                            ii libswt-gtk-3-java 3.7.2-2 Standard Widget Toolkit for GTK+ Java library
                            ii libxerces2-java 2.11.0-4 Validating XML parser for Java with DOM level 3 support
                            ii libxml-commons-external-java 1.4.01-2 XML Commons external code - DOM, SAX, and JAXP, etc
                            ii libxml-commons-resolver1.1-java 1.2-7 XML entity and URI resolver library
                            ii openjdk-6-jre 6b24-1.11.1-4ubuntu3 OpenJDK Java runtime, using Hotspot JIT
                            ii openjdk-6-jre-headless 6b24-1.11.1-4ubuntu3 OpenJDK Java runtime, using Hotspot JIT (headless)
                            ii openjdk-6-jre-lib 6b24-1.11.1-4ubuntu3 OpenJDK Java runtime (architecture independent libraries)
                            ii plasma-scriptengine-javascript 4:4.8.4-0ubuntu0.1 JavaScript script engine for Plasma
                            ii tzdata-java 2012b-1 time zone and daylight-saving time data for use by java runtimes
                            Most of it was installed with Eclipse and android-sdk-linux ......WoW

                            VINNY
                            i7 4core HT 8MB L3 2.9GHz
                            16GB RAM
                            Nvidia GTX 860M 4GB RAM 1152 cuda cores



                              #15
                              I give this some serious consideration.
                              Yet there is a fine line between usability and security. I've been messing with PeerGuardian (https://launchpad.net/~jre-phoenix/+archive/ppa) the last couple of days; it's a pain to set up. Yet it is more secure than IPList, as it asks for the sudo password rather than running as root as the IPList GUI does. Need to hammer on it some and see what gives.

                              Short story is I believe it's best to take measures, and up-to-date block lists from respectable sources like DShield and Spamhaus aren't a bad way to start. At least now that we're talking about little-known web-based attacks specifically. The hype about the long-term (estimated 10 yrs) development of Stuxnet, Duqu and Flame only shows just how broad and well funded cyber warfare is today. The fact that these have been used and allowed to be reversed and examined forensically seems to indicate obsolescence to a degree.
