Wilders Security Forums  

Go Back   Wilders Security Forums > Other Security Topics > malware problems & news
  #1  
Old March 19th, 2012, 12:54 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to security researchers from antivirus firm Kaspersky Lab.

What's interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer's memory.

"The operation of such an exploit involves saving a malicious file, usually a dropper or downloader, on the hard drive," said Kaspersky Lab expert Sergey Golovanov, in a blog post on Friday. "However, in this case we were in for a surprise: No new files appeared on the hard drive."

The Java exploit's payload consisted of a rogue DLL (dynamic-link library) that was loaded and attached on the fly to the legitimate Java process. This type of malware is rare, because it dies when the system is rebooted and the memory is cleared.
http://www.pcworld.com/article/25209...ml#tk.rss_news
__________________

Last edited by Hungry Man : March 19th, 2012 at 01:00 PM.
  #2  
Old March 19th, 2012, 01:31 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Drive-by RAM bots, interesting. I take it we most likely have a new botnet growing out of Russia? Well, technically growing, then dying, then growing again... Russia turning off their power grid for 2 minutes, then turning it back on, should be the fix.

Quote:
The best protection against this type of attack is to keep the installed software on computers up to date, especially browsers and their plug-ins. In case exploits that target previously unknown vulnerabilities are used, it's best to have an antivirus product running that is capable of scanning Web traffic and detecting attack code generically.

I'd go the extra mile, VM or sandbox your browser, and default deny plug-ins etc. Though this malware is targeting the average user so even mentioning automatic update patching is probably too much to ask.
  #3  
Old March 19th, 2012, 01:36 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,453
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Interesting... a few weeks back I talked about this kind of threat in another thread, and I was practically slapped in the face for talking about theoretical threats.

Now... what do we see?
  #4  
Old March 19th, 2012, 01:39 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,453
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
Originally Posted by EncryptedBytes
[...]
I'd go the extra mile, VM or sandbox your browser, and default deny plug-ins etc. Though this malware is targeting the average user so even mentioning automatic update patching is probably too much to ask.

Keeping Java up-to-date is especially problematic for millions of users. The built-in auto-update doesn't work, at all.
  #5  
Old March 19th, 2012, 01:46 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

@m00n, not sure who slapped you lol but I hope it wasn't me. ROP and "in-process" malware are some of my favorite concepts.

The thing about a VM is that the malware won't necessarily care. It's working from within your browser anyway. A VM helps in that it can't read files on your system, though, but if it's only after that specific session, that's enough.

It seems likely that at some point it's dropping an executable but as time continues I suspect we'll see more advanced forms of malware like this, that push the drop until the last possible moment, first using the hijacked process to take a look at the computer and possibly disable defenses.
__________________
  #6  
Old March 19th, 2012, 02:19 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,453
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

It should also be noted that this resulted from a hijacked ad network. So, blocking ads (third-party ads) is also a great solution to prevent many infections.

Google Chrome users should be on the safe side, though. Not due to the sandbox, because Java runs outside of the sandbox (Damn Oracle!!), but because by default Google Chrome won't allow Java to run. The user needs to explicitly allow it.

I don't know if this behavior persists, but even if the user disables Java in Internet Explorer, it will still run. I don't know why this behavior happens. The only solution I found, a long time ago, is to block Java plugin execution using the Group Policy Editor. This effectively blocks the plugin in IE.

Of course, I no longer have it on my system.
  #7  
Old March 19th, 2012, 02:23 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Attacking Java definitely puts users at a disadvantage. Chrome limits IPC to Java... so maybe that would help? Impossible to say without knowing details.

But, yes, blocking ads would take care of this. Unfortunately that doesn't stop the exploit from being there.

The article doesn't say whether it's a 0day or not.
__________________
  #8  
Old March 19th, 2012, 02:23 PM
xXDarkStalkerxX xXDarkStalkerxX is online now
Frequent Poster
 
Join Date: Nov 2008
Posts: 271
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

What about Google Chrome + EMET + Ad Muncher + Up to date OS and software?
  #9  
Old March 19th, 2012, 02:30 PM
EncryptedBytes EncryptedBytes is offline
Frequent Poster
 
Join Date: Feb 2011
Location: Odenton, Maryland
Posts: 416
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
Originally Posted by Hungry Man
The article doesn't say whether it's a 0day or not.

Not a 0day, the method the malware used has been known since 2011. Link to the vuln used and an exploit of it here
  #10  
Old March 19th, 2012, 02:33 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Thanks EB.

@Dark,

If you're blocking ads it would stop this particular attack. If you're up to date with Java you won't be affected. EMET may or may not help; it doesn't actually look like it in this situation.

I think it's just an interesting attack. I would not be surprised if we see more attacks that stay in RAM for a while.
__________________
  #11  
Old March 19th, 2012, 02:43 PM
BrandiCandi
 
Posts: n/a
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

You're all talking about Java, not JavaScript, right? I don't run Java on any machine and I haven't missed it. All I have heard about are Java exploits, I'm not even sure what benefit Java would give me. To the folks that run Java, why do you use it?
  #12  
Old March 19th, 2012, 03:29 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
Originally Posted by BrandiCandi
To the folks that run Java, why do you use it?
On my system, it's disabled globally, and white listed per site. I have only one site that requires it: my Insurance Company's Contact page uses a custom java applet to send messages to the Company. I had to upload a few documents, and I watched each attachment upload followed by a "wait" message. I assume it was being scanned at a central repository, for the adjusters don't have email addresses. Messages/attachments are forwarded to them internally when received via the Company's Contact Page.

You can see how more secure this is than normal email for an organization.

regards,

-rich
  #13  
Old March 19th, 2012, 03:34 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
Originally Posted by BrandiCandi
You're all talking about Java, not JavaScript, right? I don't run Java on any machine and I haven't missed it. All I have heard about are Java exploits, I'm not even sure what benefit Java would give me. To the folks that run Java, why do you use it?
I require Java for programming.
__________________
  #14  
Old March 20th, 2012, 03:57 PM
xxJackxx's Avatar
xxJackxx xxJackxx is offline
Very Frequent Poster
 
Join Date: Oct 2008
Location: USA
Posts: 2,532
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
Originally Posted by Hungry Man
I require Java for programming.

I'm glad we're not in that boat. All C# here so I made everybody get rid of it. Nobody seems to have needed it in the past year.
  #15  
Old March 20th, 2012, 10:49 PM
Dark Shadow's Avatar
Dark Shadow Dark Shadow is offline
Massive Poster
 
Join Date: Oct 2007
Location: USA
Posts: 4,550
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Have not used or needed Java in years, but for those that do, it's important to remember to keep it up to date, as with anything else. People rarely need it and that's why it's easily forgotten about.
__________________
OS X 10.8.3 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB.

Last edited by Dark Shadow : March 20th, 2012 at 10:57 PM.
  #16  
Old March 20th, 2012, 10:51 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
Originally Posted by xxJackxx
I'm glad we're not in that boat. All C# here so I made everybody get rid of it. Nobody seems to have needed it in the past year.
Yeah, I never ever plan on programming in Java either lol learning C++ on the side.
__________________
  #17  
Old March 21st, 2012, 08:55 AM
treehouse786's Avatar
treehouse786 treehouse786 is offline
Very Frequent Poster
 
Join Date: Jun 2010
Location: Lancashire
Posts: 1,047
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

"piece of malware that doesn't create any files on the affected systems"

surely this is bull? how can it not create any files?
__________________
Active@ Disk Image | 10 On-Demand Scanners

  #18  
Old March 21st, 2012, 06:57 PM
x942's Avatar
x942 x942 is offline
Very Frequent Poster
 
Join Date: Feb 2011
Location: Your Network
Posts: 1,101
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

No Java here so I'm safe. Interesting, though.
__________________
E-Mail: og8oh@notsharingmy.info
  #19  
Old March 21st, 2012, 06:59 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
Originally Posted by treehouse786
"piece of malware that doesn't create any files on the affected systems"

surely this is bull? how can it not create any files?
It lives within the exploited program and can hop between other programs. No need to ever touch the disk.
__________________
  #20  
Old March 22nd, 2012, 08:56 AM
BrandiCandi
 
Posts: n/a
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Fascinating- thanks. I will continue to ignore Java on my machines!
  #21  
Old March 22nd, 2012, 02:45 PM
Hungry Man's Avatar
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Probably a good idea, though there's no reason why this type of attack couldn't happen in any program.
__________________
  #22  
Old March 22nd, 2012, 09:36 PM
trismegistos's Avatar
trismegistos trismegistos is offline
Frequent Poster
 
Join Date: Jan 2009
Posts: 363
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
Originally Posted by Hungry Man
Probably a good idea, though there's no reason why this type of attack couldn't happen in any program.
Yup. Metasploit's hard-to-detect Meterpreter and VNC's return command shells or servers, running in RAM and not written to disk (reflective DLL injection), only require an initial exploit, which could for the most part be a browser-side vulnerability or any other client-side exploit, and not just Java's.


http://searchsecurity.techtarget.in/...ng-meterpreter
http://nullpointer.dk/?q=node/51
http://www.offensive-security.com/me...rowser_Exploit
__________________
-http://www.veteranstoday.com/author/henderson/
-http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/
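The two posts above (Hungry Man's "no need to ever touch the disk" and trismegistos's note on reflective DLL injection) describe a payload that exists only as executable memory inside a legitimate process. The usual defender's check for that is to walk a process's memory map and flag executable regions with no backing file on disk, which is what Volatility's malfind does on Windows memory images. The following is an added example, not code from the thread or from any of the tools named in it; it implements that check for Linux `/proc/<pid>/maps` output (the format is assumed to be the standard six-field layout), with a constructed sample map embedded so it runs offline. The names `parse_maps`, `suspicious_regions` and `scan_pid` are this example's own.

```python
"""Malfind-style triage of a process memory map: find executable memory that is
not backed by a file on disk (the hallmark of an in-memory-only payload)."""
import re
import sys
from dataclasses import dataclass

# Standard /proc/<pid>/maps layout: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

# Kernel-provided pseudo-mappings that are executable by design and not on disk.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}


@dataclass
class Region:
    start: int
    end: int
    perms: str   # e.g. "r-xp"
    path: str    # "" for anonymous memory, "[heap]"/"[stack]" for pseudo-paths


def parse_maps(text: str) -> list[Region]:
    """Parse the text of a maps file into Region records; unparseable lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                              m.group(3), m.group(4).strip()))
    return regions


def is_file_backed(r: Region) -> bool:
    """True only if the mapping corresponds to a real file that still exists on disk.
    Anonymous memory, [heap]/[stack], memfd: objects and unlinked files all count as
    not file-backed, since none of them can be found by scanning the filesystem."""
    if not r.path or r.path.startswith("["):
        return False
    if "(deleted)" in r.path or r.path.startswith("/memfd:"):
        return False
    return True


def classify(r: Region) -> list[str]:
    """Return the reasons a region is worth a closer look (empty list if none)."""
    if "x" not in r.perms or r.path in KERNEL_PSEUDO:
        return []
    reasons = []
    if not is_file_backed(r):
        reasons.append("executable mapping with no backing file")
    if "w" in r.perms:
        reasons.append("writable and executable (W^X violated)")
    return reasons


def suspicious_regions(regions: list[Region]) -> list[tuple[Region, list[str]]]:
    """Filter a parsed map down to the regions that carry at least one finding."""
    return [(r, classify(r)) for r in regions if classify(r)]


def scan_pid(pid: int) -> list[tuple[Region, list[str]]]:
    """Live check of a running process (Linux only; needs ptrace-level access to the pid)."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_regions(parse_maps(f.read()))


# Constructed sample map (not captured from a real process): a java-like process
# with a normal layout plus two anonymous executable regions and one memfd mapping.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 131 /usr/bin/java
00600000-00601000 rw-p 00000000 08:01 131 /usr/bin/java
7f1c00000000-7f1c00021000 rw-p 00000000 00:00 0
7f1c10000000-7f1c10100000 rwxp 00000000 00:00 0
7f1c20000000-7f1c20010000 r-xp 00000000 00:00 0
7f1c30000000-7f1c30200000 r-xp 00000000 08:01 9931 /usr/lib/libc.so.6
7f1c40000000-7f1c40005000 r-xp 00000000 00:05 1234 /memfd:payload (deleted)
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
7ffd5e1f0000-7ffd5e1f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    # With a pid argument, inspect a live process; otherwise run over the sample.
    findings = scan_pid(int(sys.argv[1])) if len(sys.argv) > 1 else \
        suspicious_regions(parse_maps(SAMPLE_MAPS))
    for region, reasons in findings:
        print(f"{region.start:#x}-{region.end:#x} {region.perms} "
              f"{region.path or '<anonymous>'}: {'; '.join(reasons)}")
```

The caveat a practitioner needs here is exactly the one the thread's target invites: a JIT-compiling runtime such as Java (or a browser's JavaScript engine) legitimately produces anonymous, often writable-and-executable regions for its code cache, so on such processes this check yields triage candidates to dump and inspect, not a verdict. On processes that are not expected to JIT, an anonymous executable region or a `memfd:`-backed one is a much stronger signal.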
  #23  
Old March 22nd, 2012, 09:50 PM
m00nbl00d m00nbl00d is offline
Incredibly Massive Poster
 
Join Date: Jan 2009
Posts: 6,453
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Yeah, though the more crap one has in the system, the more attack surface you got.

I can say that I'm not worried about Java exploits (gone from my system) and not worried about Flash either. I only allow Flash in a dedicated Chromium profile, only allowing connection to Youtube. Unless Youtube itself gets compromised.

These are two less headaches.
  #24  
Old March 22nd, 2012, 10:21 PM
siljaline's Avatar
siljaline siljaline is offline
Security Expert
 
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,128
Post Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Kaspersky Lab Discovers Invisible Memory-Only Bot

Quote:
The clever Russian malware hides in RAM and spreads through banners on news websites
Full article
  #25  
Old March 22nd, 2012, 11:10 PM
trismegistos's Avatar
trismegistos trismegistos is offline
Frequent Poster
 
Join Date: Jan 2009
Posts: 363
Default Re: Java-based Web Attack Installs Hard-to-detect Malware in RAM

Quote:
Yeah, though the more crap one has in the system, the more attack surface you got.

I can say that I'm not worried about Java exploits (gone from my system) and not worried about Flash either. I only allow Flash in a dedicated Chromium profile, only allowing connection to Youtube. Unless Youtube itself gets compromised.

These are two less headaches.
Totally agree. I have none of that crap too.

My main security tool only occupies a megabyte or so of surface on the disk, with no known exploit in the wild, because of security by obscurity and probably by being tightly coded with security in mind. And even though I have regularly used tons of code from old apps or software with known vulnerabilities and exploits, giving me a kilometer of attack surface, and with those running on unpatched testing and work machines, which greatly multiplies the attack surface even more...
...yet that security tool gives me the peace of mind of catching any payload executing or injecting into trusted processes.
__________________
-http://www.veteranstoday.com/author/henderson/
-http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/

Last edited by trismegistos : March 22nd, 2012 at 11:17 PM.