Discussion in 'malware problems & news' started by Hungry Man, Mar 19, 2012.
Drive-by RAM bots, interesting. I take it we most likely have a new botnet growing out of Russia? Well, technically growing, then dying, then growing again... Russia turning off their power grid for 2 minutes, then turning it back on, should be the fix.
I'd go the extra mile: VM or sandbox your browser, and default-deny plug-ins etc. Though this malware is targeting the average user, so even mentioning automatic update patching is probably too much to ask.
Interesting... a few weeks back I talked about this kind of threat in another thread, and I was practically slapped in the face for talking about theoretical threats.
Now... what do we see?
Keeping Java up-to-date is especially problematic for millions of users. The built-in auto-update doesn't work, at all.
@m00n, not sure who slapped you lol but I hope it wasn't me. ROP and "in-process" malware are some of my favorite concepts.
The thing about a VM is that the malware won't necessarily care. It's working from within your browser anyway. A VM helps in that it can't read files on your system, though if it's only after that specific session, that's enough.
It seems likely that at some point it's dropping an executable but as time continues I suspect we'll see more advanced forms of malware like this, that push the drop until the last possible moment, first using the hijacked process to take a look at the computer and possibly disable defenses.
It should also be noted that this resulted from a hijacked ad network. So, blocking ads (third-party ads) is also a great solution to prevent many infections.
Google Chrome users should be on the safe side, though. Not due to the sandbox, because Java runs outside of the sandbox (Damn Oracle!!), but because by default Google Chrome won't allow Java to run. The user needs to explicitly allow it.
I don't know if this behavior persists, but even if the user disables Java in Internet Explorer, it will still run. I don't know why this behavior happens. The only solution I've found a long time ago, is to block Java plugin execution using Group Policy Editor. This effectively blocks the plugin in IE.
Of course, I no longer have it on my system.
Attacking Java definitely puts users at a disadvantage. Chrome limits IPC to Java... so maybe that would help? Impossible to say without knowing details.
But, yes, blocking ads would take care of this. Unfortunately that doesn't stop the exploit from being there.
The article doesn't say whether it's a 0day or not.
What about Google Chrome + EMET + Ad Muncher + Up to date OS and software?
Not a 0day, the method the malware used has been known since 2011. Link to vuln used and exploit of it here
If you're blocking ads it would stop this particular attack. If you're up to date with Java you won't be affected. EMET may or may not help; it doesn't actually look like it in this situation.
I think it's just an interesting attack. I would not be surprised if we see more attacks that stay in RAM for a while.
On my system, it's disabled globally and whitelisted per site. I have only one site that requires it: my insurance company's Contact page uses a custom Java applet to send messages to the company. I had to upload a few documents, and I watched each attachment upload followed by a "wait" message. I assume it was being scanned at a central repository, for the adjusters don't have email addresses. Messages/attachments are forwarded to them internally when received via the company's Contact page.
You can see how more secure this is than normal email for an organization.
I require Java for programming.
I'm glad we're not in that boat. All C# here so I made everybody get rid of it. Nobody seems to have needed it in the past year.
Have not used or needed Java in years, but for those that do, it's important to remember to keep it up to date, as with anything else. People rarely need it and that's why it's easily forgotten about.
Yeah, I never ever plan on programming in Java either lol, learning C++ on the side.
"piece of malware that doesn't create any files on the affected systems"
Surely this is bull? How can it not create any files?
No Java here so I'm safe. Interesting though.
It lives within the exploited program and can hop between other programs. No need to ever touch the disk.
Fascinating- thanks. I will continue to ignore Java on my machines!
Probably a good idea, though there's no reason why this type of attack couldn't happen in any program.
Yup. Metasploit's hard-to-detect Meterpreter and VNC return command shells or servers, running in RAM and not written to disk (reflective DLL injection), only require an initial exploit, which could for the most part be a browser-side vulnerability or any other client-side exploit, and not just Java's.
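As an added illustration of the point made in the last two posts (an in-memory payload never needs to touch the disk, so file scanning misses it), here is a small triage script that is not from the thread, the article, or any of the tools named above. It parses a Linux /proc/&lt;pid&gt;/maps listing and reports executable regions that no on-disk file backs: anonymous RWX blobs, executable memfd or deleted-file mappings, and writable+executable file mappings. The maps text below is constructed by me to look like a process with one injected RWX region and one unlinked executable memfd; the function and class names are my own. Java and browser JIT engines create anonymous executable memory legitimately, so a hit is a reason to look, not a verdict.

```python
"""Triage a Linux process's memory map for executable regions that no file on disk backs.

Reflectively loaded code (Meterpreter-style in-memory payloads) has to sit in
executable memory, and that memory is anonymous: it maps to no inode on disk.
JIT engines (Java, browser script engines) also create such regions, so treat
hits as a starting point for inspection, not as proof of infection.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# One line of /proc/<pid>/maps:  start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Kernel pseudo-mappings that are executable and unbacked by design.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms


def parse_maps(text: str) -> list[Region]:
    """Parse the text of a maps file; blank or malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m is None:
            continue
        regions.append(Region(
            int(m["start"], 16), int(m["end"], 16),
            m["perms"], int(m["inode"]), m["path"].strip(),
        ))
    return regions


def classify(region: Region) -> Optional[str]:
    """Return a reason string if the region deserves a look, else None."""
    if not region.executable or region.path in KERNEL_PSEUDO:
        return None
    if region.path.endswith("(deleted)") or region.path.startswith("/memfd:"):
        return "executable, backing file deleted or memfd-only"
    if region.inode == 0:  # anonymous: [heap], [stack], or an unnamed mapping
        return "rwx anonymous" if region.writable else "r-x anonymous"
    if region.writable:
        return "rwx file mapping (W^X violated)"
    return None


def triage(maps_text: str) -> list[tuple[Region, str]]:
    """All regions in the listing that classify() flags, in address order."""
    hits = []
    for region in parse_maps(maps_text):
        reason = classify(region)
        if reason:
            hits.append((region, reason))
    return hits


def scan_pid(pid: int) -> list[tuple[Region, str]]:
    """Live check of a running process (Linux only; needs ptrace-read access to the pid)."""
    return triage(Path(f"/proc/{pid}/maps").read_text())


# Constructed sample, not a real capture: a python process with one injected
# RWX blob (no path, inode 0) and one executable memfd whose name was unlinked.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 393234 /usr/bin/python3
00651000-00652000 rw-p 00051000 08:01 393234 /usr/bin/python3
01a2e000-01b3f000 rw-p 00000000 00:00 0 [heap]
7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
7f3a1c200000-7f3a1c3a0000 r-xp 00000000 08:01 131073 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c4f0000-7f3a1c4f2000 r-xp 00000000 00:00 0 [vdso]
7f3a1c600000-7f3a1c640000 r-xp 00000000 00:05 4711 /memfd:payload (deleted)
7ffd5e7c0000-7ffd5e7e1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for region, reason in triage(SAMPLE_MAPS):
        print(f"{region.start:012x}-{region.end:012x} {region.perms} "
              f"{region.size:>8} B  {reason}  {region.path}")
```

Run against a live process with scan_pid(pid); on the constructed sample it reports exactly the RWX anonymous region and the memfd mapping, and ignores [vdso], [heap] and [stack] because they are either kernel-provided or not executable. The same idea on Windows is walking VirtualQueryEx for MEM_PRIVATE regions with PAGE_EXECUTE_READWRITE protection, which is how the "RAM-only" payload the article describes would show up to a memory scanner rather than to a file scanner.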
Yeah, though the more crap one has in the system, the more attack surface you've got.
I can say that I'm not worried about Java exploits (gone from my system) and not worried about Flash either. I only allow Flash in a dedicated Chromium profile, only allowing connections to YouTube. Unless YouTube itself gets compromised.
These are two less headaches.
Kaspersky Lab Discovers Invisible Memory-Only Bot
Totally agree. I have none of that crap too.
My main security tool only occupies a megabyte or so of surface on the disk, with no known exploit in the wild because of security by obscurity and probably by being tightly coded with security in mind. And even though I have regularly used tons of code from old apps or software with known vulnerabilities and exploits, giving me a kilometer of attack surface, with those running on unpatched testing and work machines, which greatly multiplies the attack surface even more...
...yet that security tool gives me the peace of mind of catching any payload executing or injecting into trusted processes.