Java-based Web Attack Installs Hard-to-detect Malware in RAM

Discussion in 'malware problems & news' started by Hungry Man, Mar 19, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://www.pcworld.com/article/2520..._hardtodetect_malware_in_ram.html#tk.rss_news
     
    Last edited: Mar 19, 2012
  2. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Drive-by RAM bots, interesting. I take it we most likely have a new botnet growing out of Russia? Well, technically growing, then dying, then growing again... Russia turning off their power grid for 2 minutes, then turning it back on should be the fix. :D

    I'd go the extra mile, VM or sandbox your browser, and default deny plug-ins etc. Though this malware is targeting the average user so even mentioning automatic update patching is probably too much to ask. :cautious:
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Interesting... a few weeks back I talked about this kind of threat in another thread, and I was practically slapped in the face for talking about theoretical threats. :D

    Now... what do we see? :D
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Keeping Java up-to-date is especially problematic for millions of users. The built-in auto-update doesn't work, at all. o_O
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    @m00n, not sure who slapped you lol but I hope it wasn't me. ROP and "in-process" malware are some of my favorite concepts.

    The thing about a VM is that the malware won't necessarily care. It's working from within your browser anyway. A VM helps in that it can't read files on your system, though if it's only after that specific session, that's enough.

    It seems likely that at some point it's dropping an executable but as time continues I suspect we'll see more advanced forms of malware like this, that push the drop until the last possible moment, first using the hijacked process to take a look at the computer and possibly disable defenses.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It should also be noted that this resulted from a hijacked ad network. So, blocking ads (third-party ads) is also a great solution to prevent many infections.

    Google Chrome users should be on the safe side, though. Not due to the sandbox, because Java runs outside of the sandbox (Damn Oracle!! :mad:), but because by default Google Chrome won't allow Java to run. The user needs to explicitly allow it.

    I don't know if this behavior persists, but even if the user disables Java in Internet Explorer, it will still run. I don't know why this behavior happens. o_O The only solution I found, a long time ago, is to block Java plugin execution using Group Policy Editor. This effectively blocks the plugin in IE.

    Of course, I no longer have it on my system. :D
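    The per-zone "Java permissions" setting that the Group Policy route above controls also lives in the IE security-zone registry layout, so it can be audited from a script. The following is an added example, not code from the thread; it assumes Zones\3 is the Internet zone, that value 1C00 holds the Java permission, and that 0 means "Disable Java".

```powershell
# Added example (not from the thread). Audits the Internet zone's Java
# permission in the IE zone registry layout and, with -Enforce, sets it to
# "Disable Java". Assumptions: Zones\3 = Internet zone, value 1C00 = Java
# permissions, 0 = Disable Java (0x10000 high safety, 0x20000 medium,
# 0x30000 low, 0x800000 custom). Writing under HKLM needs an elevated shell.
param(
    [switch]$Enforce   # without this switch the script only reports
)

$zonePaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)
$javaPermValue = '1C00'
$meaning = @{
    0        = 'Disable Java'
    0x10000  = 'High safety'
    0x20000  = 'Medium safety'
    0x30000  = 'Low safety'
    0x800000 = 'Custom'
}

foreach ($path in $zonePaths) {
    if (-not (Test-Path $path)) {
        Write-Output "$path : zone key not present"
        continue
    }
    # Read the current value; a missing value means the zone default applies.
    $current = (Get-ItemProperty -Path $path -Name $javaPermValue -ErrorAction SilentlyContinue).$javaPermValue
    if ($null -eq $current) {
        Write-Output "$path : $javaPermValue not set (zone default applies)"
    } else {
        $label = if ($meaning.ContainsKey([int]$current)) { $meaning[[int]$current] } else { 'unknown' }
        Write-Output ("{0} : {1} = 0x{2:X} ({3})" -f $path, $javaPermValue, $current, $label)
    }
    if ($Enforce -and $current -ne 0) {
        # Hardened setting: Java applets disabled for the Internet zone.
        Set-ItemProperty -Path $path -Name $javaPermValue -Value 0 -Type DWord
        Write-Output "$path : $javaPermValue set to 0 (Disable Java)"
    }
}
```

Run it without arguments to see what the zone currently allows; other zones (Local intranet, Trusted sites) have their own keys and are not touched here.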
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Attacking Java definitely puts users at a disadvantage. Chrome limits IPC to Java... so maybe that would help? Impossible to say without knowing details.

    But, yes, blocking ads would take care of this. Unfortunately that doesn't stop the exploit from being there.

    The article doesn't say whether it's a 0day or not.
     
  8. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    784
    What about Google Chrome + EMET + Ad Muncher + Up to date OS and software?
     
  9. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Not a 0day, the method the malware used has been known since 2011. Link to vuln used and exploit of it here
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thanks EB.

    @Dark,

    If you're blocking ads it would stop this particular attack. If you're up to date with Java you won't be affected. EMET may or may not help; it doesn't actually look like it in this situation.

    I think it's just an interesting attack. I would not be surprised if we see more attacks that stay in RAM for a while.
     
  11. BrandiCandi

    BrandiCandi Guest

    You're all talking about Java, not JavaScript, right? I don't run Java on any machine and I haven't missed it. All I have heard about are Java exploits, I'm not even sure what benefit Java would give me. To the folks that run Java, why do you use it?
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    On my system, it's disabled globally, and whitelisted per site. I have only one site that requires it: my Insurance Company's Contact page uses a custom Java applet to send messages to the Company. I had to upload a few documents, and I watched each attachment upload followed by a "wait" message. I assume it was being scanned at a central repository, for the adjusters don't have email addresses. Messages/attachments are forwarded to them internally when received via the Company's Contact Page.

    You can see how more secure this is than normal email for an organization.

    regards,

    -rich
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I require Java for programming.
     
  14. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    I'm glad we're not in that boat. All C# here so I made everybody get rid of it. Nobody seems to have needed it in the past year.
     
  15. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Have not used or needed Java in years, but for those that do, it's important to remember to keep it up to date, as with anything else. People rarely need it and that's why it's easily forgotten about.
     
    Last edited: Mar 20, 2012
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah, I never ever plan on programming in Java either, lol. Learning C++ on the side.
     
  17. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    "piece of malware that doesn't create any files on the affected systems"

    Surely this is bull? How can it not create any files?
     
  18. x942

    x942 Guest

    No java here so I'm safe :D interesting though.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It lives within the exploited program and can hop between other programs. No need to ever touch the disk.
     
  20. BrandiCandi

    BrandiCandi Guest

    Fascinating- thanks. I will continue to ignore Java on my machines! ;)
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Probably a good idea, though there's no reason why this type of attack couldn't happen in any program.
     
  22. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Yup. Metasploit's hard-to-detect Meterpreter and VNC return command shells or servers, running in RAM and not written to disk (reflective DLL injection), only require an initial exploit, which could for the most part be a browser-side vulnerability or any other client-side exploit, and not just Java's.


    http://searchsecurity.techtarget.in/tip/Metasploit-tutorial-part-2-Using-meterpreter
    http://nullpointer.dk/?q=node/51
    http://www.offensive-security.com/metasploit-unleashed/SET_Metasploit_Browser_Exploit
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah, though the more crap one has in the system, the more attack surface you've got. :argh:

    I can say that I'm not worried about Java exploits (gone from my system) and not worried about Flash either. I only allow Flash in a dedicated Chromium profile, only allowing connection to Youtube. Unless Youtube itself gets compromised. :D

    These are two less headaches.
     
  24. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  25. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Totally agree. I have none of that crap too. :)

    My main security tool only occupies a megabyte or so of surface on the disk, with no known exploit in the wild because of security by obscurity and probably because it is tightly coded with security in mind. And even though I have regularly used tons of code from old apps or software with known vulnerabilities and exploits, giving me a kilometer of attack surface, with those running on unpatched testing and work machines, which greatly multiplies the attack surface even more...
    ...yet, that security tool gives me the peace of mind of catching any payload executing or injecting into trusted processes.
     
    Last edited: Mar 22, 2012