Virus or whatever delivered through Java using Firefox

Discussion in 'other security issues & news' started by lynchknot, Dec 13, 2004.

Thread Status:
Not open for further replies.
  1. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I wanted to share this with the community. I wanted to investigate an app called Hacker Defense suite. I googled for it and upon clicking one of the website's titles I received a virus - just by visiting the site.

    I have confirmed this by disabling Java in Firefox, after which I did not receive a warning; I enabled it and again received the warning.

    Screenshot: http://img31.exs.cx/img31/3289/virus9qe.jpg
     
  2. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Are you talking about a rootkit trojan called Hacker Defender? It's a very deadly trojan; it's a rootkit. Why did you take the risk by going to the trojan's website?
     
  3. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    First, if you are going to visit the underbelly of the web and the crack/warez sites, always disable Java and JavaScript. Do you have the latest SUN Java Runtime Environment? It is JSRE 1.4.2, there is also a beta 1.5. - What AVAST found may be, but is probably not, legit. There IS an exploit for earlier Sun JRE versions, but most of these classloader hits are false positives. Do you have other security software to check it with? An anti-Trojan would catch the legit classloader problem. You might try McAfee's free Stinger app and an online scan or two from Trend or McAfee. Let us know. If you're clean from the others, it was a FP from AVAST. But, better safe than sorry. This is an easy FP that is just now getting cleaned up by all of the anti-malware programs, though actually the real thing is extremely rare. Good luck.
     
    Last edited: Dec 13, 2004
  4. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    No, I'm talking about a virus distributed through Java. But as far as the app I was looking into:

     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Lynch, see my post above and let us know. I'm very interested to know if this was a classloader trojan or a js.classloader false alarm. Thanks. BTW, the screenshot looks like you clicked on a link, not for the program, but for a crack for the program. Those places can make for dangerous surfing.
     
  6. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    For one, there is no indication that it's a crack site or "underbelly of the web". It is the application's website.
    I'm using Java 1.5.0-b64.
    I checked at jotti's - reported possible malware because of packers and length of time in sandbox (the app itself, not the virus reported).
    I'll go check to see if it's quarantined.

    **edit - I was wrong about it being the app's website. This website started off as tmr.net[edited] - still no way to tell what kind of site it is.

    **edit - I went back to the site and put it in Avast virus chest (loaderadv303.jar-12be7432-7b67d684.zip) - I went to jotti's - here are the results:

     
    Last edited: Dec 13, 2004
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Just so you know, I wasn't being serious about your surfing habits. That's why my second post was saying you probably clicked on a link not for the program itself, but for a crack. It's easy to do and I didn't mean to say you were a careless surfer. Those sites are notorious for droppers and malware of all kinds. I'm going to look more into this and if I don't fall asleep I'll write back. If you really are infected, you need first aid right away. Do you use System Restore? Have a recent image you can slap on? The image would be a quick, painless way to rid yourself of this. I use a program called "Deep Freeze"; after a reboot, I am back to a perfect state. It actually renders most all other security software obsolete. Some people say it takes the fun out of messing with the security apps, but I'll gladly take the trade. I'll have to post a thread about it soon and share how I have it set up, with all data on a separate partition and programs/OS frozen on the C drive; any problems, no matter how bad, I'm a reboot away from being back to my perfect system state byte-for-byte.
    Gerard
     
  8. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    Hehe, I was careless in clicking the second link in Google - thinking it was the application's website. Anyway, if you look closer at my post, it's in a zip file. I am not infected. Java allowed delivery of a zip file containing whatever it is without browser knowledge.
    I have an app called Winrollback that is similar - you have to disable it if you want to install anything, though, because when you reboot, it reverts back to when the computer was first protected. You can delete important files, get viruses, etc. with no effect.

    I think this is what some electronics stores and Costco use, because I'm guilty of doing some pretty nasty stuff to demo computers (educational purposes only) - only to see them working later.
     
  9. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Where are the official websites for DeepFreeze and WinRollBack?
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,764
    Location:
    Texas
  11. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    So, being that I'm using Java 1.5.0-b64, we still have problems - should Sun be notified?
     
  12. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I may have spoken too soon. I rebooted this morning and many apps I allow to open on startup failed to start and/or failed to show up in the tray. ALL of my security apps failed to show up in the tray. Some are visible in Task Manager, however. I had to manually start Process Guard and Prevx. Avast showed in Task Manager but not the tray - Outpost as well. The curious thing about Outpost is the fact that I'm using IE for an online virus scan but it's not indicated in Outpost. IE is shown as "System"?

    http://img54.exs.cx/img54/4323/out8ax.jpg


    **edit

    Yep, I'm infected, I think. So far:

    C:\WINDOWS\system32\APIHookDll.dll - PWS:Win32/Hooker.P -> Infected

    All security apps failed. I should have been using "Winrollback"; I would not be having trouble right now. This is a true "drive by" infection that Firefox has no protection from - other than turning off Java.

    Most all my startups are missing. Does anyone know what I should do?
    http://img9.exs.cx/img9/8352/startups9lo.jpg
     
    Last edited: Dec 13, 2004
  13. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I system restored back to normal.
     
  14. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    You may be interested in alerting the search engine you used about this.

    Jimbob
     
  15. lynchknot

    lynchknot Registered Member

    Joined:
    Jun 26, 2004
    Posts:
    904
    Location:
    SW WA
    I don't think Google can/will do anything. There are probably 1000s of questionable sites - take one down, another will pop up.
     