
Multiplatform Java Botnet Spotted In the Wild

Posted by timothy
from the semi-equal-opportunity dept.
It's fun sometimes to be smug because you are ("one is") using an operating system less susceptible to malware, or at least less targeted by malware creators, than is Microsoft Windows. Now, reader Orome1 writes with word of a Java-based, equal-opportunity botnet Trojan, excerpting from Help Net Security's report: "'IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,' explains McAfee's Carlos Castillo." So far, no mention of a Linux version, though.
  • by martinux (1742570) on Thursday May 05, 2011 @08:14PM (#36043088)

    No mention of linux support. Do we always have to come last?

  • by LodCrappo (705968) on Thursday May 05, 2011 @08:16PM (#36043120) Homepage

    "So far, no mention of a Linux version, though."

    Java is Java.. there generally would not be a "linux version", or any platform specific version.. sort of the whole point of this.

    • Re:um.... (Score:5, Informative)

      by guruevi (827432) <evi@smoking c u be.be> on Thursday May 05, 2011 @08:20PM (#36043150) Homepage

      If you rtfa, the software (trojan) has to be installed somehow. The payload has to get on a computer and be executed.

      FTFA: The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs...However, we’ve seen only the PC version in a downloader/dropper in the wild.

      Yes, I can run a Java-based botnet client (it may be one of the first) but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector.

      • by LodCrappo (705968)

        so no linux "installer", but I'd assume you could still run the botnet software on linux if you desired to.

        • Re:um.... (Score:4, Informative)

          by TheLink (130905) on Thursday May 05, 2011 @10:01PM (#36043806) Journal
          The Linux "installer" is called Firefox.

          Google for firefox exploit linux. Or firefox vulnerability.

          As long as attackers can run arbitrary code of their choice they can install botnet software.

          Even if it means tricking the user to run it... Which is what botnet operators do all the time to Windows users.

          The "linux" fanatics just like to believe Linux is more secure when there are so many exploited Linux servers[1] out there.

          Go ahead and blame the administrators and users, but just imagine the sort of users you have "administering" a typical Windows machine.

          They are the very users botnet operators target.

          If OSX and "Desktop Linux" become very popular, you might get malware written in Perl for more cross platform goodness.

          [1] There may not be as many exploited Linux desktops, but I suspect there may be more Linux servers than desktops in the world ;).
      • by mug funky (910186)

        i've become quite accustomed to typing sudo in front of everything these days.. i'm sure i'd be vulnerable to this if i didn't also watch what i clicked (or watched the computer's response to things i most certainly didn't click)

        • by Urza9814 (883915)

          ...What do you need to use sudo for other than installing apps, starting services, or mounting stuff? I certainly hope you wouldn't sudo before running some random crap you got in an email attachment or something. Only times I ever sudo are to install software from trusted repositories, to run scripts that I wrote myself (generally for sshfs mounts) and to start services that were installed from trusted repositories.

          Of course, if my Pacman repository ever gets hacked, then I'm pretty much fucked....

          • So long as Nvidia's FTP server doesn't get hacked and I download a messed-with driver, I'm pretty safe.
            Only /one/ java applet ever runs through firefox: Runescape. Outside of that, Noscript blocks it all.
            I think I may have one or two other Java programs that run as user... but still, trusted software.

        • Time to make sudo require a password to get rid of that bad habit.
      • Re: (Score:3, Insightful)

        by hairyfeet (841228)

        You mean "Windows excels in that part of the attack vector a decade ago" FTFY. Seriously people Vista has been out nearly FIVE years, Windows 7 now for TWO years, did the DOS jokes continue into 2005?

        So the moral of the story little childrens is this: stop running decade old shite and if you ARE gonna run decade old shite have a fricking brain about it and run a decent free AV (I'd recommend either Avast or Comodo as both have default sandboxing) along with not running every damned bit of code found in the

        • Heck, no need to make it a virus: Just add good functionality to your botnet client, and people will /intentionally/ install it!
          Think: Do you know many people who wouldn't give up some cpu cycles and bandwidth if it meant, say, easier torrents or the latest movies/music easily downloadable? What about a really nice screensaver?
          I think the next wave of malware will be things that get the user to install it... and /keep/ it installed!

          • Think: Do you know many people who wouldn't give up some cpu cycles and bandwidth if it meant, say, easier torrents or the latest movies/music easily downloadable? What about a really nice screensaver?
            I think the next wave of malware will be things that get the user to install it... and /keep/ it installed!

            At least it would be more functional than most of Sony's offerings! Ba-dum-pum.

          • Old news, Kazaa did this.

        • by vegiVamp (518171)

          I agree, Windows has slowly become more secure. Not quite there yet, but a lot better than what it used to be. The largest part of the attack vectors, however - as you suggest at the end of your post - is still mostly Windows for the moment, though: stupid users. An unfortunate, but as logical as it is damaging, consequence of that is stupid admins.

          And right there is going to be the eternal damnation of the computer world: the users. Oh, how wonderful our job would be without them. That is, if there would b

        • Android? The only thing it has in common with a Linux distro is the kernel, and even that is quite different from the mainline Linux kernel.

      • by dkf (304284)

        Yes, I can run a Java-based botnet client (it may be one of the first) but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector.

        Or you can have a program that causes mischief while just running as a normal user. For example, it could participate in DDoS attacks or distributed hack attempts on a third party, or it could act as a file server for various types of nefarious data, or be part of a C&C network, or... There's a lot of things these systems can do without attacking the host per se, and for which running without significant privileges isn't a problem. (If it claimed to be a bittorrent client, it would even be awkward for m

      • by Bengie (1121981)

        " but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector."

        By default, Windows Vista/7 will prompt you if a program requires admin privs to continue, Windows doesn't excel at it, Windows users excel at clicking OK.

        If you're going to talk about "Windows", you shouldn't be talking about the old version that is 10+ years old and no longer supported.

        • by guruevi (827432)

          Yes, because there are no exploits that bypass UAC, none at all. I don't need to put sarcastic tags in it, right?

    • Re: (Score:2, Funny)

      by John Hasler (414242)

      Read the article.

      • by LodCrappo (705968)

        "but uses source code and libraries that can operate on other platforms,"

        "So far, no mention of a Linux version, though."

        • Re:um.... (Score:5, Insightful)

          by John Hasler (414242) on Thursday May 05, 2011 @08:47PM (#36043378) Homepage

          ...but uses source code and libraries that can operate on other platforms,

          Read that again. Source code.

          Also from the article:

          The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files,...

          In other words, it may be source compatible with Linux but there is no Linux binary in the wild. The jar files might run on Linux but the key component needed to download and install it is a Windows binary.

          • by LodCrappo (705968)

            Had the summary comment been "No mention of a Linux installer", it would be more clear. Saying there is no "Linux version" implies that you would need a special version of the software for linux, which is not true. The fact that this malware does not require platform specific versions is what makes it interesting, so saying (even unintentionally) that there is no linux version seems silly.

          • Re:um.... (Score:5, Insightful)

            by jd2112 (1535857) on Thursday May 05, 2011 @08:58PM (#36043470)
            So typical. Program is written in Java but packaged so it is Windows only, defeating the main purpose of using Java in the first place.
          • by psetzer (714543)

            You can make a Linux executable quite easily using a similar trick to the Windows executable version. Just cat a shell script that tries to run itself as a JAR file with an actual JAR file.

            • You can make a Linux executable quite easily using a similar trick to the Windows executable version. Just cat a shell script that tries to run itself as a JAR file with an actual JAR file.

              Sorry -- the shell script needs permissions to run. No Execute Bit Set.

              Additionally, all of my applications -- especially Java (IcedTea) -- run as a user of the same name & group. So, e.g., my Java app called JOGL-BlockDrop is run as jogl-bd and only has access to jogl-bd or jogl-bd-perm grouped files, and that group is not allowed to make UDP or TCP connections (I give per application / group access to my network via iptables).

              Note: The BlockDrop .jar file can't automatically add files to the jogl-
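Added example, not code from any commenter in this thread or from the McAfee write-up: it builds the "shell script + JAR" launcher psetzer describes, and then shows the caveat from the reply above, namely that the concatenated file arrives without an execute bit and is inert until something sets it. The archive contents (a manifest naming a hypothetical `Agent` class plus placeholder class bytes) and the file name `app.run` are constructed for illustration; Java itself is not invoked, the example only verifies that the result is simultaneously a valid shell script and a readable JAR.

```python
"""Build a self-launching JAR: a POSIX shell stub followed by the JAR bytes."""
import io
import os
import stat
import tempfile
import zipfile

# Shell stub written in front of the archive. "$0" is the combined file
# itself; JAR readers locate the ZIP central directory from the END of the
# file, so the leading script text is skipped when java reads the archive.
STUB = b"""#!/bin/sh
exec java -jar "$0" "$@"
"""

# Constructed stand-in for a compiled JAR: a manifest naming the entry point
# and a placeholder class file (only the 0xCAFEBABE magic, not real bytecode).
# "Agent" is a hypothetical class name used purely for illustration.
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: Agent\r\n\r\n",
    "Agent.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
}


def build_jar(entries):
    """Return JAR (ZIP) bytes containing the given name -> data entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_launcher(jar_bytes, path):
    """Write stub + JAR to path the way a download lands: mode 0644, no x bit."""
    with open(path, "wb") as f:
        f.write(STUB)
        f.write(jar_bytes)
    os.chmod(path, 0o644)  # model a freshly downloaded file
    return path


def mark_executable(path):
    """The step a drop-and-run attack cannot skip on Linux: set the x bit."""
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def inspect_launcher(path):
    """Check that the file is both a runnable script and a readable JAR."""
    with open(path, "rb") as f:
        first_line = f.readline()
    with zipfile.ZipFile(path) as zf:  # zipfile tolerates data before the ZIP
        names = sorted(zf.namelist())
        manifest = zf.read("META-INF/MANIFEST.MF").decode("ascii")
    main_class = None
    for line in manifest.splitlines():
        if line.startswith("Main-Class:"):
            main_class = line.split(":", 1)[1].strip()
    return {
        "shebang": first_line.startswith(b"#!/bin/sh"),
        "entries": names,
        "main_class": main_class,
        "executable": bool(os.stat(path).st_mode & stat.S_IXUSR),
    }


def demo():
    """Build the launcher in a temp dir; report its state before/after chmod."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.run")  # hypothetical file name
        make_launcher(build_jar(SAMPLE_ENTRIES), path)
        before = inspect_launcher(path)
        mark_executable(path)
        after = inspect_launcher(path)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Two things the thread argues over fall out of the code directly: the same bytes are a valid JAR before and after `chmod`, so "there is no Linux version" really only means there is no Linux dropper; and for the stub to run at all, something has to set the execute bit and a `java` has to be on `PATH`, which is the user interaction (or separate exploit) guruevi's comment says Windows droppers do not need.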

      • Wish I had some "Funny" mod points for you.
    • Java is not Java if you use platform specific attack vectors as this botnet does. In this case it can theoretically operate on other platforms, but it cannot propagate to them. One could install it intentionally perhaps, but it won't make its way onto the Linux box against the system administrator's will.
      • Re:um.... (Score:4, Informative)

        by LynnwoodRooster (966895) on Thursday May 05, 2011 @09:53PM (#36043770) Journal

        In this case it can theoretically operate on other platforms, but it cannot propagate to them. One could install it intentionally perhaps, but it won't make its way onto the Linux box against the system administrator's will.

        Thus it's called a Trojan - not a virus. It won't self-replicate and transmit to computers on other OSes as well...

        • No it isn't, but nice try.
          • Someone needs to re-read TFS: IncognitoRAT is one example of a Java-based Trojan . Sorry, it's a Trojan.
            • You completely missed the point. On linux it is NOT a trojan since tricking the user into running it does not result in a successful exploit. The admin would have to install it intentionally. Again, nice try, but understanding the subject matter beats reading a summary every time.
      • Re: (Score:3, Informative)

        Java is not Java if you use platform specific attack vectors as this botnet does. In this case it can theoretically operate on other platforms, but it cannot propagate to them.

        Sure, so you end up having to muck around with bash for something as simple as installing some damn botnet. apt-get install this, /etc/init.d/restart that...

        See, that's what I mean when I say that Linux is not ready for the desktop! ~

    • Java is Java.. there generally would not be a "linux version", or any platform specific version.. sort of the whole point of this.

      Which is why I never enable Java, period. If a site requires it, they don't need my eyeball time.

      • by Cougar Town (1669754) on Thursday May 05, 2011 @09:26PM (#36043646)

        You don't enable or disable Java. If it's installed on your system, it's available to use. You can, however, enable or disable the Java applet plugin for your web browsers, which is probably what you're talking about and isn't necessarily what this is about (TFA didn't mention applets or browsers). Java applications (not applets) can run on your system as long as you have Java installed, regardless of whether you have the browser plugins enabled or not, just like how you can open a PDF if Adobe Reader is installed, regardless of whether you have the Adobe Reader browser plugin enabled or not. So in theory, if they found an attack vector for your OS, having the Java plugin disabled wouldn't stop this from running on your system at all.

        Getting it onto your system is the trick, though. If they found a hole in the Java plugin's sandbox, they could potentially exploit that using an applet and get the code onto your system. Disabling the plugin prevents that possibility, but if they were trying to push this via browsers there are lots of other plugins and holes are found in browsers all the time.

        That being said, I don't bother with the Java plugin either, because applets are crap and I have no use for them and agree with you about sites requiring them (and I'm a full-time Java developer)

    • by qmaqdk (522323)

      Java is Java.. there generally would not be a "linux version", or any platform specific version.. sort of the whole point of this.

      Given that all JREs are equal. Which they are not.

    • by Chrisq (894406)

      Java is Java

      Except when it's Dalvik

  • by l0ungeb0y (442022) on Thursday May 05, 2011 @08:25PM (#36043200) Homepage Journal

    AFAIK, any OS that allows a user to install software is susceptible to malware.
    Anyone smugly thinking they aren't is an idiot.

    Wake me up when a worm has been discovered in the wild targeting OS X or Linux

    • Perhaps not every OS... The much maligned iOS would seem to be a model which is very hardy to trojans.

      • by mrnobo1024 (464702) on Thursday May 05, 2011 @09:16PM (#36043584)

        None that you know about. You can hide a lot in a closed-source binary.

        The only "security" iOS has is that you have to shell out $100/year to be a developer. Gives great protection against hobbyist programmers, does absolutely nothing against the Russian mafia.

        • It only takes being discovered once to have it removed from the app store, and hence not reasonably installable. Imagine how many pieces of malware would exist on Windows if MS actively and persistently vetted all software... It would probably tend towards zero.

          • by ADRA (37398)

            Wouldn't any OS API exploit allow said (now deleted) program to install a real rootkit, something that Apple can't just wave a magic wand to clean up? One of the hardest entry vectors for virus writers is to run binaries on hardware. Since Apple's platform is one universal hardware platform, it's a lot easier to exploit a single weakness for large impact effects.

          • how many pieces of malware would exist on Windows if MS actively and persistently vetted all software..

            MS - How long is a piece of string?

        • by mr_da3m0n (887821)

          The only "security" iOS has is that you have to shell out $100/year to be a developer. Gives great protection against hobbyist programmers, does absolutely nothing against the Russian mafia.

          Oh god, are you trying to tell me the billion fart apps, soundboards and shitty glorified Flash applets from the early 2000s are written by professional programmers? Or that hobbyists don't have $100 a year to spare for their hobby? Say it ain't so! :(

    • by Gerald (9696)

      Wake me up when a worm has been discovered in the wild targeting OS X or Linux

      Good morning! [wikipedia.org] I remember cleaning a worm from a client's system in the early aughts; as I recall they were old news even then.

    • by vegiVamp (518171)

      I got a machine rootkitted a few months ago, and it apparently came in through Exim. Took some time to clean up the mess, and then discovered that the hoster set up the preinstalled Debian with their own copy of the security repositories. They had some problem around that time and were running a few days behind - the original repos already had an update for the packages. One more thing added to my checklist when setting up a new machine.

      So yes, there definitely is malware out there in the wild. Not keeping

  • Wasn't this posted here a while back? I think it does run on Windows, Mac and Linux, but tests showed that Linux is the only platform that doesn't allow it to restart after a reboot. Can't find the story, could be wrong.
  • by antifoidulus (807088) on Thursday May 05, 2011 @09:32PM (#36043690) Homepage Journal
    They just gave Oracle a new slogan for Java, "Write once, pwn everywhere!"
  • by surveyork (1505897) on Thursday May 05, 2011 @09:57PM (#36043792) Journal
    "No OS left behind."
  • by Florian Weimer (88405) <fw@deneb.enyo.de> on Friday May 06, 2011 @01:18AM (#36044596) Homepage

    The original McAfee blog article [mcafee.com] says this (why not link to the original resource in the first place?):

    However, we’ve seen only the PC version in a downloader/dropper in the wild.

    So this is not different at all from the Java-based Facebook suicide Trojan horse which circulated in Spring 2010 (but was not spotted by most AV companies back then).

  • I used to run one of those what-is-my-IP sites. Now it's IPv6 only because various botnets started (ab)using it. I get a few thousand hits by "Apache-HttpClient/UNAVAILABLE (java 1.4)" per hour. Other AV vendors have known for a while; searching for my site lists several (not McAfee) that list my site as something the bots use.
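Added example, not from the commenter above or from any vendor: detection logic for the traffic pattern that comment describes, run over a handful of constructed Apache combined-format log lines (RFC 5737 documentation addresses, not real traffic). It parses each line, flags the `Apache-HttpClient/UNAVAILABLE (java 1.x)` User-Agent, buckets bot hits per hour and counts distinct source addresses, and keeps going past a malformed line. Matching any `java 1.x` suffix rather than only the exact `1.4` string from the comment is an assumption about how such clients vary; tighten the pattern if you only want the exact string.

```python
"""Spot Java-HttpClient bot traffic in Apache combined-format access logs."""
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent of a bundled Apache HttpClient that could not read its
# own version metadata ("UNAVAILABLE"), as seen in the comment above. The
# java minor version is left variable here (an assumption, see lead-in).
BOT_UA_RE = re.compile(r'^Apache-HttpClient/UNAVAILABLE \(java 1\.\d+\)$')

# Constructed sample, not real traffic. One deliberately malformed line.
SAMPLE_LOG = """\
198.51.100.7 - - [05/May/2011:20:14:07 +0000] "GET / HTTP/1.1" 200 42 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"
203.0.113.9 - - [05/May/2011:20:15:22 +0000] "GET / HTTP/1.1" 200 42 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
198.51.100.7 - - [05/May/2011:20:44:51 +0000] "GET / HTTP/1.1" 200 42 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"
192.0.2.33 - - [05/May/2011:20:59:03 +0000] "GET / HTTP/1.1" 200 42 "-" "Apache-HttpClient/UNAVAILABLE (java 1.6)"
this is not a log line and must be skipped rather than crash the parser
192.0.2.34 - - [05/May/2011:21:02:10 +0000] "GET / HTTP/1.1" 200 42 "-" "Apache-HttpClient/UNAVAILABLE (java 1.4)"
203.0.113.9 - - [05/May/2011:21:05:48 +0000] "GET / HTTP/1.1" 200 42 "-" "curl/7.21.3"
"""


def parse_line(line):
    """Return a dict of fields with a timezone-aware timestamp, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_bot_ua(ua):
    """True for the version-less Java HttpClient User-Agent."""
    return BOT_UA_RE.match(ua) is not None


def summarize(log_text):
    """Count bot hits per hour and distinct bot source IPs across the log."""
    total = unparsed = 0
    per_hour = Counter()
    bot_ips = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # skip, but keep a count so garbage is visible
            continue
        if is_bot_ua(rec["ua"]):
            per_hour[rec["ts"].strftime("%Y-%m-%d %H:00")] += 1
            bot_ips.add(rec["ip"])
    return {
        "lines": total,
        "unparsed": unparsed,
        "bot_hits": sum(per_hour.values()),
        "bot_hits_per_hour": dict(per_hour),
        "distinct_bot_ips": len(bot_ips),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A User-Agent string is attacker-controlled and trivially changed, so treat this as a cheap first-pass indicator for a site that legitimately expects browsers: the useful signal is the combination of a library UA, a steady per-hour rate, and many distinct source addresses fetching the same IP-echo resource, which is what the comment is describing.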
  • > Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms ..

    Is there a working demo in the wild that I can click on and get rooted on other non-Windows platforms?

  • Why would there be a "Linux version" of code that runs on multiple platforms? The "Windows version" IS the "Linux version."
