Multiplatform Java Botnet Spotted In the Wild

It's fun sometimes to be smug because you are ("one is") using an operating system less susceptible to malware, or at least less targeted by malware creators, than is Microsoft Windows. Now, reader Orome1 writes with word of a Java-based, equal-opportunity botnet Trojan, excerpting from Help Net Security's report: "'IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,' explains McAfee's Carlos Castillo." So far, no mention of a Linux version, though.

Re:um....

[guruevi]

If you rtfa, the software (trojan) has to be installed somehow. The payload has to get on a computer and be executed.

FTFA: The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs...However, we’ve seen only the PC version in a downloader/dropper in the wild.

Yes, I can run a Java-based botnet client (it may be one of the first) but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector.

Re:Significance

[clang_jangle]

How imaginative. Why, when this fallacious "reasoning" defeated in every single slashdot story in which it comes up, do people persist in trying to promote this myth? You *can't* unwittingly install and run arbitrary code on Linux the way you can on windows, unless you're incompetent and running as root all the time (which incredibly, I do know of at least one person who does -- but it's rare).

Re:um....

[LynnwoodRooster]

In this case it can theoretically operate on other platforms, but it cannot propogate to them. One could install it intentionally perhaps, but it won't make its way onto the Linux box against the system administrators will.

Thus it's called a Trojan - not a virus. It won't self-replicate and transmit to computers on other OSes as well...

Re:um....

[TheLink]

The Linux "installer" is called Firefox.

Google for firefox exploit linux. Or firefox vulnerability.

As long as attackers can run arbitrary code of their choice they can install botnet software.

Even if it means tricking the user to run it... Which is what botnet operators do all the time to Windows users.

The "linux" fanatics just like to believe Linux is more secure when there are so many exploited Linux servers[1] out there.

Go ahead and blame the administrators and users, but just imagine the sort of users you have "administering" a typical Windows machine.

They are the very users botnet operators target.

If OSX and "Desktop Linux" become very popular, you might get malware written in perl for more cross platform goodness.

[1] There may not be as many exploited Linux desktops, but I suspect there may be more Linux servers than desktops in the world ;).

Re:RUN FOR YOU LIVES !!

[mckorr]

2.7182 is e, not pi...

Re:um....

[shutdown -p now]

Java is not Java if you use platform specific attack vectors as this botnet does. In this case it can theoretically operate on other platforms, but it cannot propogate to them.

Sure, so you end up having to muck around with bash for something as simple as installing some damn botnet. apt-get install this, /etc/init.d/restart that...

See, that's what I mean when I say that Linux is not ready for the desktop! ~

Re:RUN FOR YOU LIVES !!

[trapnest]

Whoosh