Multiplatform Java Botnet Spotted In the Wild
It's fun sometimes to be smug because you are ("one is") using an operating system less susceptible to malware, or at least less targeted by malware creators, than is Microsoft Windows. Now, reader Orome1 writes with word of a Java-based, equal-opportunity botnet Trojan, excerpting from Help Net Security's report: "'IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms,' explains McAfee's Carlos Castillo." So far, no mention of a Linux version, though.
Typical. Bloody typical. (Score:5, Funny)
No mention of linux support. Do we always have to come last?
Re: (Score:3)
have you tried WINE [linux.com]?
Re: (Score:2)
have you tried WINE [linux.com]?
Seriously - you run Java under Wine?
Microsoft (Score:2)
Hello
If this is your first white screen of death
First contact Microsoft about this problem.
Then press the [any] key to continue.
If this screen still appears, you are infected by a virus.
-----------
This white screen of dea
Re: (Score:2)
:%s/any/F5/g
Re: (Score:2)
I am sick and tired of these motherfucking rants on this motherfucking site!
um.... (Score:3)
"So far, no mention of a Linux version, though."
Java is Java.. there generally would not be a "linux version", or any platform specific version.. sort of the whole point of this.
Re:um.... (Score:5, Informative)
If you rtfa, the software (trojan) has to be installed somehow. The payload has to get on a computer and be executed.
FTFA: The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs...However, we’ve seen only the PC version in a downloader/dropper in the wild.
Yes, I can run a Java-based botnet client (it may be one of the first) but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector.
Re: (Score:2)
so no linux "installer", but I'd assume you could still run the botnet software on linux if you desired to.
Re:um.... (Score:4, Informative)
Google for firefox exploit linux. Or firefox vulnerability.
As long as attackers can run arbitrary code of their choice they can install botnet software.
Even if it means tricking the user to run it... Which is what botnet operators do all the time to Windows users.
The "linux" fanatics just like to believe Linux is more secure when there are so many exploited Linux servers[1] out there.
Go ahead and blame the administrators and users, but just imagine the sort of users you have "administering" a typical Windows machine.
They are the very users botnet operators target.
If OSX and "Desktop Linux" become very popular, you might get malware written in perl for more cross platform goodness.
[1] There may not be as many exploited Linux desktops, but I suspect there may be more Linux servers than desktops in the world
Re: (Score:2)
Not that I'm saying that it's common or uncommon or anything about frequency. But you seemed to indicate that it was essentially impossible, and I know that to be unt
Re: (Score:2)
so many exploited Linux servers
Oh? Where?
We'd be hearing about it non-stop if it were happening. At the very least, Microsoft would be constantly gloating about it as loudly and publicly as possible.
Ever heard about Sony Playstation Network? They had a few servers compromised, through Apache.
Re: (Score:2)
NoScript.
Noscript is only an antidote for vulnerabilities that need Javascript. If it uses something else, like in the HTML or JPEG parser, then Noscript is no protection.
Re: (Score:3)
Even if you pwn a noscript user, that user is far more likely to notice that he/she is infected, and eventually fix that. These users are the minority, so the botnet operators don't care.
FWIW, I've written a cross platform agent (unix/linux) that scans for hardware/software, connects to a remote server, and can download new instructions. This is legit, for work and is for admins to do software and hardw
It also helps to have... (Score:2)
AppArmor.
Re: (Score:2)
i've become quite accustomed to typing sudo in front of everything these days.. i'm sure i'd be vulnerable to this if i didn't also watch what i clicked (or watched the computer's response to things i most certainly didn't click)
Re: (Score:2)
...What do you need to use sudo for other than installing apps, starting services, or mounting stuff? I certainly hope you wouldn't sudo before running some random crap you got in an email attachment or something. Only times I ever sudo are to install software from trusted repositories, to run scripts that I wrote myself (generally for sshfs mounts) and to start services that were installed from trusted repositories.
Of course, if my Pacman repository ever gets hacked, then I'm pretty much fucked....
Re: (Score:2)
So long as Nvidia's FTP server doesn't get hacked and I download a messed-with driver, I'm pretty safe.
Only /one/ java applet ever runs through firefox: Runescape. Outside of that, Noscript blocks it all.
I think I may have one or two other Java programs that run as user... but still, trusted software.
Re: (Score:2)
Obviously, you need to upgrade your wife!
Re: (Score:2)
Heck, no need to make it a virus: Just add good functionality to your botnet client, and people will /intentionally/ install it!
Think: Do you know many people who wouldn't give up some cpu cycles and bandwidth if it meant, say, easier torrents or the latest movies/music easily downloadable? What about a really nice screensaver?
I think the next wave of malware will be things that get the user to install it... and /keep/ it installed!
Re: (Score:2)
Think: Do you know many people who wouldn't give up some cpu cycles and bandwidth if it meant, say, easier torrents or the latest movies/music easily downloadable? What about a really nice screensaver?
I think the next wave of malware will be things that get the user to install it... and /keep/ it installed!
At least it would be more functional than most of Sony's offerings! Ba-dum-pum.
Re: (Score:2)
Old news, Kazaa did this.
Re: (Score:2)
I agree, Windows has slowly become more secure. Not quite there yet, but a lot better than what it used to be. The largest part of the attack vectors, however - as you suggest at the end of your post - is still mostly Windows for the moment, though: stupid users. An unfortunate, but as logical as it is damaging, consequence of that is stupid admins.
And right there is going to be the eternal damnation of the computer world: the users. Oh, how wonderful our job would be without them. That is, if there would b
Re: (Score:2)
Android? The only thing it has in common with a Linux distro is the kernel, and even that is quite different from the mainline Linux kernel.
Re: (Score:2)
Yes, I can run a Java-based botnet client (it may be one of the first) but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector.
Or you can have a program that causes mischief while just running as a normal user. For example, it could participate in DDoS attacks or distributed hack attempts on a third party, or it could act as a file server for various types of nefarious data, or be part of a C&C network, or... There's a lot of things these systems can do without attacking the host per se, and for which running without significant privileges isn't a problem. (If it claimed to be a bittorrent client, it would even be awkward for m
Re: (Score:2)
" but I have to get it to run on a computer without user interaction or demands for passwords or administrative rights - Windows excels in that part of the attack vector."
By default, Windows Vista/7 will prompt you if a program requires admin privs to continue. Windows doesn't excel at it; Windows users excel at clicking OK.
If you're going to talk about "Windows", you shouldn't be talking about the old version that is 10+ years old and no longer supported.
Re: (Score:2)
Yes, because there are no exploits that bypass UAC, none at all. I don't need to put sarcastic tags in it right?
Re: (Score:2, Funny)
Read the article.
Re: (Score:2)
"but uses source code and libraries that can operate on other platforms,"
"So far, no mention of a Linux version, though."
Re:um.... (Score:5, Insightful)
Read that again. Source code.
Also from the article:
In other words, it may be source compatible with Linux but there is no Linux binary in the wild. The jar files might run on Linux but the key component needed to download and install it is a Windows binary.
Re: (Score:2)
Had the summary comment been "No mention of a Linux installer", it would be more clear. Saying there is no "Linux version" implies that you would need a special version of the software for linux, which is not true. The fact that this malware does not require platform specific versions is what makes it interesting, so saying (even unintentionally) that there is no linux version seems silly.
Re: (Score:2)
not if you RTFA.
Re: (Score:2)
As always, this perceived shortcoming is actually a feature of Windows, not a bug.
Re: (Score:2)
You can make a Linux executable quite easily using a similar trick to the Windows executable version. Just cat a shell script that tries to run itself as a JAR file with an actual JAR file.
Re: (Score:2)
You can make a Linux executable quite easily using a similar trick to the Windows executable version. Just cat a shell script that tries to run itself as a JAR file with an actual JAR file.
Sorry -- the shell script needs permissions to run. No Execute Bit Set.
Additionally, all of my applications -- especially Java (IcedTea) -- run as a user of the same name & group. So, e.g., my Java app called JOGL-BlockDrop is run as jogl-bd and only has access to jogl-bd or jogl-bd-perm grouped files, and that group is not allowed to make UDP or TCP connections (I give per application / group access to my network via iptables).
Note: The BlockDrop .jar file can't automatically add files to the jogl-
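The per-application account plus iptables group filter described in the comment above, written out as an added example (not the commenter's own setup): the gen_* functions print the provisioning, firewall and launch commands for review rather than applying them, and audit_group_egress checks an iptables-save dump for the lockdown; the names jogl-bd and the jar path are assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's configuration. Assumed names: the
# account/group "jogl-bd" and the jar path. Nothing here touches the live
# system: gen_* functions only print commands, audit reads iptables-save text.

APP="jogl-bd"
JAR="/opt/jogl-blockdrop/BlockDrop.jar"

# Commands for a no-login system account whose primary group carries the name.
gen_account_cmds() {
    app="$1"
    printf 'groupadd --system %s\n' "$app"
    printf 'useradd --system --gid %s --home-dir /var/lib/%s --shell /usr/sbin/nologin %s\n' \
        "$app" "$app" "$app"
}

# OUTPUT-chain rules rejecting every TCP and UDP packet from sockets owned by
# the group. The owner match only works where the kernel still knows the owning
# socket (OUTPUT/POSTROUTING); inbound connections need separate handling.
gen_netblock_cmds() {
    grp="$1"
    for proto in tcp udp; do
        printf 'iptables -A OUTPUT -p %s -m owner --gid-owner %s -j REJECT\n' "$proto" "$grp"
    done
}

# Launch the jar as that user and group, never as the desktop user, so the
# files and sockets it can reach are the dedicated account's only.
gen_launch_cmd() {
    printf 'sudo -u %s -g %s java -jar %s\n' "$1" "$1" "$2"
}

# True when one iptables-save line is an OUTPUT rule that rejects or drops the
# given protocol for the given group. Each token is checked separately so the
# option order does not matter. iptables-save usually prints the numeric gid,
# so pass that instead of the name when auditing a real dump.
rule_blocks() {
    line="$1"; grp="$2"; proto="$3"
    case "$line" in "-A OUTPUT "*) ;; *) return 1 ;; esac
    case "$line" in *"--gid-owner $grp "*|*"--gid-owner $grp") ;; *) return 1 ;; esac
    case "$line" in *"-p $proto "*) ;; *) return 1 ;; esac
    case "$line" in *"-j REJECT"*|*"-j DROP"*) return 0 ;; *) return 1 ;; esac
}

# Read iptables-save text on stdin; print "blocked" when both tcp and udp are
# denied for the group in OUTPUT, otherwise "open".
audit_group_egress() {
    grp="$1"; tcp=0; udp=0
    while IFS= read -r line; do
        rule_blocks "$line" "$grp" tcp && tcp=1
        rule_blocks "$line" "$grp" udp && udp=1
    done
    if [ "$tcp" -eq 1 ] && [ "$udp" -eq 1 ]; then echo blocked; else echo open; fi
}

# Constructed iptables-save excerpt: jogl-bd fully locked down, other-app
# only blocked for tcp (so its audit must report "open").
SAMPLE_RULES='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m owner --gid-owner jogl-bd -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp -m owner --gid-owner jogl-bd -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m owner --gid-owner other-app -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# `sh this.sh --show` prints the generated commands and audits the sample.
if [ "${1:-}" = "--show" ]; then
    gen_account_cmds "$APP"; gen_netblock_cmds "$APP"; gen_launch_cmd "$APP" "$JAR"
    printf '%s\n' "$SAMPLE_RULES" | audit_group_egress "$APP"
fi
```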
Re:um.... (Score:4, Informative)
In this case it can theoretically operate on other platforms, but it cannot propagate to them. One could install it intentionally perhaps, but it won't make its way onto the Linux box against the system administrator's will.
Thus it's called a Trojan - not a virus. It won't self-replicate and transmit to computers on other OSes as well...
Re: (Score:3, Informative)
Java is not Java if you use platform specific attack vectors as this botnet does. In this case it can theoretically operate on other platforms, but it cannot propagate to them.
Sure, so you end up having to muck around with bash for something as simple as installing some damn botnet. apt-get install this, /etc/init.d/restart that...
See, that's what I mean when I say that Linux is not ready for the desktop! ~
You mean people actually enable java? (Score:2)
Java is Java.. there generally would not be a "linux version", or any platform specific version.. sort of the whole point of this.
Which is why I never enable java, period. If a site requires it, they don't need my eyeball time.
Re:You mean people actually enable java? (Score:4, Interesting)
You don't enable or disable Java. If it's installed on your system, it's available to use. You can, however, enable or disable the Java applet plugin for your web browsers, which is probably what you're talking about and isn't necessarily what this is about (TFA didn't mention applets or browsers). Java applications (not applets) can run on your system as long as you have Java installed, regardless of whether you have the browser plugins enabled or not, just like how you can open a PDF if Adobe Reader is installed, regardless of whether you have the Adobe Reader browser plugin enabled or not. So in theory, if they found an attack vector for your OS, having the Java plugin disabled wouldn't stop this from running on your system at all.
Getting it onto your system is the trick, though. If they found a hole in the Java plugin's sandbox, they could potentially exploit that using an applet and get the code onto your system. Disabling the plugin prevents that possibility, but if they were trying to push this via browsers there are lots of other plugins and holes are found in browsers all the time.
That being said, I don't bother with the Java plugin either, because applets are crap and I have no use for them and agree with you about sites requiring them (and I'm a full-time Java developer)
Re: (Score:2)
Java is Java.. there generally would not be a "linux version", or any platform specific version.. sort of the whole point of this.
Given that all JREs are equal. Which they are not.
Re: (Score:2)
Java is Java
Except when it's Dalvik.
Exactly what OS isn't susceptible to trojans? (Score:5, Insightful)
AFAIK, any OS that allows a user to install software is susceptible to malware.
Anyone smugly thinking they aren't is an idiot.
Wake me up when a worm has been discovered in the wild targeting OS X or Linux
Re: (Score:2)
Perhaps not every OS... The much maligned iOS would seem to be a model which is very hardy to trojans.
Re:Exactly what OS isn't susceptible to trojans? (Score:4, Interesting)
None that you know about. You can hide a lot in a closed-source binary.
The only "security" iOS has is that you have to shell out $100/year to be a developer. Gives great protection against hobbyist programmers, does absolutely nothing against the Russian mafia.
Re: (Score:3)
It only takes being discovered once to have it removed from the app store, and hence not reasonably installable. Imagine how many pieces of malware would exist on Windows if MS actively and persistently vetted all software... It would probably tend towards zero.
Re: (Score:2)
Wouldn't any OS API exploit allow said -now deleted- program to install a real root kit within something that Apple can't just wave a magic wand to clean up? One of the hardest entry vectors for virus writers is to run binaries on hardware. Since Apple's platform is one universal hardware platform, it's a lot easier to exploit a single weakness for large impact effects.
Re: (Score:2)
MS - How long is a piece of string?
Re: (Score:2)
The only "security" iOS has is that you have to shell out $100/year to be a developer. Gives great protection against hobbyist programmers, does absolutely nothing against the Russian mafia.
Oh god, are you trying to tell me the billion fart apps, soundboards and shitty glorified flash applets from the early 2000s are written by professional programmers? Or that hobbyists don't have 100$ a year to spare for their hobby? Say it ain't so! :(
Re: (Score:2)
Wake me up when a worm has been discovered in the wild targeting OS X or Linux
Good morning! [wikipedia.org] I remember cleaning a worm from a client's system in the early aughts; as I recall they were old news even then.
Re: (Score:2)
I got a machine rootkitted a few months ago, and it apparently came in through Exim. Took some time to clean up the mess, and then discovered that the hoster set up the preinstalled Debian with their own copy of the security repositories. They had some problem around that time and were running a few days behind - the original repos already had an update for the packages. One more thing added to my checklist when setting up a new machine.
So yes, there definitely is malware out there in the wild. Not keeping
Re: (Score:2)
Indeed... what amazes me is how many people still fall for the old tricks. I guess there really isn't any antivirus that protects against stupid.
I'd be willing to bet OpenBSD is pretty tough... though, it still suffers from the weakest link (the user.) Here's to hoping the average OpenBSD user isn't as stupid as the average Mac/Windows/Ubuntu user. :)
Hey, I remember this (Score:2)
What took them so long? n/t (Score:2)
Oracle's marketing dept. should get on this (Score:4, Funny)
This is a case of (Score:3)
Totally misleading title (Score:3)
The original McAfee blog article [mcafee.com] says this (why not link to the original resource in the first place?):
So this is not different at all from the Java-based Facebook suicide Trojan horse which circulated in Spring 2010 (but was not spotted by most AV companies back then).
Old news, if news at all (Score:2)
Multiplatform Java-based Trojan? (Score:2)
> Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms ..
Is there a working demo in the wild that I can click on and get rooted on other non-Windows platforms?
Linux version (Score:2)
Re: (Score:2)
The botnet itself is multiplatform but the exploit and installation mechanism is Windows-only.
Re: (Score:2)
Converting a jar to an exe is difficult. I wish I could do it reliably on Linux, but I can't (gcj doesn't really work)
If you really-really need it, and need it so badly you can give away the distaste for commercial software, see here [excelsior-usa.com]
Re: (Score:2)
Wow that carries so much weight coming from an Anonymous Coward. Maybe when you grow up you'll have a slashdot account and everything!
Re: (Score:2)
If you're going to state an opinion, you probably want to back it up when queried on it. Very few people should believe a statement that says "This is true because it is".
Re: (Score:2)
You *can't* unwittingly install and run arbitrary code on Linux the way you can on windows, unless you're incompetent and running as root all the time
Last I checked, most Linux distros don't have noexec on home, so you most certainly can install and run arbitrary code without having root. It's slightly more of a hurdle in that email attachments and downloaded files won't be immediately executable.
Then again, in Ubuntu, for example, downloading a .deb package in browser and clicking "Open" will launch a GUI installer - and if user clicks "Yes, I want to install this", the .deb can run anything it wants as part of that installation, with root permissions t
Re: (Score:2)
If that's the whole story and you're so knowledgeable then prove me wrong by whipping up a little malware for Linux and post the link so I can try it out. Oddly, after several years of proposing this obvious way to prove that "point", not one person has done it. Must not be as easy as you like to imagine.
Re: (Score:2, Funny)
Oh, I won't need a link for that.
If you want to see HOT NAKED LESBIANS though, I'll be happy to give you the link: right here [slashdot.org].
If it doesn't work, it's because your firewall blocks it. It's because your Ubuntu Linux, being such a secure OS as you surely know, is highly efficient at blocking various things deemed undesirable. Makes sense, right? But if you want to see HOT NAKED LESBIANS, you'll need to disable it just for this occasion. Luckily this is very easy to do. Just go to Applications -> Utilities
Re: (Score:2)
You didn't ask malware for Gentoo, though. You asked malware for Linux. 70% of Linux boxen out there run Ubuntu, and probably a half of people who run them don't know what they're doing (judging by the number of people burned every time someone posts a fork bomb or rm carefully disguised inside some Perl ASCII graphics).
Re:Significance (Score:4, Insightful)
I think we both know the answer to that. The PEBKAC is still there for the average user, no matter which system they use. But in Linux the system isn't designed to make it trivial to run any code from any location, as windows historically has been -- it's a bit better with 7 than it was previously, and XP SP3 is also a major improvement over previous versions. But it's still fairly trivial to generate windows malware, going by the sheer volume of infected machines. I personally have one person in my contacts running win7 whose machine is spamming me daily. Oops. Windows is still the lowest hanging fruit, and as criminals are pretty much always lazy people looking to get rich quick that's what they go for. When that's gone, they'll move on to other scams (assuming OS X has been locked down, otherwise that's hanging a bit low as it is). They will not learn to be 1337 for reelz and finally code that Linux virus. That's not the criminal MO.
Re: (Score:2)
Then again, in Ubuntu, for example, downloading a .deb package in browser and clicking "Open" will launch a GUI installer - and if user clicks "Yes, I want to install this", the .deb can run anything it wants as part of that installation, with root permissions too.
Bullshit, you'll get a gksudo prompt, assuming you have sudo privileges at all.
Re: (Score:2)
GP also ignores the huge number of attempted attacks that every single Internet-reachable Linux box faces every single day. There is no lack of interest, just a lack of success.
Re: (Score:2)
i'm using it now, buddy.
i could go into the fun i've had getting my USB sound card working.
linux is user-friendly if all you want to do is browse, tweet, IM or email.
as soon as you try anything else, you're in "this is unsupported. it's not our fault. there's a patch here, or is it here. you'll have to recompile the kernel, then recompile ALSA, then compile and install wineasio, jack-dev, and wine-dev, then configure everything. oh, you mean you're not running this really old kernel? well, there's no k
Re: (Score:2)
You've only looked at the two extremes. What about all the companies running plain-jane Linux servers with access to all their VoIP accounts and/or file shares? What about all the websites that aren't run by megacorporations with a team of uber-leet admins watching it like a hawk? And what about all the Windows servers that ARE watched like a hawk by uber-leet admins but get broken into anyways?
Re:RUN FOR YOU LIVES !! (Score:5, Funny)
Re: (Score:2)
I believe this thing is called a "javawocky."
...and I hear they've released it under the Grue Public Licence.
Re: (Score:2)
Guys, guys... He did it intentionally as part of the IRONY! If he were really mistaking pi for e, he wouldn't be able to type the word "slashdot" in his browser to access this website.
His message here (not that I necessarily concur) is: "User 2.7182 is so stupid that he put this number as his username believing it was pi!"
Re: (Score:3)
It's in the wild !! A Java ... a what??
A java program that takes the 'Write once, run anywhere' mantra to the next level.
Re: (Score:3)
Unix is where the term root for the #1 user, and hence rootkit, comes from.
Minor correction: On unix systems, root is always the #0 user. The #1 user is typically "daemon", though not always.
(Unix was written by -- and for -- C programmers, who always start counting at 0. ;-)
Re: (Score:2)
(Unix was written by -- and for -- C programmers, who always start counting at 0. ;-)
Wasn't C written by and for Unix, rather?
Re: (Score:2, Insightful)
It is funny how the "They don't attack X because it's not popular" meme keeps popping up, no matter how often people show how wrong it is.
My favorite approach for debunking it is to point out that apache has been the overwhelmingly dominant web server since 1996 (according to Netcraft), and web servers are one of the most inviting targets that the computer business has to offer. But how many actual exploits have ever appeared for apache? When was the last story of a worm, virus, whatever making the roun
Re: (Score:2)
Recent versions of Wine would require the .exe to have executable permissions.