
Thread: Rare Java exploit discovered - even Firefox not safe

  1. #1
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536

    Rare Java exploit discovered - even Firefox not safe

    I wanted to share this with the community. I wanted to investigate an app called Hacker Defense suite. I googled for it and upon clicking one of the website's titles I received a virus - just by visiting the site.

    I have confirmed this by disabling Java in Firefox: I did not receive a warning; I enabled it again and again received the warning.

    Screenshot: http://img31.exs.cx/img31/3289/virus9qe.jpg

    So I reported it at a security site:

    Lynch, See my post above and let us know. I'm very interested to know if this was a classloader trojan or a js.classloader false alarm.
    Quote Originally Posted by Gerard Morentzy
    First, if you are going to visit the underbelly of the web and the crack/warez sites, always disable Java and Javascript. Do you have the latest SUN Java Runtime Environment? It is JSRE 1.4.2, there is also a beta 1.5. - What AVAST found may, but is probably not legit. There IS an exploit for earlier Sun JRE versions, but most of these classloader hits are false positives. Do you have other security software to check it with? An anti-Trojan would catch the legit classloader problem. You might try McAfee's free Stinger app and an online scan or two from Trend or McAfee. Let us know. If you're clean from the others, it was a FP from AVAST. But, better safe than sorry. This is an easy FP that is just now getting cleaned up by all of the anti-malware programs, though actually the real thing is extremely rare. Good luck.
    For one, there is no indication that it's a crack site or "underbelly of the web". It is the application's website.
    I'm using Java 1.5.0-b64
    I checked at jotti's - reported possible malware because of packers and length of time in sandbox. (the app itself, not the virus reported)
    I'll go check to see if it's quarantined

    **edit - I was wrong about it being the app's website. This website started off as tmr.net[edited] - still no way to tell what kind of site it is.

    **edit - I went back to the site AV alerted me a virus was on computer. I put it in Avast virus chest (loaderadv303.jar-12be7432-7b67d684.zip) - I went to jotti's http://virusscan.jotti.dhs.org/ - here are the results:

    File: loaderadv303.jar-12be7432-7b67d684.zip
    Status: INFECTED/MALWARE
    Packers detected: None

    AntiVir: TR/Forten.Java.2 (0.25 seconds taken)
    Avast: JS:Classloader-6 (1.52 seconds taken)
    BitDefender: Java.Trojan.Exploit.Bytverify, Java.Trojan.Downloader.OpenStream.C (0.61 seconds taken)
    ClamAV: Java.ClassLoader.24564 (0.59 seconds taken)
    Dr.Web: Trojan.ClassLoader, Exploit.ByteVerify (0.92 seconds taken)
    F-Prot Antivirus: destructive program (0.10 seconds taken)
    Kaspersky Anti-Virus: Trojan.Java.ClassLoader.h, TrojanDownloader.Java.OpenStream.c, Trojan.Java.ClassLoader.d (1.00 seconds taken)
    mks_vir: Trojan.Downloader.Java.Loader.H (0.37 seconds taken)
    NOD32: Java/ClassLoader.H, Java/ClassLoader.B (0.65 seconds taken)
    Norman Virus Control: No viruses found (0.21 seconds taken)
    Ultimately, it's just a zip file. I would have to unzip it and execute it.
    Last edited by lynchknot; December 13th, 2004 at 07:51 AM.
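
Added example, not from the thread or any of its posters: because the quarantined file is a jar, and a jar is a zip archive, it can be triaged offline without executing anything in it. The script builds a constructed stand-in jar in memory (the three class names are the ones reported by the scan later in this thread; the class bodies are only 8-byte headers, not real bytecode), lists the class entries, checks the class-file magic number and format version, notes whether META-INF carries a signature block, and hashes the archive so it can be submitted to a multi-engine scanner such as the one used above. The version table is from the JVM specification; everything else is an assumption of this example.

```python
import hashlib
import io
import struct
import zipfile

# Class-file major version -> JDK release that introduced it (JVM specification).
MAJOR_TO_JDK = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5.0", 50: "6"}
# Entries under META-INF/ that indicate the jar was signed.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA")


def fake_class(major):
    """Constructed stand-in for a class file: magic, minor, major, then padding.

    Only the 8-byte header is meaningful; this is not loadable bytecode."""
    return struct.pack(">IHH", 0xCAFEBABE, 0, major) + b"\x00" * 8


def build_sample_jar():
    """Build a constructed, unsigned jar in memory with three class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name in ("Counter.class", "Matrix.class", "Parser.class"):
            zf.writestr(name, fake_class(46))  # major 46 = JDK 1.2 class-file format
        zf.writestr("readme.txt", b"not a class file")
    return buf.getvalue()


def inspect_jar(data):
    """Triage a jar without running it.

    Returns the SHA-256 of the archive, whether META-INF holds a signature
    block, and one record per .class entry with its header fields."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "signed": False, "classes": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                report["signed"] = True
                continue
            if not name.endswith(".class"):
                continue
            head = zf.read(name)[:8]
            if len(head) < 8:
                # Too short to carry a class-file header at all.
                report["classes"].append({"name": name, "valid_magic": False, "major": None, "jdk": None})
                continue
            magic, _minor, major = struct.unpack(">IHH", head)
            report["classes"].append({
                "name": name,
                "valid_magic": magic == 0xCAFEBABE,
                "major": major,
                "jdk": MAJOR_TO_JDK.get(major, "unknown"),
            })
    return report


if __name__ == "__main__":
    result = inspect_jar(build_sample_jar())
    print("sha256:", result["sha256"])
    print("signed:", result["signed"])
    for entry in result["classes"]:
        print(entry)
```

Run it as-is to see the constructed sample, or pass the bytes of a real quarantined jar to `inspect_jar`. An unsigned applet jar with old-format class files is exactly the kind of artefact the Java plugin would have loaded silently from a page, which is why "just a zip file" is not reassuring on its own.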

  2. #2
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,688
    That "underbelly" will get you every time...

  3. #3
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    nice work lynchknot

    this might be the reason i had a trojan on my computer and my firewall was disabled

    bad java bad
  4. #4
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,416
    I must be missing something; this is old and has been around a while.

    Firefox & Sun Java are ok

  5. #5
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    I'm using the latest beta 1.5 Java and I AM INFECTED

    I may have spoken too soon. I rebooted this morning and many apps I allow to open on startup failed to start and/or failed to show up in the tray. ALL of my security apps failed to show up in the tray. Some are visible in Task Manager, however. I had to manually start Process Guard and Prevx. Avast showed in Task Manager but not the tray - Outpost as well. The curious thing about Outpost is the fact I'm using IE for an online virus scan but it's not indicated in Outpost. IE is shown as "System"?

    **edit**

    Yep, I'm infected, I think. So far:

    C:\WINDOWS\system32\APIHookDll.dll - PWS:Win32/Hooker.P -> Infected

    All security apps failed. I should have been using "Winrollback"; I would not be having trouble right now. This is a true "drive-by" infection that Firefox has no protection from - other than turning off Java.

    Scan started at 12/13/2004 10:01:45 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...

    C:\Documents and Settings\ken\Desktop\loaderadv303.jar-12be7432-7b67d684.zip->Counter.class - Trojan:Java/ClassLoader -> Infected
    C:\Documents and Settings\ken\Desktop\loaderadv303.jar-12be7432-7b67d684.zip->Matrix.class - TrojanDownloader:Java/OpenStream.C -> Infected
    C:\Documents and Settings\ken\Desktop\loaderadv303.jar-12be7432-7b67d684.zip->Parser.class - Java/Bytverify -> Infected
    C:\Program Files\Alwil Software\Avast4\DATA\moved\loaderadv303.jar-12be7432-61642ae9.zip.vir->Counter.class - Trojan:Java/ClassLoader -> Infected
    C:\Program Files\Alwil Software\Avast4\DATA\moved\loaderadv303.jar-12be7432-61642ae9.zip.vir->Matrix.class - TrojanDownloader:Java/OpenStream.C -> Infected
    C:\Program Files\Alwil Software\Avast4\DATA\moved\loaderadv303.jar-12be7432-61642ae9.zip.vir->Parser.class - Java/Bytverify -> Infected
    C:\WINDOWS\system32\APIHookDll.dll - PWS:Win32/Hooker.P -> Infected

    Scanned
    ============================
    Objects: 92608
    Directories: 10022
    Archives: 13140
    Size(Kb): -1109693
    Infected files: 5

    Found
    ============================
    Viruses found: 4
    Suspicious files: 2
    Disinfected files: 0
    Mail files: 1037
    Last edited by lynchknot; December 13th, 2004 at 18:23 PM.
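
Added example, not from the thread or any of its posters: the scan report above mixes three kinds of hit on one line format, `<path>[-><archive member>] - <detection> -> <verdict>`. The sample below is constructed from the report's own lines. The parser separates the container from the archive member (the `->` with no spaces) from the verdict arrow (` -> ` with spaces), groups detections per container, and singles out hits on loose files, which are the live infection, from members of a sample zip on the desktop or a quarantine copy. The report format and field names are assumptions modelled on the post, not a documented scanner format.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the scan report posted in the thread.
SAMPLE_REPORT = r"""
Scanning memory...
Scanning boot sectors...
Scanning files...

C:\Documents and Settings\ken\Desktop\loaderadv303.jar-12be7432-7b67d684.zip->Counter.class - Trojan:Java/ClassLoader -> Infected
C:\Documents and Settings\ken\Desktop\loaderadv303.jar-12be7432-7b67d684.zip->Matrix.class - TrojanDownloader:Java/OpenStream.C -> Infected
C:\Documents and Settings\ken\Desktop\loaderadv303.jar-12be7432-7b67d684.zip->Parser.class - Java/Bytverify -> Infected
C:\Program Files\Alwil Software\Avast4\DATA\moved\loaderadv303.jar-12be7432-61642ae9.zip.vir->Counter.class - Trojan:Java/ClassLoader -> Infected
C:\Program Files\Alwil Software\Avast4\DATA\moved\loaderadv303.jar-12be7432-61642ae9.zip.vir->Matrix.class - TrojanDownloader:Java/OpenStream.C -> Infected
C:\Program Files\Alwil Software\Avast4\DATA\moved\loaderadv303.jar-12be7432-61642ae9.zip.vir->Parser.class - Java/Bytverify -> Infected
C:\WINDOWS\system32\APIHookDll.dll - PWS:Win32/Hooker.P -> Infected
"""

# Path up to the first " - ", then the detection name, then " -> " and the verdict.
HIT_RE = re.compile(r"^(?P<path>.+?) - (?P<detection>.+?) -> (?P<verdict>\S+)\s*$")
ARCHIVE_SEP = "->"  # no surrounding spaces: container archive -> member inside it


def parse_hit(line):
    """Return a dict for a detection line, or None for progress/blank lines."""
    m = HIT_RE.match(line.strip())
    if not m:
        return None
    container, sep, member = m.group("path").partition(ARCHIVE_SEP)
    return {
        "container": container,
        "member": member if sep else None,
        "quarantine_copy": container.lower().endswith(".vir"),
        "detection": m.group("detection"),
        "verdict": m.group("verdict"),
    }


def summarize(report_text):
    """Group infected hits by container: {container: sorted unique detections}."""
    groups = defaultdict(set)
    for line in report_text.splitlines():
        hit = parse_hit(line)
        if hit and hit["verdict"] == "Infected":
            groups[hit["container"]].add(hit["detection"])
    return {c: sorted(d) for c, d in groups.items()}


def live_hits(report_text):
    """Infected files sitting loose on disk, i.e. not inside an archive or quarantine copy."""
    found = set()
    for line in report_text.splitlines():
        hit = parse_hit(line)
        if hit and hit["verdict"] == "Infected" and hit["member"] is None and not hit["quarantine_copy"]:
            found.add(hit["container"])
    return sorted(found)


if __name__ == "__main__":
    for container, detections in summarize(SAMPLE_REPORT).items():
        print(container, "=>", ", ".join(detections))
    print("live on disk:", live_hits(SAMPLE_REPORT))
```

Run over the sample, the summary shows three containers (the desktop zip, the Avast quarantine copy, and the DLL in system32); only the DLL is a live hit, which is the one that matters for cleanup. The archive and quarantine members explain the "Infected files: 5" style counts that otherwise look like five separate infections.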

  6. #6
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    Most all my startups are missing. Does anyone know what I should do?


  7. #7
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,416
    Quote Originally Posted by lynchknot
    Most all my startups are missing. Does anyone know what I should do?
    Yeah, quit going to Cracker/Hacker/Whacker sites

    Is system restore also broken?

  8. #8
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    I am running online scanners before trying system restore. My last resort will be to use True Image. I would still like to know which file controls startups (not user) because I can go into True Image and copy the file and replace it.

    SS above not showing so repost SS:


  9. #9
    Nobody knows I'm a dog. TZ Veteran petard's Avatar
    Join Date
    Feb 2003
    Location
    Newspapastan
    Posts
    1,058
    I don't know.... if it's that deep into your system - I'd rebuild it.

    Many thanks to egghead for the cool .sig

  10. #10
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    Quote Originally Posted by FastGame
    Yeah, quit going to Cracker/Hacker/Whacker sites

    Is system restore also broken?
    The seriousness of this is the fact that someone can get into your computer or run a program on it just by visiting a website.

    Last year drive-by spyware moved from underground websites to mainstream sites and had a heyday infecting the masses.

    lynchknot,

    you can try www.trojanhunter.com.
    It alerted me to a mysterious open port during a scan.
    Also do an online Panda scan on the Windows directory. Something to consider is the fact that you are now infected, and I have seen viruses that are undetectable by the virus companies, and trojan makers usually sell undetectable versions of detectable trojans.

    My suggestion is to do the scans, but ultimately you should format. I did as soon as I found one.

    It all started when I noticed programs kinda running but actually weren't working.

    Any idea how the virus actually installed itself? And is this from the same website or somewhere else?
    Kaspersky let it install?
    Last edited by egghead; December 13th, 2004 at 19:24 PM.
  11. #11
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    I'm using Avast. Avast alerted me and I moved it to the virus chest. I do not know what happened. My computer is running fine except for the fact my startups are missing.
    Heh, why do you guys keep saying "reformat" - you know I hate that, and I think you know I have True Image in a "Secure Zone" -

    I cannot use Trojan Hunter. I just installed it, but my trial from 5 years (months) ago has expired - so it won't let me trial again.

    After I clean up I'm going to run Winrollback and never worry again.

  12. #12
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    In tests I have watched friends (literally) scan for viruses and not detect the one that is monitoring them.

    You might keep rolling back to a trojan, hehe.

    If you got infected you might want to stop using your antivirus program, as it has a hole in it.

    Can you tell us what is the safest way to disable Java in Firefox?

    Is it disable Java or JavaScript or both?

    BTW, if you disable Java, I could not post at this forum.
  13. #13
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    I think only if visiting unknown sites.

    The guy in my first post says:
    First, if you are going to visit the underbelly of the web and the crack/warez sites, always disable Java and Javascript.
    - but when going to the site, it was Java being enabled that allowed the infection.
    Last edited by lynchknot; December 13th, 2004 at 20:32 PM.

  14. #14
    Hardware guy Super Moderator FastGame's Avatar
    Join Date
    Apr 2002
    Location
    Blasters worm farm
    Posts
    3,416
    Quote Originally Posted by egghead
    if you got infected you might want to stop using your antivirus program as it has a hole in it.
    He said his AVAST caught them; AVAST is fine.

    And why are those viruses on your desktop? C'mon LK, tell us what experiments you were trying.

  15. #15
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536
    They were retrieved out of the Avast virus chest so that I could run them at jotti. I still don't know what went wrong, as it's only a zip file.
