Yesterday I lost my system and let me tell you I’m ticked off. I lost a ton of source code that I’ve been working on to develop an MMO.
I re-installed the system from scratch. (XP Pro). Loaded everything back up and whammo, I got nailed again. This time I noticed when and how I got it.
Win32:Trojano-1252 [trj]
It came right after I installed the distribution of Sun J2SE 5.0. When I got hit by this the last time it was also right after I installed the Java package from Sun’s website.
After a few minutes of being logged into Windows, the trojan loads CMD.EXE and FTP.EXE. Then Internet Explorer auto-complete stops working. Finally it prevents Windows Task Manager from loading when requested via CTRL-ALT-DEL. The whole system lags and eventually you can’t run anything.
Each time I booted I immediately hit CTRL-ALT-DEL to bring up the Task Manager right away. After a few minutes CMD.EXE and FTP.EXE would pop up and the trouble would start. If you attempt to kill either process they just come back. If you try to kill the files they come back.
That’s the last time I run anything related to Sun or its Java packages.
Avast picked it up. I ran a scan in administrator safe mode and it found it in the system32 folder as file named “.exe”.
A friend turned me on to Avast. I’ve used almost every major scanner out there (Norton, AVG, McCrappy, etc.). They’re bulky, unreliable, and many act more like malware than protection. Most don’t scan before login, which is stupid. It’s hard to kill viruses if they get into memory first, regardless of the anti-virus software. Obviously the Avast developers thought about this.
Thumbs up Avast! Finally someone developed antivirus software that’s pro-active instead of re-active.
Did you download the file after installing windows or did you have it stored somewhere already in which case you had downloaded it before re-installing windows?
Windows XP Pro?
Is that with SP1, SP2 or nothing?
If you install Windows without SP2 and it is able to install drivers for your network card, connected to a DSL/cable/ADSL modem that is active, and no firewall is present, you can become infected with something.
I noticed you said “you installed the system from scratch”.
Therefore I assume you did format your hard drive?
If you have more than one hard drive are the others virus free?
I installed it onto a fresh install of Windows XP Pro SP2. I repartitioned and formatted my hard drive, installed Windows XP, then downloaded the distribution package right from Sun’s website. This was not taken from my own storage.
Let’s go step by step what I did.
-Booted from Microsoft Windows XP CD-ROM
-Repartitioned and formatted all drives.
-Installed Windows
-Logged into Administrator in Safe-Mode with Networking.
-Installed Avast - Full system scan, all clean.
-Installed 3COM NIC drivers off Commercial CD. Avast all clean.
-Windows Update over the web. Avast all clean.
-Installed NVidia TnT drivers off website. Avast all clean.
-Installed Creative SB Audigy drivers off CD. Avast all clean.
-Installed Lavasoft Adaware off website. Avast all clean.
-Installed Mozilla Firefox off website. Avast all clean.
-Installed Sun’s Java Package 5.0 off website. Avast finds the trojan.
Everything was clean until I downloaded the J2SE 5.0 package and installed it. I had accessed the web before then without any problems reported by Avast. The only time I had to turn off Avast was when I installed the Creative Audigy drivers. I rebooted and ran Avast to check but it didn’t find anything.
I have 3 hard drives. (2) WD 60 GB drives are on RAID. The other is an external Maxtor 80 GB USB drive. All drives were repartitioned and re-formatted.
Could it have come straight through my DSL? Hmmmm. Hard to say. Avast didn’t notice anything at all until I installed the Sun package. If anything there is a security hole that immediately allows attacks after installation of the Java package.
I guarantee that if I go back on Sun’s website and download the package and reinstall it, it will pop back up again.
If anyone feels frisky, try it. My system has taken enough of a beating.
Although downloads from Sun Microsystems, Microsoft, and so on, may in theory be corrupted they will not install in that case because an encrypted security check is provided. In the free software community the MD5 checksum is used to see if the download is corrupted.
However, it is quite easy to interfere with the installation process! The installer may be directed to the wrong file if it is in the same directory as the download. This happened with the Microsoft installer and as far as I know also with Java installers. There probably is another file already on your computer which generates the Trojan because of the Java install going on.
To be sure, place your downloads each time in a separate temp directory and install from there.
If you don’t need Java on your Win system, don’t install it. It’s, unfortunately, a major security risk.
By the way, I downloaded the same Java package on the same Win2k Pro (SP4) (fully updated) and did not have a problem.
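As an added illustration of the advice in the reply above (verify the download against its published checksum, and install from a fresh, otherwise empty temp directory), here is example code that is not from the forum or from any vendor's installer. It assumes the published checksum comes in the common `sha256sum`/`md5sum` text format (`<hex digest>  <filename>`); the installer bytes and digests below are constructed sample values, not a real Sun download. MD5 is what the reply mentions and is still accepted here for detecting corruption, but a SHA-256 line is preferred wherever the vendor publishes one, since MD5 collisions are practical today.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_line(line):
    """Parse one sha256sum/md5sum-style line: '<hex>  <filename>'.
    Returns (hex_digest, filename). A leading '*' on the name is the
    coreutils binary-mode marker and is dropped."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("malformed checksum line: %r" % line)
    digest, name = parts
    return digest.lower(), name.lstrip("*")


def verify_download(path, expected_hex, algorithm="sha256"):
    """True only if the file's digest equals the published one.
    compare_digest avoids leaking where the comparison diverged."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def stage_download(payload, filename):
    """Write the downloaded bytes into a freshly created temp directory
    (the 'separate temp directory' recommended above) so no other file can
    sit beside the installer. Returns the full path of the staged file."""
    staging_dir = tempfile.mkdtemp(prefix="download-")
    path = os.path.join(staging_dir, filename)
    with open(path, "wb") as f:
        f.write(payload)
    if os.listdir(staging_dir) != [filename]:
        raise RuntimeError("staging directory is not empty apart from the download")
    return path


def staged_verify(payload, filename, checksum_line, algorithm="sha256"):
    """Full flow: check the checksum line names this file, stage it, verify it.
    Returns (ok, path); path is None when the name does not match."""
    expected, name = parse_checksum_line(checksum_line)
    if name != filename:
        return False, None
    path = stage_download(payload, filename)
    return verify_download(path, expected, algorithm), path


if __name__ == "__main__":
    # Constructed sample: stand-in for a fetched installer and its published line.
    payload = b"hello world"
    published = ("b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
                 "  installer.exe")
    ok, path = staged_verify(payload, "installer.exe", published)
    print("verified, safe to run from" if ok else "MISMATCH, do not run", path)
```

Only run the installer from the staged path after `staged_verify` returns `True`; a mismatch means the file is corrupt or not what the vendor published, whichever the cause.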
I would find it hard to believe that Sun would release an infected file. Where the trojan came in before I installed java, I don’t know. It was a fresh system. It had to come in through IE or a security hole before I did the Windows updates.
I no longer require Java and have decided not to reinstall it. I’ve also switched my browser from IE to Firefox. IE just has too many exploits.
Java is only a very minor risk if the plug-in is updated when a patch is issued.
I said it is a major risk in a Windows system. It is the Java Virtual Machine or interpreter that causes the problems and security leaks. The same applies to all those nice systems from VB and OLE to ActiveX, but to a somewhat lesser extent because these are not alien to Windows. Great to have introduced a system enabling one to write platform-independent viruses. .NET is claimed by Microsoft to offer better protection… ? How?
If you have installed all the security updates - Sun Microsystems has as much of these as Microsoft - not very much is left from the marvelous abilities of the virtual machines and interpreters. What is left will sooner or later be exploited. Don’t underestimate those virus and spyware designers.
In spite of all possible security updates and devices installed, I got an email from a software vendor that did not even require me to click on it but at once started to act automatically: trying to connect me to them and to download their software. The (Sygate) firewall prevented this (the Microsoft XP unidirectional firewall wouldn’t). In this case it was, fortunately, not malware. The code of the email is very interesting. Better not to tell here, but you may guess how they did it.
No, not Microsoft but one of their competitors.
A major risk in Windows systems? Only if you are still using the unpatched Microsoft Java Virtual machine, which could be exploited to download a Trojan. If you have patched the MS JVM or installed Sun’s JRE, the risk in windows systems is minimal. Java security is good; Java applets run in a sandbox and don’t have access to the system. Contrast this with ActiveX where a control can have access to the entire system as long as it’s been signed as safe.
Sun’s JRE has been patched, but JRE runs Java programs just fine. Like any other program, there’s always a possibility that another exploit will be found. So, like any other program, checking for updates is important. Don’t update, and you are taking a major risk; keep updated, and the risk is minor.
Are you saying that Sun JRE allowed a Java applet in an email to establish an internet connection and download software? That would be something I hadn’t encountered before and I would be interested to know more!
I have all this Java stuff (because I need it) and the patches as well - but most people don’t!
The danger of installing virtual machines is that you - so to say - delegate vital functions of your OS’ kernel.
This kernel facilitates the operation of your machine, so that you don’t have to be a programmer anymore to make it work. It also keeps a registry of your files (FAT) and hardware. But it is still possible to operate the hardware directly, so you can circumvent the OS and the registries. The malware writer’s intention is to defacilitate the operation of the computer by you: he wants to be in control (never heard of a she).
For instance, programming in C enables direct access to the memory (the notorious “malloc” function) and to write hardware drivers the main OS uses. But in Assembler much more is possible. While modern programmers dwell in the spheres of C++ , Python and Object Oriented issues in general, hackers and virus writers learn Assembler. Using your OS, you often can’t even see what is hiding on your disks.
The virtual machine operates on standardized bytecode and can be mimicked by another little program whose output will be accepted by the kernel of your OS - as you instructed it to do by installing the virtual machine.
The little program will flourish by all the security patches hampering the virtual machine.
The email I mentioned is activated by the email program itself (in the case of Outlook Express, this is MSIMN.exe) and uses port 80. Standard protocol packages are sent. It uses an authentication option but you can be redirected by the source server. Several other remote servers are tried if the connection fails. So, it is able to find out what your firewall lets through. In this way, security measures are circumvented, except a firewall for outgoing traffic (if properly set!). Take care, XP users.
Thus, this method employs your ID and password indirectly and remains undetected by all virus scanners.
The code is in the header of the email, not in html. Hence, you don’t need to open it.
This is an example of a standard method designed to prevent abuse, but rather making abuse easily possible. More security often implies more vulnerability.
Anyone that wants to get you will get you, regardless of the antivirus software you use. Yes antivirus software is good for viruses but it’s VERY poor when it comes to trojans. It takes about 5 minutes to code a nasty trojan and another 30 seconds to wrap it in a dropper.
There is at least one method of hiding viruses that any novice user could employ. It’s existed for years and no scanner has ever attempted to counter it. It allows ANY virus, known or unknown to get into a system. After initial infection the replications may be picked up. I’m not giving anyone a guide on how to do it though. Wouldn’t be prudent.
In my younger days (oh… a long time ago lol) I was heavy into HPACV. My main motivation for learning ASM was to create viruses although I specialized in trojans and even created a stupid creation kit. There are a few viruses in the long list that are of my doing.
Thankfully I grew up. Otherwise I’d be in jail by now.
I think the information you send is very informative. Thanks for this contribution to the forum. I have two questions for you. At work we run XP Pro with SP2 and Hitman Pro installed. We also have additional virus screening of our e-mails in the form of an additional LSP service (a couple of bucks a month, or euros rather). An inside question: does this LSP service form an effective barrier to the above-mentioned viruses? You will never hear about this, but which viruses are invisible, or so cloaked that they unwittingly land on the systems of the end users? I can imagine you will never get this information from your local LSP or the vendor. Do you or others have a hunch?
Thanks for your nice reply!
The LSP service is effective but not perfect, like any other security system.
What ‘stmdk’ said above is true and well known. The most vulnerable gate to your system is of course the internet browser, which also functions as a virtual machine or interpreter. For this reason, the really vital and high-security computer systems are not connected to the internet; they also employ specially designed operating and FAT systems. These machines cannot be hacked; maybe the operators can… It is always advisable to have at least one computer completely isolated from the network.
So, sending droppers with viruses and trojans into the internet only harms you, me, the medium-size and small companies - the powerful remain unaffected. Is there much difference with ordinary criminals?
The little daughter of a friend managed to install MSN to chat with her girlfriends. They sent her a picture, she assumed. At once, Avast and firewall were disabled, the computer froze. All their pictures, the letters and work of her mother were lost. This is poor people and the damage done is irreparable.
It is, from what you said, as I feared. There are lots of people who use computers out of the box with the default settings, and therefore with the default vulnerabilities as well. In Holland the situation is a bit better than in the States, where there are hundreds of thousands of so-called zombie computers operating like machines for the Spam man, where the Stats man pays the Ad man. On the 15th of May last week a gigantic spam run was started from the Sober virus. The spam made use of some 30 different kinds of Nazi propaganda messages. Sober O (alias P) was in this case installed on a system and automatically updated to send out spam from the infected site. At the height of the outbreak some Dutch filtering firms found 50% of all spam to be this kind of spam.
So building browsers that are part of the OS, like Internet Explorer and the access it gives ActiveX, is basically an accident-prone design from the boys in Richmond. On the other hand, if a computer never sent anything but RTF (rich text format) there would be no viruses, and no need for this forum either.
Yes, Sober was pretty dominant here - and still is nasty.
But yesterday I got a new warning from the ‘Waarschuwingsdienst’ (warning service of the government):
WORM_MYTOB
Variants: Worm.Mytob.CG, Worm/Mytob.EA, Win32/Mytob.CZ, W32/Mytob.gen@MM, Net-Worm.Win32.Mytob.bb, Win32.Mytob.DM
Subject line of email:
-DETECTED Online User Violation
-IMPORTANT Please Validate Your Email Account
-IMPORTANT Your Account Has Been Locked
-WARNING Your Email Account Will Be Closed
-Account Alert
-Email Account Suspension
-Important Notification
-Notice of account limitation
-Notice: Last Warning
-Notice: Your email account will be suspended
-Security measures
-Your email account access is restricted
-Your Email Account is Suspended For Security Reasons
Content of email:
-Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
-Please look at attached document.
-Please read the attached document and follow it’s instructions.
-Please see the attachement.
-The original message has been included as an attachment.
-To safeguard your email account from possible termination, please see the attached file.
-To unblock your email account acces, please see the attachement.
-We attached some important information regarding your account.
-We have suspended some of your email services, to resolve the problem you should read the attached document.
-We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
Attachment file name:
-account-details
-document
-document_full
-email-doc
-email-info
-info
-information
-info-text
-instructions
-your_details
Extension:
-EXE
-PIF
-SCR
-ZIP
In the private sector in Holland the situation may be worse than in the U.S.A.: many more second-hand and not-updated computers. The networks are infested with all kinds of viruses and trojans, some of these very outdated and easily blocked. When I connect to the cable network, I’m always greeted by “DCOM-Exploit blocked”. Then various portscans are tried and the firewall pop-ups appear about every 15 minutes.
In my opinion, the Microsoft initiative to integrate the browser (in fact the LAN) with the kernel might give better protection. Their .NET is also closely connected with the kernel. The explanation that it harms the competition does not convince me. However, better protection is not full protection.
The fact that the Sober virus distributed this kind of messages, which are thus as virus associated with much damage, may be coincidence or intentional. Many viruses and trojans are quite sophisticated and must originate from real specialists, knowing exactly the weak spots and how to exploit them. It takes many years of hard labour to become so familiar with the Windows operating system and Assembler.
It is undoubtedly much safer to use only RTF in emails. But what about the browser, for the internet is based on a universal binary code? ActiveX is an almost general means of control. It has been modified now, in a restricted sense. The .NET system would be more secure. Just like Java it comes with a large library, but as usual with MS most is encrypted. Whether .NET and the associated C# programming language is really a breakthrough in security respects? Rather it is just an improvement.
At this moment my MSTask engine is being contacted and blocked from using port 1025: Listener, Remote File Sharing! A known IP from a Taiwanese network. Business as usual.
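The Mytob warning quoted earlier in this thread lists the lure subjects, attachment names and extensions the worm used. As an added example of how a mail gateway or local filter could turn that bulletin into a detection rule (this is not code from the forum, the warning service or any vendor), the Python below parses a message with the standard library `email` package and scores it on those indicators. The two messages it checks are constructed for the example, not captured mail; the header addresses are placeholders.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the WORM_MYTOB warning above, lower-cased for matching.
MYTOB_SUBJECTS = {s.lower() for s in [
    "DETECTED Online User Violation",
    "IMPORTANT Please Validate Your Email Account",
    "IMPORTANT Your Account Has Been Locked",
    "WARNING Your Email Account Will Be Closed",
    "Account Alert",
    "Email Account Suspension",
    "Important Notification",
    "Notice of account limitation",
    "Notice: Last Warning",
    "Notice: Your email account will be suspended",
    "Security measures",
    "Your email account access is restricted",
    "Your Email Account is Suspended For Security Reasons",
]}
MYTOB_ATTACHMENT_STEMS = {
    "account-details", "document", "document_full", "email-doc", "email-info",
    "info", "information", "info-text", "instructions", "your_details",
}
MYTOB_EXTENSIONS = {".exe", ".pif", ".scr", ".zip"}


def classify_message(raw):
    """Return (verdict, reasons) for one raw RFC 822 message.
    'block': an executable-type attachment together with a lure subject or a
    listed attachment name; 'suspicious': only one kind of indicator present;
    'clean': none."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    reasons = []
    subject_hit = subject in MYTOB_SUBJECTS
    if subject_hit:
        reasons.append("subject is on the Mytob lure list: %r" % subject)
    risky_attachment = stem_hit = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)
        if ext in MYTOB_EXTENSIONS:
            risky_attachment = True
            reasons.append("executable-type attachment: %s" % name)
            if stem in MYTOB_ATTACHMENT_STEMS:
                stem_hit = True
                reasons.append("attachment name is on the Mytob list: %s" % name)
    if risky_attachment and (subject_hit or stem_hit):
        return "block", reasons
    if risky_attachment or subject_hit:
        return "suspicious", reasons
    return "clean", reasons


def build_sample(subject, body, attachment_name, payload):
    """Construct a test message (placeholder addresses, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "support@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample("Notice: Last Warning",
                        "Please see the attached document.",
                        "document.zip", b"PK\x03\x04 constructed sample")
    benign = build_sample("Minutes of Monday's meeting",
                          "Minutes attached.", "minutes.rtf",
                          b"{\\rtf1 constructed sample}")
    for label, raw in (("lure", lure), ("benign", benign)):
        verdict, reasons = classify_message(raw)
        print(label, verdict, reasons)
```

The two-tier verdict matters because several of the subjects ("Security measures", "Important Notification") are generic enough to appear in legitimate mail; on their own they should only raise the score, while the combination with an EXE/PIF/SCR/ZIP attachment is what the warning actually describes.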