
Recovering from a drive-by Java attack via fake security messages

Mark Underwood describes how he recovered a user's system from a drive-by Java attack. How do you protect users from fake security messages and deliver the security updates that they do need?

"Something isn't right with my computer," said the caller. "There's some sort of security message, but it's not one that I recognize."

As any good administrator would, I ran, not walked, to the workstation and yanked out the Ethernet cable. Or rather, I tried to. The cable, which hadn't been moved in years, wouldn't come out: the RJ45 connector's locking tab had become lodged inside the port on the motherboard's back panel. After several frustrating minutes, with the worried system owner looking on and taking note of my frustration, I went to the switch and pulled the workstation's cable from the other end. Then I returned with needle-nose pliers and managed to free the RJ45.

I went to the screen to see what had caused the worry. Indeed, it was an unfamiliar message asking to scan the system and then to install a security application: perhaps a fake, perhaps a legitimate one with a hidden payload. The malware had been busy. By the time Task Manager could be launched on this Windows Vista machine, it had been disabled and was ignoring mouse and keyboard input. An orderly Windows shutdown was not in the cards. The machine was running a fully updated (but version 1) Microsoft Security Essentials (MSE), but whatever defense MSE had mounted against the attack had been defeated.

After several fruitless minutes of trying to regain control, the Windows tray launched, or appeared to launch, a new message: "Primary master hard disk fail." A disturbing message from the innards of the OS, to say the least, but hope was not lost: the malware had probably revealed itself unambiguously and would now be detectable. Malware that stays undetected is an even bigger concern than this particular infection.

Remediation

My anti-malware toolbox included Malwarebytes, SUPERAntiSpyware, and a bootable Kaspersky rescue CD. After pulling the plug (not trusting a hard reset) I tried to boot from the rescue CD. No dice; this machine boots from an Intel ICH9 RAID array, and the Kaspersky CD of course didn't have that driver. Next up: a Malwarebytes full scan, which ran for quite some time before concluding that there was nothing more than adware installed on the machine. Then I tried the portable version of SUPERAntiSpyware and received similar results. So on to Windows Safe Mode, without networking.

Both of those tools have proven very helpful in the past, so I found the results so far surprising. Then, in Safe Mode, MSE identified (apparently for the first time) a possible Java runtime exploit: JAVA/CVE-2010-0840.

Figure A (screenshot of the MSE detection; image not reproduced in this text)

The specific vulnerability, though not this particular site's exploit, is catalogued on MITRE's Common Vulnerabilities and Exposures list as CVE-2010-0840, a flaw in the Java Runtime Environment (Java SE 6 Update 18 and earlier) that Oracle patched in Java 6 Update 19 in March 2010. A brief search didn't turn up instances of drive-by attacks that fit the profile of this occurrence, but there were other Java exploits delivered through web applets.

Because MSE had not detected the malware in normal Windows mode, I didn't trust it to fully detect and quarantine the infection. From a different computer, I researched this vulnerability. While I didn't find any straightforward cause-and-effect relationship between the symptoms and that particular vulnerability, a drive-by attack seemed a distinct possibility. The user mentioned looking up song lyrics recently, and because many such sites are full of obnoxious ringtone download offers, such a site seemed the perfect candidate for hosting, intentionally or otherwise, a bad Java applet or two.

My next strategy was to wind back the clock to a point where the infection was either not present, not activated, or detectable by one of the tools, probably in Safe Mode. I temporarily disabled MSE and examined the available restore points. Luckily, there were plenty available (see sidebar). After consulting with the user, I chose a restore point from 10 days earlier. The restore succeeded, and I was able to boot Windows normally and quarantine and remove the infection with a re-enabled MSE.

No claim is being made that this was the only solution to remediation, and there is probably more that could be learned from Windows event logs or other evidence on this system.
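One way to inventory the restore points before choosing one, as an added PowerShell example that is not part of the original article: it lists every restore point with a readable timestamp, then picks the newest one older than a cut-off. The 10-day cut-off mirrors the choice above but is an assumption; in practice, pick it from when the symptoms started. The cmdlets used (Get-ComputerRestorePoint, Restore-Computer) ship with PowerShell on client editions of Windows.

```powershell
# Added example, not from the article: list System Restore points with
# readable timestamps, then pick the newest one that is at least $MinAgeDays
# old. Run from an elevated PowerShell prompt (Safe Mode is fine).
# $MinAgeDays is an assumption; choose it from when the symptoms began.

$MinAgeDays = 10
$cutoff = (Get-Date).AddDays(-$MinAgeDays)

# CreationTime comes back in WMI's DMTF string format; ConvertToDateTime is the
# helper PowerShell attaches to every WMI object for exactly this conversion.
$points = Get-ComputerRestorePoint | ForEach-Object {
    New-Object PSObject -Property @{
        Sequence    = $_.SequenceNumber
        Created     = $_.ConvertToDateTime($_.CreationTime)
        Type        = $_.RestorePointType
        Description = $_.Description
    }
} | Sort-Object Created -Descending

# Show everything available so the choice can be discussed with the user.
$points | Format-Table Sequence, Created, Description -AutoSize

$candidate = $points | Where-Object { $_.Created -lt $cutoff } | Select-Object -First 1
if ($null -eq $candidate) {
    Write-Warning "No restore point older than $MinAgeDays days; rethink the cut-off or rebuild."
} else {
    Write-Host "Candidate: #$($candidate.Sequence) from $($candidate.Created) ($($candidate.Description))"
    # Restore points can themselves carry infected files, so rescan with the
    # AV after the restore, as the article did. Uncomment to actually perform
    # the restore (the machine reboots):
    # Restore-Computer -RestorePoint $candidate.Sequence -Confirm
}
```

The script only reports by default; the Restore-Computer line is left commented so that the restore remains a deliberate, confirmed step rather than a side effect of running an inventory.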

Nuisance or pound of prevention?

Version 2 of MSE offers additional protection and integration with IE (though the user had been using Firefox), so that may be one conclusion from the incident. But the workstation's owner was part way into a complaint about Windows security when I pointed out that the underlying weakness was in the Java runtime, and this malware had already been observed attacking Apple and Linux machines as well as Windows. Had she updated Java when prompted to do so? "Oh, that annoying thing! Do I have to? It asks me so often, and doesn't say what it wants to update, that I can't tell whether the message is a new one. Besides, there are so many messages these days asking me to update things that I don't know which of them to trust."

I agree. "You need to update your security software" was in fact one of the invitations contained in the payload of this malware. The Java "Update Me" messages are annoying. The prominent and relatively polished integration of Windows Update with Windows is not shared by other applications that need security updates. Java, Adobe products (especially Flash), WordPress, Joomla: each of these needs to deliver patches, but is relegated to nuisance messages and pop-ups that are often crafted with much less care than the authors of fake messages take.

A centralized security updating mechanism, perhaps delivered through Windows Update or the security ("antivirus") application, may be needed. Provenance checking, verifying that an update really comes from the vendor it claims to, would be performed by the central message provider so that bogus update requests would be harder to fake. Administrators could be notified, and some such updates could be pushed. In the meantime, users will have to be encouraged to pay attention to those "Update Me" nag messages.
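The provenance check described above can be approximated today for installers a user has already downloaded. The following is an added PowerShell example, not code from the article: it verifies the Authenticode signature on every .exe and .msi under the user's Downloads folder and flags anything unsigned, tampered with, or signed by a publisher that is not on an allow list. The publisher names in the allow list are assumptions for illustration; confirm them against the Subject of a known-good installer before relying on them.

```powershell
# Added example, not from the article: a minimal provenance check for update
# installers. A "Valid" Authenticode status only proves that *someone* holding
# a trusted code-signing certificate signed the file, so trust requires both a
# valid signature and an expected signer. The publisher strings below are
# assumptions; verify them against a known-good installer first.

$allowedPublishers = @(
    'CN=Oracle America, Inc.',       # Java installers (assumed subject prefix)
    'CN=Adobe Systems Incorporated'  # Flash Player installers (assumed subject prefix)
)

$downloads = Join-Path $env:USERPROFILE 'Downloads'

Get-ChildItem -Path $downloads -Recurse -Include *.exe,*.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

        # Prefix match on the Subject is convenient but loose; for a strict
        # policy, pin $sig.SignerCertificate.Thumbprint instead.
        $publisherOk = $false
        foreach ($p in $allowedPublishers) {
            if ($subject -like "$p*") { $publisherOk = $true }
        }

        $verdict = if ($sig.Status -eq 'Valid' -and $publisherOk) { 'TRUSTED' }
                   elseif ($sig.Status -eq 'Valid') { 'SIGNED-BUT-UNEXPECTED-PUBLISHER' }
                   else { "REJECT ($($sig.Status))" }   # NotSigned, HashMismatch, NotTrusted, ...

        New-Object PSObject -Property @{
            File    = $_.Name
            Status  = $sig.Status
            Signer  = $subject
            Verdict = $verdict
        }
    } | Sort-Object Verdict | Format-Table File, Status, Signer, Verdict -AutoSize -Wrap
```

A fake "security update" dropped by a drive-by typically shows up here as NotSigned or as a valid signature from an unfamiliar publisher; the second case is the one users cannot distinguish by eye, which is why the allow list matters more than the Valid flag alone.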

About

Mark Underwood ("knowlengr") works for a small, agile R&D firm. He thinly spreads interests (network manageability, AI, BI, psychoacoustics, poetry, cognition, software quality, literary fiction, transparency) and activations (www.knowlengr.com) from...

18 comments
mudson_gee

'JavaScript and Flash have been shown to be fundamentally flawed (having a blemish) with respect to system security. Although both platforms have been around for many years and become as indispensable (necessary) as HTML, there are other ways of achieving the same functionality in web pages now, such as HTML5 and CSS.' Produce a technical discussion of the potential threat posed (introduced) by JavaScript and Flash. Illustrate your argument with suitable examples of exploits known to be associated with both technologies, giving a good insight into how they work. I want to write a report, but am confused about how to start. Can anyone provide me with some content outlines about this topic? My concept is: Introduction; historical overview of JavaScript and Flash; understanding JavaScript; flaws associated with JavaScript; understanding Flash; flaws associated with Flash; conclusion. I read some articles which made me so confused, because they are discussing XSS associating both JavaScript and Flash. Please suggest the best way to discuss this topic.

bev

I am a huge fan of Secunia CSI/PSI! I am also a huge fan of Firefox and the Cocoon security plug-in at www.getcocoon.com - pretty much you won't get malware or drive-by downloads when you use this plug-in. I also used NoScript (another great product) for quite some time - but the way it rendered ad-heavy websites was not eye-catching. Cocoon also blocks ad servers and renders the page quite well. Wow - this might just be my 4th comment here in 4 years :) Cheers /Bev

flreeber

I have noticed that most of the drive-bys only affect the HKCU registry. Our systems are fairly well locked down as far as admin rights, so infections of the current user are the most prevalent. This can be verified by logging on as another user (non-admin preferred); if the pop-ups are not on the new user, then it is a CU issue with the infected user. You can rename the infected user profile, have them log in to create a new, clean profile, copy over their docs, pix, favorites etc., and delete the old profile (after a reboot to clear the NTUSER.DAT). This corrective measure has worked multiple times in the past and saves a lot of headaches. Also of note, Malwarebytes, Spybot, etc. don't seem to scan another user's HKCU reg, so logging in as yourself to get the admin rights to use the software defeats the scanning of the infected user, but giving rights to the infected user could allow the payload to infect the HKLM reg... and then you have a real problem.
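The per-user persistence this comment describes can be inspected from an admin account without logging in as the infected user. The following is an added PowerShell example, not the commenter's code: it walks every user hive loaded under HKEY_USERS and dumps the Run and RunOnce values from each, so a rogue "security tool" registered in another user's HKCU shows up alongside the SID it belongs to. The temporary hive name and the NTUSER.DAT path in the comments are assumptions.

```powershell
# Added example, not from the article or the commenter: enumerate the
# per-user autostart entries (HKCU\...\Run and RunOnce) of every user hive
# loaded under HKEY_USERS. Run from an elevated PowerShell prompt.
# Hive name "InfectedUser" and the NTUSER.DAT path are assumptions.

# Optional: load the NTUSER.DAT of a user who is NOT logged on, under a
# temporary hive name, so it appears in the loop below. Do this from a clean
# admin session, never while logged in as the infected user.
# reg load HKU\InfectedUser "C:\Users\infecteduser\NTUSER.DAT"

$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |   # skip the *_Classes hives
    ForEach-Object {
        $hive = $_.PSChildName
        foreach ($sub in $runKeys) {
            $path  = "Registry::HKEY_USERS\$hive\$sub"
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($props -ne $null) {
                # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping members;
                # keep only the real registry values.
                $props.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object {
                        New-Object PSObject -Property @{
                            Hive    = $hive
                            Key     = $sub
                            Name    = $_.Name
                            Command = $_.Value
                        }
                    }
            }
        }
    } | Format-Table Hive, Key, Name, Command -AutoSize -Wrap

# Unload the temporary hive when done (only if you loaded one above).
# reg unload HKU\InfectedUser
```

Entries that point into the user's AppData or Temp folders, or at randomly named executables, are the ones to chase; the same loop can be pointed at HKLM to confirm, as the comment warns, whether the payload has escaped the per-user hive.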

NetMammal

Go to Secunia.org. They have both on-line and downloadable scanners which scan your entire system for out-of-date software for which there are security updates available. Turn off the option which warns you about software which has known security problems, but for which no update or fix is available. This may be useful info for somebody, but it prevents the user from getting the satisfaction of knowing they have done all they can do. The best part: Secunia provides a link for each update, many of which I would not have found on my own (who would have known that there are two different Flash plug-ins, and you download them separately, I believe for the same version of Flash). ...As for the circuitous route the article writer took to ridding the machine of malware: that's the average now. Acting surprised that MSE (or any major anti-virus/malware package) did not prevent or find/eliminate the infection has been my experience now for at least a year. I wager that the machine referred to in this article still has a rootkit installed on it, although it may not be active or able to 'phone home'. Even the old standbys MBAM and SUPERAntiSpyware can no longer find or remove ALL the junk. I find I now have to either: 1. Do a full image backup (as protection), and then run the ComboFix tool (for which you will have to click through scads of warnings telling you not to use it without help). 2. Or, find the malware using GMER, RootRepeal, plus Sysinternals Autoruns and Process Explorer, and any other tools, with lots of googling along the way. By the way, Secunia, ComboFix, and some of these other tools are not supposed to be used commercially, or you need to pay big bucks for the privilege. The Internet is global; the business of making money spreading malware is global. Until we have a global democracy with a global police force, this is only going to get worse.
All I can say is when biotech gets to the place the Internet is now, I hope I'm dead, since this kind of stuff will be in your body, and not just in your computer. Back to the present. Windows 7 does seem to help; way fewer of my customers end up with malware using it... or they can get a computer running an O.S. from the second most popular monopolistic vendor: Apple. Cheers!

Tank-at-Large

I have seen several of the drive-by attacks that drop ransomware. If you are lucky enough to catch it in the very early stages, simply hit and hold the off button until the computer/laptop shuts down all the way. That will kill the thing before it gets nested, but it has to be done at the very first signs of infection. If not, there are several free programs that you can load that will kill this; however, I run Exterminate It! on most of our network systems. I don't care how infected the system is, this program will find and remove. What it finds, you can do ALL the work yourself to remove, or pay for the annual license and let it do a good quick removal. One point of interest here: go in and stop the Restore system on your computer... everything likes to hide in there for a later attack.

crtoner

Look at Secunia's CSI offering for centralized updates to common apps.

jhinkle

I noticed that you immediately jumped into running 3rd party tools to fix your problem. I see these kinds of infections all the time and the first thing you should do is mark down the name of the fake security tool (it's usually right at the top of the fake infection warnings), then I look it up, find the corresponding registry keys, manually remove them, then start running 3rd party utilities. If you ever have issues finding information on the fake AV application then one of the best things you can do is run rkill to stop the rogue processes on the system, then run malwarebytes which should show you all of the problem files that normally would have been missed by the scans. I hate to be the a**hole this morning, I'm just not in a good mood today for some reason... But you should never fix a problem without studying and understanding it. By running some 3rd party tools and calling it a day you're skirting the source of the problem by not actually understanding it. One more thing to note on this. Exploits in Java are almost impossible at this point to get around. I've tried everything possible to deter drive by attacks and the only thing I've found that really helps the problem is to use something like the MVPS hosts file popup blocker. This will null route entries to known bad domains locally on the computer. http://www.mvps.org/winhelp2002/hosts.htm Sometimes the Spybot S&D TeaTimer for IE can help too, but it's better to avoid using IE. Not just because it's bloated and has security problems, but because it's not standards compliant.

jcitron

I've seen probably 8 of these over the past few weeks at work. At first I did the ol' panic thing and rebooted the PC, disconnected the cable, etc., but I've found that the basic tools work wonders. 1) Malwarebytes 2) Vipre PC Rescue from Sunbelt Software. www.sunbeltsoftware.com 3) System Restore, if it works. I've had like an 85% hit rate with this due to other techs turning this off and forgetting to turn it on again afterwards. 4) Clear out the randomly-named folder in c:\documents and settings\local settings\All Users\application data. The randomly-named folder contains the malware which will reinstall itself. The A/V products will clean/quarantine any missed files and clean the registry. In 99.99% of the cases, I've been able to get the machines clean and up and running. The only machines that die afterwards are those that have some other issues that prevent them from operating because critical files have been munched.

jgarcia

I had a similar situation months ago on my home PC. I use COMODO CIS, and from the Defense+ window I could detect and stop all rogue processes and delete them. No antivirus detected anything because there were no viruses on my PC. The risk was to click the link offering a free online scan that could kill the supposed malware installed on my PC. I asked my son what websites he was visiting and he said none special or particularly dangerous, just downloading some music.

RochSkelton

Had a similar problem last year on my wife's Vista laptop after she downloaded some Facebook app... It got past the (fully updated) AVG antivirus system and infested the system just like described here, so bad that even Safe mode would not execute the virus scan or allow reloading a Restore Point. I eventually found Avira AntiVir (http://www.avira.com/en/support-download-avira-antivir-rescue-system), and the bootable linux system was able to scan and clean the system. After booting back into Vista, I was able to run AVG and MSE, which both found additional problems on secondary filesystems which I did not clean with Avira. After several scans, I was finally satisfied that all problems were found and removed. Avira AntiVir is now part of my toolbox!

Marc Erickson

Having dealt with users like the one described for a while now, I'm in total agreement with the writer that a central updating mechanism is needed for Windows. Non-techs have a lot of difficulty with knowing if a suggested update is legitimate or not and there *are* a lot of them. Dare we hope that this is included in Windows 8?

robo_dev

Also the 'Web of Trust' (WOT) add-on will help you to avoid going to a malware-hosting site in the first place. I hate to say it, but if you're closing IE quickly and running a virus scan, you're waaaaay late... you've been infected. I would say that even the latest and greatest AV software has only a 70% chance of catching and stopping a Java script that's pushing malware to your PC. A funny thing happened on my iPhone: one of those sites did its fake virus scan and posted a fake Windows Explorer page... it reported that my iPhone had 200 viruses, and even showed that my iPhone had two hard drives and a CD-ROM, which is pretty cool. It then tried to install a virus, which did not work on the iPhone, obviously. I saved a screenshot of the fake scan....

sboverie

I had a similar drive-by mess things up so badly that I had to replace the hard drive. The message pops up and warns that there might be malware on my computer, and it promptly finds hundreds (if I let it continue). When I see this message, I shut down the browser and do a fast scan with MSE. The same kind of malware happened to a customer, and that was harder to stop. One of many things that this drive-by does is to disable the anti-malware application, stop Task Manager from launching, and run interference when browsing for an online malware scan. I did a search for online scans and found a few that might help, but I ended up at the malware's site if I clicked on the search results. I found that I could cut and paste the real URL and go to the real online scan sites. I had to restore to a previous restore point to be able to get a scan to run and search. I installed MSE on the customer's computer because it will update itself. I think that the new version of MSE does stop the drive-by from starting, although it still shows the warning screen about possible infections.

epelowski

Secunia does a nice job with PSI/CSI. I have been using it for a while now and it seems to work great on my personal PCs.

specialfx63

He was doing what most kids do best, and that was looking for music and lyrics...Needless to say, his machine was hit with a rogue AV program "System Tool" I believe it was called. It took quite some time to nail down what it was, but some good products run from boot level like SAS Portable, Norton Power Eraser and then MBam run in safe mode eradicated the little b*stard....( the offending proggie, not my kid :p )

ultimitloozer

"After booting back into Vista, I was able to run AVG and MSE..." You've got 2 AV products installed on a machine? Why?

RipVan

I activate only the most basic parts of any page I visit. I don't want to see anything but the content I came for...

RochSkelton

AVG is my "running" antivirus software service. MSE is installed but not running, just available for manual scans if I feel the need. Personally, I found that MSE 1 brought my older server to its knees when running as a service, and I have not tried MSE 2 to see if performance problems have been fixed. For my needs, manual execution seems sufficient at this time. (and yes, I am using free products on my home desktop/laptops, rather than paying through the nose to license something for the half dozen such systems currently on my home network)
