Mark Underwood describes how he recovered a user's system from a drive-by Java attack. How do you protect users from fake security messages and deliver the security updates that they do need?
"Something isn't right with my computer," said the caller. "There's some sort of security message, but it's not one that I recognize."
As any good administrator would, I ran, not walked to the workstation and yanked out the Ethernet cable. Or, rather I tried to. The cable, which hadn't been moved for years, wouldn't come out. It seems the RJ45 connector tab had become lodged inside the MBO back panel. After several frustrating minutes with the worried system owner looking on and taking note of my frustration, I went to the switch and pulled out the workstation's cable from the other end. Then I returned with needle nose pliers and managed to free the RJ45.
I went to the screen to see what had been causing the worry. Indeed, it was an unfamiliar message asking to scan the system and then to install a security application - perhaps a fake, perhaps a legitimate one with a hidden payload. The malware had been busy. By the time Task Manager could be launched in this Windows Vista machine, the task manager had been disabled and was ignoring mouse and keyboard commands. An orderly Windows shutdown was not in the cards. This machine was using a fully updated (but version 1) Microsoft Security Essentials (MSE), but whatever defense MSE had mounted against the attack had been defeated.
After several fruitless minutes during which attempts were made to regain control, the Windows tray launched, or appeared to launch, a new message: "Primary master hard disk fail." A disturbing message from the innards of the OS to say the least, but hope was not lost; the malware had probably revealed itself unambiguously and would not go undetected, an even bigger concern than this particular infection.
My anti-malware toolbox included Malwarebytes, SUPERAntiSpyware, and a bootable Kaspersky rescue CD. After pulling the plug (not trusting a hard reset) I tried to boot into the rescue CD. No dice; this machine boots from Intel's IHC9 RAID, and the Kaspersky CD of course didn't have that driver. Next up: a MalwareBytes full scan, which ran for quite some time before concluding that there was nothing more than adware installed on the machine. Then I tried the portable version of SUPERAntiSpyware and received similar results. So on to Windows Safe Mode, no networking.
Both of those tools have proven very helpful in the past, so I found the results so far surprising. Then MSE identified (apparently for the first time) a possible Java runtime corruption — JAVA/CVE-2010-0840.
Click thumbnail for full version.
The specific vulnerability, though not this particular site's exploit, has been classified on the Mitre list of Common Vulnerabilities and Exposures. A brief search didn't turn up instances of drive-by attacks that fit the profile of this occurrence, but there were other Java exploits delivered through Java web applets.
Because it had not detected the malware in full Windows mode, I didn't trust MSE to fully detect and quarantine it. From a different computer, I researched this vulnerability. While I didn't find any straightforward cause and effect relationship between the symptoms and that particular vulnerability, a drive-by attack seemed a distinct possibility. The user mentioned looking up song lyrics recently, and because many such sites are full of obnoxious ring tone download offerings, it seemed like the perfect candidate for hosting - intentionally or otherwise — a bad Java applet or two.
My next strategy was to wind back the clock to a point in time where either the infection was not present, not activated, or could be detected by one of the tools - probably in safe mode. I temporarily disabled MSE and examined the available restore points. Luckily, there were plenty of restore points available (see sidebar). After consulting with the user, a restore point from 10 days ago was chosen. The restore succeeded, and I was able to launch Windows and quarantine and remove the infection with a now-enabled MSE.
No claim is being made that this was the only solution to remediation, and there is probably more that could be learned from Windows event logs or other evidence on this system.
Nuisance or pound of prevention?
Version 2 of MSE offers additional protection and integration with IE (though the user had been using Firefox), so that may be one conclusion from the incident. But the workstation's owner was part way into a complaint about Windows security when I pointed out that the underlying weakness was in the Java runtime, and this malware had already been observed attacking Apple and Linux machines as well as Windows. Had she updated Java when prompted to do so? "Oh, that annoying thing! Do I have to? It asks me so often, and doesn't say what it wants to update, that I can't tell whether the message is a new one. Besides, there are so many messages these days asking me to update things that I don't know which of them to trust."
I agree. "You need to update your security software" was in fact one of the invitations contained in the payload of this malware. The Java "Update Me" messages are annoying. The prominent and relatively poised integration of Windows Update with Windows is not shared by other applications needing security updates. Java, Adobe products (especially Flash), Wordpress, Joomla - each of these applications need to deliver patches, but are relegated to nuisance messages and pop-ups that are often crafted with much less care than is taken by the authors of fake messages.
A centralized security updating mechanism, perhaps delivered through Windows Update or the security ("antivirus") application, may be needed. Provenance checking would be performed by the central message provider so that bogus update requests would be harder to fake. Administrators could be notified and some such updates could be pushed. In the meantime, users will have to be encouraged to pay attention to those nag "Update Me" messages.