Threat Level: Infocon green

ISC Diary

Refresh Latest Diaries


Patched your Java yet?

Published: 2012-11-01,
Last Updated: 2012-11-01 00:22:55 UTC
by Daniel Wesemann (Version: 1)

21 comment(s)


Yes, there's some irony to this diary entry. In the past, I have been suggesting repeatedly that organizations who do not have an all-out requirement to keep a Java JRE runtime installed, should get rid of it. Yet, here I was, a couple of days ago, reviewing some SIEM events at a Community College where I help out with IT Security, when something caught my eye  (URLs defanged to keep you from clicking):


src='192.168.36.25' media-type='application/x-jar' url='GET hxxp://outdrygodo.mine. nu/finance/etzko5.jar'
src='192.168.36.25' media-type='-' url='GET hxxp://outdrygodo.mine. nu/finance/qkefaw.php'
src='192.168.36.25' media-type='application/octet-stream' url='GET hxxp://outdrygodo.mine. nu/finance/e32ezw.php?category=/&news_id=314214&date=1012&gen=j&lam=true'


Basically, a user here is getting an unsolicited Java Applet. A little while later, the same workstation gets an "octet stream" (think: executable). This can't be good. But why isn't anti-virus alerting on it?  [Yes, this is a purely rhetorical question :)]

Turns out, the workstation in fact has been infected. The JAR contained an exploit for CVE-2012-4681. And there is a "skype.dll" sitting in C:\ProgramData, and, even "better", it apparently happily talks to some server in the Ukraine:

src='192.168.36.25' media-type='-' url='POST hxxp://195.191.56. 242/posting.php?mode=reply&f=72&sid5=0ef2884d693eadc605e9bf726c1b9881'

Checking through the logs in detail now, we determined that the PC was talking to this server in the Ukraine whenever the user was logging into some web page. User goes to GMail? PC talks to the Ukraine. User goes to Amazon? PC talks to the Ukraine. User goes to online bank? Yup: you get the drift.  In between, the spyware kept mum. But whenever the user happened to enter some password, the spyware merrily ratted him out.

Looking through the logs even further back, we were able to determine that the original infection had happened when the user visited a - perfectly benign - newspaper web site, which at the time apparently was featuring a poisoned advertisement banner somewhere within the page content.  The entire attack happened compeletely stealthily, there is nothing the user could have seen or done  (maybe with the exception of Java popping up in the tray, but who pays attention to that?)

In short, if your Java JRE is unpatched, you will get hacked. Silently and stealthily. The bad guys will grab all your passwords for a week or so. And then, they will move in, and change your life.

In the case at hand, it was an e-banking application, of all things, that did not yet work with Java JRE 7, and had kept the user from upgrading his Java JRE.  From other users, I hear that some releases of enterprise software from large vendors like SAP, Oracle, etc, are also not fully compatible with the latest Java JRE, and thus force their users to remain exposed to attacks like the one described above.
 

Bottom line:
If you don't need Java JRE on your PC, get rid of it.
If you need it, patch it.
If you can't patch it because some silly application is not compatible with the patch, kick the [beep] of whoever supplies that application.

In case you are in the latter situation, feel free to share in the comments box below. Maybe there are other ISC readers similarly affected, and if you join forces, the vendor might be more inclined to listen.


 

Keywords: java malware
21 comment(s)
Top of page

Top of page

Comments

Sadly it seems like the Oracle and SAP monolithic ERP systems are platforms that don't get upgraded frequently either, causing a catch-22 trap with old Java version requirements. More than a few companies I have worked for are 'trapped' on Oracle 10 databases and elderly ERP versions due to the effort and expense of updating, which in turn traps them on old JREs so the ERP client apps will continue to work.
posted by Paul, Thu Nov 01 2012, 01:14
Beyond keeping things fully patches, I assume AdBlock Plus can be a further tool of prevention in this arena, since it blocks the infected ad in the first place, right?
posted by techvet, Thu Nov 01 2012, 02:05
Oracle HR and E-Business are the ones that keep breaking when we try to run the current JRE. And we are running current versions of those applications. Even worse, we deal with a lot of local government websites and they always have outdated applets with expired code-signing certificates and break when we update the JRE. We actually have one application used to manage our payment cards and the bank that supplies it embeds JRE 1.3 (not a typo) in the current version. We virtualized it but it had problems so we had to publish it as a Citrix application where the Citrix server can't get to anything on the Internet except that bank's site. What a waste of our time.
posted by JJ, Thu Nov 01 2012, 02:34
I have no need for java on websites, but I have a requirement to run a JDE as part of a scripted software testing setup. Texas Instruments supplies their Code Composer (Code Composter!) variation of the eclipse IDE together with a jar file that interfaces to their hardware JTAG debug pod. I need the JDE to interface extensions, such as the National Instruments Data Acquisition devices, or DAQs, and some of our own interface libraries, all written in C/C++. I use SWIG to do this, but I still need to keep the JDE around to make this possible. Is there some way I can prevent that JDE from "poisioning" my browser? I am forced by client standards to run win7 and Internet Explorer, and the test stuff runs on the same machine.
posted by Moriah, Thu Nov 01 2012, 04:36
If only I had a dime each time I heard a vendor saying "You need to have this _old JRE version_ if you want to call for our support" :-(
posted by Denis, Thu Nov 01 2012, 09:01
Is there any benefit to using multiple browsers - one associated with the old JRE that is only used for the craptastic legacy app, and one associated with the current (or preferably no) JRE?

I seem to recall reading a few years back that Java applets can actually request to use older JREs if they are installed, but can't remember the details or if this was fixed.

Appreciate any insight.
posted by mr, Thu Nov 01 2012, 11:23
This looks like the g01pack exploit kit.

The DNS entries are very short-lived, and the exploit and payload URIs are one-time and restricted to a single IP. The landing page is usually full of random junk words and includes the Java exploit and some encrypted payload URLs (the encryption varies once or twice a day).

The payloads include a random extra byte at the beginning which is used to XOR the rest (hence no AV - though I think an AV could check for this!).

Other favourite domains at the moment are *.homelinux.com and *.homeip.net

BTW - CVE 2012-4681 is the 0-day from August AFAIK. I haven't seen an exploit for the vulnerabilities in Java 1.6.0_35 and 1.7.0_07 yet, though I expect we'll see some very soon :-(
posted by Chris W, Thu Nov 01 2012, 11:48
Our organization was losing so much time to testing patches against an increasing number of third party solutions and rebuilding infected machines (quarantine or deleted, we pull the drive and rebuild the PC.) We recently locked down Internet access to a handful of sites critical for business use -- even in the IT department. Users have to have sites approved by their manager, be able to prove that it is a site they access daily, and that it meets a critical business need.

For all other Internet access, we set up a separate, isolated wireless network with dedicated stations used for all other browsing and its own dedicated Internet connection. It's a serious pain, but for once BYOD is being a big help (users can use smartphones and tablets to browse the Internet), we've seen a significant drop in infected PCs, and our business-needs Internet connection runs much quicker for everyone. Even better, the dedicated browsing PCs are much easier to keep up to date since there's far fewer restrictions on specific versions that need to be installed for specific in-house systems.
posted by Dennis B, Thu Nov 01 2012, 12:43
Another solution is to use Firefox Portable and JPortable as a standalone Java-web client and keep the global plugin off other browsers. I use this for apps that use Java and my other browser (without Java) for everything else. One can even have separate copies of it with different Java versions.
posted by jbmartin6, Thu Nov 01 2012, 13:11
And yet SANS vLive still requires Java.

Java Delenda Est!!!
posted by JohnnyS, Thu Nov 01 2012, 13:29
It would help a lot if the Java updater for Windows (jusched.exe?) worked a bit better. Unless things have changed since I last tried it, it hasn't yet come to terms with the possibility that you might not be an administrator on your machine. So it starts up, asks if you want to update, looks happy when you say "yes", rumbles away for a while, and finally comes up with an error(!) message something like "The parameter is incorrect". Interesting, yes. Helpful, no.
posted by rjmx, Thu Nov 01 2012, 14:18
> If you don't need Java JRE on your PC, get rid of it.

I did, and now the "webmail.ISPNAME.ca" interface to my E-mail takes 15 to 20 seconds EVERY time that I open an E-mail message, presumably while it hunts around for some version of Java on my computer. Nothing on the web-page's "spinner" to indicate that their web-page needs the most-current Java add-on. Sigh.
posted by Melvin, Thu Nov 01 2012, 14:37
I've recently purchased a license of Ninite Pro for our organization. It is very inexpensive for what it does. I have a script set up to run twice weekly (Mondays and Thursdays) that updates all 3rd party apps on everyone's computer. Computers that need an older version of Java are not on the domain network but are rather on the wireless and are used only for their intended purpose. This is strictly monitored with our Barracuda web monitor software.
posted by Lee, Thu Nov 01 2012, 15:13
The bigger point here for me to vendors is stop writing Java applications that are version dependent. I know it can take more time to be version independent but you will save time in the long run with less re-writing down the road. The whole idea of Java is portability and in my opinion you just lost a big part of that portability by requiring a specific version of java to run it. And of course you expose yourself to this nightmare catch-22 situation.

I have written C/C++ applications that survived 3 or more major OS releases without any updates because they followed the API/OS vendors recommendations and didn't take shortcuts. Shortcuts like that are a save time now but spend even more later proposition. And they typically don't provide a good security profile either. Its like validating input to your program, takes time to do it right but you save so many problems down the road.
posted by BGC, Thu Nov 01 2012, 17:03
Java 6 Update 37 - I believe this addresses all known security issues, the same as the latest Java 7 release. We still have a business need for Java 6 with Oracle HR and E-Business. We know JRE 7 support is a ways off as Oracle is still struggling to fix all issues, and then that means we'll have to patch our Oracle apps and test as well. https://blogs.oracle.com/stevenChan/entry/planning_for_jre_7
posted by Jason R, Thu Nov 01 2012, 17:07
Various Oracle Apps don't work with the latest JRE. Not to mention the DBAs and Apps teams are utterly unwilling to test all their apps with the latest releases of JRE as they come out one even one platform, let alone OSX, linux, etc. Major irritation.

etime (an ADP app) is even worse. Not only does the java version of their web app require (last I checked) an older release of java, it requires a specific release. When we were eval'ing the application, I managed to make it run on linux, but only by running an old version of JRE (with many known exploits) and a truly decrepit version of firefox (with many known exploits). Naturally, the people deciding whether or not to use this webapp ignored my recommendation, probably because we're already using ERP apps that also require old JREs. (Bah!)

Combine this with the auto-update "feature" in JRE so instead of applying the latest java 6 patch it upgrades to java 7, and now we have managers recommending people turn off auto-updates of java. Phooey. (grumble)
posted by Brent, Thu Nov 01 2012, 17:29
What is it with Java always including some kind of browser toolbar or other software? Over the years there have been many and if the user is not careful they can have several toolbars for their browser. I have seen as many as 4 on an older computer.
posted by KBR, Thu Nov 01 2012, 18:19
Oracle and SAP are rightfully being singled out as bad about requiring old Java versions. The one that personally annoys me is Cisco – the most recent version of Java that we can get to reliably run their administrative tools is 6.25. So I have to use vulnerable software to connect to firewalls and IPS units that are supposed to increase security? Sigh.
posted by Joey, Thu Nov 01 2012, 20:19
@jbmartin6.... or anyone else.....

I've seen the portable idea mentioned a couple of times lately....and I think it's great. Just wondering if you or anyone else has figured out how to do this with IE.....

I searched www.portableapps.com for Internet Explorer and aside from all of the very helpful 'why would you ever wanna do that?...IE sucks' comments, it seems it isn't done for EULA legality reasons.

I have an app that requires IE and Java v1.6.0.4, and would love to switch it to a portable type IE environment.
posted by K-Dee, Thu Nov 01 2012, 23:22
Find out if they're running Cisco and hit 'em where it hurts. ASDM, et. al. are version dependent and usually lag well enough to require previous versions, which Oracle is not keeping up with. While the hackers are at it, nail SAP/Oracle to the wall through their vulnerability fix lag. They killed off one of our vendors with their poor business software implementation, let them burn.
posted by Sean, Fri Nov 02 2012, 03:41
For the few applications that require an older version of the Java JRE we configure a virtual machine to host it. Using Microsoft's RemoteApp we're able to launch an application window on users' workstations as if it were running locally. After they close it the virtual machine reverts back to a snapshot.
posted by someone, Fri Nov 02 2012, 15:54

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form

Diary Archives

Top of page
site/port/ip search:

Announcement!

IPv6 Support Added

Our iptables client now supports submitting IPv6 firewall logs.

Get ISC Swag!!

Advertisement

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

Port 51616 - Got Packets? - by: Kevin Shortt (2013-05-19)

e-netprotections.su ? - by: Daniel Wesemann (2013-05-17)

SSL: Another reason not to ignore IPv6 - by: Johannes Ullrich (2013-05-17)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute