Free Republic
Thanks ever so much Java, for that biz-wide rootkit infection
The Register | 3rd September 2012 11:00 GMT | Trevor Pott

Posted on 09/03/2012 10:05:45 AM PDT by Ernest_at_the_Beach

Cup of coffee actually a carboy of toxic Kool-Aid

Sysadmin blog: Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you'll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact its revenge.

Closer inspection of the infection revealed deep network penetration that the installed antivirus applications were completely unable to cope with. The chief financial officer of the company relies on cloudy applications that require Java-in-the-web-browser. Contrary to early reports that we should only fear Java 7, this beauty crawled in through a fully up-to-date Java 6 browser plugin and installed some friends.

I have no idea what the initial vector was beyond the swift appearance and disappearance of some malicious Java archive files; the primary delivery mechanism scrubbed itself clean (along with significant chunks of the browser history) right after it downloaded its payload onto the compromised Microsoft Windows PC.

The payload: a software nastie called Sirefef. This itself is actually irrelevant; even Microsoft Security Essentials can find and kill most variants. The purpose of Sirefef is to serve as the staging component for the coup de grace: the highly sophisticated Zeroaccess rootkit (Sirefef downloaded some other friends too, but once the rootkit is dealt with, they are easily dispatched.)

Zeroaccess is a nightmare. It creates a hidden partition to run components from, deletes the BITS and Windows Update services, infects system restore and then removes the system restore interface from Windows. It locks you out of various sections of your file system it has decided to secrete backup copies of itself into. (C:\Windows\Temp, C:\Windows\System32\Config\Systemprofile and so forth.)

Zeroaccess knows all the standard tricks; it hides itself from Trend Micro's virus scanner Housecall, kills industrial-strength bleach Combofix (attempting to run this tool will freeze the system), resists cleaning by SurfRight's Hitman Pro, Symantec's resident AV and so forth. If you delete the hidden partition after booting from a Linux Live CD, chances are you didn't get every last remnant of the thing and it will be back in due time. It also prevents remote support app Teamviewer from starting properly with Windows.

If any residue of the rootkit lingers, or if Sirefef and/or its downloaded friends remain, they will all download and reinstall one another and we get to play whack-a-malware one more time. Bonus points were awarded for exploiting known Windows 7 vulnerabilities to infect every other machine on the network; that was a nice touch that really made my Friday.

Cleaning up this one Trojan-horse town

So what's the solution? It turns out that some combination therapy kills the Zeroaccess variant in question. The solution I have settled upon is this:

  1. Disconnect every Windows system from the network; if one is infected, they are all infected. (I have absolutely no idea what they used to get through the firewalls on client PCs, but it was effective.) You need to clean all systems one at a time on a quarantine basis. If you have a way to automate the rest of this list for enterprise deployment, please let me know.

  2. Create a new local user with admin privileges, reboot and log on as that user. (You need as clean a profile as possible.)

  3. Download and run Symantec's Zeroaccess removal tool. It will ask you to reboot; do so. A widget will pop up when you next log in that says the rootkit was not found. This is a lie. The removal tool got rid of it, and you have already been reinfected. Fortunately, it can't do anything until the next reboot.

  4. Run Trend Micro's Housecall; kill all the things. Do not reboot.

  5. Repair the background intelligent transfer service (BITS).

  6. Repair the Windows automatic updates service. (If you get the popup for the "Microsoft Fixit" tool, use it. It will fix your broken Windows update service.)

  7. Install Windows updates. Do not reboot.

  8. Run Microsoft Security Essentials; kill all the things. Do not reboot. At this point, you should have killed all of Zeroaccess's little friends.

  9. Re-run the Symantec Zeroaccess removal tool. It should kill the newly reinfected (but still dormant) variant of Zeroaccess.

  10. Reboot. When the system comes back up, make sure you log in as the "new" local administrative account you created.

  11. Run Combofix. If it doesn't lock up your system, you're good!

  12. Reboot back into your regular account, and delete the local account you created for this process. You win.
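
The verification a practitioner would want between steps 5 and 8, plus the throwaway admin account from step 2, as an added PowerShell example that is not part of Trevor Pott's article. It checks the specific damage the article attributes to Zeroaccess (BITS and Windows Update deleted or disabled, C:\Windows\Temp and C:\Windows\System32\Config\Systemprofile locked) rather than repairing it; the account name, the assumption of an elevated prompt, Windows 7-era command-line tools and an English-locale icacls output are all mine.

```powershell
# Added example, not from the article: confirm the damage the post describes
# has been undone (BITS and Windows Update present and startable, the
# directories the rootkit locks readable again) and create the throwaway
# local admin from step 2. Run from an elevated PowerShell prompt on the
# quarantined machine. Assumptions: Windows 7-era tooling (sc.exe, net.exe,
# icacls.exe) and an English locale for the icacls group names.

param(
    [string]$TempAdmin = 'cleanup-admin'   # assumed account name; choose your own
)

$failures = @()

# 1. Services the rootkit deletes: BITS and Windows Update (wuauserv).
foreach ($svc in 'BITS', 'wuauserv') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) {
        $failures += "service '$svc' is missing; repair it before installing updates"
        continue
    }
    # sc.exe qc prints the configured start type; 4 means DISABLED.
    $qc = & sc.exe qc $svc
    if ($qc -match 'START_TYPE\s+:\s+4\s+DISABLED') {
        $failures += "service '$svc' is disabled"
    }
    try {
        Start-Service -Name $svc -ErrorAction Stop
    } catch {
        $failures += "service '$svc' will not start: $($_.Exception.Message)"
    }
}

# 2. Directories the article names as lock-out locations for backup copies.
$paths = @(
    "$env:SystemRoot\Temp",
    "$env:SystemRoot\System32\Config\Systemprofile"
)
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    try {
        # A healthy directory lets an elevated shell enumerate it; access
        # denied here is the symptom the article describes.
        $null = Get-ChildItem -LiteralPath $p -Force -ErrorAction Stop
    } catch {
        $failures += "cannot enumerate '$p': $($_.Exception.Message)"
        continue
    }
    $acl = & icacls.exe $p
    if (-not ($acl -match 'BUILTIN\\Administrators')) {
        $failures += "'$p' carries no Administrators ACE: $($acl -join ' | ')"
    }
}

# 3. Throwaway local admin for the cleanup session (step 2 of the procedure).
& net.exe user $TempAdmin 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Random password that also satisfies a 3-of-4 complexity policy;
    # /y suppresses the prompt for passwords longer than 14 characters.
    $pw = 'Cl3an!' + [Guid]::NewGuid().ToString('N').Substring(0, 12)
    & net.exe user $TempAdmin $pw /add /y | Out-Null
    & net.exe localgroup Administrators $TempAdmin /add | Out-Null
    Write-Host "created $TempAdmin (password: $pw); remove it at step 12 with: net user $TempAdmin /delete"
}

if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'BITS, Windows Update and the listed directories look healthy'
```

A non-zero exit means something on the article's damage list is still present and the machine is not ready for step 7; a clean run says nothing about whether the rootkit itself is gone, which is what the Symantec tool and the reboot in steps 9 and 10 are for.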

If you are infected with Zeroaccess, exercise extreme caution. Someone is actively versioning this rootkit. I detected at least three different variants on one network alone. More to the point, the little friends that serve as satellite malware are also seeing some rapid evolution; what worked for me today may not work a week from now.

This incident should serve to underscore exactly how serious the Java exploits in question are. If you can, uninstall Java. If you must use Java, keep it as up-to-date as possible and see if you can disable or remove the plugins for your browsers. (In an attempt to help resolve the current crisis, Ninite is offering free access to the pro version for a limited time; it can really help with the updating.) If you absolutely must use Java-in-the-browser then it's time to start taking security very seriously; break out the tinfoil and start making some shiny hats.

Java-in-the-browser absolutely must be treated as "already compromised". There is no wiggle room here. Do not under any circumstances run Java in the browser on any production system or any client system in which any other application is used. Go buy another Windows licence and put Java inside a virtual machine.

Ring-fence the virtual machine by placing it on its own VLAN and subnet. Keep that virtual machine's traffic as separate from the rest of your network and system as you possibly can: Java-in-the-browser is a live grenade and you can't afford to have it go off inside your network. If you can, deploy the virtual machine from a managed template; the ability to destroy it at the end of the day and revert to a "known good" is a huge advantage when dealing with a threat of this magnitude.

Even if Oracle gets its act together and solves the immediate issues, this is only the latest in a long line. Java simply is not developed with an adequate "security first" approach; Oracle is used to dealing with large corporations, not consumers. It doesn't have the experience to fight these kinds of rapidly escalating arms races, and it shows.

There isn't time to wait for Oracle to overcome its corporate inertia. It is time for systems administrators to act. It is our duty to depopulate Java with extreme prejudice. ®


TOPICS: Computers/Internet
KEYWORDS: java; javaexploits; javascript; linuxlivecd; malware; sirefef; teamviewer; whackamalware; zeroaccess; zeroaccessbotnet; zeroacess

1 posted on 09/03/2012 10:05:49 AM PDT by Ernest_at_the_Beach

To: Ernest_at_the_Beach

Thanks for posting this antihelminthic procedure. Well-written too.


2 posted on 09/03/2012 10:10:58 AM PDT by thecodont

To: Ernest_at_the_Beach

Later read!


3 posted on 09/03/2012 10:13:05 AM PDT by RoseofTexas

To: Ernest_at_the_Beach

Bump for later.


4 posted on 09/03/2012 10:13:25 AM PDT by Cicero (Marcus Tullius)

To: Ernest_at_the_Beach

If you have Windows 7 or God forbid Vista, doing a system restore to an earlier date also seems to work.

I’ve run across a few of these lately. What fun!


5 posted on 09/03/2012 10:13:38 AM PDT by unixfox (Abolish Slavery, Repeal The 16th Amendment!)

To: Noumenon

Ping.


6 posted on 09/03/2012 10:13:53 AM PDT by DuncanWaring (The Lord uses the good ones; the bad ones use the Lord.)

To: ShadowAce

fyi


7 posted on 09/03/2012 10:16:13 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: Ernest_at_the_Beach
It is our duty to depopulate Java with extreme prejudice.

OK, what is the recommended alternative to creating Java apps?
8 posted on 09/03/2012 10:18:39 AM PDT by RushingWater (Let's have a brokered convention and page Sarah Palin - especially if Condi is the VP nominee)

To: All
Not sure all the embedded links work....so here is a FR thread on the:

Technical paper: The ZeroAccess rootkit under the microscope

9 posted on 09/03/2012 10:18:42 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: Ernest_at_the_Beach

bookmark


10 posted on 09/03/2012 10:31:20 AM PDT by dadfly

To: dadfly

read later


11 posted on 09/03/2012 10:41:48 AM PDT by knarf (I say things that are true ... I have no proof ... but they're true)

To: RushingWater

No Idea...but doesn’t look easy.


12 posted on 09/03/2012 10:43:49 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: Ernest_at_the_Beach

BOOKMARK.


13 posted on 09/03/2012 10:50:07 AM PDT by The Cajun (Sarah Palin, Mark Levin......Nuff said.)

To: unixfox
"If you have Windows 7 or God forbid Vista, doing a system restore to an earlier date also seems to work."

That is if the bug hasn't infected the other backups; viruses love to stick around and infect other restore points. I have Windows Restore set to off and use "ERUNT" and "WinRescue" instead:
http://www.larshederer.homepage.t-online.de/erunt
http://regvac.com/frescuemenu.htm

14 posted on 09/03/2012 10:52:49 AM PDT by LouieFisk

To: lysie

bookmark


15 posted on 09/03/2012 10:58:02 AM PDT by lysie

To: Ernest_at_the_Beach

I was wondering when someone was going to turn the spyware root-kits into a virus. One or two you can fix, 200 at a time will be a problem and if it can cross subnets, look out.


16 posted on 09/03/2012 11:01:19 AM PDT by ClayinVA ("Those who don't remember history are doomed to repeat it")

To: Ernest_at_the_Beach

So, what’s the skinny? Should we not be running Java?


17 posted on 09/03/2012 11:02:04 AM PDT by bcsco (Bourbon gets better with age...I age better with Bourbon.)

To: Ernest_at_the_Beach

Hey, Ernest, I don’t have Sun java running on mine, but I did disable it off of my mom’s business pc, thanks so much for the heads up on this ^^


18 posted on 09/03/2012 11:03:27 AM PDT by chris37 (Heartless.)

To: bcsco
"So, what’s the skinny? Should we not be running Java?"

I uninstalled it after the last infection it gave my PC.
It's rarely needed in my case. YMMV.
19 posted on 09/03/2012 11:09:32 AM PDT by LouieFisk

To: Ernest_at_the_Beach

These people need to be put up against a wall and shot. And then the video put on YouTube for all the world to see.


20 posted on 09/03/2012 11:09:32 AM PDT by ottbmare (The OTTB Mare)

To: bcsco

I would disable Sun Java if you are running it. That is the program that will be exploited.

While in internet explorer, click tools, internet options, programs tab, manage add ons, look for Sun Java in the list, disable it if it is there. This is for windows 7.


21 posted on 09/03/2012 11:09:47 AM PDT by chris37 (Heartless.)

To: LouieFisk; chris37

Thanks. I disabled it in both IE & Firefox.


22 posted on 09/03/2012 11:17:52 AM PDT by bcsco (Bourbon gets better with age...I age better with Bourbon.)

To: Ernest_at_the_Beach

Microsoft is aware of this rootkit and has a page on it in the Malware Protection site:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin64%2FSirefef.D

Lots of good tips to protect your computer from it and for fixing your PC if you get it. They are not, however, recommending disabling Java. Note in the article originally posted the business executive had to have Java in the browser to track finances. This is true for a lot of people. I’m not sure that disabling Java is going to work with a lot of my users.


23 posted on 09/03/2012 11:19:24 AM PDT by Alas Babylon!

To: Ernest_at_the_Beach

bookmark


24 posted on 09/03/2012 11:26:18 AM PDT by squarebarb ( Fairy tales are basically true.)

sfl


25 posted on 09/03/2012 11:26:51 AM PDT by phockthis (http://www.supremelaw.org/fedzone11/index.htm ...)

To: Alas Babylon!
"Lots of good tips to protect your computer from it and for fixing your PC if you get it."

Pretty generic cover-all suggestions. Use an anti-virus, firewall, be careful about attachments, etc.
26 posted on 09/03/2012 11:28:55 AM PDT by LouieFisk

To: Ernest_at_the_Beach; All

My only concern about the Microsoft link is the fact that it’s so old. November of 2011. So I did a search in the Malware Protection site for “Java Rootkit” and got the following, sorted by date:

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=java%20rootkit&showall=False&CBF=False&sortby=date&sortdir=desc

Looks bad. Every day another new one.

Still, as I said, we have several major apps we support that use Java, and getting rid of them would be a sure PITA and a possible show stopper.

As a stopgap, ALWAYS ensure your antivirus/anti-spyware software is running always, and updated every day!!!!!


27 posted on 09/03/2012 11:32:05 AM PDT by Alas Babylon!

To: Ernest_at_the_Beach

Bookmark !


28 posted on 09/03/2012 11:32:13 AM PDT by onona (Thank you fellow Freepers)

To: LouieFisk

Microsoft is sue-happy. Lawyers pretty much call all the shots.

If they just recommend disabling Java, I’m pretty sure Oracle would get legal. And that costs MSFT money even if they win.

Then again, if a few major corporate players get hacked bad they’ll be talking to counsel.

So it’s generic, pappy, we-told-you-so remedies.

This is the crap I fight everyday. In the end, the corp bigwigs hold IT responsible. That crap rolls downhill to us administrators. We’re on the line in more ways than one.

Me? I pray a lot!


29 posted on 09/03/2012 11:36:50 AM PDT by Alas Babylon!

To: Ernest_at_the_Beach

Java is crap.

All the things they said Java would never do, they now do with ease. Like infect you.

I have Noscript installed w/Firefox, the problem is there are tons of Java junkies out there who think it is the answer to everything, and half the websites I go to don’t work.

It was a flash in the pan and ought to be replaced by a new HTML standard.

It would help if MS would clean up their buffer problems and application security.... yeah, like that’s gonna happen!


30 posted on 09/03/2012 11:37:10 AM PDT by djf (The barbarian hordes will ALWAYS outnumber the clean-shaven. And they vote.)

To: Alas Babylon!
"Still, as I said, we have several major apps we support that use Java, and getting rid of them would be a sure PITA and a possible show stopper."

Yeah, it's as I said, it depends on how much you depend on it/frequency of use. But rootkits can be mighty nasty. I consider a severe infection as making a machine compromised, time to format and reload the OS.
But if a person does uninstall Java he should be sure to get rid of the old versions, too. Java keeps them installed for some reason.

31 posted on 09/03/2012 11:42:19 AM PDT by LouieFisk

To: bcsco; LouieFisk; chris37; Alas Babylon!
I think it is bigger than just Java,.....JavaScript in the browser....or whatever.....

Read the Technical paper for some real hair-raising detail.....

32 posted on 09/03/2012 11:51:56 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: djf

What a mess...


33 posted on 09/03/2012 11:52:45 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: Ernest_at_the_Beach

Like I said, pray! :-)


34 posted on 09/03/2012 11:55:52 AM PDT by Alas Babylon!

To: All
All should look at this for online Financial stuff:

*****************************************************

Link :

Lightweight Portable Security---DOD

******************************

The Abstract from Distrowatch above......

*******************************************

Lightweight Portable Security (LPS) is a Linux-based live CD with a goal of allowing users to work on a computer without the risk of exposing their credentials and private data to malware, key loggers and other Internet-era ills. It includes a minimal set of applications and utilities, such as the Firefox web browser or an encryption wizard for encrypting and decrypting personal files. The live CD is a product produced by the United States of America's Department of Defence and is part of that organization's Software Protection Initiative.

35 posted on 09/03/2012 11:57:43 AM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: Alas Babylon!
Well,...you have a problem of much larger magnitude than most of us have to deal with....

Man oh Man....glad I retired from the Main Frame business....

Guess I have a question ...if an enterprise is running virtual machines hosting Linux apps and Windows apps...does that help ...in detection?

36 posted on 09/03/2012 12:02:10 PM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: Ernest_at_the_Beach

BTTT.


37 posted on 09/03/2012 12:09:00 PM PDT by exit82 (Pass the word: Obama is a FAILURE!! Democrats are the enemies of freedom!)

To: Ernest_at_the_Beach

Got that right!

I did manage to find the equivalent of a “Windows Live” CD.
You burn it and boot from CD.

Problem is, zero installed software, I can’t remember if IE is even installed, so except for tweaking registries, recovering hard drives, etc., it’s basically useless.

Can’t remember the name exactly... something like “Windows Presentation Manager” or some such crap.

Sure would be nice if MS worried as much about my rights to not have my machine infected as they do worrying about DRM for Katy Perry or WTF...


38 posted on 09/03/2012 12:26:45 PM PDT by djf (The barbarian hordes will ALWAYS outnumber the clean-shaven. And they vote.)

To: All
Used Google to find this:

ZeroAccess Description

***********************************EXCERPT*********************************************

ZeroAccess is a rootkit that uses advanced techniques to conceal itself and thwart your PC security software. Afterwards, ZeroAccess may also be used to open a backdoor on your system in the fashion of a backdoor Trojan. As is true of other rootkits that SpywareRemove.com malware researchers have analyzed, ZeroAccess has negligible symptoms of its activities, although you may be able to find ZeroAccess by watching for malfunctions in your anti-malware and security programs. ZeroAccess has been updated several times throughout its life and is sufficiently advanced and potentially damaging that only specialized and up-to-date anti-malware programs should be used to delete any ZeroAccess infection on your PC. Refraining from doing so will leave your computer open to attack by criminals and other forms of harmful software, and can cause loss of private information or destruction of files on your PC.

The Hidden ZeroAccess Threat to Your Computer


ZeroAccess is considered a highly-sophisticated kernel mode rootkit due to its use of multiple methods to obscure itself and attack programs that could find or remove ZeroAccess and similar rootkits. Although ZeroAccess isn’t considered quite as advanced as a TDL3 Rootkit, it remains comparable to such rootkits (including Rootkit.Boot.Mybios.a, TDSS.e!rootkit, TDSS Rootkit and Rootkit.Win32.Agent.bhnc) in terms of potential damage to your PC.

Since SpywareRemove.com malware researchers have found that ZeroAccess, like many other rootkits, prefers to load itself without an independent process that can be seen and shut down, you may not be able to tell when ZeroAccess is active unless its related attacks give off visible signals, such as browser hijacks, system slowdown or visibly-altered network settings.

However, the attack that ZeroAccess is most well-known for is its ability to shut down any program that engages in behavior that ZeroAccess feels would be a threat to ZeroAccess. This includes most forms of standard system scans that are used by anti-malware and security programs. Since ZeroAccess has received multiple updates since its origin in July of 2011, keeping your anti-malware software equally up-to-date is important for removing ZeroAccess.

You may also be able to infer the existence of ZeroAccess by noting the presence of related PC infections, particularly dropper Trojans. These Trojans, such as Trojan-Downloader.Agent-BFJ, Trojan-Dropper.Win32.Delf.br, Trojan-dropper.win32.VB.agtq, Trojan-Dropper.Win32.HDrop.apo or Trojan-Downloader.Agent-FCX can install ZeroAccess and may also install spyware, ransomware Trojans, worms or other PC threats.

Why ZeroAccess is a Great Big Zero for Your Computer’s Safety


39 posted on 09/03/2012 12:27:07 PM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

Continuing.....looks like detection is free....but removal is for a fee:

************************************

Why ZeroAccess is a Great Big Zero for Your Computer’s Safety


Besides its notable security program-disabling traits, any particular ZeroAccess variant may also possess any or all of the following attributes:

Confirmed aliases for ZeroAccess include Dropper.Sirefef.B, Generic Dropper!dvy and Trojan-Dropper.Win32.Sireref.b.

ZeroAccess Automatic Detection Tool (Recommended)


Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
Is your PC infected with ZeroAccess? To safely & quickly detect ZeroAccess, we highly recommend you run the malware scanner listed below.
Download SpyHunter's* Malware Scanner to detect ZeroAccess What happens if ZeroAccess does not let you open SpyHunter or blocks the Internet?

*SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats.
40 posted on 09/03/2012 12:37:05 PM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: Ernest_at_the_Beach

Well, I disabled Java just in case.


41 posted on 09/03/2012 12:45:53 PM PDT by bcsco (Bourbon gets better with age...I age better with Bourbon.)

To: Ernest_at_the_Beach

Well, not really. VMs can add an extra layer of protection via their individual firewalls, anti-malware, etc, but generally if you want the apps to be accessible to the users, connect and store data on the databases, and act like a real service, then the VMs are going to need network access like any other machine. And therein lies the danger.

I CAN tell you that machines without a network interface or no way to communicate with the innerwebs are much, much more secure! Of course they’re useless, too...


42 posted on 09/03/2012 1:18:39 PM PDT by Alas Babylon!

To: bcsco
The "Vector" in the story seemed to be somehow involved with exercising a javascript in the browser....

Javascript is very popular....

I don't think turning off Java on your computer stops this particular nasty stuff working....if I read it correctly.

43 posted on 09/03/2012 1:47:15 PM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: Ernest_at_the_Beach

BFL


44 posted on 09/03/2012 1:48:03 PM PDT by editor-surveyor (Freepers: Not as smart as I'd hoped they'd be)

To: All
So what in the H**l is a RootKIT....

To the Wikipedia:

>Rootkit

*********************************EXCERPT************************************

A rootkit is a stealthy type of malicious software designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer.[1] The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.[1]

Rootkit installation can be automated, or an attacker can install it once they've obtained root or Administrator access. Obtaining this access is either a result of direct attack on a system (i.e. exploiting a known vulnerability, password (either by cracking, privilege escalation, or social engineering)) or a result of... . Once installed it becomes possible to hide the intrusion as well as to maintain privileged access. Like any software they can have a good purpose or a malicious purpose. The key is the root/Administrator access. Full control over a system means that existing software can be modified, including software that might otherwise be used to detect or circumvent it.

Rootkit detection is difficult because a rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternative and trusted operating system, behavioral-based methods, signature scanning, difference scanning, and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; reinstallation of the operating system may be the only available solution to the problem. When dealing with firmware rootkits, removal may require hardware replacement, or specialised equipment.

History

The first documented computer virus to target the personal computer marketplace, discovered in 1986, used cloaking techniques to hide itself: the Brain virus intercepted attempts to read the boot sector, and redirected these to elsewhere on the disk, where a copy of the original boot sector was kept.[1] Over time, DOS-virus cloaking methods became more sophisticated, with advanced techniques including the hooking of low-level disk INT 13H BIOS interrupt calls to hide unauthorized modifications to files.[1]

The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted "root" access.[2] If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator. These first generation rootkits were trivial to detect by using tools such as Tripwire that had not been compromised to access the same information.[3][4] Lane Davis and Steven Dake wrote the earliest known rootkit in 1990 for Sun Microsystems' SunOS UNIX operating system.[5] Ken Thompson of Bell Labs, one of the creators of Unix, subverted the C compiler in a Unix distribution and discussed the exploit in the lecture he gave upon receiving the Turing award in 1983. The modified compiler would detect attempts to compile the Unix "login" command and generate altered code that would accept not only the user's correct password, but an additional password known to the attacker. Additionally, the compiler would detect attempts to compile a new version of the compiler, and would insert the same exploits into the new compiler. A review of the source code for the "login" command or the updated compiler would not reveal any malicious code.[6] This exploit was equivalent to a rootkit.

The first malicious rootkit for the Windows NT operating system appeared in 1999: a trojan called NTRootkit created by Greg Hoglund.[7] It was followed by HackerDefender in 2003.[1] The first rootkit targeting Mac OS X appeared in 2009,[8] while the Stuxnet worm was the first to target programmable logic controllers (PLC).[9]

Sony BMG copy protection rootkit scandal


45 posted on 09/03/2012 1:58:06 PM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
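
The "difference scanning" and Tripwire-style detection the excerpt above describes, as an added PowerShell example that is not part of the Wikipedia article or of this thread: it records a hash of every file under a directory while the machine is known good and later reports what was added, removed or replaced. The function names are mine, the paths in the usage comment are placeholders, and it assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from Wikipedia or this thread): a minimal Tripwire-style
# "difference scan" of the kind the excerpt says detects first-generation
# rootkits, which replace administrative binaries on disk. Take the baseline
# while the machine is known good and keep it where the machine cannot
# write (removable media, another host); later, compare. A kernel-mode
# rootkit can lie to this script about what is on disk, which is exactly
# the limitation the excerpt describes. Requires PowerShell 4.0+ (Get-FileHash).

function Get-FileRecords {
    param([string]$Root)
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Locked files (pagefile, registry hives) cannot be hashed; record
            # that explicitly so they are not silently skipped.
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            $hash = if ($h) { $h.Hash } else { 'UNREADABLE' }
            [pscustomobject]@{
                Path   = $_.FullName.Substring($rootFull.Length).TrimStart('\')
                Length = $_.Length
                Sha256 = $hash
            }
        }
}

function New-IntegrityBaseline {
    param([string]$Root, [string]$BaselinePath)
    Get-FileRecords -Root $Root |
        Export-Csv -LiteralPath $BaselinePath -NoTypeInformation -Encoding UTF8
}

function Compare-IntegrityBaseline {
    param([string]$Root, [string]$BaselinePath)
    $old = @{}
    foreach ($r in Import-Csv -LiteralPath $BaselinePath) { $old[$r.Path] = $r }

    $seen = @{}
    $changes = @()
    foreach ($f in Get-FileRecords -Root $Root) {
        $seen[$f.Path] = $true
        if (-not $old.ContainsKey($f.Path)) {
            $changes += [pscustomobject]@{ Change = 'ADDED'; Path = $f.Path }
        } elseif ($old[$f.Path].Sha256 -ne $f.Sha256) {
            # Same length but a different hash is the classic trojaned binary:
            # the replacement was padded so a size check would not notice.
            $note = if ([int64]$old[$f.Path].Length -eq $f.Length) { 'same size, different content' } else { 'size changed' }
            $changes += [pscustomobject]@{ Change = "MODIFIED ($note)"; Path = $f.Path }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $seen.ContainsKey($p)) {
            $changes += [pscustomobject]@{ Change = 'REMOVED'; Path = $p }
        }
    }
    $changes
}

# Usage (placeholder paths): baseline System32 to removable media, compare later.
# New-IntegrityBaseline     -Root "$env:SystemRoot\System32" -BaselinePath 'E:\system32.baseline.csv'
# Compare-IntegrityBaseline -Root "$env:SystemRoot\System32" -BaselinePath 'E:\system32.baseline.csv' | Format-Table -AutoSize
```

Run the compare from a boot the rootkit does not control (the "alternative and trusted operating system" the excerpt lists) if you want the result to mean anything against a kernel-mode rootkit; run from inside the infected Windows it only catches the first-generation file-replacement case.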

To: Ernest_at_the_Beach

That SpyHunter link in post #40 doesn’t work.


46 posted on 09/03/2012 2:17:30 PM PDT by bcsco (Bourbon gets better with age...I age better with Bourbon.)

To: bcsco
OK...lets try this:

http://www.spywareremove.com/download-spyhunter-scanner/

Left it bare so it could be seen where it goes.

47 posted on 09/03/2012 3:11:14 PM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

To: Ernest_at_the_Beach

Bflr


48 posted on 09/03/2012 4:25:51 PM PDT by colinhester

To: Ernest_at_the_Beach
Everyone should realize... Javascript and Java are two very different things. About the only thing they have in common are the letters J-A-V-A in their names.

The bug that is causing this is in the Java runtime from Oracle (formerly Sun).

If you want to avoid it, you need to uninstall the Java runtime (JRE).

It is not being caused by having Javascript enabled in the browser.

Javascript != Java!

49 posted on 09/03/2012 4:36:01 PM PDT by Mannaggia l'America

To: Mannaggia l'America
So ....guess I wrongly interpreted the statement:

The chief financial officer of the company relies on cloudy applications that require Java-in-the-web-browser.

50 posted on 09/03/2012 4:52:39 PM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))

