Thanks ever so much Java, for that biz-wide rootkit infection

Right on cue, Java has responded to my hatred in kind. Shortly after I awoke to discover my previous article denouncing the language had been published, a client called to inform me his computer had contracted some malware. Java has, if you'll forgive the anthropomorphization of a bytecode virtualization engine, decided to exact …

COMMENTS

  1. Mark C Casey
    Mushroom

    The only use for java these days

    Are minecraft, android development and viruses. In that order.

    1. historymaker118
      Linux

      Re: The only use for java these days

      That's why I play minecraft using Linux...

      1. Anonymous Coward

        Re: The only use for java these days

        Java exploits don't only work on Windows, they'll run on anything that Java will run on, including Linux.

        What you're displaying is a fairly common mindset that "Windows is the only thing that gets exploited, therefore I'm safe, whatever I do with my non-Windows OS." It's very dangerous and I've seen it bite people; a friend of mine found that his broadband was running slowly because his Linux box had been rooted and was happily serving porn to the world.

        1. Flocke Kroes Silver badge

          Playmobil reconstruction or it didn't happen

          Have you got a URL for some good Java coded Linux Malware? I would like to try it out. When I have tried installing malware before it didn't work - not even under wine.

          1. WatAWorld

            It would be unethical to send malware

            It would be unethical to send malware to an unknown party or a party not working for a reputable major antivirus or security firm.

            If you doubt that Linux has vulnerabilities and exploits search on Linux here:

            http://www.kb.cert.org/vuls/byid?searchview

        2. Anonymous Coward

          Re: The only use for java these days

          It depends, the virus may be using JNI or an exploit in the VM to access OS resources.

        3. Anonymous Coward
          Linux

          Re: mindset that "Windows is the only thing that gets exploited,

          Trevor was talking about his own experience, so it might not have been appropriate in this particular article, but I do wish that more people would remember the penguins when it comes to documenting these risks and recovering from them.

          If it saves just one chicken...

        4. Neil McAllister

          Re: The only use for java these days

          The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges.

          1. Trevor_Pott Gold badge

            Re: The only use for java these days

            Um...what? OSX is actively under attack using these vulns...as is Ubuntu for those running as root...

            1. Fatman

              Re: ...for those running as root

              Which, if you are not a transplanted M$ n00b, is never recommended.

              1. Trevor_Pott Gold badge

                Re: ...for those running as root

                Do you have any idea how many Ubuntu users I catch running as root? It gives me a sad.

                1. eulampios

                  Re: ...for those running as root

                  How do they run as root on Ubuntu?

                  1. Trevor_Pott Gold badge

                    Re: ...for those running as root

                    Set a root password. Then you can log into the GUI as root.

                    1. cyborg
                      Flame

                      Re: ...for those running as root

                      What the hell are people running Ubuntu who know enough to set a root password doing setting a root password?

                      No sympathy for rooted boxes there if they're going to insist on being as stupid as possible.

                    2. vic 4

                      Re: .Set a root password

                      It would almost serve them right if they did get infected.

                  2. S4qFBxkFFg

                    Re: ...for those running as root

                    "How do they run as root on Ubuntu?"

                    sudo su

                    Most obvious way I can think of.

                2. WatAWorld

                  Re: ...for those running as root

                  As other operating systems become more usable, we'll find more poorly trained and untrained people using them. Which means more people making the mistake of using an elevated privileges account for everyday work.

                  Perhaps the only solution is to go the Apple route, and maybe a bit further. Create an operating system that will only run software signed by the operating system author. I fear that is where we are headed.

                  1. Anonymous Coward

                    Re: ...for those running as root

                    Where we are clearly headed is "Safe Computing" shooting up on 'roids and methamphetamine:

                    Everyone will run their OS inside a VM. At least one "bundes-trojaner" will be in full control of the VM and continuously monitor all interfaces to the hardware layer for "dangerous traffic". External connections are logged and saved for 7 years in case the definition of "dangerous traffic" mutates and prosecution becomes necessary after the fact.

                    You cannot install anything outside of the VM, any attempt to hack it will bring the full force of NDAA 2012 or RIAA sturmtroopers to your doorstep. All of this is for our own protection, of course.

                3. John H Woods Silver badge

                  Re: ...for those running as root

                  "Do you have any idea how many Ubuntu users I catch running as root? It gives me a sad."

                  Even a few is surprising - on a default Ubuntu install, you can't login or su root.

                  1. Trevor_Pott Gold badge

                    Re: ...for those running as root

                    sudo passwd root

                    Enter a password

                    Now you can log in to the GUI. What's so hard about that?
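
The state the posts above describe (a root password set with `sudo passwd root` on a box that ships with root locked) can be checked for from the shadow file. This is an added example, not part of the thread; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag an unlocked root password and extra UID 0 accounts.
# Function names and sample data are constructed for illustration.

# Classify root's password field in a shadow-format file ($1):
#   locked  - starts with ! or * (no password login; Ubuntu's default)
#   set     - holds a hash (the state `sudo passwd root` leaves behind)
#   empty   - no password required at all
#   missing - no root entry in the file
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "")          { print "empty" }
            else if ($2 ~ /^[!*]/) { print "locked" }
            else                   { print "set" }
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# List every account with UID 0 in a passwd-format file ($1).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Report findings for a shadow file ($1) and passwd file ($2).
# Returns 0 when root is locked and is the only UID 0 account.
audit_root() {
    rc=0
    state=$(root_password_state "$1")
    if [ "$state" != "locked" ]; then
        echo "FINDING: root password is $state (expected locked)"
        rc=1
    fi
    for name in $(uid0_accounts "$2"); do
        if [ "$name" != "root" ]; then
            echo "FINDING: extra UID 0 account: $name"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on constructed files: a default-style install, then the same
# box after a root password has been set.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' > "$dir/passwd"
    printf '%s\n' 'root:!:15500:0:99999:7:::' > "$dir/shadow.default"
    printf '%s\n' 'root:$6$constructedsalt$constructedhash:15500:0:99999:7:::' \
        > "$dir/shadow.changed"
    audit_root "$dir/shadow.default" "$dir/passwd" && echo "default: clean"
    audit_root "$dir/shadow.changed" "$dir/passwd" || echo "changed: flagged"
    rm -rf "$dir"
}

demo
```

On a live system the two arguments would be /etc/shadow (readable only by root) and /etc/passwd; a `sudo su` session leaves no trace in either file, so this check covers only the persistent root-password case.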

                  2. Anonymous Coward

                    Re: ..default Ubuntu install, you can't login or su root.

                    You can sudo su or sudo su - which is pretty much the same as being logged in as root.

                    And in mid post, I tried sudo su root. Yes, you can su root.

                4. Anonymous Coward

                  Re: ...for those running as root

                  Which shows that my last reply must be, err ...wrong. Oh well, that happens! :)

                  But I wonder why they bother, as it is so unnecessary for everything except admin tasks. It would make me sad too.

                  Not that I never spent all day logged in as root on a work machine. And not that I never screwed up when doing so <Blush>

              2. redniels

                Re: ...for those running as root

                Which, if you are not a transplanted M$ n00b, is never recommended.

                this should read:

                Which is never recommended.

                To MS's credit they are actively trying to persuade everyone since NT 3.51 (that's a very long time ago, thank you) to please not log on as admin. only: nobody listens. neither do you. or he. or she. or whoever. Long story short: migrating these people to Linux will not solve the problem, only make it worse: they will still log on as root (I'm the admin!) and now will not even have a clue how stuff works in linux.

                migrating normal users to linux is a disaster waiting to happen. trust me. I know. for sure. been there. and turned back.

                1. John Sanders
                  FAIL

                  Re: ...for those running as root

                  I would say that MS says one thing and does another.

                  On a default install of Windows 2000 Professional/Server you are root (administrator) by default, so are you in Windows XP/2003, then on Vista you get elevated privileges through UAC all the time which is neither an administrator account nor a non-privileged user, same for Windows 7/2008/R2.

                  Microsoft had the opportunity with Win7 to go to a fully user/admin separated model like everything in the industry other than them for the last 30 years.

                  But no, they know that will break software and alienate users, and the bottom line is more important than doing things the right way.

            2. Dan 55 Silver badge

              Re: The only use for java these days

              The good news is that on OS X you can go into the Java preferences, disable the Java plug-in on all browsers with a click on the checkbox, and still have local Java programs (well, in my case Eclipse) running perfectly fine.

              Windows, on the other hand, is a fecking nightmare to disable.

              1. Trevor_Pott Gold badge

                Re: The only use for java these days

                Disables fine in Chrome and Firefox. Even when "disabled" in IE, the thing still can be called. How that works, well...comments, Microsoft? I'd love to hear the explanation.

              2. TeeCee Gold badge
                Facepalm

                Re: The only use for java these days

                "Windows, on the other hand, is a fecking nightmare to disable."

                You can go into the Java preferences and disable the Java plug-in by clicking on the checkbox.......

                Let me guess. You've been fannying around with the options in the various browsers rather than going to the horse's mouth of the Java console in Control Panel, haven't you?

                1. Dan 55 Silver badge

                  Re: The only use for java these days

                  You need to run the Java control panel from an elevated command prompt (obvious, that) and while that works for alternative browsers it still doesn't work properly for IE and IE is part of Windows. See my post on the next page.

                  Your icon is self referential I suppose?

            3. Anonymous Coward

              Re: Ubuntu for those running as root...

              It is designed to make that difficult, therefore unlikely.

              I can "sudo su" in a terminal and forget that I'm root --- but I'm not even sure how to be running the entire desktop as root.

          2. Anonymous Coward

            Re: The only use for java these days

            "...compared to Windows XP, where everybody runs with administrator privileges"?

            In the corporate environment this is unforgivable (and if there's a sysadmin of any note it won't be true). I will concede that in the home it's more tempting to run as an administrator. Bear in mind that full admin rights aren't given by default to newly created accounts: it is the owner's choice.

          3. Anonymous Coward

            Re: The only use for java these days

            "The exploits are cross-platform, but the payloads only run on Windows -- so far, at least. So running Linux, for now, IS actually an effective shield. It would be more difficult to craft a payload that did anything harmful on Linux, too, compared to Windows XP, where everybody runs with administrator privileges."

            Utter bollocks I am afraid to say. It would not be hard at all to craft a payload that did anything harmful on a Linux install. What planet are you living on? Clearly not the same one as me. Running Linux is not an effective shield for now. Windows and Linux boxes are exploited for differing reasons.

            Windows - Exploited these days to slurp mostly banking data and anything else they fancy due to the high volume of Windows users and therefore banking details available to be stolen. Making target No.1 for anything exploiting for Cash profit that can be rapidly taken advantage of.

            Linux - Small desktop percentage and therefore low volume of banking transactions compared to Windows. Hence why you don't see you & your friends' Linux desktops hit with a slew of Malware. There is no substantial profit to be made. Linux has a heavy server percentage and the exploits developed reflect that. Stating that it's harder to exploit a Linux system is utter drivel of the highest order. It's secure on the desktop due to its obscurity/low install base. As simple as that. On the server it needs proper care & attention to detail or you're open to all sorts of attack.

            So to be short. There is no profit in exploiting Linux Desktop users at this time. If the user base blew up so would the number of Malware kits produced for it.

            1. John Sanders
              Linux

              Re: The only use for java these days

              Exploiting a Linux workstation and installing a rootkit running as a regular user requires much more than a simple Java exploit.

              Most hacks that I have encountered in Linux follow only one pattern, the people using it are completely clueless.

              I have never faced an exploit on a Linux desktop, but I have been exploited by a 0-day vulnerability in Opera in Windows, thank god I never run as Admin and the little nasty only got to infect my profile.

              Seriously I have yet to face the same thing in Linux.

            2. John Sanders
              Linux

              Re: The only use for java these days

              "So to be short. There is no profit in exploiting Linux Desktop users at this time. If the user base blew up so would the number of Malware kits produced for it."

              I am eager to see Linux being exploited in this manner, I would love to see what the response will be from the technical community, the Linux crowd will not sit idle, as thankfully there is no inertia to overcome.

        5. Anonymous Coward

          Linux box had been rooted?

          > a friend of mine found that his broadband was running slowly because his Linux box had been rooted and was happily serving porn to the world ..

          Any idea how it got onto your friend's computer and how did it disable the firewall on his broadband modem?

          1. WatAWorld

            Re: Linux box had been rooted?

            First you're making an error assuming all broadband modems have firewalls, they don't.

            Secondly, something that can get through a hardware firewall to access Windows computers behind it can get through a hardware firewall to access Linux computers behind it.

          2. Anonymous Coward

            Re: Linux box had been rooted?

            A "broadband firewall" is just a NAT. It doesn't give you any protection whatsoever from malware that installs itself via booby-trapped websites or received in E-mail.

          3. Anonymous Coward

            Re: Linux box had been rooted?

            a java trojan and then upnp would do it on most home systems.

            Or rooted and then keylogged?

        6. vic 4
          FAIL

          Re: Java exploits don't only work on Windows

          True, the software would run on any machine with a suitable java runtime. However, most non-windows installations use sensible user permissions as default. Plus, the exploit code is going to be very OS specific so you'd need to have something explicitly targeting linux, osx, vms, ...

          "was happily serving porn to the world" Must have a really good broadband connection!

        7. P. Lee

          Re: The only use for java these days

          Yep, although I do wonder how he managed to get incoming tcp connections through the router firewall... oh wait, upnp... another fine invention for malware.

          We need something which is inherently less capable than java. You don't need to root a box if it can happily run a java web-server as a local user, or spend some time scanning your RPC services for exploits now or in the future or (I suspect is the most common) wait some time and then pretend to be a flash update requesting admin privileges to install.

          Linux is a good model with its repositories. No per-application update systems please. Flash should never ask to install updates, the system should keep a list of updates which the user can check (or silently install). How often have we seen "posing as a flash update"?

          I'd like to see further OS controls, especially for mobiles. Few applications need access to the internet, mostly they just need to talk to one domain. How about controls set during an installation which limit what an application can access? Should that be part of the standard application installation system? So the OS restricts flash to *.adobe.com for updates. Anything which wants wide or unusual internet access should be easily spotted. Hmm, why does that pack of emoticons need any outbound network connections, let alone access to the entire internet? How about path restrictions? Why not set the binary path and library requirements at installation and get the OS to prevent loading/execution of anything else?

    2. Anonymous Coward
      Headmaster

      Re: The only use for java these days

      I want to lynch the people who write malware.

      I have had to clean out systems in a way that the author has described before and I have a dim view of damage control and rebuilding systems from malware takeovers...

      The amount of shit and misery they cause in terms of people "tens of millions of years of people time, to fix up the shit" to billions of people many times over, over the decades - I think the sentence ought to be burning at the stake.

      Fuck them.

  2. Anonymous Coward
    FAIL

    Lets not just blame java here

    In how many other OS's could a virus get in through a NON privileged account yet not only hide itself all over the system but disable core services AND create a new friggin partition?? I think this demonstrates that despite what the Seattle snake oil salesmen have to say, Windows never was and never will be a serious OS and certainly not one fit for 24/7 use in a high availability corporate environment. Requiring anti virus in an OS is like putting rollers under a car because the wheels have been designed square.

    1. Colin Millar
      Mushroom

      Re: Lets not just blame java here

      Unfortunately for your prejudices this security flaw affects all versions of Java - if you don't believe me ask oracle.

      Try understanding something before you let the words fall out.

      1. Steve Crook

        Re: Lets not just blame java here

        I think he did. He was pointing out that it takes two to tango, and that while JITB is a high risk gamble, running an OS that apparently just lies down, rolls over and sticks its legs up in the air isn't actually going to help matters.

        Ironic that Java was originally intended to be a browser thing that was going to be the secure multi platform alternative to the evil that was (and still is) activeX. Finally, nice article and lots of useful information that I really hope I never have to use.

        At least malware authors are paying proper attention to version management :-)

        1. Colin Millar

          Re: Lets not just blame java here @ steve

          No he wasn't - he was windows bashing. And while windows might need a bash now and then it should really be for things that are wrong with windows. The supposed evil of Microsoft is nothing compared to the incompetent, irresponsible malware that is java. Windows can be done secure with the right amount of application - java cannot be done secure - on any OS - period.

          I really do feel sorry for anyone who has to maintain any system with a java reliant component.

          1. Anonymous Coward
            WTF?

            Re: Lets not just blame java here @ steve

            "And while windows might need a bash now and then it should really be for things that are wrong with windows."

            So allowing a browser plugin to execute privileged code from a non privileged account ISN'T a problem with the OS? Whose fault is it then, the magic malware pixie?? Jeez....

            1. Colin Millar

              Re: Lets not just blame java here

              Oh I don't know - maybe the person who configured the account to allow that to happen. I bet it's quite possible to get into lots of trouble running any OS if you don't know what you are doing.

              1. Anonymous Coward

                @Colin

                most Mac owners I know have even less clue about what they're doing than the average PC owner, so I think the OS must have something to do with it.

                1. WatAWorld

                  Re: @Colin

                  It is the restrictions on what will run on the OS, restrictions that the FTC will not allow Microsoft, as the major OS vendor, to follow because it would inhibit free trade.

              2. Leona A
                Angel

                Re: Lets not just blame java here

                Indeed, but if you do not know what you are doing with Windoze you get an account with Admin rights, if you do not know what you are doing in Linux you get a user account which doesn't give you any access to Admin privileges, thus such malware can not run.

                This Malware seems to do windozy type things, so it might well be possible to use the same java exploit on a Linux box, but it wouldn't do anything, it would not give the malware access to anything, so it would be plain useless.

                The 2 OS's work in totally different ways, windoze leaves everything open, Linux makes you open things, in which case you need to know what you are doing first!

                This is why Linux seems to have such a high learning curve, because it's not all done for you.

                I am sure there are viruses for Linux (though in my 10+ years experience, I've never seen one, only read about them being theoretically possible), but the system has to be compromised first to allow them to run.

                1. Anonymous Coward
                  Windows

                  @Leona

                  Your information is dated. On Windows XP users ended up with an admin aka root account, but Vista and Win7 have changed that behaviour quite heavily.

                  And let's please also not forget that during the times of XP Linux distributions didn't enforce users to create an account for themselves yet.

                  Quite frankly I also can't believe that you're actually thinking that the capability of locally running code on Linux would be a lesser problem than running code on Windows. Because that is assuming that there are no local root exploits - whatsoever - available on Linux right now. Can you be 100% positive of that? I don't think so...

                  Being able to run code locally, no matter what the platform is, is bad news. Whether this is on Windows, Linux, Mac or BSD*, the whole ordeal is bad and a huge security risk which needs to be addressed ASAP.
