Bitcoin Forum
Author Topic: How does this Java exploit work?  (Read 2648 times)
theymos (OP)
Administrator
June 07, 2013, 07:42:02 PM
#1

The Java applet on this page is somehow being used to take control of forum accounts. Exactly how does this work? Is it a 0-day Java exploit, or some inherent security weakness in Java? Is there anything that can be done on my end to stop it?

(Proceed with caution) zerohedge.us/Mark-Zuckerberg-talks-about-Bitcoin.htm

malevolent
June 07, 2013, 07:50:32 PM
#2

Are you 100% sure it is from this page? Very recently I also visited this page and was close to allowing it to run (at the same time also being logged in to this forum) because I have visited that site frequently in the past and thought it was 'legit'. Fortunately I restrained myself from running it :P

I will give it a try on a vm, though not sure if it will work as it should.

theymos (OP)
Administrator
June 07, 2013, 07:53:47 PM
#3

That's not actually Zero Hedge. It's a phishing-type site.

Quote from: malevolent
Are you 100% sure it is from this page?

No.

escrow.ms
June 07, 2013, 08:04:36 PM
Last edit: June 07, 2013, 08:51:14 PM by escrow.ms
#4

Normal Java drive-by, nothing else. Probably FUD.

<html>
  <!-- the whole "page" is just an applet tag that pulls in the jar -->
  <applet width='500' height='500' code="BitcoinMeet.class" archive="BitcoinMeet.jar"> </applet>
</html>

edit: it's FUD https://www.virustotal.com/en/file/39b5ed1833ac72f79fb042f5fadf3c2352605b3c8cb58842114e77289f033cb8/analysis/1370635717/

and not a normal one. I have reported the site to Google Safe Browsing.

http://www.google.com/safebrowsing/report_badware/

Please report..^

Edit: It's downloading a file from here

Warning INFECTED FILE
https://v-panel.info/userAccounts/blackapples/AdobeUpdates DOT exe

Scan: 5/47
https://www.virustotal.com/en/file/79c4e1fa564ba5075fe15b6131202e16631cb1151708d337d2a0455bdbb882ab/analysis/1370636620/
https://malwr.com/analysis/YjAwYjE2MjIzN2Y1NDExYmIyOGRiYzcwZDBlODY0YjE/


You can see at https://v-panel.info/ that this site provides these malicious Java applets for only $20 XD

More info about v-panel:
http://www.hackforums.net/archive/index.php/thread-3413390.html
http://blackhatcrackers.blogspot.in/2013/05/java-drive-by-advanced.html
pekv2
June 07, 2013, 10:04:19 PM
#5

Quote from: theymos
The Java applet on this page is somehow being used to take control of forum accounts. Exactly how does this work? Is it a 0-day Java exploit, or some inherent security weakness in Java? Is there anything that can be done on my end to stop it?

(Proceed with caution) zerohedge.us/Mark-Zuckerberg-talks-about-Bitcoin.htm

Make sure Java is off in the browsers.

If nothing can be done on theymos's side, probably the best thing to do is put up an alert system here to disable Java for browsers and/or completely remove Java. Because of Java's screw-ups, I've uninstalled that crap. Safer without it than with it.
MysteryMiner
June 08, 2013, 03:20:50 AM
#6

It looks like a Java applet downloading and launching the executable file. I cannot test whether it is a 0-day exploit or "normal" behavior of Java because I have fortified my Firefox (Java plugin disabled) and have not installed a VMware machine with everything left at defaults.

It seems that the .exe is stealing either cookies or saved logins, or keylogging passwords. Theymos cannot do anything about it. The forum seems to be configured properly; the users' computers and brains might not be.

escrow.ms
June 08, 2013, 03:29:23 AM
#7

Quote from: MysteryMiner
It looks like a Java applet downloading and launching the executable file. I cannot test whether it is a 0-day exploit or "normal" behavior of Java because I have fortified my Firefox (Java plugin disabled) and have not installed a VMware machine with everything left at defaults.

It seems that the .exe is stealing either cookies or saved logins, or keylogging passwords. Theymos cannot do anything about it. The forum seems to be configured properly; the users' computers and brains might not be.


Well, 0-day vulnerabilities are used only in costly exploit packs because they run the exe silently; this one was an advanced Java drive-by because it had the exe file link in the jar itself.

I can't say anything about the exe because it seems like it has anti-sandbox/anti-VM enabled; that's why it's not showing any outgoing connections.
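The triage a practitioner would run on a JAR like the one behind the applet tag in #4 before letting it anywhere near a JVM, given escrow.ms's observation in #7 that the download link of the exe is carried inside the jar itself. This is an added Python example, not code from the thread, from BitcoinMeet.jar, or from v-panel. Compiled class files keep their constant pool (class names, method names, string literals) as plain modified UTF-8, so a strings-style scan of every entry in the JAR recovers an embedded payload URL and the fetch/write/launch API names a downloader needs without writing a class-file parser. The sample JAR, its stand-in class blob and the example.invalid URL are constructed here; the real jar is not included.

```python
"""Static triage of an applet JAR for drive-by dropper indicators.

Added example, not code from the thread. Class files keep their constant-pool
strings as (modified) UTF-8, so a printable-string scan of every JAR entry
recovers URLs and API names without a full class-file parser.
"""
import io
import re
import zipfile

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d+)?(?:/[\w.\-/%?=&~]*)?")
# Extensions a Windows dropper typically fetches and launches.
PAYLOAD_EXT_RE = re.compile(rb"\.(?:exe|scr|bat|cmd|vbs|msi)$", re.IGNORECASE)

# The three stages of a classic downloader: fetch, write to disk, launch.
STAGE_APIS = {
    "download": (b"java/net/URL", b"java/net/URLConnection", b"java/net/HttpURLConnection"),
    "write": (b"java/io/FileOutputStream", b"java/nio/file/Files"),
    "exec": (b"java/lang/Runtime", b"java/lang/ProcessBuilder", b"java/awt/Desktop"),
}
# Signature block files: a signed applet gets the "run with full permissions" prompt.
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF")


def triage_jar(jar_bytes: bytes) -> dict:
    """Scan every entry of a JAR (a zip) and summarise dropper indicators."""
    urls, stages, classes, signed = set(), set(), [], False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                signed = True
            if name.endswith(".class"):
                classes.append(name)
            for s in PRINTABLE_RE.findall(data):
                urls.update(m.decode("ascii") for m in URL_RE.findall(s))
                for stage, apis in STAGE_APIS.items():
                    if any(api in s for api in apis):
                        stages.add(stage)
    payload_urls = [u for u in urls if PAYLOAD_EXT_RE.search(u.encode())]
    if payload_urls and {"download", "exec"} <= stages:
        verdict = "likely-dropper"   # has a payload URL and can both fetch and run it
    elif urls and stages:
        verdict = "suspicious"       # network or exec APIs next to an embedded URL
    else:
        verdict = "clean"            # no dropper indicators found by this scan
    return {
        "classes": classes,
        "signed": signed,
        "urls": sorted(urls),
        "payload_urls": sorted(payload_urls),
        "stages": sorted(stages),
        "verdict": verdict,
    }


def _fake_class(pool_strings) -> bytes:
    """Stand-in for a compiled class: magic, version, then CONSTANT_Utf8 entries
    (tag 0x01, 2-byte length, bytes). Constructed for this example; real javac
    output scans the same way."""
    body = b"".join(b"\x01" + len(s).to_bytes(2, "big") + s for s in pool_strings)
    return b"\xca\xfe\xba\xbe\x00\x00\x00\x32" + body


def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_dropper_jar() -> bytes:
    """Unsigned applet whose class carries the payload URL (assumed, not the thread's)."""
    return _jar({"Applet.class": _fake_class([
        b"java/applet/Applet", b"java/net/URL", b"openStream",
        b"java/io/FileOutputStream", b"java/lang/Runtime", b"exec",
        b"https://example.invalid/updates/AdobeUpdates.exe", b"java.io.tmpdir",
    ])})


def build_benign_jar() -> bytes:
    """Applet that only draws: no network, file or process APIs in its pool."""
    return _jar({"Hello.class": _fake_class([
        b"java/applet/Applet", b"java/awt/Graphics", b"drawString", b"Hello",
    ])})


if __name__ == "__main__":
    for label, jar in (("dropper", build_sample_dropper_jar()), ("benign", build_benign_jar())):
        print(label, triage_jar(jar))
```

Run it against a real sample with `triage_jar(open("suspect.jar", "rb").read())` on an offline analysis box. The scan is deliberately static: it never loads a class, so an anti-VM or anti-sandbox check in the payload (the reason escrow.ms saw no outgoing connections) cannot hide the URL that is sitting in the constant pool.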
MysteryMiner
June 08, 2013, 03:53:13 AM
#8

0-days for Java are usually used to bypass the sandbox or code-signature restrictions. Anyway, I consider it to be a lame exploit because many don't have Java installed or enabled, compared to, let's say, Flash Player, whose 0-day exploits are likely to run code on almost every visitor.

theymos (OP)
Administrator
June 08, 2013, 04:36:34 AM
#9

Quote from: MysteryMiner
0-days for Java are usually used to bypass the sandbox or code-signature restrictions. Anyway, I consider it to be a lame exploit because many don't have Java installed or enabled, compared to, let's say, Flash Player, whose 0-day exploits are likely to run code on almost every visitor.

I've dealt with ~10 people who seem to have fallen victim to this exploit, and many more will have had their accounts compromised without my knowledge. Looks like Java is fairly widespread, even in the Bitcoin community. If this exploit can be used on bigger and more important sites, it seems like a pretty major Java weakness.

John (John K.)
June 08, 2013, 04:37:47 AM
#10

PS: Here's the .jar file itself if I'm not wrong - http://zerohedge.us/BitcoinMeet.jar [WARNING VIRUS/TROJAN/]
🏰 TradeFortress 🏰
June 08, 2013, 04:40:59 AM
#11

Invalidate sessions if they come from a different IP range.
Matthew N. Wright
June 08, 2013, 08:03:15 AM
#12

Quote from: TradeFortress
Invalidate sessions if they come from a different IP range.

That is elementary to security, but it won't happen here because this forum supports Tor usage.

escrow.ms
June 08, 2013, 11:45:15 AM
#13


Quote from: Matthew N. Wright
That is elementary to security, but it won't happen here because this forum supports Tor usage.

and VPN etc. too.
MysteryMiner
June 08, 2013, 07:17:21 PM
#14

Quote from: TradeFortress
Invalidate sessions if they come from a different IP range.

Will not help. The user will type the password again and the .exe keylogger will intercept that password. The rest is obvious.

I'm more interested in looking at the .exe. To me the .jar seems to be only some sort of trojan-downloader that fetches the exe from a remote server and launches it.

There is nothing that the forum owner can realistically do if the user's machine is infected by malware.

Matthew N. Wright
June 08, 2013, 07:20:38 PM
#15

Quote from: MysteryMiner
Quote from: TradeFortress
Invalidate sessions if they come from a different IP range.

Will not help. The user will type the password again and the .exe keylogger will intercept that password. The rest is obvious.

I'm more interested in looking at the .exe. To me the .jar seems to be only some sort of trojan-downloader that fetches the exe from a remote server and launches it.

There is nothing that the forum owner can realistically do if the user's machine is infected by malware.

The point would be to stop external logins. This of course, as you said, would not help *if* the infected computer was the one doing the controlling (remote control), and not just sending login credentials to an external site.

MysteryMiner
June 08, 2013, 07:37:29 PM
#16


Quote from: Matthew N. Wright
The point would be to stop external logins. This of course, as you said, would not help *if* the infected computer was the one doing the controlling (remote control), and not just sending login credentials to an external site.

It will hurt Tor users because their IP changes constantly. It will not stop the hacker if the .exe opens a SOCKS proxy on the infected computer (most new trojans do that). And even if it does not, the hacker can still log in from another IP when the victim is away.

Matthew N. Wright
June 08, 2013, 07:44:05 PM
#17

Quote from: MysteryMiner
... the hacker can still log in from another IP when the victim is away.

This of course is the loophole in that solution. The person would literally need to DoS the forums by mashing F5 in order to keep another entity out (and in turn log themselves out in the process, giving a window of opportunity to the hacker).

Not really the best solution for a forum I suppose. PGP keys required for logging in might be smarter.

MysteryMiner
June 08, 2013, 08:00:28 PM
#18

Quote from: Matthew N. Wright
PGP keys required for logging in might be smarter.

And exactly what prevents the malware from stealing the PGP keys from the computer and the passphrase to unlock them? Even keys stored on a smartcard are not bulletproof; the malware can intercept and modify the computer-smartcard communication. This will require additional programming but is not unrealistic.

The server's job is to keep the forum accessible with proper credentials and keep it safe on the server side. The user's job is to keep his computer secure. This malware is targeting the user, and the server cannot do anything about it.

rme
June 08, 2013, 08:18:36 PM
#19

Google 2FA + Invalidate session if ip or user agent changes (optional but activated by default).
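The control TradeFortress proposes in #11 and rme refines in #19 (invalidate the session when the client's IP range or user agent changes), written out together with the two objections raised against it in #14 through #17: Tor users rotate exits and get logged out, and a keylogged password lets the attacker simply log in fresh, so the binding never trips. This is an added Python example, not the forum's own (SMF) code. The /24 and /64 binding widths, the addresses (RFC 5737 and RFC 3849 documentation ranges), the user-agent strings and the scenario names are all assumptions made for the illustration.

```python
"""Session-to-client binding as proposed in the thread, plus its failure modes.

Added example, not the forum's code. Binding widths and all addresses are
assumptions; the scenarios are constructed traffic, not captured requests.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def bind_network(ip: str) -> Network:
    """Bind to a range rather than an exact address so DHCP churn inside one
    ISP pool does not log the user out (the /24 and /64 widths are an assumed policy)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


@dataclass
class Session:
    user: str
    network: Network
    user_agent: str
    valid: bool = True


def create_session(user: str, ip: str, user_agent: str) -> Session:
    """Login succeeded (password, or password plus 2FA): remember where from."""
    return Session(user, bind_network(ip), user_agent)


def check_request(session: Session, ip: str, user_agent: str) -> Tuple[bool, str]:
    """Reject and kill the session on any mismatch, so a copied cookie is
    useless from another network or another client."""
    if not session.valid:
        return False, "session already invalidated"
    if ipaddress.ip_address(ip) not in session.network:
        session.valid = False
        return False, "ip range changed"
    if user_agent != session.user_agent:
        session.valid = False
        return False, "user-agent changed"
    return True, "ok"


def run_scenarios() -> dict:
    """Constructed traffic; every address is from a documentation range."""
    ua = "Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0"
    results = {}

    # Same user, another address in the same /24: allowed.
    s = create_session("alice", "198.51.100.7", ua)
    results["same_network"] = check_request(s, "198.51.100.9", ua)

    # Stolen cookie replayed from the attacker's network: blocked.
    s = create_session("alice", "198.51.100.7", ua)
    results["stolen_cookie_other_network"] = check_request(s, "203.0.113.5", ua)

    # Stolen cookie replayed via the victim's network but a different client: blocked.
    s = create_session("alice", "198.51.100.7", ua)
    results["stolen_cookie_other_client"] = check_request(s, "198.51.100.7", "curl/7.30.0")

    # Tor user whose circuit rotated to another exit: wrongly blocked (the #16 objection).
    s = create_session("bob", "192.0.2.10", ua)
    results["tor_exit_rotation"] = check_request(s, "203.0.113.77", ua)

    # Keylogged password: the attacker logs in fresh, so the binding is created
    # from the attacker's own address and never trips (the #14 objection).
    s = create_session("alice", "203.0.113.5", "attacker-browser/1.0")
    results["keylogged_password_fresh_login"] = check_request(s, "203.0.113.5", "attacker-browser/1.0")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The last two scenarios are the point of the thread's disagreement: the binding only defeats cookie theft, which is why rme pairs it with 2FA (stopping the fresh login) and why Matthew suggests making it optional for Tor users rather than forcing it on everyone.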
MysteryMiner
June 08, 2013, 08:58:48 PM
#20

Quote from: rme
Google 2FA + Invalidate session if ip or user agent changes (optional but activated by default).

This forum account is not that important to require two-factor authorization. The most that one with the stolen account can do is post Hello.jpg everywhere (and sometimes even the original owner will do it) and social-engineer other users.

report of AV scan: http://virusscan.jotti.org/en/scanresult/847cdfd36a7fd35514f569396916e78e60464ef5

We see how "efficient" the antivirus software is compared to technical knowledge.

And who makes antivirus called CP Secure? Antivirus for pedophiles?
