theymos (OP)
Administrator
Legendary
June 07, 2013, 07:42:02 PM
The Java applet on this page is somehow being used to take control of forum accounts. Exactly how does this work? Is it a 0-day Java exploit, or some inherent security weakness in Java? Is there anything that can be done on my end to stop it?
(Proceed with caution) zerohedge.us/Mark-Zuckerberg-talks-about-Bitcoin.htm
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
malevolent
can into space
Legendary
June 07, 2013, 07:50:32 PM
Are you 100% sure it is from this page? Very recently I also visited this page and was close to allowing it to run (at the same time also being logged in to this forum) because I have visited that site frequently in the past and thought it was 'legit'. Fortunately I restrained myself from running it. I will give it a try on a VM, though I'm not sure if it will work as it should.
Signature space available for rent.
theymos (OP)
Administrator
Legendary
June 07, 2013, 07:53:47 PM
That's not actually Zero Hedge. It's a phishing-type site.
Quote from: malevolent
Are you 100% sure it is from this page?
No.
escrow.ms
Legendary
June 07, 2013, 08:04:36 PM Last edit: June 07, 2013, 08:51:14 PM by escrow.ms
pekv2
June 07, 2013, 10:04:19 PM
Quote from: theymos
The Java applet on this page is somehow being used to take control of forum accounts. Exactly how does this work? Is it a 0-day Java exploit, or some inherent security weakness in Java? Is there anything that can be done on my end to stop it?
(Proceed with caution) zerohedge.us/Mark-Zuckerberg-talks-about-Bitcoin.htm
Make sure Java is off in the browsers. If nothing can be done on theymos' side, probably the best thing to do is put up an alert system here telling people to disable Java for browsers and/or completely remove Java. Because of Java's screw-ups, I've uninstalled that crap. Safer without it than with it.
MysteryMiner
Legendary
Death to enemies!
June 08, 2013, 03:20:50 AM
It looks like the Java applet is downloading and launching an executable file. I cannot test whether it is a 0-day exploit or "normal" behaviour of Java because I have fortified my Firefox (Java plugin disabled) but have not installed a VMware machine with everything left at defaults.
Seems that the .exe is stealing either cookies or saved logins or keylogging passwords. Theymos cannot do anything about it. The forum seems to be configured properly; the users' computers and brains might not be.
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
escrow.ms
Legendary
June 08, 2013, 03:29:23 AM
Quote from: MysteryMiner
It looks like the Java applet is downloading and launching an executable file. I cannot test whether it is a 0-day exploit or "normal" behaviour of Java because I have fortified my Firefox (Java plugin disabled) but have not installed a VMware machine with everything left at defaults.
Seems that the .exe is stealing either cookies or saved logins or keylogging passwords. Theymos cannot do anything about it. The forum seems to be configured properly; the users' computers and brains might not be.
Well, 0-day vulnerabilities are used only in costly exploit packs because they run the exe silently; this one was an advanced Java drive-by because it had the exe file link in the jar itself. I can't say anything about the exe because it seems like it has anti-sandbox/anti-VM enabled; that's why it's not showing any outgoing connections.
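The "exe file link in the jar itself" that escrow.ms and MysteryMiner describe is something an analyst can check statically: javac stores string literals in the class file's constant pool as plain UTF-8, so a hard-coded download URL is visible in the .class bytes without decompiling. The script below is an added example for this thread, not code posted here and not the actual BitcoinMeet.jar; the JAR it scans is constructed in memory and the URL inside it is a placeholder on a `.invalid` domain. A dropper that obfuscates or assembles its URL at runtime will not show up, so an empty result is not a clean bill of health.

```python
"""Static triage of a JAR for embedded download URLs.

Added example for the thread above, not code from the forum or from the
malicious applet.  The sample JAR is constructed in memory and the URL in
it is a placeholder (.invalid TLD), not the real one.
"""
import io
import re
import zipfile
from typing import Dict, List

# Conservative URL matcher for binary data; \w is ASCII-only in bytes patterns.
URL_RE = re.compile(rb"https?://[\w.\-/%?=&+~:]+", re.IGNORECASE)

# Suffixes that indicate a dropper fetching native code rather than a data file.
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".jar")


def find_urls_in_jar(jar_bytes: bytes) -> Dict[str, List[str]]:
    """Return {entry_name: sorted_urls} for every JAR entry containing an http(s) URL.

    javac stores string literals as CONSTANT_Utf8 entries, so a hard-coded
    download URL appears verbatim in the .class bytes.
    """
    hits: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})
            if urls:
                hits[info.filename] = urls
    return hits


def suspicious_urls(hits: Dict[str, List[str]]) -> List[str]:
    """Filter the URL inventory down to ones that point at executable payloads."""
    return sorted(
        url
        for urls in hits.values()
        for url in urls
        if url.lower().rstrip("/").endswith(EXEC_SUFFIXES)
    )


def build_sample_jar() -> bytes:
    """Constructed sample: a manifest plus a fake class blob holding two URLs.

    The class bytes are not a valid class file; only the constant-pool-style
    UTF-8 strings matter for this demonstration.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        fake_class = (
            b"\xca\xfe\xba\xbe\x00\x00\x00\x33"          # class magic + version
            + b"\x01\x00\x2chttp://malware.example.invalid/drop/update.exe"
            + b"\x01\x00\x17http://example.invalid/"      # benign-looking URL
        )
        zf.writestr("Loader.class", fake_class)
    return buf.getvalue()


if __name__ == "__main__":
    inventory = find_urls_in_jar(build_sample_jar())
    for entry, urls in inventory.items():
        print(entry)
        for url in urls:
            print("   ", url)
    print("payload URLs:", suspicious_urls(inventory))
```

Run against a real sample, replace `build_sample_jar()` with the bytes of the JAR under analysis, and treat any hit from `suspicious_urls` as a network indicator to block and hunt for, while keeping in mind that dynamic analysis is still needed for the anti-VM behaviour escrow.ms mentions.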
MysteryMiner
Legendary
Death to enemies!
June 08, 2013, 03:53:13 AM
0-days for Java are usually used to bypass the sandbox or code signature restrictions. Anyway, I consider it to be a lame exploit because many don't have Java installed or enabled. Compared to, let's say, Flash Player, whose 0-day exploit is likely to run code on almost every visitor.
theymos (OP)
Administrator
Legendary
June 08, 2013, 04:36:34 AM
Quote from: MysteryMiner
0-days for Java are usually used to bypass the sandbox or code signature restrictions. Anyway, I consider it to be a lame exploit because many don't have Java installed or enabled. Compared to, let's say, Flash Player, whose 0-day exploit is likely to run code on almost every visitor.
I've dealt with ~10 people who seem to have fallen victim to this exploit, and many more will have had their accounts compromised without my knowledge. Looks like Java is fairly widespread, even in the Bitcoin community. If this exploit can be used on bigger and more important sites, it seems like a pretty major Java weakness.
John (John K.)
Global Troll-buster and
Legendary
Away on an extended break
June 08, 2013, 04:37:47 AM
PS: Here's the .jar file itself if I'm not wrong - http://zerohedge.us/BitcoinMeet.jar [WARNING VIRUS/TROJAN/]
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
👻
June 08, 2013, 04:40:59 AM
Invalidate sessions if they come from a different IP range.
Matthew N. Wright
Untrustworthy
Hero Member
Hero VIP ultra official trusted super staff puppet
June 08, 2013, 08:03:15 AM
Quote from: TradeFortress
Invalidate sessions if they come from a different IP range.
That is elementary to security, but it won't happen here because this forum supports Tor usage.
escrow.ms
Legendary
June 08, 2013, 11:45:15 AM
Quote from: Matthew N. Wright
That is elementary to security, but it won't happen here because this forum supports Tor usage.
And VPN, etc., too.
MysteryMiner
Legendary
Death to enemies!
June 08, 2013, 07:17:21 PM
Quote from: TradeFortress
Invalidate sessions if they come from a different IP range.
Will not help. The user will type the password again and the .exe keylogger will intercept that password. The rest is obvious. I'm more interested in looking at the .exe. To me the .jar seems only like some sort of trojan-downloader that fetches the exe from a remote server and launches it. There is nothing that the forum owner can realistically do if the user's machine is infected by malware.
Matthew N. Wright
Untrustworthy
Hero Member
Hero VIP ultra official trusted super staff puppet
June 08, 2013, 07:20:38 PM
Quote from: TradeFortress
Invalidate sessions if they come from a different IP range.
Quote from: MysteryMiner
Will not help. The user will type the password again and the .exe keylogger will intercept that password. The rest is obvious. I'm more interested in looking at the .exe. To me the .jar seems only like some sort of trojan-downloader that fetches the exe from a remote server and launches it. There is nothing that the forum owner can realistically do if the user's machine is infected by malware.
The point would be to stop external logins. This of course, as you said, would not help *if* the infected computer was the one doing the controlling (remote control), and not just sending login credentials to an external site.
MysteryMiner
Legendary
Death to enemies!
June 08, 2013, 07:37:29 PM
Quote from: Matthew N. Wright
The point would be to stop external logins. This of course, as you said, would not help *if* the infected computer was the one doing the controlling (remote control), and not just sending login credentials to an external site.
It will hurt Tor users because their IP changes constantly. It will not stop the hacker if the .exe opens a SOCKS proxy on the infected computer (most new trojans do that). And even if it does not, the hacker can still log in from another IP when the victim is away.
Matthew N. Wright
Untrustworthy
Hero Member
Hero VIP ultra official trusted super staff puppet
June 08, 2013, 07:44:05 PM
Quote from: MysteryMiner
can log in from another IP when the victim is away.
This of course is the loophole in that solution. The person would literally need to DoS the forums by mashing F5 in order to keep another entity out (and in turn log themselves out in the process, giving a window of opportunity to the hacker). Not really the best solution for a forum, I suppose. PGP keys required for logging in might be smarter.
MysteryMiner
Legendary
Death to enemies!
June 08, 2013, 08:00:28 PM
Quote from: Matthew N. Wright
PGP keys required for logging in might be smarter.
And exactly what prevents the malware from stealing PGP keys from the computer and the passphrase to unlock them? Even keys stored on a smartcard are not bulletproof; the malware can intercept and modify the computer-smartcard communication. This will require additional programming but is not unrealistic. The server's job is to keep the forum accessible with proper credentials and keep the server side safe. The user's job is to keep his computer secure. This malware is targeting the user and the server cannot do anything about it.
rme
June 08, 2013, 08:18:36 PM
Google 2FA + invalidate session if IP or user agent changes (optional but activated by default).
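What TradeFortress and rme propose, and the limitation MysteryMiner points out, can be shown concretely. The following is an added example, not bitcointalk or SMF code: a session store that binds each session to the client's network (a /24 for IPv4 and a /64 for IPv6, both assumed values) and to its User-Agent string, destroys the session on a mismatch instead of merely rejecting the request, and lets a Tor or VPN user opt out of binding (rme's "optional but activated by default"). The last scenario in `demo()` is the one that matters for this thread: an attacker who already has a keylogged password simply logs in from his own IP and receives a fresh, valid session, so binding protects a stolen cookie, not a stolen credential.

```python
"""Session binding to client network and User-Agent.

Added example for the discussion above; not bitcointalk/SMF code.  The
prefix lengths (/24 and /64) and the per-user opt-out flag are assumptions.
"""
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Union

IPV4_PREFIX = 24   # assumed: "same IP range" for IPv4
IPV6_PREFIX = 64   # assumed: typical end-site allocation for IPv6

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def client_network(ip: str) -> Network:
    """Collapse a client address to the network the session will be bound to."""
    addr = ipaddress.ip_address(ip)
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


@dataclass
class Session:
    user: str
    network: Optional[Network]   # None when the user opted out of binding
    user_agent: str


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, ip: str, user_agent: str, bind: bool = True) -> str:
        """Issue a session token after the password (and 2FA, if any) was verified."""
        token = secrets.token_urlsafe(32)
        network = client_network(ip) if bind else None
        self._sessions[token] = Session(user, network, user_agent)
        return token

    def validate(self, token: str, ip: str, user_agent: str) -> Optional[str]:
        """Return the user for a valid session, or None.

        A mismatch destroys the session rather than just failing the request,
        so a cookie replayed from a different network cannot be retried.
        """
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if sess.network is not None:
            if ipaddress.ip_address(ip) not in sess.network or user_agent != sess.user_agent:
                del self._sessions[token]
                return None
        return sess.user


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenarios; all addresses are from documentation ranges."""
    store = SessionStore()
    ua = "Mozilla/5.0 Firefox/21.0"
    out: Dict[str, Optional[str]] = {}

    # 1. Same /24, same browser: the cookie keeps working.
    t = store.login("alice", "203.0.113.10", ua)
    out["same_range"] = store.validate(t, "203.0.113.77", ua)

    # 2. Cookie stolen and replayed from another network: killed on first use...
    out["stolen_cookie"] = store.validate(t, "198.51.100.5", ua)
    # ...and the legitimate owner is logged out too (the mash-F5 problem).
    out["owner_after_theft"] = store.validate(t, "203.0.113.10", ua)

    # 3. Same network, different User-Agent string.
    t2 = store.login("alice", "203.0.113.10", ua)
    out["ua_changed"] = store.validate(t2, "203.0.113.10", "curl/7.30")

    # 4. Tor user opted out of binding: exit nodes change, session survives.
    t3 = store.login("bob", "2001:db8:1::1", ua, bind=False)
    out["tor_user"] = store.validate(t3, "192.0.2.44", ua)

    # 5. Keylogged password: the attacker logs in fresh from his own IP and is
    #    indistinguishable from the owner on a new machine.  Binding cannot help.
    t4 = store.login("alice", "198.51.100.5", "Mozilla/5.0 Chrome/27")
    out["attacker_with_password"] = store.validate(t4, "198.51.100.5", "Mozilla/5.0 Chrome/27")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```

Scenario 5 is why rme's suggestion pairs binding with 2FA: a one-time code stops the password-only login, while binding alone only narrows what a stolen cookie is worth.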
MysteryMiner
Legendary
Death to enemies!
June 08, 2013, 08:58:48 PM
Quote from: rme
Google 2FA + invalidate session if IP or user agent changes (optional but activated by default).
This forum account is not that important to require two-factor authorization. Most that someone with the stolen account can do is post Hello.jpg everywhere (and sometimes even the original owner will do it) and social engineer other users.
Report of AV scan: http://virusscan.jotti.org/en/scanresult/847cdfd36a7fd35514f569396916e78e60464ef5
We see how "efficient" the antivirus software is compared to technical knowledge. And who makes an antivirus called CP Secure? Antivirus for pedophiles?