Brazilian Coders Are Pioneering the First Cross-OS Malware Using JAR Files
An anonymous reader writes: Criminal gangs in Brazil are experimenting with the first malware families that are packaged as JAR files, capable of being deployed to Windows, Linux, Mac, and even Android from the same codebase, instead of relying on 4 different versions. Right now, only the malware dropper, a component used to infect computers with banking trojans, seems to have been coded in Java, but security experts expect a full-blown banking trojan to soon follow.
That's it, I'm switching to CP/M (Score:5, Funny)
There's no Java for CP/M-Z80, so I'm safe from being targeted by cross-platform malware [or being targeted by applications in general].
Re: (Score:2)
So much for write once, run anywhere.
So using Java exactly what it was designed for? (Score:5, Informative)
Guess all those memories of viruses from the 80's containing executable code valid on multiple processors are all my fevered imagination. Who knew that the first cross-OS malware was definitely only being written now, in 2016, in Java.
Wait, no, just the dropper. Congrats guys, you've discovered a platform-independent way of opening a stream from somewhere on the internet and dumping it to a file. Definitely pushing the envelope of Java to do that, I mean it's not like it comes with any sockets or file API specifically designed for stuff like that.
Give me a break. I was hoping to hear about something actually creative, like PDF or jpeg with multiple exploits for common Windows/Mac/Linux viewers or decode libraries, that causes a jump into the appropriate shellcode for each platform depending on what it's viewed on. This story is a non-event.
Re:So using Java exactly what it was designed for? (Score:4, Interesting)
It is a bit of a stretch. There was a nice entry in the IOCCC a few years ago that was a program that was valid as a C program, a shell script, or a makefile. Running it as either a shell script or makefile would compile the C program, which would then print its output. There's been some interesting recent research involving isolating instructions that are NOPs on various architectures and writing exploit code that is a valid executable on both x86 and ARM (it doesn't have to be long, because you can encode a jump to the architecture-specific version in the portable code).
It's worth noting that this is even (almost) the official and documented way of writing a cross-architecture Windows binary: you have a little .NET stub that P/Invokes the native binary for the architecture that it detects.
Re: (Score:2)
I was thinking exactly this. Glad to hear that only now are we seeing a 'cross-platform' malware, and that the untold numbers of Excel macro viruses, Outlook exploits, PDF exploits, Flash exploits, etc. don't count. Only when you use Java to do something it was actually designed to do (as you described) do you become 'the first cross-platform malware.'
"First Cross-OS Malware Using JAR Files" (Score:5, Funny)
"First Cross-OS Malware Using JAR Files"
I used to have that one. It was developed by Sun, and called the Java plugin.
JAR capable of being deployed to Linux (Score:3, Insightful)
Re: (Score:1)
So many dell dracs so little time lol
Re: (Score:3)
"Press OK to enter our contest and win an iPhone 6/..."
Re: (Score:2)
>Dice employees used to be the lowest form of life
Used to be ?!??!?!
Re: (Score:2)
Well, they've sold /. so, presumably, they've moved up a notch.
Re: (Score:2)
I think of it more as /. getting a shot of penicillin actually.
Java: write once (Score:1)
"Java: write once, run anywhere"
Sorry, couldn't help.
First? (Score:4, Informative)
I don't think so.
http://virus.wikidot.com/esperanto
Like linux users needed (Score:2)
another reason to uninstall java.
Re: Like linux users needed (Score:2)
And guaranteed to be 50 times as long as it should have been. Deep inside java was a functional, elegant and readable OO language trying to get out. Its name was python.
Re: (Score:2)
> In Java's case, your code is automatically portable and can execute on any OS that has a JRE installed (write once, run anywhere).
Thanks for the laugh!!!
Re: (Score:2)
1) FS calls tend to be faster in Linux
2) FS paths are different if you are too stupid to use the abstraction API properly
3) One time a math function returned a different value. Turned out it was in the Wolfram .so file, which they patched.
I know the hate bandwagon is a tempting position when you're not too bright
Re: Like linux users needed (Score:2)
I don't have a thousand other reasons not to install C support. Also, unlike Java, C lets me run some actually useful programs.
New slogan (Score:2)
First? My ass... (Score:5, Informative)
2008: http://citeseerx.ist.psu.edu/v... [psu.edu]
2009: https://en.wikipedia.org/wiki/... [wikipedia.org]
2010: https://nakedsecurity.sophos.c... [sophos.com]
Look what some moron said about the same subject back in 2011:
http://www.developers.slashdot... [slashdot.org]
2012: https://www.intego.com/mac-sec... [intego.com]
2012: http://www.zdnet.com/article/c... [zdnet.com]
2012: http://www.infosecisland.com/b... [infosecisland.com]
etc., etc.
Re: (Score:2)
You'd think the OP never played Minecraft.
Smells like a difamatory campain to me... (Score:1)
Re: (Score:2)
In English it's "defamatory" and "campaign." My Spanish is bad, it's really shit.
Re: (Score:2)
Ah. You don't speak Portuguese! ;-)
Re: Smells like a difamatory campain to me... (Score:1)
Qubes and virtualisation (Score:2)
This is why OS architectures like Qubes are important. This is why Linux systems (and everything else) should work more like that. It is also why the principle of least authority needs to make its way out of textbooks and into real life. Malware like this can work because it is given permission to work. There is no reason things need to be that way, except for laziness of programmers.
Re: (Score:3)
This is why OS architectures like Qubes are important. This is why Linux systems (and everything else) should work more like that. It is also why the principle of least authority needs to make its way out of textbooks and into real life.
When something that sounds great in a textbook never makes it to real life, there's usually a pretty good reason.
Odd editorial tone. (Score:2)
Hardly the first jar based malware (Score:2)
Download some Minecraft mods, take a peek inside.
All the more insidious because generally it is children installing said mods.
Re: (Score:2)
What mods are you referring to? The mod community seems to be pretty safe overall from what I've seen.
Macs? Really? (Score:2)
Don't mind the little fact that Macs don't even come with Java pre-installed anymore.
Re: (Score:1)
Don't mind the little fact that Macs don't even come with Java pre-installed anymore.
Last time I checked neither do most other popular desktop operating systems. What's your point?
These people have never worked in web hosting (Score:2)
There are plenty of malware packages in PHP, Perl, Python, and Ruby that will search for vulnerable web apps, infiltrate a hosting account, then set up web-accessible shells written in the same languages and continue on to find more vulnerable apps and accounts.
JAR? For Android? Really? Which Browser (Score:2)
automatically converts and runs JRE files in Android?
I don't believe it.
If we assume they are written in Java... (Score:2)
If we assume they are written in Java... then certainly we can do some profiling... just look for people with less hair.
Re:Does anyone actually install a JRE any more? (Score:5, Interesting)
It wouldn't need to run as a browser plugin. The idea here is to use some other exploit to gain access and drop the .jar file onto the system, then run it as a regular local application. I suspect a lot of people have it because Oracle's made deals to have it included on the manufacturer's images, and those people don't have a clue what Java is or how to remove it so that's a problem.
I am, however, surprised it took them this long to come up with this idea. It's fairly standard on Unix systems, that's how cross-platform scripting of all sorts is done.
Re: (Score:1)
*cross-platform scripting* usually involves perl, sh or similar scripting language. There really is no need to use java for that. And no, it isn't standard at all. If I need java on a system for a new fancy software I always have to install it first. You get flash preinstalled more often than java.
It also isn't that hard to deploy a miniperl to provide a runtime on systems without built-in perl (aka windows).
Re: (Score:2)
Or in Ruby, or Python, or any number of other languages. Java's just another entry in the list here. Frankly I'd've expected the first cross-platform malware to be in Perl, and to have shown up at least 10 years ago. I'm not sure AV tools would even recognize a Perl program as malware...
Re: (Score:3)
The idea here is to use some other exploit to gain access and drop the .jar file onto the system, then run it as a regular local application.
If malware gains local application code execution, then the target user is pretty much farked anyways -- the language used is irrelevant.
Re: (Score:1)
Ah, but if the malware needs a Java Runtime Environment then it can just install that, too. :)
The bigger question, though, is whether being the language of choice for writing malware is a plus or a minus for a language. I mean, let's say someone writes some very clever malware in C. Does that mean that C is a powerful and expressive language? Or does it mean that C is the devil?
Well, that's a bad analogy because we already know that C is the devil. But you get the picture.
Re:Does anyone actually install a JRE any more? (Score:5, Funny)
Well, that's a bad analogy because we already know that C is the devil. But you get the picture.
Well, any reasonably skilled programmer has several deals with the devil, and for about half of them the devil feels he got the short end of the stick.
My comments are usually ascii pentagrams, but they only show with a tabsize of 4.
Re: (Score:1)
tl;dr: nearly all banks require jre here.
As a Brazilian, I must say: a LOT of lazy coders rely on Java for everything.
I am not bashing Java, I mean relying on it for EVERYTHING.
(Even in my CS degree some teachers were promoting Java as the only language you will ever use, forever.)
To make things worse, they usually write very sloppy code that even relies on older, vulnerable and discontinued JRE versions.
(not kidding, the government is the main culprit and even run critical web stuff that still require i
Re: (Score:2)
Anyone interested in arduino for starters?
Re: (Score:1)
That is why I hate the git that made Minecraft: after years of watching Java die on the desktop, here comes this twerp who makes an insanely popular game in Java and BAM! Piles of shitty Java installs cropping up everywhere.
How about just how fucking incompetent a game programmer he is? There are at least three clones of minecraft which are more technically competent. They don't punch your computer in the nuts half as hard. It's a good thing he got rich on minecraft because he sure didn't have a second chance
Re: (Score:2)
Yeah, he is so incompetent that he got the idea to execution first and a billion on the way. You're just jealous.
He wasn't the first to get the idea into a game, though. He was the first to make it popular. Sadly, popular and good are orthogonal axes on the chart.
Re: (Score:2)
You're kidding, right?
Re: (Score:1)
Almost every smart phone does.
Almost every smart phone, except for Android and iPhone where the JRE isn't available at all...
Re: (Score:1)
They still have JVMs
No they don't. All of the "JVM" stuff for iOS runs on the development machine and does static translation to native code.
(Android even moved BACK to Oracle's and ditched Dalvik)
No they didn't. They ditched the Harmony project and started using the OpenJDK libraries.
The VM itself is still Dalvik, only instead of going right from Dalvik opcodes to native code it goes Dalvik->LLVM->native code.
Android does not and has never supported java bytecode. You must recompile java bytecode to dalvik bytecode on your development ahead of time. Just like if you want to us
Re: (Score:2)
Does anyone actually install a JRE any more?
Yeah, I didn't think it was very many.
Yes, lots of people install JREs.
The browser plugin isn't used much anymore, but there's lots of applications that use Java on a desktop (and lots, lots more that use it on servers, but I'll leave them alone for now.)
Some that come to mind are Minecraft, Eclipse (and a bunch of other programming IDEs and tools), Roboforge, OpenOffice, Vuze, Runescape, FreeCol, JOSM, Genj ...
Re: (Score:2)
Hell, I haven't had Java installed in years, maybe a decade.
It was of limited use and screwed up other stuff, and it made my PC slow to a crawl.