Friday, 18 March 2011

I hate Java Exploits/Malware

Another shitty day running that shitty Windows XP...
So maybe you guys are aware of how crappy Java has gotten lately. I'm not sure if it's due to Oracle's acquisition of Sun or whether someone is pissed at that omnipresent shitty Oracle logo. Now we have to deal with some pissed off employee or activist bent on destroying Java's reputation. Why so many exploitable bugs? You do some research on Google, you click on a spoof website and BANG... some exploit embedded in the HTML starts running in the background on your machine!!

Fortunately I've got ZoneAlarm Pro set to some extreme level. By that I mean I trust no software on my laptop (ok, just some, like OS processes, Firefox & Skype), but I don't trust Flash, Java, Adobe PDF, Apple Quicktime update, Winamp, Windows Media Player etc.... I don't mind running those apps but when it comes to granting them Internet access, I feel less at ease. Each time I quit Windows Media Player (WMP10), a setup executable (wm_setup?) got launched and it wanted Internet access. But why?? Is this Microsoft's way of knowing which videos I'm watching and how often? But don't worry MS, your snooping behavior and lack of support for popular codecs have meant my 100% shift to VLC media player.

As you can tell from the above, I'm very concerned with software that has a need to communicate with the Internet. Are they really looking for an update or are they sending gathered information to the mothership? E.T. go home?

I filter my friends in real life, so my question is why should my computer be a whore, letting programs run amok and access the Internet whenever they want? That's not right, it's just a disaster waiting to happen. I guess that's why I installed a bi-directional firewall and set it to make programs ASK for that Internet access. It's a pain to manage, especially when the anti-virus wants to get its update, but at least I know who is currently accessing the web. ZoneAlarm sucks at this as its real-time monitoring lags or fails to work. All I want is a console to grant or revoke Internet access and, at all times, I want to know which active program is using the web.

You may think that it's all a bit extreme, but think about your online life for one second. You access your eBay, Amazon, email etc... and bank online. Imagine that each time you do that, a background process records your activity and keystrokes and sends it back home (search: keylogger). This malware could have been sent to you by email or it could have been carried along with software you installed. How? Just think about web toolbars. You install some software and the next thing you know, an ugly Yahoo or Google toolbar is hanging on your browser. Such toolbars form part of the browser UI, therefore sit above the DOM and hence can snoop on whatever you're browsing or typing in the browser's window or tab.

As for the keylogger, you don't usually know it's there and in most cases it's because you don't have a bi-directional firewall installed. You thought your Wifi router's & Windows' own firewall were enough. That is only good for protection from outside attacks. How about programs on your computer that want to communicate with the outside world? That's why I'd recommend installing a bi-directional firewall. Using them properly is a learning curve (sadly most firewall makers are still in the dark ages of software development, i.e. they make their software unfriendly) and since it is software-based, the firewall will eat processing power off your CPU.

Your laptop/desktop will definitely be slowed down when you add such protection, esp. with an Anti-Virus running side-by-side. They will both consume a constant amount of CPU (i.e. leaving less for your other programs). Even though that's a shitty deal, there's nothing else you can do with that Windows garbage. Got to make it safe. And on that matter, I don't think Apple computers are as safe as people claim (i.e. you don't need an antivirus if you run Mac OS). My argument is that it's more likely that you simply don't know that you have a virus or spyware on your Mac... and you'd be a complete retard to believe Jobs or whoever tells you Apple is safe from viruses. It just hasn't happened yet or you are blessedly unaware that it's already there.


Back to the Java thingy...
The Java malware I encountered ran really fast and very "invisibly." As you know, the first thing a Java applet (not JavaScript) needs is the Virtual Machine. This runs on your computer and the first thing it does is contact the Sun/Oracle website. As soon as it does that, ZoneAlarm interrupts the process and asks me whether this access can be allowed. Nice. If I'm genuinely running a Java app from a website, then the answer is yes, but if it's some background thing running as part of a compromised webpage, then the answer is NO! This is the easy bit - denying communication with the Internet. The problem is the Java virtual machine. It is a program launched without your permission and it provides an environment to run the Java code. The code can be good or bad. Take a look at this snapshot:


Is this acceptable? Java code running a server in my web browser!?

I didn't know much about this type of vulnerability at first. I'd right-click on the Java Icon, bring up the Console and then frantically click a series of keys to kill the running code. Here are the keys I used:
s:   dump system and deployment properties
t:   dump thread list
v:   dump thread stack
x:   clear class-loader cache
l:   dump class-loader list
f:   finalize objects on finalization queue
g:   garbage collect

I don't know how much this helped. The console will gladly let you retype those keystrokes and produce the same debug information. I'd rather have "code no longer running" during the second round. Maybe the Console is a pure "caca" program.

The problem sometimes is not even having that Java Icon showing up in the "Notification Area" of the Taskbar. If it's not there then you won't even know if a Java application is running. If the icon is not there, then you can't right-click to bring up the Java Console. If this is your case, then you have to ask yourself: how many times did a malicious Java app run in your browser without your knowledge?

To get the Java Console to show up, you have to navigate your way to the Java settings in Control Panel and toggle the console to show. Riiiiiiiight, thanks for this shitty loophole Sun, I bet hackers are very thankful for that.

To have Java Console show up when code is being run, you need to navigate through this: Control Panel :: Java :: Advanced :: Java Console :: Show Console


Now, whenever a Java application (not JavaScript) is running from within a webpage or as a program on your computer, you'll see the white Java Console icon appear next to the clock (Notification Area of the Taskbar). When you close the webpage tab the console icon should "theoretically" disappear. Yes, I did put that word within quotes.

If your Internet Explorer or Firefox has been shittily programmed, then the malware code will have plenty of time to run, as the browser takes time to kill the Java virtual machine (& therefore console). It could be that the bastard code found an exploit to keep the virtual machine (VM) alive, so the browser is in a state of not knowing what to do. (The VM has been programmed in C or C++, so exploit heaven!)

Now it's important to set your firewall to have any Java.exe or Javaws.exe or variant program always ask for permission for web access. This way even if the Java malware is running and did something on your computer, it will be jailed on your computer (i.e. no Internet for it) and that situation will last until you kill all Java processes running within Task Manager. Either this or exit your browser or restart Windows (too drastic).

Killing Java processes from Windows Task Manager is easy!! As soon as you see the Java Icon appear in the "Notification Area" AND you know that this is something unexpected (i.e. you didn't browse a webpage that was specifically for running a Java maths or painting applet), then do this:
- CTRL+ALT+DEL or CTRL+SHIFT+ESC to bring up Task Manager.
- Click on the Processes Tab (arrange the processes by name if they're too messy) and locate any Java??.exe processes, right-click on the name and kill it!

Some weird thing in Hotmail...
Ok so the other day, I opened Hotmail. I normally give my Hotmail address to spammers and anonymous people I meet online. As the email pane was loading, the Java Icon appeared in my Taskbar's notification area. Soon after, ZoneAlarm was going crazy with web-access requests from Java (which I denied). I had never had an instance of Java being run within Hotmail, so I wasn't gonna break this tradition now. JavaScript yes, but not Java application code (big difference)! Soon after, Adobe Updater (adobeARM.exe) was launched. Now this sequence of events was too strange for me...

I know for a fact that I have those shitty Adobe updates OFF, but if Adobe repaired that then I have the Firewall to intercept its web-access request. My guess is this: "A bad email body or rogue online advert had a link to a Java applet in the body of their HTML. The link executed, the Java code was downloaded by the virtual machine (this is a very automatic process) and started running. Amongst unknown things it tried to run, it managed to open a PDF file in the background, and whenever PDF viewer renders a PDF file, its first call is to launch Adobe Update. The update executable was halted by the Firewall." What I will not know, though, is what Java code actually ran on my machine during this window of time.

We all know PDF has become synonymous with danger! Just do a search for zero-day PDF exploits and you should see lots of them [example]. So many actually that I wonder whether Adobe is even a reliable software company. They also make Flash, which is used everywhere, mostly for video and annoying online adverts (that suck up your CPU & RAM). Should I trust Flash given how dangerous PDF is? No way. Just run my videos, anything else dies.

The Hotmail story ended with me quickly killing those java??.exe processes in Task Manager.

More Java: I was uninstalling some stuff today...
Apparently Adobe came up with Adobe Reader X. It's supposed to open PDF files in a contained environment, so exploit code is jailed in it and can't harm your computer. Nice, right? ...but still, we wouldn't be in this situation if PDF Reader was well programmed and offered limited functionality, such as just read, scroll, zoom-in and print. But no, PDF Viewer had to give more than that, it had to increase the surface area of exploitable bugs in its API. It's like opening Pandora's box. They love it and we, customers, do the testing for it. Good thing car makers don't follow that development model.

Man I digress so much. I must be really pissed off. Anyway, so I go to uninstall the old PDF stuff, so anything with "Adobe & PDF" in it. I go to Add/Remove... obviously. As I check the whole list of installed programs, I find something interesting next to the Java programs:


How did KeyEventDemo, a Java applet, get into "Add Remove Programs?" I mean what the fuck man! And you can't uninstall it and I can't even find out when that thing was installed. Would be good to have a timeline so I could associate it with some software I installed or a webpage I visited (just do a history search in Firefox or IE) or if it's something I used 4 years ago.

Now I need to do something most Windows users are way too familiar with. Open Google and search for "removing programs from Add-Remove that can't be removed." I mean, that Windows XP must surely be one big lump of crap (and one that won't flush). Why offer an "Add Remove Program" service if some software on it is unremovable? I guess this is a common theme at Microsoft. Their level of programming is so bad that we get an "Add-Remove" service which can't remove everything it lists. 800-900 PhD level staff?? You guys should be ashamed of your work.

A tiny program from CNet called AddRemoveCleaner showed some more detail on the KeyEventDemo program, it's under Current User (so just my admin account):

The reason I was alarmed is that KeyEvent usually refers to keyboard events such as keystrokes and, if I'm right, this applet/program gets activated to capture, record & send off your keystrokes. Did it come by email, me visiting a website or me being too trusting with software I install? I can't tell. I rarely visit the "Add Remove Programs" corner so I'm a bit to blame. Anyway ESET Nod32 is supposed to alert me if a program is trying to sniff keystrokes. I think it's an option called "Potentially Unwanted Application." ZoneAlarm will tell you if a program is trying to record keystrokes.

The reason I don't visit Add/Remove is that I'm usually more preoccupied with ZoneAlarm Pro's program list these days. That list is where I can see if ZoneAlarm is being shitty and granting full web & server access to installed programs. ZoneAlarm trusts a list of software and so gives them full access, but what about me? What if I don't trust them? Like the Java case mentioned above! Java in most cases is a trusted program, but what if it's running exploit code, does the trust rule still apply? Is ZoneAlarm being stupid?

Lately, it has transformed itself into a useless firewall, a real porous sieve. Ever since the day I refused to upgrade my paid version to the latest "paid" version, I noted that the ZA firewall is not being a firewall. Why the fuck would it give Internet+Server+Send Mail access rights to anything I install? Just check the snapshot below: these Setup.exe files were given access-all-areas passes by ZoneAlarm. What the fuck?! Do they not know how dangerous Server rights are? This right alone will allow a rogue software to view my desktop and send commands to my computer.
Key:
- "?" = Prompt user if program wants access
- "" = Automatically allow program access
- "Access" = One-way communication to a website or IP-address (send data)
- "Server" = Two-way communication to a website or address (send data, receive instructions)
- "Send Mail" = Ability to send emails

Each time I get asked to update to the latest version of the paid version, I wonder... "It's a firewall for crying out loud, how much can it change? It's not like Antivirus updates." The only reason for an update in the firewall software is that ZA forgot to program something into it or left a bug, and therefore renders its old claims of being SECURE (when I bought my version) false.

Anyway I installed the new version and my system was slow. The virtual crap browsing was experimental to say the least. The whole thing was so unstable that I had to uninstall it using XP Safe Mode!! Yep, it was that extreme. If you have to resort to Safe Mode then clearly the program you purchased is equivalent to a pile of dung. Get a refund.

My problem now is that anything I install gets green-lighted for {Web, Server, Sendmail} rights by Zone Alarm. So now I got to monitor that program's list in ZA's "Program Control." What a fucked up world...

I was able to uninstall KeyEventDemo using that program from CNet; here's some extra information I gathered on it. Its registry location was:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\KeyEventDemo 

and contained:
It's a tutorial file, is it? How did this get into Add/Remove? Isn't that space reserved for installed software? This Windows allows really fishy things to happen. Just like those other user accounts I found the other day. They weren't visible under "Start::User Accounts::Home." but somehow they were there.

So on my machine, there's my Admin account, a backup Admin account and a Guest account. Three and that's it! However, when I opened the MS-DOS Command prompt (Start::Run, type CMD, hit Enter) and typed "net user" at the prompt, I saw two additional accounts. I totally didn't recognise them... weird looking accounts with some random numbers appended to them. How did they get there? Who created them? Why didn't they show up in "Start::User Accounts::Home?"

As usual, Windows users get on Google and do a search, right? I did mine on "how to remove user accounts using the net command." Got a hit, and it was pretty easy to delete those weird user accounts at the command prompt. Some digging on those account names revealed that they are either "Remote Desktop" accounts or "Help & Support" agent accounts.
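As an added example (not the post's own steps, and not a ZoneAlarm or CNet tool), here is a PowerShell 2.0 script that does the two checks above in one pass on XP SP3: it reads the Add/Remove list straight from the per-user Uninstall key where KeyEventDemo sat (and the machine-wide one), flagging entries with no publisher, no install date or no uninstall command, and then lists every local account that "net user" would show but that is not in a constructed list of the accounts you expect.

```powershell
# Added example, not from the post. Assumes PowerShell 2.0 on XP SP3, run as the affected user.
# Part 1: audit Add/Remove entries from the registry (HKCU first: that is where KeyEventDemo sat).
$uninstallRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)
$entries = $uninstallRoots | Where-Object { Test-Path $_ } | ForEach-Object {
    $root = $_
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $flags = @()
        if ($root -like 'HKCU:*')    { $flags += 'per-user entry' }
        if (-not $p.Publisher)       { $flags += 'no Publisher' }
        if (-not $p.InstallDate)     { $flags += 'no InstallDate' }
        if (-not $p.UninstallString) { $flags += 'no UninstallString (Add/Remove cannot remove it)' }
        New-Object PSObject -Property @{
            Key         = $_.PSChildName
            DisplayName = $p.DisplayName
            Publisher   = $p.Publisher
            InstallDate = $p.InstallDate   # yyyyMMdd, only when the installer bothered to write it
            Flags       = ($flags -join '; ')
        }
    }
}
"== Add/Remove entries worth a second look =="
$entries | Where-Object { $_.Flags } |
    Select-Object Key, DisplayName, Publisher, InstallDate, Flags |
    Sort-Object Key | Format-Table -AutoSize

# Part 2: local accounts that 'net user' shows but the User Accounts control panel hides.
# Constructed list: replace with your own admin, backup admin and Guest account names.
$expected = @('Administrator', 'BackupAdmin', 'Guest')
# Caveat: XP ships two hidden accounts of its own, HelpAssistant (Remote Assistance) and
# SUPPORT_388945a0 (Help and Support); they are normally disabled, so check Disabled before deleting.
"== Local accounts not in the expected list =="
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $expected -notcontains $_.Name } |
    Select-Object Name, Disabled, Description, SID | Format-Table -AutoSize
```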

Seems like the motto in the Windows world is: "Install & browse nothing if you want peace of mind." I can't wait for the revolution, someone to come up with a Windows killer. The farce has lasted far too long now and there are no consumer laws protecting customers who had Windows shoved down their throats. If Windows were a car, it'd be the most dangerous car of all time.

--New--
* Java BotNet Windows/Apple (attacker can even activate your webcam): http://www.net-security.org/malware_news.php?id=1714
