Tuesday, September 4, 2012

Nasty Java malware is nasty

And by "nasty" I mean really nasty:
Zeroaccess is a nightmare. It creates a hidden partition to run components from, deletes the BITS and Windows Update services, infects system restore and then removes the system restore interface from Windows. It locks you out of various sections of your file system it has decided to secrete backup copies of itself into. (C:\Windows\Temp, C:\Windows\System32\Config\Systemprofile and so forth.)

Zeroaccess knows all the standard tricks; it hides itself from Trend Micro's virus scanner Housecall, kills industrial-strength bleach Combofix (attempting to run this tool will freeze the system), resists cleaning by SurfRight's Hitman Pro, Symantec's resident AV and so forth. If you delete the hidden partition after booting from a Linux Live CD, chances are you didn't get every last remnant of the thing and it will be back in due time. It also prevents remote support app Teamviewer from starting properly with Windows.

If any residue of the rootkit lingers, or if Sirefef and/or its downloaded friends remain, they will all download and reinstall one another and we get to play whack-a-malware one more time. Bonus points were awarded for exploiting known Windows 7 vulnerabilities to infect every other machine on the network; that was a nice touch that really made my Friday.
Anyone who's an IT admin needs to read this.  It's a bit hyperventilating, but there's a detailed description of the removal process.  Unfortunately, the process looks like it will take around an hour per Windows computer, and looks to be entirely manual (i.e. not scriptable).

I'm not sure what to say to those of you who are not IT admins.  You're very likely vulnerable as well; you may even have been infected.  I'd say that you should run Combofix - if it locks your system up, then you should do items 2-11 on the list, which won't be any fun.

I'd also recommend that you turn off Java in your browser, but likely most of the ubercool new "Cloud" services (Webex, Dropbox, maybe backup services) will all break.  I don't think that I have a good answer for what you should do - as I've said before, we may simply have lost the malware war.

What I will say is that if Combofix makes your system hang then you are infected.  DO NOT USE ONLINE BANKING UNDER ANY CIRCUMSTANCES IF THIS IS TRUE.
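A read-only check for two of the symptoms in the quoted write-up (the deleted BITS and Windows Update services, and being locked out of the listed directories) can be run before reaching for Combofix. This is an added example, not code from this post or from the quoted article; the function name `Test-QuotedSymptoms` is hypothetical, and the check assumes Windows lives under `%SystemRoot%` and that the session is elevated.

```powershell
# Added example: read-only triage for symptoms named in the quoted write-up.
# Test-QuotedSymptoms is a hypothetical name. A finding is a lead, not proof.
function Test-QuotedSymptoms {
    $findings = @()

    # Access-denied results only mean something from an elevated session.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $admin = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($admin)) {
        $findings += 'Not elevated: directory checks below are inconclusive'
    }

    # Symptom: BITS and Windows Update services deleted.
    # 'BITS' and 'wuauserv' are the stock Windows names for those services.
    foreach ($name in 'BITS', 'wuauserv') {
        if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) {
            $findings += "Service '$name' is not registered"
        }
    }

    # Symptom: locked out of directories the write-up lists.
    $dirs = @(
        (Join-Path $env:SystemRoot 'Temp'),
        (Join-Path $env:SystemRoot 'System32\Config\Systemprofile')
    )
    foreach ($dir in $dirs) {
        try {
            # Listing forces an access check; the listing itself is discarded.
            Get-ChildItem -LiteralPath $dir -Force -ErrorAction Stop | Out-Null
        }
        catch {
            $findings += "Cannot list '$dir': $($_.Exception.Message)"
        }
    }

    return $findings
}

$result = @(Test-QuotedSymptoms)
if ($result.Count -eq 0) {
    'None of the checked symptoms are present.'
} else {
    $result
}
```

A clean result does not rule out infection, since the write-up describes a rootkit that hides from scanners; it only means these particular symptoms are absent.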

If you want to do online banking, my recommendation is to follow these steps:
  1. Get an old PC with a (hard wired) Ethernet 10 Base-T interface.  You should be able to pick one up for small money on eBay, and may have one hanging around your house.
  2. Load Linux on it.  There are a bunch of distros out there; I run Ubuntu but a lot of folks don't like the new versions.  Pick one that is pretty minimalistic - all you need is web browser access.  This will be free.
  3. unetbootin will make a USB thumbdrive bootable.  Copy your Linux distro image to that, and boot your new/old computer from that.  Follow the steps to install.  Ubuntu is easy, but so are some others.
  4. Install Firefox on the Linux box.  It's modern, it's kept up to date very well, and it will be supported by your bank.
  5. IMPORTANT: Turn Java OFF in Firefox.
  6. IMPORTANT: ONLY do your online banking from this computer.  Do not EVER do online banking from another computer.
  7. Do not EVER do online banking from your smart phone.  Ever.  Don't make me want to change my tone.
The goal here is to separate your most critical assets (the password that gives you access to all your money) from your weakest defenses.  It's not quite an air gap (that would be even better, but you'd need another home router like a Linksys) - however, this will be a big upgrade in protecting your banking password.

The malware is very, very good, and online banking passwords are one of their top targets.  The malware authors are successful enough at getting these passwords that they are better funded than the antivirus companies.  Linux is not targeted as often, but it is targeted - this is why you should only use the Linux computer for banking, and nothing else.

I guess that this is a way of saying that we're in Condition Orange.  Sadly, I don't think that will change anytime soon.

UPDATE 4 September 2012 16:21: Just a clarification: most users will NOT want to try to use Combofix to clean their systems - Combofix is notoriously hard to use.  Rather, it's a diagnostic tool - if you run it and your system hangs, that tells you you're infected.  Note that if you try to do a lot with Combofix and you don't know what you're doing, you might brick your computer.

And in any case, I recommend a dedicated computer for doing online banking.  Linux will give you the lowest cost, and the smallest target (I don't think I've heard of a banking trojan targeting Linux).

But I don't like online banking.  Ees Online Bank.  Ees not safe.  And really really really don't ever use your phone to bank.  Really.


Erin Palette said...

Downloaded and ran ComboFix. It told me I needed to turn off my Antivirus program. That immediately triggered my "Bullshit, and fuck you" response.

chiefjaybob said...

Damn you, Borepatch. Damn you. The ONLY reason I bought a smart phone was to make deposits.

Borepatch said...

Erin, Combofix has a reputation as being above board. It's not simple to use, but it's not malware.

Chiefjaybob, sorry, but I just don't think it can be secured.

Angus McThag said...

We're going to tell our grandkids all about the amazing things we did with computers and they are going to call us crazy old coots because computers can no longer be connected to anything.

Anonymous said...

Off topic but...
Good shot for an old man.

Erin Palette said...

OK, on your recommendation I disabled my antivirus and ran the program.

Good news: Didn't lock up.

Indifferent news: Now I have a report I don't understand.

Bad news: Computer is now running noticeably slower, with much thrashing of hard drive.

Now what?

Jake (formerly Riposte3) said...

A couple of questions, from one who is geeky but not IT-level geeky. :)

1) "Turn Java OFF in Firefox." Does this include JavaScript? I know they are different-but-related-somehow, but does JavaScript create the same vulnerabilities?

2) "Do not EVER do online banking from your smart phone." On this I have to plead ignorance - what's the reasoning? (If you've covered it before, I've missed it.)

Borepatch said...

Erin, good that you didn't get a lock up. I would re-enable your antivirus and reboot. If it's still running like this, fire up the task manager (ctrl-alt-del, select Task Manager) and sort the processes by page faults. That will show which process is grinding your disk.

Jake, I did an update with a link to why you shouldn't bank from your phone.

Erin Palette said...

sort the processes by page faults

I have no idea what these words mean.

Ruth said...

Oh bleh, I've not run into this one yet. Does anyone know if Malwarebytes will spot this one?

....I knew there was a reason why I didn't get a degree in IT....but somehow everyone asks me to fix the damn things anyway.....

Rick C said...

BTW, ComboFix will NOT run under Windows 8 because they did stupid version-checking. ("sorry, we don't support windows 2000 any longer.") You must use compatibility mode to lie to it and let it think it's running Windows 7.

Rick C said...

Correction: the SOB will refuse to run in compatibility mode.

KurtP said...

-Downloaded ComboFix
-Installed ComboFix
-Turned off Avast (forgot malwareBytes)
-Ran ComboFix - after restarting came back as one bit of malware to be deleted

-FireFox, IE, Avast and everything else I tried to open had an error mssg saying a node was scheduled for deletion and do I want to delete this app?

-Restored to sometime last month and everything is back to normal.

Borepatch said...

Erin, that's actually not a bad topic for a post, but I'm pretty slammed right now. Rebooting is the right thing to do right away.

B322 said...

Any opinions as to whether Mac users are in danger from this thing? I'm turning off Java as soon as I can get my mouse working again, just to be on the safe side.

B322 said...

With a little research it looks like I'm probably safe from Zeroaccess. I did scan my computer and my wife's for Flashback, and they came up clean.

Jake (formerly Riposte3) said...

"Jake, I did an update with a link to why you shouldn't bank from your phone."

Thanks. I think you actually did that update while I was writing my comment! :)

I think I have balanced the convenience/risk equations on that to my satisfaction (YMMV, of course). My Android phone is pattern locked with 4+X points (with X being a number I won't reveal, for security reasons), USB debugging is set to "off" so it won't readily accept even physical connections, and the browser is set to not store passwords. On the bank side of things, my spending and bills accounts are separate, with an (admittedly small) emergency reserve kept in the bills account, so that even if one account is compromised (which has happened before), I'm not totally fsck'd (distributed assets - even if it's just two separate accounts at the same bank - is one of the better ways to secure your assets against criminals). As far as my home computer, I'm running Kubuntu linux, with the Java plugin disabled in Firefox - another risk balancing equation, there, needed for realtime account balancing.

I am still curious about the Java/JavaScript thing though, especially since I may need to take action at work - I'm the "office geek" that the bosses look to before they call in the contracted IT guy ("Hey, Jake, my computer's acting funny, can you take a look at it?").

Needless to say, I'll be emailing the paid IT guy in the morning, just in case he's not aware of this yet.

Anonymous said...

If this persists you will need to roll back your machine to the factory settings and reimage, which is why you will wish you had backups of everything and why you are about to spend an entire weekend rebuilding an XP machine that came with sp1. I already had java turned off in firefox; it doesn't save you at all. My machine died three weeks ago and it sounds like this was the cr*p that did it.

wolfwalker said...

Jake, regarding your first question: Javascript has NOTHING to do with Java, despite the similarity in names. JAVA is a genuine programming language, full powered, fully capable, that runs real full size programs on your computer and can do anything that any other program can do. JavaSCRIPT is a "client-side" scripting language that runs only in your browser and is strictly limited in what it can do. It can manipulate web pages and send data back and forth to the server, and that's all. It can't even read or write to files on your hard drive.

Borepatch, I downloaded and ran ComboFix after I first read this post. This in the quoted article:

"Zeroaccess ... kills industrial-strength bleach Combofix (attempting to run this tool will freeze the system)"

may be giving it too much credit. ComboFix's standard procedure includes setting a System Restore point, so its inability to run may be an unintended side effect of the malware's killing the System Restore function.

perfidy said...

I only run windows as a virtual machine. I did a clean install, and then made a snapshot. I save any files I need outside the windows file system. Every week or so, instead of firing up as normal I just revert to the snapshot. Guaranteed clean and virus free in two clicks.

lelnet said...

You forgot Step 8: Throw away that MS crap and install a real operating system on your regular computer too. :)

drjim said...

I've been running Linux since 1996.
And I'll keep on running it......