Aces High Bulletin Board
General Forums => Hardware and Software => Topic started by: Skuzzy on April 15, 2010, 06:54:44 AM
-
I know many of you allow Java to run freely on your browsers, and those who use Firefox think they are bullet-proof, so I thought I would give you a heads up about a potential problem you might have (http://blogs.zdnet.com/security/?p=6161&tag=col1;post-6161).
-
Thanks for the heads-up :salute
-
Yikes, glad I don't have java....just what I need is another stupid infection. Getting tired of reformatting. :)
Thanks for the heads up Skuzz.
-
Disabling the Java plugin is not sufficient to prevent exploitation, as the toolkit is installed independently.
:uhoh
-
I spent some time 2 days ago on this, and I found:
a) Our current installation of Eset's Nod32 (EAVBE, 4.2.40.0) quarantines the sample script - so I'd like to presume that it would protect you from an attempt to exploit - and I would like to assume that the retail version would too, although I didn't test it.
b) NoScript (with Firefox) will mitigate this, in that you have to enable scripting from the exploitive web site before it can run
c) removing npdeploykt.dll (or replacing it with another innocuous dll, which is what I did administratively to all of the workstations at work) prevents the exploit from deploying.
Also, I noticed that Java has released a new patch release (6.20) overnight - I'd like to assume that this is fixed, but haven't had time to confirm that.
<S>
Guy
-
Oh Yippee.
-
fun fun :banana: thanks for the heads up :aok
-
"The main lure so far seems to be a song lyrics publishing site, with Rihanna, Usher, Lady Gaga and Miley Cyrus being used, among others."
good thing I know their lyrics by heart :)
j/k
thanks
Skuzzy
-
Somehow I can't picture Skuzzy listening to Lady Gaga..
:lol
-
Lady Gaga!? Oh no, the wife's computer will be locked up in no time. :uhoh
Wait, that's a good thing. :D
-
Somehow I can't picture Skuzzy listening to Lady Gaga..
:lol
Not with the sound turned up anyway :D
-
OK, where's a site? I'm willing to play guinea pig.
My daughter has gotten me to get pretty good at getting rid of these bastages.
BTW Facebook users: beware of ads on Facebook, as some have recently been known to carry that Windows security Trojan.
If you're using Firefox I suggest adding AdBlock as well as NoScript.
-
Thanks for the warning, Skuzzy. I doubt it, yet out of general curiosity, does this exploit manage to unload onto Linux systems?
-
It affects all versions of Sun's Java runtime, regardless of the OS. However, the chances of the malware/spyware program being able to run on a Linux box are pretty low, as virtually all these types of programs are written for Windows.
-
"The main lure so far seems to be a song lyrics publishing site, with Rihanna, Usher, Lady Gaga and Miley Cyrus being used, among others."
good thing I know their lyrics by heart :)
j/k
thanks
Skuzzy
Wow....the artists with the most "issues"...how coincidental. Lady Gaga is a trainwreck that only lacks a place to happen...and somehow I can't see Miley Cyrus's "Greatest Hits" on Skuzzy's iPod...lol
V/r
Changeup
PS - If I knew any of their lyrics I would kick my own ass....Go buy some CRUE!!! lmao
-
It affects all versions of Sun's Java runtime, regardless of the OS. However, the chances of the malware/spyware program being able to run on a Linux box are pretty low, as virtually all these types of programs are written for Windows.
Thanks for the clarification.
-
Yep, I got it... of all things by looking at a webcomic that I've been a fan of for ages. :(
I'm having Kaspersky clean the bugger out.
-
Guess it's so new Kaspersky didn't squash it.
Still, the bugger can't hide.
I got this from an ad banner (which I didn't click.. apparently it loads with the banner image on whatever website you happen to be on).
It starts in the system processes (Ctrl-Alt-Del, Processes) under 'rundll32'
once it loads it becomes
awwhbbdtssd.exe
and it starts popping up messages above the clock with icons that look like the native windows antivirus system (yellow shield with !) telling you that WINDOWS has detected a trojan infection and to activate your AV.
No matter what you do, the system will refuse to load any programs.. not the antivirus, not the browser.. nothing. It will tell you the .exe file associated with the program is infected ... doing Ctrl-Alt-Del will briefly launch the task manager.. then it gets blocked saying tskmngr.exe is infected (lol!)
It does not load itself in Windows safe mode...but antivirus programs won't catch it there either.
The only way to block it is to stop the rundll file process as Windows starts by doing Ctrl-Alt-Del while Windows is just starting to load...
then you can use Windows.
msconfig will show the awwhbbdtssd.exe as a startup program ... and that's where you'll find the folder it's hiding in.
in my case it was hiding in 2 locations. on the desktop under:
kaka://c:\documents and settings\administrator\local setings\application data\asojkhanw\awwhbbdtssd.exe/netalert.htm
and of course,
c:\documents and settings\administrator\local setings\application data\asojkhanw\awwhbbdtssd.exe
killed the entire asojkhanw folder, cleaned all cookies, temp files, history, did an extra deep scan with 2 antivirus programs I had..
rebooted one last time..
and its gone.
at least... it's not blocking my PC anymore nor popping up messages.
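An added example, not from this thread or any poster: a small triage script that looks at startup entries the way you would in msconfig and flags the pattern described above (an executable with a gibberish name sitting in a per-user Application Data folder, or rundll32 loading a DLL from such a folder). The entries are constructed samples; the hypothetical names and paths are not real indicators.

```python
# Added example: heuristic triage of msconfig-style startup entries.
# SAMPLE_ENTRIES are constructed (item name, command line) pairs, not real indicators.
import re

SAMPLE_ENTRIES = [
    ("awwhbbdtssd", r"c:\documents and settings\administrator\local settings\application data\asojkhanw\awwhbbdtssd.exe"),
    ("SunJavaUpdateSched", r"C:\Program Files\Java\jre6\bin\jusched.exe"),
    ("nvsvc", r"RUNDLL32.EXE C:\WINDOWS\system32\nvsvc.dll,nvsvcStart"),
    ("loader", r"rundll32.exe c:\documents and settings\guest\application data\qzxkvbnmp\qzxkvbnmp.dll,Run"),
]

# Per-user folders an ordinary user (or malware running as that user) can write to.
USER_WRITABLE = re.compile(r"\\(application data|local settings|temp)\\", re.IGNORECASE)
# First drive-letter path ending in .exe or .dll inside the command line.
PATH_RE = re.compile(r"[a-z]:\\[^,]+?\.(exe|dll)", re.IGNORECASE)

def looks_random(name: str) -> bool:
    """Heuristic: very few vowels or a long consonant run suggests a generated name."""
    stem = re.sub(r"\.(exe|dll)$", "", name.lower())
    letters = "".join(c for c in stem if c.isalpha())
    if len(letters) < 6:
        return False  # too short to judge
    vowels = sum(1 for c in letters if c in "aeiouy")
    longest_run = max(len(m) for m in re.findall(r"[^aeiouy]+", letters) or [""])
    return vowels / len(letters) < 0.25 or longest_run >= 5

def triage(entries):
    """Return {item_name: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for item, cmd in entries:
        reasons = []
        m = PATH_RE.search(cmd)
        path = m.group(0) if m else cmd
        filename = path.rsplit("\\", 1)[-1]
        parent = path.rsplit("\\", 2)[-2] if path.count("\\") >= 2 else ""
        in_user_dir = bool(USER_WRITABLE.search(path))
        if in_user_dir:
            reasons.append("runs from a user-writable profile folder")
        if cmd.lstrip().lower().startswith("rundll32") and in_user_dir:
            reasons.append("rundll32 loading a DLL from a profile folder")
        if looks_random(filename) or looks_random(parent):
            reasons.append("random-looking file or folder name")
        if reasons:
            findings[item] = reasons
    return findings

if __name__ == "__main__":
    for item, reasons in triage(SAMPLE_ENTRIES).items():
        print(item, "->", "; ".join(reasons))
```

Anything flagged still needs a look by hand: a legitimate updater in a profile folder will trip the first rule, which is why the reasons are listed rather than a verdict.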
-
So from what I'm hearing, this thing can get through a firewall pretty easily? If your computer were to get this bug, would something like Sysclean be able to get rid of it? How about Norton, Kaspersky or Malware Remover?
-
Rkill
I always keep copies of it. Both on my machines and on a flash drive I keep that has security programs on it (Anti malware etc.)
It will not rid your machine of the buggers, but it will end their processes so you can clean your machine using your antivirus/malware solution of choice.
If you have kids, or ummm other people who carelessly click on things or go places they ought not to, this is one handy little item.
http://www.technibble.com/rkill-repair-tool-of-the-week/
-
Thanks Skuzzy, I don't trust Java anyway. I'm afraid I do have it on one of my computers though! :eek:
-
Thanks Skuzzy, I don't trust Java anyway. I'm afraid I do have it on one of my computers though! :eek:
Hmm I didn't type that right :uhoh So,will I get a virus if my Java updates?
-
Java Runtime 1.6.0_20 was released in response to this exploit - I hesitate to say it "fixes the issue" given that I don't have first hand knowledge that it does, but it's supposed to.
But this brings us to another caveat - Sun's Java run-time drives me utterly bugnuts, anyway. Prior to somewhere in the vicinity of 1.60 version 4, it installed new versions without removing the old - and a developer can "request" an older version at run-time. I've looked at machines that LITERALLY had more than a dozen versions of the runtime.
Make sure to remove all unnecessary older versions via Add/Remove so that the only one listed is the new one.
And if you need to access a web site and/or run an IE-based widget/add-in
(insert -> another of my pet peeves, if you want to provide an app that I "must" use to access the information your company is providing to mine, then write a #*@* app, don't depend on IE and then tell me that I can't update IE and/or Java until after you rewrite your widget!)
that requires an older version, then I'd urge you to pressure the provider to update their website or widget to no longer be version specific.
<S>
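An added example, not from this thread or any poster: since old runtimes stay installed side by side and can be requested by a developer at run-time, the part worth scripting is spotting them. This parses the display names Sun's installers used in Add/Remove Programs (assumed formats such as "Java(TM) 6 Update 20", "J2SE Runtime Environment 5.0 Update 11" and "Java 2 Runtime Environment, SE v1.4.2_03") into version tuples and lists everything older than 1.6.0_20. The installed-program list is a constructed sample.

```python
# Added example: find stale Sun JRE entries in an Add/Remove Programs listing.
# SAMPLE_ADD_REMOVE is a constructed list in the display-name formats assumed above.
import re

SAMPLE_ADD_REMOVE = [
    "Java(TM) 6 Update 20",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "J2SE Runtime Environment 5.0 Update 11",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Mozilla Firefox (3.6.3)",
]

# 1.6.0_20 is the release the thread refers to; "6 Update 20" is the same thing.
CURRENT = (1, 6, 20)

def parse_java_version(display_name):
    """Map an Add/Remove display name to (major, minor, update); None if not a JRE."""
    name = display_name.strip()
    # 1.4.x era: "Java 2 Runtime Environment, SE v1.4.2_03"
    m = re.match(r"Java 2 Runtime Environment, SE v(\d+)\.(\d+)(?:\.\d+)?_(\d+)", name)
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    # 5.0 era: "J2SE Runtime Environment 5.0 Update 11"  -> 1.5.0_11
    m = re.match(r"J2SE Runtime Environment (\d+)\.(\d+)(?: Update (\d+))?", name)
    if m:
        return (1, int(m.group(1)), int(m.group(3) or 0))
    # 6 era: "Java(TM) 6 Update 20" or "Java(TM) SE Runtime Environment 6 Update 1"
    m = re.match(r"Java\(TM\) (?:SE Runtime Environment )?(\d+)(?: Update (\d+))?", name)
    if m:
        return (1, int(m.group(1)), int(m.group(2) or 0))
    return None

def stale_java(installed, current=CURRENT):
    """Return the display names of JRE entries older than `current`, in listing order."""
    stale = []
    for name in installed:
        version = parse_java_version(name)
        if version is not None and version < current:
            stale.append(name)
    return stale

if __name__ == "__main__":
    for name in stale_java(SAMPLE_ADD_REMOVE):
        print("remove:", name, parse_java_version(name))
```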
-
Java Runtime 1.6.0_20 was released in response to this exploit - I hesitate to say it "fixes the issue" given that I don't have first hand knowledge that it does, but it's supposed to.
But this brings us to another caveat - Sun's Java run-time drives me utterly bugnuts, anyway. Prior to somewhere in the vicinity of 1.60 version 4, it installed new versions without removing the old - and a developer can "request" an older version at run-time. I've looked at machines that LITERALLY had more than a dozen versions of the runtime.
Make sure to remove all unnecessary older versions via Add/Remove so that the only one listed is the new one.
And if you need to access a web site and/or run an IE-based widget/add-in
(insert -> another of my pet peeves, if you want to provide an app that I "must" use to access the information your company is providing to mine, then write a #*@* app, don't depend on IE and then tell me that I can't update IE and/or Java until after you rewrite your widget!)
that requires an older version, then I'd urge you to pressure the provider to update their website or widget to no longer be version specific.
<S>
I don't use any products of companies that require the use of java and/or IE. Period.
-
I wish I had the luxury of making the same choice - but our clients pick the custodians, and we have to use whatever (often crappy) solution the custodian provides. Some are OK, some hoover scummy pond water....
<S>
-
I wish our college would consider some simple scripting reasoning and dump their java online testing center.