
Win 7 & recent Java exploit


No replies to this topic

#1 AzureSkyy


Posted 25 April 2010 - 10:03 PM

I'm running Win7 Ultimate x64, and am not an idiot.

There was a Java exploit recently(1) that allows complete access, including the ability to change local file permission levels remotely, and my antivirus flagged this activity. However, though this problem has been known to exist(2) - I do research on things, like a responsible person, before I talk about them - since at least 2009, it was not addressed until just recently for Windows users via a Windows Update(3) last week or so (Java JRE 1.6, note 4). Upon these items being flagged, I was at first skeptical; the items were not in the AVG database, AVG could not give any real information about them, and they were from a trusted, core application that commonly runs scripts in the background.

I am an idiot in one respect: I did not remember to write down the name of the file flagged by AVG.

I also can't find the flagged event in my AVG log files. I'm not sure why this is.

Anyhow. To move on. After seeing the items flagged a second time, having told AVG to remove their threat as power users since it couldn't clean the infection - a function that I'm unsure does anything actually useful, "removing threat as power users" - I then ran scans with Spybot Search & Destroy, immunized with SB S&D, deleted the folders at the flagged location(5), which contained no files and only a series of empty hex-labeled folders, and timed this delete to be followed, within seconds, by the Wipe Free Space command in Piriform's CCleaner.

Not sure if that last step, Wipe Free Space, really helped me at all, but it felt like a more effective way to approach problems in the way I prefer to approach them: from multiple vectors under a philosophy of all-out-war.

Anyhow.

To move on once more, after having done all this, I looked around some more, but as the problem had only recently been recognised as a threat, there wasn't much information out there that was relevant to making sure you were safe after the fact, and since the vulnerability allows the person to execute any code of their own choice, there was no specific place to attack, no pre-defined enemy to batter down. And for a while, things were fine. In these last few days, however, the quality of my internet connection, the speed with which my computer can handle multi-tasking, the frequency of general errors, and my once-respectable bootup/shutdown times have all decayed significantly and at rapid rates. Additionally, my connection handles a great deal of packets on a daily basis. I am not sure what a normative amount would be for my computer to send on a daily basis, as I do not check, but the sheer quantity aside, sometimes the ratios between Sent and Received packet amounts are massively disproportionate. Such as now: 1.3 million to 7.2 million, sent vs. received, respectively. Not that I am saying this is a causal, correlational, or even meaningful link, but there it is, on the off chance that it matters.

Let me know what you think would be a good plan of action. Thanks.

Cheers,
~Matt.-



NOTES & REFS:
(1) http://news.cnet.com/8301-27080_3-20002199-245.html
(2) http://landonf.bikemonkey.org/ (scroll to "CVE-2008-5353")
(3) http://www.microsoft.com/technet/security/...n/ms03-011.mspx (talks specifically about MS VMs, but is not unique to that platform: Java-, not OS-specific)
(4) http://java.sun.com/javase/downloads/index.jsp
(5) C:\Users\AzureSkyy\AppData\Roaming (full path incomplete; had hex values as folder string names)
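The checks a responder would run on this machine before deciding on a plan of action, as an added example that is not part of the original post and not the poster's own script: it lists the JRE builds the Sun installer registered (so the version can be compared against the update in note 4), enumerates hex-named directories directly under the user's AppData folders (the pattern in note 5, without guessing the truncated path), shows the most recently written entries in the Java deployment cache, and prints the interface counters behind the sent/received figures. The registry keys are the ones Sun's installer writes; the deployment-cache location, the hex-name pattern and the "directly under AppData" depth are assumptions and are marked as such in the comments.

```powershell
# Added triage script for the situation described in the post above. It is not
# the poster's code and nothing in it comes from the original thread. Written
# for PowerShell 2.0 (the Windows 7 default); run it from an elevated prompt.
# Lines marked ASSUMPTION are not stated anywhere in the post.

# --- 1. Installed JRE versions ---------------------------------------------
# Sun's installer registers each JRE under these keys. On x64 Windows the
# 32-bit JRE (the one a 32-bit browser loads) sits under Wow6432Node, so a
# patched 64-bit JRE says nothing about whether the 32-bit one is patched.
$jreKeys = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)
function Get-InstalledJre {
    foreach ($key in $jreKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
            if ($javaHome) {
                New-Object PSObject -Property @{
                    Version  = $_.PSChildName
                    JavaHome = $javaHome
                    Key      = $key
                }
            }
        }
    }
}
Get-InstalledJre | Select-Object Version, JavaHome, Key | Format-Table -AutoSize

# --- 2. Hex-named directories under the per-user AppData folders -----------
# The post found a tree of empty folders with hex-string names under
# C:\Users\<user>\AppData\Roaming. ASSUMPTION: the names are at least six hex
# digits and sit directly under Roaming or Local; widen the search if yours
# are deeper. Creation time and file count are reported so an empty tree can
# be told apart from one that still carries a payload.
function Find-HexNamedDirs {
    param([string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Force |
          Where-Object { $_.PSIsContainer -and $_.Name -match '^[0-9A-Fa-f]{6,}$' } |
          ForEach-Object {
            $files = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                       Where-Object { -not $_.PSIsContainer })
            New-Object PSObject -Property @{
                Path    = $_.FullName
                Created = $_.CreationTimeUtc
                Files   = $files.Count
            }
          }
    }
}
Find-HexNamedDirs | Select-Object Created, Files, Path | Format-Table -AutoSize

# --- 3. Java deployment cache: what was fetched, and when ------------------
# Applets and Web Start apps are written to the cache before they run, so a
# JAR delivered through the browser plug-in lands here first. ASSUMPTION:
# default Windows 7 location, which is the LocalLow profile, not %LOCALAPPDATA%.
$cache = Join-Path (Split-Path -Parent $env:LOCALAPPDATA) 'LocalLow\Sun\Java\Deployment\cache'
if (Test-Path -LiteralPath $cache) {
    Get-ChildItem -LiteralPath $cache -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer } |
      Sort-Object LastWriteTimeUtc -Descending |
      Select-Object -First 20 LastWriteTimeUtc, Length, FullName |
      Format-Table -AutoSize
} else {
    "No Java deployment cache found at $cache"
}

# --- 4. Interface counters behind the sent/received figures ----------------
# netstat -e prints bytes and unicast/non-unicast packet counts per direction
# since the interface came up. Take two readings a few minutes apart, with the
# machine otherwise idle, and compare the differences instead of the totals.
netstat -e
```

Two points on reading the output. First, received outnumbering sent by a wide margin, as in the post's 1.3 million to 7.2 million, is the normal shape for a client that downloads more than it uploads; the figure worth a second look is the sent counter climbing while the machine is idle, which is what the two spaced readings of `netstat -e` are for. Second, empty hex-named folders hold no code, so the JRE version list and the deployment cache timestamps say more about whether anything actually ran than the folders the poster deleted.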
