MSE detected viruses in Java cache


5 replies to this topic

#1 mcbsys

mcbsys

  • Members
  • 6 posts

Posted 12 June 2012 - 12:37 PM

Hi,

On June 5, I received a bogus invitation to connect on LinkedIn. I clicked on it. When I saw "Please wait page is loading" (or words to that effect) in large type for several seconds, I knew it was a mistake. I quickly closed the tab on the browser, then ran a full scan with an updated MalwareBytes. When nothing was detected (except a couple old email viruses that I keep in encrypted zip files), I thought I had dodged a bullet. (Let me know if you need the URL from the email.)

Then on Sunday June 10, MSE ran its weekly scan and detected and quarantined remnants of a potentially related virus in the Java cache (Blacole). Yesterday June 11, I ran another full MalwareBytes scan; nothing found. I changed MSE to daily scanning and last night it again detected a virus in the Java cache. The detected file is dated June 5.

The most similar post I found on this diagnosed the issue as a false positive, but due to my mistake last week, I'm wondering if my computer is actually infected.

I can certainly clear the Java cache but before I do, I thought maybe I should post here. Is there a way to track back from the cache to figure out what the applet is? What concerns me is that a new infection showed up on the second MSE scan, like there is some base infection that has not been rooted out.

This past week, I had Java 6 update 31. I updated to Java 6 update 32 today.

I have a full system image from a couple weeks ago so I can go back to that if necessary.

Thanks for your help,

Mark

From MSE:

Exploit: Java/Blacole.ET (detected 6/10 4:52am)

containerfile:C:\Users\<MyUser>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\7ea7c09c-7e11bab2
file:C:\Users\<MyUser>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\7ea7c09c-7e11bab2->gui_a/F.class
file:C:\Users\<MyUser>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\7ea7c09c-7e11bab2->gui_a/gui_d.class

Exploit:Java/CVE-2012-0507.AY (detected 6/10 4:52am)

containerfile:C:\Users\<MyUser>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\7ea7c09c-7e11bab2
file:C:\Users\<MyUser>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\7ea7c09c-7e11bab2->gui_a/gui_a.class->[ZKM]

Exploit:Java/CVE-2012-0507.BU (detected 6/12 4:40am)

containerfile:C:\Users\<MyUser>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\7ea7c09c-7e11bab2
file:C:\Users\<MyUser>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\28\7ea7c09c-7e11bab2->gui_a/gui_b.class->[ZKM]

Output of SecurityCheck.exe:

Results of screen317's Security Check version 0.99.41
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 32
Java version out of date!
Adobe Flash Player 11.2.202.235
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (13.0)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Common Files Microsoft Shared Microsoft Online Services smss.exe -?-
Common Files Microsoft Shared Microsoft Online Services MSOIDSVC.EXE
Common Files Microsoft Shared Microsoft Online Services MSOIDSvcm.exe
Common Files Microsoft Shared Microsoft Online Services audiodg.exe -?-
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 12 June 2012 - 02:26 PM

Your scan results indicate a threat(s) was found in the Java cache.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files into its cache folder for quick execution later and better performance. Both legitimate and malicious applets, including malicious Java class files, are stored in the Java cache directory and your anti-virus may detect them as threats. The detection can indicate the presence of malicious code which could attempt to exploit a vulnerability in the JRE. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache manually to ensure everything is cleaned out:

If you want to perform a more thorough browser clean up, please refer to:

Also be aware that older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. That's why it is important to always use the most current Java Version and remove outdated Java components.
You can verify (test) your JAVA Software Installation & Version here. Your SecurityCheck log shows it is out of date (Java™ 6 Update 32).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
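One way to answer the "track back from the cache to figure out what the applet is" question above, as an added example that is not code from this thread or from any BleepingComputer tool: each Java 6 deployment cache entry has a sibling .idx file that records the download metadata, including the origin URL, and the entry itself is normally a jar. The script below maps each entry to that URL, hashes it, and lists its class members; the cache layout, the sample entry and the placeholder URL are constructed for the demo.

```python
"""Triage a Java 6 deployment cache: entry -> origin URL, SHA-256, class list."""
import hashlib
import os
import re
import tempfile
import zipfile

# The origin URL is stored as plain ASCII inside the .idx metadata file, so a
# regex scan is sufficient for triage without decoding the whole .idx format.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def triage_cache(cache_root):
    """Return {entry_name: {"url", "sha256", "members"}} for every cache entry
    under cache_root/<bucket>/ (e.g. .../cache/6.0/28/7ea7c09c-7e11bab2)."""
    results = {}
    for bucket in sorted(os.listdir(cache_root)):
        bdir = os.path.join(cache_root, bucket)
        if not os.path.isdir(bdir):
            continue
        for name in sorted(os.listdir(bdir)):
            if name.endswith(".idx"):
                continue  # metadata files are read alongside their entry below
            path = os.path.join(bdir, name)
            url = None
            if os.path.isfile(path + ".idx"):
                with open(path + ".idx", "rb") as f:
                    m = URL_RE.search(f.read())
                url = m.group(0).decode() if m else None
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            members = []
            if zipfile.is_zipfile(path):  # applet jars are ordinary zip files
                with zipfile.ZipFile(path) as z:
                    members = [n for n in z.namelist() if n.endswith(".class")]
            results[name] = {"url": url, "sha256": digest, "members": members}
    return results


def run_demo():
    """Build a constructed cache mirroring the thread's paths and triage it."""
    root = tempfile.mkdtemp()
    bucket = os.path.join(root, "6.0", "28")
    os.makedirs(bucket)
    entry = os.path.join(bucket, "7ea7c09c-7e11bab2")
    with zipfile.ZipFile(entry, "w") as z:
        z.writestr("gui_a/F.class", b"\xca\xfe\xba\xbe demo")  # not real bytecode
        z.writestr("gui_a/gui_a.class", b"\xca\xfe\xba\xbe demo")
    with open(entry + ".idx", "wb") as f:  # constructed .idx with placeholder URL
        f.write(b"\x00\x00\x00\x00\x02\x5b" + b"http://malicious.example/gui_a.jar\x00")
    return triage_cache(os.path.join(root, "6.0"))
```

Run it against the real directory (C:\Users\<MyUser>\AppData\LocalLow\Sun\Java\Deployment\cache\6.0) with `triage_cache(...)` to see which site each quarantined entry came from before clearing the cache.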

#3 mcbsys

mcbsys
  • Topic Starter

  • Members
  • 6 posts

Posted 12 June 2012 - 03:37 PM

Thanks for your reply and the references. The Securing Java book, although 13 years old, is particularly interesting. BTW, the Java cache directory link is dead.

That's why it is important to always use the most current Java Version and remove outdated Java components.
You can verify (test) your JAVA Software Installation & Version here. Your SecurityCheck log shows it is out of date (Java™ 6 Update 32)

My understanding was that as long as the software is still being actively patched, it's okay to continue using it. So I use the latest patched versions of Adobe Reader 9, Internet Explorer 8, and Java 6. Java 6 Update 32 was released 2012-04-26 with no security fixes. Update 31, which I was running when I went to the malicious site, was released 2012-02-14 with 14 security fixes. (Java version history) Why does SecurityCheck consider these to be out of date?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 June 2012 - 06:47 AM

Java Runtime Environment (JRE) 6 Update 33 & Java 7 Update 5 were just released.

Release notes and download links:

Java 6 update 33
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

Java 7 update 5
http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html

Downloads
http://www.oracle.com/technetwork/java/javase/downloads/jre6-downloads-1637595.html
http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html

Also make sure you pick the correct one for your operating system on the download page after you sign the agreement.

Verify your version
http://www.java.com/en/download/testjava.jsp

Note: UNcheck any unwanted toolbars/programs if offered.

calendarofupdates.com

Note: Java SE 7 is the latest release for Java and is the recommended version.

Java SE 7 is the latest release for Java that contains many new features, enhancements and bug fixes to improve efficiency to develop and run Java programs.

Why should I upgrade to Java 7?

Java 7 was not initially released for widespread distribution and they have continued to release updated versions of Java 6 while releasing updates to Java 7.


You should also make sure you are using the most current version of Adobe Acrobat Reader. There are serious security issues with older versions which can increase the risk of system infection. If you're not sure what version you are using, launch Adobe Reader, click Help in the top menu and select About Adobe Reader.... If it is outdated, select Check for Updates. The most current version can also be manually downloaded from here.

BTW, the Java cache directory link is dead

The link has been fixed.

#5 mcbsys

mcbsys
  • Topic Starter

  • Members
  • 6 posts

Posted 13 June 2012 - 09:52 AM

Okay thanks. Seems I updated a machine to Java 7 early on and something didn't work. Maybe I'll try again now that it has matured a bit.

I usually find that the latest versions add bloat and sometimes unwanted add-ons (Adobe AIR), and are often buggy. Adobe Reader 9, Java 6, Internet Explorer 8, Windows XP, and Windows Vista are all being patched in parallel with the latest versions (Reader 10, Java 7, IE 9, and Windows 7), so I tend to keep using them until there is a benefit to upgrading.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 13 June 2012 - 11:03 AM

No problem.

One major benefit of upgrading is that the vendor usually has fixed vulnerabilities and exploits that attackers take advantage of. Older versions do not always get these patches, so they are wide open to exploitation.