
Keylogger in Java?


53 replies to this topic

#1 Mike.C

Mike.C

  • Members
  • 68 posts

Posted 05 June 2015 - 02:32 PM

I'm unsure of where to post this so I'll do it here.

 

Trend Micro Titanium detected HTTP_KEYLOGGER_REQUEST-2 in C:\program files\java\jre1.8.0_45\bin\javaw.exe four times, twice on the previously installed version and twice on a clean install, both times having 32 and 64-bit Java installed. Has anyone else had this happen to them today? I just don't know if it actually is an issue with Java itself or one with Trend Micro.




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,193 posts

Posted 05 June 2015 - 02:36 PM

Hi Mike.C :)

I don't know how Trend Micro works for these detections, but since a .jar calls javaw.exe to launch itself, it might be a false detection in the sense that it's not javaw.exe that is malicious, but the .jar that calls it, like a_keylogger.jar. If you launch a .jar, go in the Task Manager and look at the Command Line for it, you'll see that javaw.exe is the process, and it calls the .jar as an argument/parameter. Did you install anything else on these new computers or not? Submitting javaw.exe (from Java 8 Update 45) to VirusTotal now to see what it'll give.

Edit: Came back clean: https://www.virustotal.com/en/file/20c9604fa6df0a6811a6aa0b561cf97db74868b6cad9cb0d1338436c7ae21e66/analysis/1433533029/

Can you check if you have a javaw.exe process running right now, and if so, what's its command line (like I explained above)?

Edited by Aura., 05 June 2015 - 02:38 PM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
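
The command-line check described in the post above, as an added example that is not part of the original thread: it lists each running Java launcher, works out which .jar or main class it was started with, and prints a SHA-256 of every jar file involved so the hash can be searched on VirusTotal. It assumes Windows PowerShell 4.0 or later; `Get-JavaLaunchTarget` is a hypothetical helper name, and only the `-jar`, `-cp` and `-classpath` options are treated as taking a separate value.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 4.0 or later.
function Get-JavaLaunchTarget {          # hypothetical helper name
    param([string]$CommandLine)
    # Tokenise on whitespace, keeping "quoted paths with spaces" inside one token.
    $tokens = @([regex]::Matches($CommandLine, '(?:"[^"]*"|[^\s"])+') |
        ForEach-Object { $_.Value.Replace('"', '') })
    $jar = $null; $classPath = $null; $mainClass = $null
    for ($i = 1; $i -lt $tokens.Count; $i++) {   # token 0 is javaw.exe itself
        $t = $tokens[$i]
        if ($t -eq '-jar') {
            $jar = $tokens[$i + 1]; break        # everything after is the jar's own args
        } elseif ($t -eq '-cp' -or $t -eq '-classpath') {
            $i++; $classPath = $tokens[$i]       # value is the next token
        } elseif ($t -notlike '-*') {
            $mainClass = $t; break               # first non-option token is the main class
        }
    }
    [pscustomobject]@{ Jar = $jar; ClassPath = $classPath; MainClass = $mainClass }
}

$filter = "Name = 'javaw.exe' OR Name = 'java.exe'"
foreach ($proc in Get-CimInstance Win32_Process -Filter $filter) {
    if (-not $proc.CommandLine) {
        # Empty when the process belongs to another user and the shell is not elevated.
        Write-Warning "PID $($proc.ProcessId): command line not readable"
        continue
    }
    $target = Get-JavaLaunchTarget $proc.CommandLine
    # Candidate files: the -jar argument plus every classpath entry (';'-separated on Windows).
    $candidates = @($target.Jar) + @($target.ClassPath -split ';') |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Leaf) }
    "PID {0}  main class: {1}" -f $proc.ProcessId, $target.MainClass
    foreach ($file in $candidates) {
        # A SHA-256 can be looked up on VirusTotal without uploading the file.
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        "    {0}  {1}" -f $hash, $file
    }
}
```

Relative classpath entries are resolved against the shell's current directory, not the Java process's, so entries that do not resolve are skipped rather than hashed.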


#3 Mike.C


Posted 05 June 2015 - 03:12 PM

...I'm thinking it might just be a false positive. javaw.exe only runs when I use a program that uses it, for example, Minecraft, and stops whenever I close it. After it closes, Trend Micro detects it as a virus for some reason, and I suspect that it may be because of a recent update to Trend Micro? Before, it didn't detect anything in Java 8 update 40, but it did today. Same thing after I uninstalled and reinstalled to update 45. I'm not sure if it's because of the launcher I'm using for Minecraft (since I'm using mods) (and though I have had that launcher for a while), or Trend Micro's update... It's probably nothing important. Anyway, thanks for the help!

 

I also have Malwarebytes on my computer. If there was anything malicious in the Java files I'm sure it would have caught it right away, right?

 

Edit: Also, due to Trend Micro, Java is rendered useless after it is detected and dealt with. I guess I have to add the file to the exception list...


Edited by Mike.C, 05 June 2015 - 03:16 PM.


#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts

Posted 05 June 2015 - 03:22 PM

I would recommend you contacting Trend Micro support for the FP as well, since other people might also be having issues.

#5 Mike.C


Posted 05 June 2015 - 03:34 PM

Oh boy... more trouble. I don't know how to create an account for their website. It won't even let me log in with my serial number since I don't have an account already. "invalid serial number" It says. Great...



#6 Sintharius


Posted 05 June 2015 - 03:38 PM

In that case, you can use the FP submission form for Trend Micro here.

(I hate filling forms...)

#7 Mike.C


Posted 05 June 2015 - 03:46 PM

For non-Trend Micro customers only... If you are, please contact support... back to the same page... Ugh, the website is so difficult to navigate. And who wants to contact support directly anyway? I could have sworn they had a forum, but I guess not. (And why would a non-customer be filling out this form anyway?) I guess this will save me time at least. Thanks.



#8 Sintharius


Posted 05 June 2015 - 03:48 PM

You are welcome :)

I use an AV that never requires its customers to fill out forms for anything, so I guess I never shared the pain of filling out forms and waiting for the vendors to reply.

#9 Mike.C


Posted 05 June 2015 - 04:18 PM

Oh, great. Absolutely perfect! The form won't even recognize the file! It says "No file chosen"! Isn't that a major flaw?! Hopefully this'll get fixed soon, or I'll have to mess around with the exceptions list...



#10 Sintharius


Posted 05 June 2015 - 04:19 PM

I would suggest compressing the file to .zip or .rar format using either the built-in Windows compressor or a third party software like WinRAR, assuming that they accept archives.

#11 Aura


Posted 05 June 2015 - 04:27 PM

I'm coming a bit late in the conversation, but doesn't the new Minecraft launcher have a JDK built-in? So you don't need to have it installed at all on your system to run it, it'll run in its own instance of Minecraft.




#12 Mike.C


Posted 05 June 2015 - 04:33 PM

Putting it in a .zip did the trick. Thanks again Alexstrasza!

Now to put it on the exclusions list...

 

Man, what a way to kick off summer vacation, eh?  :wacko:

 

 

Edit: Aura, I'm running Minecraft on a third party launcher to run mods. Sorry I didn't really clarify.


Edited by Mike.C, 05 June 2015 - 04:35 PM.


#13 Aura


Posted 05 June 2015 - 04:37 PM

Well that explains it. Maybe some of these mods are flagged as malicious, it wouldn't be uncommon :P



#14 Sintharius


Posted 05 June 2015 - 04:41 PM

Minecraft mods are a really good way to get infected these days (kids infecting machines playing Minecraft all the time). So I would suggest that you be careful.

#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,563 posts

Posted 05 June 2015 - 04:46 PM

You can always make a report at the Trend Micro Community Forums.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




