Back in January there was big news about a zero-day vulnerability in Java. This vulnerability would let the Bad Guys execute software on your computer, allowing them to (among other things) turn it into another zombie machine on a botnet. At the time, the recommendation was that users disable Java in their browsers.
As you might imagine, Oracle, the company that took responsibility for Java when it acquired Sun Microsystems, hurriedly worked on a fix. That fix is now available and you can download it. But the attention to the Java vulnerability has now led to a new approach to malware that pretends to be a fix for the vulnerability.
What happens is this. The new malware appears on your screen, and looks for the most part like the standard Java update window and requests permission to install an update. The Java logo is there, and if you’re not paying attention, it seems legitimate. But click to give permission and it will install malware instead of an update.
“The Java security update is a type of social engineering,” said Kevin Haley, director, Symantec Security Response. “It’s unrelated to the vulnerability; it’s just a way to get people to click on the attachment.”
Fortunately, if you have adequate security software it won’t be able to do anything even if you click to give it permission to perform the “update.” Unfortunately, there’s no way to know for sure that your security software caught it. Everything depends on exactly what kind of security software you’re running, and how recently it’s been updated. “You should consider yourself infected,” Haley said.
Haley noted that Symantec has a free security scanning service that can check for malware, and he said that many other security vendors have similar services. These products, which you download and install on your Windows machine, will give a complete malware scan, and alert you to any viruses or other malware. You can find similar scanning software at McAfee and Kaspersky among others.
Haley said that he wasn’t surprised at the appearance of the fake Java update. “There’s always been that when these zero day vulnerabilities become public,” Haley said. “It’s in the public domain, the bad guys all want to take advantage of it. There’s a race between patches and exploits.”
The problem has become much worse recently now that the hacking took kits have become commercialized. “These guys are competing to sell their toolkits to bad guys,” Haley said. “We’re seeing them out in the field quicker. You don’t have that lag time that there used to be before people start exploiting these vulnerabilities.”
Java Flaw Repair Email Camouflages Crafty New Malware Attack
Updates are a particularly effective form of social engineering for people trying to distribute malware simply because people are used to clicking on them almost as a reflex. Haley said that Symantec even found one mass email purporting to be from his company containing a fake Symantec update that contained malware.
“Don’t click on attachments,” Haley said, and he cautioned against visiting websites that you don’t know for sure are malware free. Fortunately, most security software can scan the Web looking for sites containing malware and either warn you, or prevent you from going there.
Haley also noted that basic antivirus software is no longer enough. He said that the means of distributing malware have changed and now your security software needs to recognize attacks from a number of sources, not just viruses. Haley also suggested that you remove any applications on your computer that you’re not actually using. “Get them off the system, so if there’s vulnerability you won’t have it.” He also advised against removing the normal protections on mobile devices, especially Android devices. “We are seeing malware on Android. Don’t root your devices – that’s opening them up to malware.”
“Rooting” means defeating the security features built into a mobile device so that the owner can get greater control of its functions. But this also makes it easier for hackers to take control of the device remotely by planting malware on it.
All of this means that you need to be suspicious of updates to software that appear unexpectedly or otherwise out of sequence. Check the Web address that the update comes from, and if necessary check the vendor’s website to see whether a security update is being sent out.
It’s also a good idea to pay attention to the content of the message that appears in a pop-up on your screen or in an email. Do the version numbers make sense? When you hover over a link in an email, does the link match the address that appears at the bottom of the email? It’s worth noting that vendors almost never deliver software updates by email, so any email claiming to contain an update should be viewed with deep suspicion.
And since I know you’ll ask, I was nearly caught by that Java update exploit. But there was something a little off in the appearance of the pop-up window, so I killed it, and went to the Java site and updated from there. Do I know for sure that it was the Java update malware delivery that I killed? I don’t know for sure, but I didn’t want to find out, either.