Author Topic: JAVA.Exploit.Agent-2  (Read 2056 times)

Offline dougmack

JAVA.Exploit.Agent-2
« on: August 29, 2012, 10:52:28 PM »
ClamAV has found JAVA.Exploit.Agent-2, and says it can not be quarantined or deleted. Ran scan on filesystem from ClamTk. (GUI frontend to ClamAV.) The entire path is:
/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins/com.ibm.rcp.j2se.linux.x86_1.6.0.20110713a-201108151128/jre/lib/plugins.jar

Maybe I have to run it from root?  How do I run a GUI from root? Or just type in rm 'that big string' from root? I'd hope that this would not make Symphony unusable.

Is this a problem, and if so, what next?

Thanx, gurus--doug

Blessed are the peacemakers...for they shall be shot at from both sides.  A. M. Greeley

Offline Archie

Re: JAVA.Exploit.Agent-2
« Reply #1 on: August 29, 2012, 11:19:09 PM »
Don't do anything rush. Stay away from launching the app.

http://vrt-blog.snort.org/2012/08/cve-2012-4681-bypassing-built-in-java.html

Quote
The scariest part about all of this is that the next scheduled Oracle patch release is October 16. As Oracle has a policy of not issuing out-of-band updates, this means nearly two months of time where attackers can exploit this without root mitigation by the vendor. In the interim, security researcher Michael Schierl has released an unofficial patch, which is for now only available by request.


I would advise that you first uninstall the app including all configs (I hope you have a backup of those) then check the existence of the file again. If it is not removed, delete it. Reinstall your software, restore your backup, run your AV again, cross your fingers and pray.

Good luck.
Since 2006 | LiCo 401868 | Bare Metal | What is necessary is never unwise. --Sarek, 2258.42


Offline dougmack

Re: JAVA.Exploit.Agent-2
« Reply #2 on: August 30, 2012, 01:25:40 AM »
Thank you for the quick response.

Well, I opened a root account and deleted the plugin.jar file, and scanning the /opt directory and subs now finds no Java exploit. I ran the word processing portion of Symphony briefly and rescanned, and still no threat. It's quite late now, so I'll have to postpone further testing. I will try the spread-sheet read capability--I don't make any spreadsheets of my own, but I do occasionally receive one--and see what that brings. I have never used the presentation capability. Obviously I have no idea what function that file might supply, if it's not superfluous altogether.

I have looked at the reference link you sent, but I confess that for me it might as well have been written in Greek or Arabic. Does the fact that I have removed the file that ClamAV named mean the virus is gone from the machine, or is it now hiding somewhere else that Clam can't find? (I will run the complete scan tomorrow again.)

If necessary, I can still  remove the entire app and reinstall it. There are no special configuration files, only some sort of patch. I have the rpm for the main program, and maybe even the patch.  (The patch antedates this problem by many months--I don't know what it actually does.)  Synaptic has both the files listed, so I guess it can uninstall them.

Can you suggest how that file became infected, and what I might do to protect against such infection? One of my uses of Symphony is to edit copy that I receive from an outside source--one that I trust, but one who would probably not know if he was passing on an infection. The copy (now) comes in in Microsoft 2003 or so .doc format, done on a Mac. It had come in in .rtf format, but that was unreliable. Other copy comes in as text in an email, which I receive in Thunderbird, and I convert it to the word processing format and edit it.

Thanx again for the assistance.  Let me know if I need to do anything further than what I have done so far.

--doug

Offline Archie

Re: JAVA.Exploit.Agent-2
« Reply #3 on: August 30, 2012, 01:39:02 AM »
The previously posted link also has links to a ClamAV update that should be worth following up.

Your guess is as good as mine as to how you came about with the infection. Also, considering our Java at 1.6 may also be an attributing factor as to why the virus did not propagate. If your suspicion is correct and that it came from Windows, hopefully it did not have enough time to download its payload before being discovered. Again, the time difference between receiving the email and detecting the infection could factor a better guess.

I would not rest on the assurance that deleting the .jar had fixed your problem. For all you know, it may have already have caused some damage.

There is not enough information to go by so guessing at this point is moot.

Honestly, I don't know what else you can do. I don't have a clue what should be done except disable Java. However, if you need it then you are still at risk.

Good luck.


Offline menotu

Re: JAVA.Exploit.Agent-2
« Reply #4 on: August 30, 2012, 07:28:13 AM »
You may want to consider running a LiveCD to scan for both malware and rootkits.

BitDefenderRescueCD apparently does a decent job of checking for rootkits (and malware it's supporting/protecting)

The file to download is BitDefenderRescueCD_v2.0.0_5_10_2010 which can be found at:

http://bit.ly/coqNmL

or

http://download.bitdefender.com/rescue_cd/

The ISO is 380MB

It uses xfce and when it boots to the desktop it needs net access to update the signature list database, which is very important.

Depending on the size of the disk it may take 15mins or more to complete the scan.

Please note, I don't know how well this would pick up any baddies on Linux, but if the signature is the same as on Windows it should at least identify it

==================

Quote
Don't do anything rush. Stay away from launching the app.


As Archie advises, don't rush just stay away from running any Java related stuff and/or disable any java browser plugins

If you open krunner (Alt + F2) and enter java - you may see something like Java Control Panel plus you may also see Java and JavaScript configure the behaviour of...... as well
« Last Edit: August 30, 2012, 07:45:41 AM by menotu »
PCLinuxOS 32bit KDE 4.10.1; kernel-3.4.11-pclos1.bfs & 64bit 3.2.18bfs; NVidia GeForce 8400GS 1GB 310.19 driver

Sony Vaio SVE1513A4ESI Laptop, Intel Core i5, 2.6GHz, 6GB RAM, 750GB, 15.6" Intel HD Graphics 4000

Offline Tony

Re: JAVA.Exploit.Agent-2
« Reply #5 on: August 30, 2012, 03:54:34 PM »
I would consider every suggestion made so far.

I would also ask people to consider installing Avast! for Linux. Easy Tutorial HERE

There is an Edition of The PCLinuxOS Magazine which has a Tutorial for installing Avast! also, which I can't find at this time. Your call, I'm simply offering advice.

The first problem with a suspected Virus is whether it really is a Virus?

Most Anti Virus have a Quarantine, (Avast! = Virus Chest) where you can store the file(s), and wait for subsequent virus database updates, rescan the file, and essentially after a week more or less know for sure you have a nasty, and delete the file, or send it to Avast! via a Secure built in transfer mechanism.

I've not used ClamAV for many years, and that under MS, but I don't think it has such a feature?


Putting the so called infected file into the Virus Chest isolates the file from your System, totally. No harm can be caused to your System.

Alternatively you can also upload a 'copy' of the suspicious file from your quarantine (Avast! = Virus Chest) safely to an online scanner, such as: https://www.virustotal.com/ ; http://virusscan.jotti.org/en: point being scanning with multiple AV Scanners gives a much surer indication as to whether you have Malware.
Viruses pose as 'Important System files', so isolating a suspected file shouldn't be harmful.

*Just because we use a Linux Distro does not mean we can't seriously and diligently use all options open to us if we are infected !
Don't attack me for over simplifying these processes please; main thing is to act now.

*Simplest action; Disable Java in all Browsers, and programs using Java.

There are False Positives generated by AV's due to their nature; using a database which is basically a list of filenames to detect infected files. There are other methods used in detecting viruses, malware, trojans, etc. but you're really just stuck with an Archaic method of scanning and matching the quarantined filename till the Database has been updated over days, or weeks.

Or as with the Security breach at Linux Foundation (incorporating Kernel.org trojan) ! I think from memory they undertook the huge task of wiping all their Hard Drives !  ;)
« Last Edit: August 30, 2012, 04:27:58 PM by Abraxas »
*PCLOS 3.2.18-pclos2 - MiniMe 2013.x - KDE 4.10.1 - Intel(R) Pentium(R) 4 CPU 3.00GHz - 1GiB DIMM DDR 533 MHz RAM  = SHABANG ! ;) *Software Updates

Offline Tony

Re: JAVA.Exploit.Agent-2
« Reply #6 on: August 30, 2012, 04:50:05 PM »
menotu:
Quote
As Archie advises, don't rush just stay away from running any Java related stuff and/or disable any java browser plugins

If you open krunner ( Alt + F2) and enter java -  you may see something like Java Control Panel plus you may also see Java and JavaScript configure the behaviour of...... as well


Thanks menotu; just looking at Java Control Panel > Temporary Files.
I had no idea it was set to 1 GB.  :o Easy to just disable all, or limit Temp files.
There's an option to make that cache smaller; and to Delete/Don't Keep - Temporary Files.

*Also; running Bleachbit, with Firefox ( your Browser) - and Flash checked, then clean, can clear 100's of MB's of potentially 'dangerous' Temp Files. ;)
« Last Edit: August 30, 2012, 05:03:03 PM by Abraxas »

Offline dougmack

Re: JAVA.Exploit.Agent-2
« Reply #7 on: August 30, 2012, 05:23:23 PM »
Further reply: I didn't see the other inputs before I wrote the last reply, and anyway, I forgot something. There was a note that there is a patch to ClamAV--I didn't see the link when I went back to look for it. I did see a patch in Google, but it looked like it was for a Windows version. Comment, anyone? Now I see that I can install Avasti, if I can figure out how, so I will do that, with luck. Since I have already uninstalled all the Java files (as mentioned before), I cannot get that graphical Temporary Control Panel > Java Files that was illustrated by Abraxas. Obviously, I will need at least one Java file--finding out which one will be a bear!

More when I have Avasti running. Thanx for the inputs.  --doug

Offline T6

Re: JAVA.Exploit.Agent-2
« Reply #8 on: August 30, 2012, 05:44:19 PM »
the temporary file you had inside that folder, you sure it wasn't a false positive?

it could be perfectly a file of that lotus symphony you downloaded

avast is a great windows antivirus but it is even worse for false positives, i know that because i have used it for many years

it would have been nice to unzip that jar file you had there and see if it was a real virus, do you have a copy of the file?

also, clam is just doing the same as avast, searching for windows virus, you can have a virus stored on your temporary folder but that doesn't mean that you can damage your machine with it
« Last Edit: August 30, 2012, 05:45:57 PM by T6 »
"If you wish to make an apple pie from scratch, you must first invent the universe."

Carl Sagan
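Reply #8 suggests unpacking the flagged .jar and looking at what is actually inside rather than trusting the signature hit alone. The script below is added here and was not posted by anyone in the thread; it does that triage statically in Python without loading the archive into a JVM: it lists the entries, separates real class files from resources, flags any entry that carries the class-file magic under a non-.class name, pulls Main-Class from the manifest, and computes the SHA-256 that an online multi-scanner such as VirusTotal can be queried with. The sample archive it builds is constructed for the demonstration and is not the Symphony file.

```python
import hashlib
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java class file starts with these four bytes


def inspect_jar(data: bytes) -> dict:
    """Static triage of a JAR image held in memory; nothing in it is executed."""
    report = {
        "sha256": hashlib.sha256(data).hexdigest(),  # value to look up on a multi-scanner
        "entries": 0,
        "classes": [],
        "disguised_classes": [],
        "main_class": "",
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report["entries"] += 1
            name = info.filename
            if name.endswith(".class"):
                report["classes"].append(name)
                continue
            # A class file renamed to look like a resource still carries the magic
            with zf.open(info) as fh:
                if fh.read(4) == CLASS_MAGIC:
                    report["disguised_classes"].append(name)
            if name == "META-INF/MANIFEST.MF":
                text = zf.read(info).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("Main-Class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
    return report


def build_sample_jar() -> bytes:
    """Constructed sample (not the thread's file): one real class, one disguised as a .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: demo.Loader\n")
        zf.writestr("demo/Loader.class", CLASS_MAGIC + b"\x00\x00\x00\x32")
        zf.writestr("res/icon.png", CLASS_MAGIC + b"\x00\x00\x00\x32")  # class bytes, wrong name
        zf.writestr("res/strings.properties", b"hello=world\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_jar() with open("/path/to/suspect.jar", "rb").read() for a real file
    result = inspect_jar(build_sample_jar())
    for key, value in result.items():
        print(f"{key}: {value}")
```

On an rpm-based system, rpm -qf on the file path and rpm -V on the owning package tell you whether a vendor package installed the file and whether it still matches the checksum recorded at install time, which is the quickest check for a false positive on a file under /opt.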

Offline dougmack

Re: JAVA.Exploit.Agent-2
« Reply #9 on: August 30, 2012, 09:57:03 PM »
I don't have a copy of the jar file. It looks like Symphony doesn't use it, at least the way I use Symphony. I could not install Avasti. On the fifth screen in the illustration, after it downloaded the 43.3 MB, it hung. If it's only a Windows checker, I don't think I need it anyway. Altho I have XP dual-booted on this machine, I practically never boot into it.

The possibility that the Exploit was harmless was not expressed in the early responses here, and it would seem that nobody actually knows, so I'm just as glad to be rid of it.
My real problem is how to get ONLY enough Java for the things I use that need it, and finding out which they are. Or do any of the readers here believe it's safe to reinstall all the Java files that I uninstalled? (These are all files from the repo, except for the jar file on the ibm path.) That would simplify my life immensely!

Thanx for all the comments and advice.  --doug

Offline T6

Re: JAVA.Exploit.Agent-2
« Reply #10 on: August 30, 2012, 10:33:19 PM »
the jar file needs java engine to run, if you removed java, it won't work afaik

i still think it could be a false positive

about avast, they have a rpm or a .bin/run file?

if a rpm, then rpm -i thenameofthepackage to install it

if a bin/run, then you need to change permission to executable and then run it by chmod u+x thenameofthepackage and then ./thenameofthepackage

last time i used avg it didn't do much, no idea how avast is working now

that virus supposedly is the one that verifies what os you have and then tries to connect to internet and download more stuff to start the real attack on the os you are

what i find interesting is the location of it, why in the temp folder of lotus symphony? why not in /tmp?

if it was a real virus, was it part of a office file you opened in lotus?

Offline dougmack

Re: JAVA.Exploit.Agent-2
« Reply #11 on: August 30, 2012, 11:30:36 PM »
OK, I'm familiar with using rpm files, and I can install the file from the rpm, assuming it works like other rpm installs--I'm not sure why all the steps that were indicated in the instructions here. (That's how I got Symphony.) Perhaps you'll tell me why you say that the Exploit Agent is a temporary file--it's not in a tmp or temp directory. What part of the path is the clue?

If the putative virus is/was in a Symphony file I downloaded, then ClamAV should have found that file--it's almost surely still on the computer, unless the (possible) virus erased the file that carried it in?

I have avg on my Win7 machine, as well as the MS Security program. AVG seems to know when sites are flaky--I don't know if it actually catches any viruses. I think it has a pretty good rep, as these things go. It's obviously hard to judge a program that works, but one that doesn't shows up real quick!

Thanx for the input.  --doug
« Last Edit: August 31, 2012, 02:55:46 PM by Old-Polack »

Offline Tony

Re: JAVA.Exploit.Agent-2
« Reply #12 on: August 31, 2012, 07:26:53 AM »
Quote
ClamAV has found JAVA.Exploit.Agent-2, and says it can not be quarantined or deleted. Ran scan on filesystem from ClamTk. (GUI frontend to ClamAV.) The entire path is:
/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins/com.ibm.rcp.j2se.linux.x86_1.6.0.20110713a-201108151128/jre/lib/plugins.jar

What you'd do is Google that whole path, or parts of the path. If what you have is a Virus others will also have reported that path, or the file on the end of the path. That's how a Malware Expert would approach the result from ClamAV.

You are Dual booting with Windows, and say you have plenty of protection. That's too easy. AVG is fine. Same as every AntiVirus Software, it'll protect you while running Windows. If T6 had been using AVG "for years" he would have said it found False Positives too.  ;) No need to be putting down Avast!, all AV's have their traits, well off the Topic at hand.

This exploit is a nuisance to us in Linux, which is rare, and won't behave as a Windows Virus, it can't; totally different Systems, and architecture.
Therefore...
As Archie has said:
Quote
There is not enough information to go by so guessing at this point is moot.

Honestly, I don't know what else you can do. I don't have a clue what should be done except disable Java. However, if you need it then you are still at risk.

Good luck.


So we wait and gather info as it appears, about "JAVA.Exploit.Agent-2" on Linux Systems, with Java apps turned off.

1.) Turn off Java as shown by menotu.
2.) Google info about Terms such as "Java Exploit", use your imagination: "Java exploit in Linux"; "Running Java in Linux".

For Windows Check:

http://forum.avast.com/index.php?topic=53253.0
http://www.bleepingcomputer.com/filedb/
http://www.bleepingcomputer.com/forums/topic34773.html

*This is an example of a Windows virus: "Exploit.Java.Agent.f" Detected on a Windows System from a quick Google search on the Web.
http://forum.kaspersky.com/index.php?showtopic=174394
It has no relation to the Java exploit in Linux.

I don't have further info on the Linux exploit of Java.

The TUTORIAL for installing "avast4workstation-1.3.0-1.i586.rpm" has worked for hundreds of people.
It will only find Windows Viruses to protect your Windows Partition, and any Windows Users you interact with. Same as ClamAv for Linux. I'm sure this is easy to distinguish from this so called Java Exploit in Linux.

We have to search and wait for further info on how this exploit works on Linux Systems.

« Last Edit: August 31, 2012, 08:23:50 AM by Abraxas »

Offline T6

Re: JAVA.Exploit.Agent-2
« Reply #14 on: August 31, 2012, 12:32:17 PM »
"Perhaps you'll tell me why you say that the Exploit Agent is a temporary file--it's not in a tmp or temp directory. What part of the path is the clue?"

sorry, when i read the path you posted, it seems that i read the last part of the address as tmp but it says lib, i was wrong, i really need to use my glasses  :-[

then, the file was placed there by the install, that /opt folder is not accessible for normal user afaik

"If T6 had of been using AVG "for years" he would have said it found False Positives too." and "No need to be putting down Avast!, all AV's have their traits, well off the Topic at hand."

why do you say this?  i mentioned avast because it is what i used until 2011, before that, i used avg only

right now i use avira in my house and avast for some clients i have, avast gives me lots of false positive but also works well so one thing mitigates the other

i never said avg didn't give me false positives in the past, it did, it also just deleted the file when i knew it wasn't a virus so i had to disable the antivirus to handle the file, avira at least complains first and i can tell it to not delete the file

since i haven't used avg in last 3 or 4 years, i can't mention if currently it gives that or not and if false positives is common on it now

remember that i fix windows pcs, it has been my job and my hobby for the last 13 years, if you try to find holes or weaknesses in my statements you will find many because in the first place, i don't speak english so i have to translate first what i write to english, my english knowledge is limited so then i try to find logic in what i just wrote and make corrections, also i can't talk about every single product and its current state because i can't use every single product existing just to know it exists

from your reply it seems that my posts are not welcome or you think i'm telling lies, or perhaps you expect me to know everything from every single product created for windows

if that is the case, i ask you, are you crazy?