> Something not commonly seen in JVM malware that is present here is a class titled VMEscape. It checks if it's in a sandboxed Windows environment by checking if the current user is WDAGUtilityAccount, which is part of the Windows Defender Application Guard. If this condition is met, an attempt to escape the sandbox system is made.
> The process is roughly as follows:
> - Start a repeating thread to run the following actions:
> - Create a temporary directory using Files.createTempDirectory(...)
> - Iterate over FileDescriptor entries in the system clipboard (Supposedly this will be accessing the contents of the host)
> - Create a shortcut that looks like the original file (using icons from SHELL32) but instead invokes the malware
> - Assigns this shortcut to the clipboard, overwriting the original file reference
> Thus, if a user copies a file and goes to paste it elsewhere they will instead paste a shortcut that looks like their intended file, but actually runs the malware.
Kind of reminds me of the very subtle malware found in a modified version of a bitcoin wallet that would lay low but when you copy-paste a BTC address in the recipient field, the malware replaces the clipboard with their own address in hopes you don't check it twice
But only if the user has a high balance on their own wallet.
At least one person fell for this when they made a small test-transfer which went through but when they entered the higher BTC amount the recipient was replaced. Pretty smart and evil stuff
It gets even better, those malware even dynamically generate replacement wallets, finding ones that have similar starting and ending characters to the target one so that the victim can't easily recognize that the wallet has been replaced.
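The lookalike-address trick described above (same leading and trailing characters, different middle) suggests a cheap defensive check: compare what the user actually copied with what is about to be pasted, and warn when the two differ only in the middle. The Python below is an added example, not code from this thread or from any wallet software; the addresses are constructed stand-ins, and the event list stands in for a real clipboard hook, which this example does not implement.

```python
# Addresses below are constructed stand-ins for the demo, not real wallets.
COPIED = "1Ex4mpleSourceAddressQQQQQQQQQQQ7kR2"
LOOKALIKE = "1Ex4mpleLookalikeZZZZZZZZZZZZZZZ7kR2"   # same first 8 and last 4 chars
UNRELATED = "hello from an unrelated paste"


def shared_edges(a, b):
    """Return (leading, trailing) counts of characters a and b have in common
    at their start and end; the trailing count never overlaps the leading one."""
    lead = 0
    for x, y in zip(a, b):
        if x != y:
            break
        lead += 1
    trail = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        trail += 1
    return lead, min(trail, min(len(a), len(b)) - lead)


def audit(events, edge=4, min_len=20):
    """Replay (kind, text) clipboard events, where kind is 'copy' or 'paste'.
    A paste whose text differs from the last copy but keeps at least `edge`
    leading and trailing characters is reported as a suspected swap.
    Strings shorter than min_len are ignored to keep noise down."""
    alerts = []
    last_copied = None
    for kind, text in events:
        if kind == "copy":
            last_copied = text
        elif kind == "paste" and last_copied is not None:
            if text == last_copied or len(text) < min_len or len(last_copied) < min_len:
                continue
            lead, trail = shared_edges(last_copied, text)
            if lead >= edge and trail >= edge:
                alerts.append({"copied": last_copied, "pasted": text,
                               "lead": lead, "trail": trail})
    return alerts


def demo():
    """Constructed event stream: one clean round trip, one unrelated paste,
    and one paste where the clipboard was silently replaced by a lookalike."""
    events = [
        ("copy", COPIED), ("paste", COPIED),      # clean: pasted what was copied
        ("copy", UNRELATED), ("paste", UNRELATED),
        ("copy", COPIED), ("paste", LOOKALIKE),   # swapped between copy and paste
    ]
    return audit(events)


if __name__ == "__main__":
    for a in demo():
        print(f"suspected swap: copied {a['copied']} but pasting {a['pasted']} "
              f"(shares {a['lead']} leading / {a['trail']} trailing chars)")
```

The check is deliberately narrow: a clipboard rewritten to something completely different is not flagged, only the substitution pattern this thread describes. Because it needs the original copy event, a real deployment has to hook the copy side as well as reading the clipboard at paste time.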
Wow, that is nasty. I would actually fall for that, I never thought of double checking copy/pasted data, only in cases I copied something similar before and I want to make sure I really did press copy.
When HDDs used to be the norm, that would raise an obvious audiovisual signal that something isn't right. Unfortunately with almost everyone using SSDs these days, and the loss of activity indicators[1] on a lot of machines, it would be barely noticeable.
[1] I suspect that it's also in the interests of "officially sanctioned" malware to hide its presence.
This is one of the (several) modern trends of computing that I dislike severely. There are lights for all kinds of nonsense but actually useful information, like Wifi status, disk activity, and even POWER ON/OFF are removed for some misdirected sense of minimalism or style.
My issue with them is I don't need my house lit up like a Christmas tree at 2am in the morning when everything is "off". I've never found having a flashing light a great way of troubleshooting when there's a lot better tools to measure disk or network usage anyway.
Disk activity lights can be pretty keen when you're trying to figure out whether or not the system is entirely halted or just slogging through a heavy workload, the kind of time when a tool that is good at measuring such things won't ever even attempt to load.
I also enjoyed the sound that the HDD made when something was happening. So even if the computer froze, the sound gave me a bit of hope. If there was no sound from the HDD and the computer froze, I just restarted the computer and abandoned all hope.
I understand this; on the other hand I pretty much want a totally quiet computer, so I don't really miss the sound. A frantically blinking LED is useful, and desirable if not too bright.
Yes. Related, I really do not need my headset to blink in the eyes of the person I sleep next to this hard. Why does it blink seven times every time I use any command like volume up and down?
So thick black tape it is. (Can't do anything about this voice screaming the headset's status though.)
LEDs that are too bright on my laptops get similar treatment. I try to leave them a bit visible, enough to see in a dark room whether they are on, but the laptop not sending light including when it's suspended is more important.
> when there's a lot better tools to measure disk or network usage anyway.
Only if your system is working fine.
Only if you are okay with switching the context.
'Flashing lights' aren't the best troubleshooting tools, but they are OOB and work constantly. A frantically flashing HDD LED would tell you why the system froze for a couple of seconds way sooner than you could launch some performance monitor things.
monitoring the presence of disk and network activity in general was a lot more useful when computers only did things when you told them to and only made connections to remote hosts when you explicitly requested it. Never knowing what your devices are doing or who/what they are communicating with without having to launch a full scale investigation was nice.
I like my Lenovo X200 with all its glorious light indicators, some of which one can even see when the lid is closed. I wish modern laptops would have those again.
We didn't have rainmeter back when hard drives were used as boot drives. I have a pretty large set of windows performance monitor and HWInfo readouts running on all of my windows machines with modified versions of the simpleperfmeter and now rainformer skins.
No need to have uncontrolled diagnostic feedback when you can make it be exactly what you want in a much more rich/dense format. Clicking doesn't tell you much compared to time traces of read and write activity, drive temperature, and page fault rate.
For a modern OS, some indicator LED for drive activity would just be constantly flashing at different rates. Something is always writing to a log somewhere, just on the OS itself.
To actually be useful more information would need to be carried: different rates (by colour, brightness, or a simple bar of variable length), an indicator per drive if multiple, ...
I've done that in the past, back when I was running Linux on very slow & apparently somewhat fragile solid state devices on a netbook, and when trying to keep traditional drives as quiet as possible in a desktop pretending to be a server that was on all hours, but for the most part I leave logging on and not overly buffered these days. SSDs are quiet and reliable[1] ATM.
--
[1] though for anything I care about I still RAID1[2] everything
[2] with devices from different sources, to reduce the chance of both dying at the same time (or the second dying before the first is replaced and the mirror rebuilt)
This is not true at all. I'm running Linux and I am alerted by the HDD LED when it lights up and then I realize that I left the BitTorrent client running or something like that. But in regular browsing and using the device, the LED is mostly off, blinking once every 10 seconds or so.
I find that SSDs have a terrible failure mode too. Everyone thinks they are "fast" so they do all sorts of file operations that would have previously been considered too slow. However, consumer SSDs are only "fast" until they run out of DRAM buffer or SLC cache. Then they slow WAY down, like slower IOPS than my spinning rust disk. That means your busy machine goes from perfectly fine to nearly locked up, because even the OS now thinks file operations are "cheap" enough to block on and rely on in all sorts of hot paths.
Once that buffer or cache runs out, all those mostly extraneous IOPS just pile up, and the SSD will basically never catch up, because the technology fundamentally cannot catch up to a sustained load like that, but the load is sustained because all the software was designed with "SSDs are fast and lots of small writes will be fast" so they just keep growing the queue.
Previously most of the OS would be in memory and only page out if absolutely needed. It feels like modern windows is perfectly willing to page itself out because "SSDs are fast" and have random, pointless file ops everywhere. So if your SSD gets bogged down, now your operating system basically dies too, so good luck killing whatever app(s) are causing the problem
My new-ish Dell XPS laptop actually does make noises; I think from the SSD due to [0]. It can indeed be quite useful for figuring out when something’s not quite right.
Also, it checks the entire system for JARs and injects its stage0 bootstrap, and that includes Maven and Gradle caches. Reading this part sent a slight cold shiver down my back. An infected mod dev could become a new spreader
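Since the write-up says the malware rewrites JARs across the whole system, including build caches, a developer's first triage step is to walk those directories and look inside every jar rather than trusting an antivirus verdict. The Python below is an added example, not code from this thread or from the write-up's authors; it only looks for the one class name the thread mentions (VMEscape), and the directory layout and jars it builds are a constructed fixture, not real artefacts.

```python
import os
import tempfile
import zipfile

# Class name taken from the write-up quoted in this thread; everything the
# demo scans is constructed below and is not a real artefact.
SUSPICIOUS_CLASS_NAMES = {"VMEscape"}


def suspicious_entries(jar_path):
    """Return the entry names in jar_path whose simple class name (or outer
    class, for Outer$Inner) is in SUSPICIOUS_CLASS_NAMES. Unreadable or
    non-zip files yield []."""
    hits = []
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for name in zf.namelist():
                if not name.endswith(".class"):
                    continue
                simple = name.rsplit("/", 1)[-1][: -len(".class")]
                outer = simple.split("$", 1)[0]
                if simple in SUSPICIOUS_CLASS_NAMES or outer in SUSPICIOUS_CLASS_NAMES:
                    hits.append(name)
    except (zipfile.BadZipFile, OSError):
        pass  # not a zip, or not readable; report nothing rather than crash the walk
    return hits


def scan_tree(root):
    """Walk root (for example ~/.m2/repository or ~/.gradle/caches) and return
    {jar_path: [flagged entries]} for every jar that contains a match."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".jar"):
                path = os.path.join(dirpath, fn)
                hits = suspicious_entries(path)
                if hits:
                    findings[path] = hits
    return findings


def build_sample_tree(base):
    """Constructed fixture: a clean library jar and a mod jar carrying a
    VMEscape class plus an inner class. Class bodies are just the 0xCAFEBABE
    magic, not real bytecode."""
    clean = os.path.join(base, "repository", "org", "example", "lib-1.0.jar")
    tainted = os.path.join(base, "caches", "modules-2", "mod-2.3.jar")
    for p in (clean, tainted):
        os.makedirs(os.path.dirname(p), exist_ok=True)
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("org/example/Lib.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(tainted, "w") as zf:
        zf.writestr("com/mod/Main.class", b"\xca\xfe\xba\xbe")
        zf.writestr("com/mod/VMEscape.class", b"\xca\xfe\xba\xbe")
        zf.writestr("com/mod/VMEscape$1.class", b"\xca\xfe\xba\xbe")
    return clean, tainted


def demo():
    """Build the fixture in a temp dir, scan it, and return findings keyed by
    path relative to the fixture root so the result is stable across machines."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.relpath(p, tmp): hits for p, hits in scan_tree(tmp).items()}


if __name__ == "__main__":
    for jar, hits in demo().items():
        print(f"{jar}: {', '.join(hits)}")
```

A class name is a weak indicator on its own, since a later build of the same malware can rename it; cross-checking jar modification times against the 2-3 week window the linked article gives, and rebuilding Maven and Gradle caches from scratch rather than cleaning them in place, is the more robust response.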
God I'm sick of "everything you run runs under your full rights". It doesn't reflect reality, it may have in the '80s. Now it's impossible to know what is being executed so it shouldn't make sense that it has free rein. IT SHOULD ASK FOR EVERY FKIN RESOURCE IT WANTS TO ACCESS
It seems baffling that we have this massive community making mods with highly insecure raw java code, and somehow nobody thought of figuring out how to sandbox the stuff.
What's amazing to me is you have an entire modscene of young or amateur programmers uploading binary code to god-knows-where and this is the first time this sort of thing has happened (that I can recall)
What's the security like on Steam workshop? Or Nexusmods? Gaming and modding is still rife with lots of little "here download my exe from this forum post and give it a run please".
Pretty much every game I play modded ends up with some kind of support framework DLL that tons of other mods build from. I am amazed that that has still not really blown up in our faces here in 2023.
I think this goes to show how effective the trust we place in the social network is. These things don't happen immediately for every new game because mod spread through word of mouth (or forums, or server-to-player-to-server), and each community's moderators are there to take down any malicious payload that does get discovered.
Generally the misadventures have been limited to attacks against individuals in personal bitch fights, and overzealous copy protection / license enforcement schemes from paranoid (people selling Xplane planes, for example).
There's a lot of hinky stuff out there that doesn't quite reach the level of "malware", just potential fun.
Specialized "Visual Studio" extensions are worth looking hard at too.
> What's amazing to me is you have an entire modscene of young or amateur programmers uploading binary code to god-knows-where and this is the first time this sort of thing has happened (that I can recall)
Which is especially surprising considering the sheer insanity of Minecraft modders and hackers.
I'm sure people have thought about it, it's just hard, annoying, and asking a lot of mostly unpaid OSS contributors. Many mod developers are high school / college aged.
Sandboxing Java code running in process requires ugly and obscure security APIs and restricts you to having to have a common modding API (Forge). Many mods use bytecode patching and would be broken completely.
The page this post links to is for the prism launcher, a 3rd-party launcher that enables a lot of very useful features such as automatic mod installs. Crucially, it is distributed as a flatpak with sane default permissions, which means that pretty much all linux users are safe (turns out even the ones not using flatpak were safe because they borked their unit file but still).
People thought of sandboxing the stuff, but the people thinking of that and the people making the mods aren't the same people and the people making the mods would rather be able to do things outside a single API.
I foresee this being a big problem for the Godot game engine as it gains popularity. There's absolutely no sandboxing or "safe mode" or anything when loading extra resource packs, and any resource or scene file can have an embedded script which executes upon loading.
Do you mean this would be an issue with regards to using their asset store/3rd party plugins for your game?
If so how is it really any different from just regular nodejs packages or Python packages? That's a risk developers seem to ignore.
Or are you talking about scripts being added for modding purposes like Minecraft? If so that's a pretty good point, would be nice to have Godot implement some sort of sandboxed system you can use. Not sure what the term would be or how that would even work.
That's quite possible, I'm not super into the modding scene. I guess my default assumption is that mods should be running through some sort of scripting interface that doesn't have access to things like the filesystem.
When developers add an official modding interface, then it usually works the way you've suggested. They get access to much of the internal API and a sandboxed environment.
Many mods though, work by just subverting the game by replacing components with custom-made ones. This allows substantially more customization.
In Minecraft, both types exist. The first type are called "data packs" or "resource packs" and would not be subject to this attack. The latter type involves swapping in new .jar files and running them directly, which is unsupported by the developer and gives basically unrestricted access.
This might be a bit nitpicky but resource packs just replace assets without scripting capabilities, and datapacks do let you run commands which are Turing-complete but they aren’t really a great programming language because you can’t do things like loops in a normal way
You are running code on your CPU in ring 0 all the time? No. The same way a sandbox gives a whitelist approach to security — this app by default should have no filesystem access. It does want to open a file — ask the user whether it should be able to or not.
Security is upheld, user control is given, everyone is happy.
What kind of sandbox does Windows have? All I could find was about a pro/enterprise feature but even that has to be explicitly started and I doubt minecraft users used that.
Not having admin rights is almost uselessly crude as a “sandbox”.
There is the one called "windows sandbox" but it's not persistent making it useless.
More recently, I've been following https://github.com/microsoft/win32-app-isolation which seems incredibly interesting! If they can pull it off, we will have mobile-os like security on windows, finally, after all these years.
It has been my #1 feature request for windows for so long... I almost can't believe it's actually happening.
The same could be said about NPM, or pip, or crates. The security model is "they will probably find the backdoor before it affects me", and it's unreasonably effective.
Time for folks to try out Minetest, perhaps. I happen to know it has sandboxed its Lua mods to prevent just this sort of attack. I don't play it myself, but I know the person who wrote the sandboxing code. Or knew him. He passed away recently.
This is highly annoying/intentional timing as Minecraft 1.20 just got released but now it is tainted with fears of viruses and extra steps to mitigate. For a friend who streams minecraft content and relies on the income this is a big setback and extra-risky for them if their account secrets are stolen.
Many smaller mods updated quickly. This is a) because this is not a very large update, and b) because Minecraft has pre releases and release candidates which are practically the same as the final release, so the mod can be updated before the final release of the version.
Also, many mods are necessary for performance reasons, due to vanilla's performance being questionable at times.
A lot of people use accessibility mods that suck to go without. Not having ItemScroller causes me physical pain after just a few minutes of clicking around in chests.
I'm just going to stick with 1.19 and the mods I downloaded several months ago until this matter is sorted out.
A second computer is actually a pretty typical setup for streaming. One PC actually runs the game, and a capture card sends the audio/video output to a second PC that runs your streaming software.
Either way though, no matter how you sandbox Minecraft, at least your Minecraft account is going to be vulnerable.
It's been years since I've done it so maybe it's much better now, but getting games to run properly in a VM was a huge hassle for me. In the best cases 3d acceleration was slow, often it just wouldn't work at all.
VMs are no-go for gaming, unless you are willing to do dedicated gpus. Reminder that most people streaming minecraft do not know what a vm is to begin with :)
This wouldn't even be a good way to protect yourself, because the useful things are all tied to the game account, which would be inside the VM.
It's one of the biggest games in the world, so I can see the appeal of targeting Minecraft players, especially since a lot of them are children and don't know what's going on. I checked my son's computer for this malware yesterday, and luckily he wasn't infected, but I ran OSForensics on his computer afterwards to see if he did get infected what kind of data an attacker might be able to get, and there was all sorts of PII from myself and my wife having used that computer before at one point or another. I'm sure with such a large install base there's plenty of opportunity to steal lots of valuable info.
Some of the very first reports of log4j were against Minecraft servers. If you go look at the original Github issue in which it was identified, all of the posts prior to anyone understanding its gravity were from Minecraft server operators.
People try to get around online moderation bans for calls to violence or such by saying things like "Someone needs to kick that guy's ass... In Minecraft"
Hilarious thing is, that sort of speech I think is protected by Brandenburg v. Ohio. It's when it gets specific in a "do x at y" way it gets you v&.
The world of Minecraft mods has always been a bleep-show. Massive community but ignored by the developers for the most part. I'm surprised malware isn't more rampant.
from TFA:
> Until further notice, do not use the official CurseForge launcher, or download anything from CurseForge or the Bukkit plugin repository. While the control server for this malware is currently offline, any download from CurseForge or the Bukkit plugin repository in the last 2-3 weeks should be treated as potentially malicious. This malware is unlikely to be detected by Windows Defender or similar antimalware products.
They've said that virus scanners have started to add the malware signatures now, but I think the point was to say that "you're not fine just because you have an antivirus that would have caught it".
> Something not commonly seen in JVM malware that is present here is a class titled VMEscape. It checks if it's in a sandboxed Windows environment by checking if the current user is WDAGUtilityAccount, which is part of the Windows Defender Application Guard. If this condition is met, an attempt to escape the sandbox system is made.
> The process is roughly as follows:
> - Start a repeating thread to run the following actions:
> - Create a temporary directory using Files.createTempDirectory(...)
> - Iterate over FileDescriptor entries in the system clipboard (Supposedly this will be accessing the contents of the host)
> - Create a shortcut that looks like the original file (using icons from SHELL32) but instead invokes the malware
> - Assigns this shortcut to the clipboard, overwriting the original file reference
> Thus, if a user copies a file and goes to paste it elsewhere they will instead paste a shortcut that looks like their intended file, but actually runs the malware.
This is just evil.