Nailed By Java Exploit - Possible Comodo Firewall Vulnerability

I got nailed with this Java exploit last Thursday evening: http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-February/006316.html.

I am running Comodo ver. 4.916 in firewall proactive and custom policy mode; WIN XP SP3 fully patched.

I was surfing and received an alert from Comodo about java.exe. Not sure if it was from the firewall or Defense+, but I suspect it was from the firewall. It was one of those yellow Safe application alerts. Seeing that it was a safe app, java.exe, and not fully paying attention, I allowed it and the fun started.

When I did my first boot yesterday, XP went into that all-light-blue screen you see when running disk fix and the like. It sat there for a while displaying “Waiting …”, I think; not a good sign.

Later, I was in Task Manager and noticed some unusual svchost.exe activity, so I decided to do an AV scan using my Symantec Endpoint 11.6 AV. Lucky I did, since it found no less than 7 Trojans stored as compressed entries in the Documents and Settings\sun\java\cache folders.

Doing some computer forensics, I saw that a new sub-rule had been added to my existing java.exe firewall rule allowing outbound UDP to port 8080. Never saw that one before. I also traced the offending IP of 95.211.30.36 using the Comodo firewall log.

Bottom line advice here is to be fully awake when running custom policy mode for the firewall.

Also, I think Comodo needs to check this out as it pertains to their canned “Safe” rules for java.exe.

Quick question: do you have the sandbox enabled?

No, I don’t have Comodo’s sandbox installed. I have been waiting for it to shake down a bit longer.

I do have a license for Defensewall. I uninstalled it since I don’t fully trust the Ru-skies but guess I will reinstall it. It would have trapped the Java app install. In the worst case, I could have done a rollback with it.

Anyone know anything about Avira AntiVir Premium WebGuard? Everything I have read on it says it will catch virtually everything coming off the Internet.

Use Firefox with Sandboxie. It's your choice whether you want to buy it or use it for free as long as you want.

It would erase all traces of anything as soon as you close Firefox. Be careful to get the settings right the first time :wink: . That's all.

What you saw was a Java exploit, but nothing happened to your system. The Java app might have dropped some files in the Java cache (think Temporary Internet Files, but for Java), but nothing was executed, because if it had been, D+ would have given you an alert.

The Avira WebGuard will not catch everything; trust me, I have tested it and it misses a ton of things.

I am attaching a pic of Symantec’s log showing the Trojans. Ignore the heuristic entries. They are related to an earlier event.

I theorize these were backdoors waiting to be triggered by a later event. Must say I have never seen a compressed infection like this. I can’t really say they were benign either since they were downloaded for a reason.

I also did receive that blue boot screen indicating something was running at low kernel level. I have done rootkit scans with GMER’s MBR and RootkitRevealer and came up clean. Plan on doing some AV boot CD scans with Kaspersky, BitDefender, etc. tomorrow. I have 5 of those CDs.


Something I’d always like to know is whether Comodo protects against exploits. I mean, if I open a PDF document or Java application which is infected and the CIS antivirus does not catch it, could the infection spread to the system, or is D+ able to prevent it in some way?

Anyone who thinks the vmain.class Trojan can’t do a lot of harm to your PC, check out this link: It looks like im infected - Am I infected? What do I do?. This is one of many references on the web, and this malware seems to be currently quite active.

For starters I would set up a blocked network, 95.211.0.0 - 95.211.255.255. Actually, if I had a way to block all RIPE servers out of Amsterdam, I would do it!

I did some more research and I must say, the plot definitely thickens. I am attaching more screen shots of my Comodo firewall log that I will refer to below.

I forgot that a Java update was triggered on June 2. This update also resulted in a few firewall popups from javaw.exe. This activity from the log is shown on the first screen shot. The IP for the Java update request was 192.204.11.19, which is NTT America in Colorado. I assume that is a valid server for Sun/Oracle? The TCP port 80 request for javaw.exe was to 137.254.16.78, which is Oracle. The final TCP port 80 request for javaw.exe was to IP 66.235.128.158, which is Omniture, Inc. I have no idea who that is.

Now the question is, why are there multiple javaw.exe requests to different IPs for a Java update? Finally, no Java update was performed as far as I can tell. My current ver. is 1.6.20, which is what it was previously.

The next screen shot is for June 3 right after my initial boot for that day. It shows a UDP port 53 inbound request to System that was blocked. What is extremely interesting is that the source port for this request corresponds to a preceding outbound source port 53 destination port 51726 request from Comodo update?

The final screen shot is for that java.exe that I am 99% sure dropped the compressed Trojans on my PC.

At this point, I am not sure what to make of this. It does point to some sort of malware that attempted to piggyback on to Comodo’s update, and that block rule I had in place saved me from getting seriously infected by those compressed Trojans sitting in the Java cache area.

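The two log observations in the post above (an inbound UDP/53 packet whose destination port matched the source port of an earlier outbound DNS query, and a java.exe rule that suddenly allowed outbound UDP to port 8080), together with the range-blocking question raised earlier for 95.211.0.0 - 95.211.255.255, are the kind of thing worth checking with a small script rather than by eye. The Python below is an added example and is not part of this thread or of Comodo's software. Its pipe-separated log layout, process names, addresses and sample lines are constructed for the illustration and do not reproduce Comodo's real log format; the allow-list of expected (process, protocol, port) tuples is likewise an assumption.

```python
"""Correlate inbound UDP/53 packets with preceding outbound DNS queries, flag
outbound flows that are not on an expected-traffic allow-list, and check whether
an address falls inside a CIDR block.

Constructed example: the log format below is an assumption, not Comodo's real one.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    app: str
    action: str     # "Allowed" or "Blocked"
    direction: str  # "Out" (local -> remote) or "In" (remote -> local)
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample log (assumed layout: ts|app|action|dir|proto|src|sport|dst|dport).
# "updater.exe" and the addresses are placeholders, not real Comodo process names.
SAMPLE_LOG = """\
2010-06-03 08:01:10|updater.exe|Allowed|Out|UDP|192.168.1.5|51726|192.168.1.1|53
2010-06-03 08:01:10|System|Blocked|In|UDP|192.168.1.1|53|192.168.1.5|51726
2010-06-03 08:01:40|System|Blocked|In|UDP|95.211.30.36|53|192.168.1.5|51726
2010-06-03 08:02:00|java.exe|Allowed|Out|UDP|192.168.1.5|49152|95.211.30.36|8080
2010-06-03 08:02:01|java.exe|Allowed|Out|TCP|192.168.1.5|49153|137.254.16.78|80
"""

# Assumed allow-list of traffic the poster's Java and updater rules should produce.
ALLOWED_OUTBOUND = {
    ("java.exe", "TCP", 80), ("java.exe", "TCP", 443),
    ("javaw.exe", "TCP", 80), ("javaw.exe", "TCP", 443),
    ("updater.exe", "UDP", 53), ("updater.exe", "TCP", 80),
}


def parse_log(text):
    """Parse pipe-separated log lines into Event records, skipping blanks/comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, app, action, direction, proto, sip, sport, dip, dport = line.split("|")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), app, action,
                            direction, proto, sip, int(sport), dip, int(dport)))
    return events


def classify_dns_replies(events, window=timedelta(seconds=5)):
    """Map each inbound UDP packet from port 53 to 'solicited' or 'unsolicited'.

    A reply counts as solicited only if an outbound UDP query to the *same* resolver
    address left the *same* local port no more than `window` earlier. A matching
    port alone is not enough: a packet from a different source aimed at a recently
    used ephemeral port is exactly what a spoofed or scanning reply looks like.
    """
    queries = [e for e in events
               if e.direction == "Out" and e.proto == "UDP" and e.dst_port == 53]
    verdicts = {}
    for reply in events:
        if not (reply.direction == "In" and reply.proto == "UDP" and reply.src_port == 53):
            continue
        solicited = any(
            q.src_ip == reply.dst_ip and q.src_port == reply.dst_port
            and q.dst_ip == reply.src_ip
            and timedelta(0) <= reply.ts - q.ts <= window
            for q in queries)
        verdicts[reply] = "solicited" if solicited else "unsolicited"
    return verdicts


def unexpected_outbound(events, allowed=ALLOWED_OUTBOUND):
    """Return outbound events whose (app, proto, dst_port) is not on the allow-list."""
    return [e for e in events
            if e.direction == "Out" and (e.app, e.proto, e.dst_port) not in allowed]


def in_network(ip, cidr):
    """True if `ip` lies inside the CIDR block (95.211.0.0/16 == 95.211.0.0-95.211.255.255)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for reply, verdict in classify_dns_replies(evs).items():
        print(f"{reply.ts} reply from {reply.src_ip}:53 -> :{reply.dst_port}: {verdict}")
    for e in unexpected_outbound(evs):
        print(f"{e.ts} UNEXPECTED {e.app} {e.proto} -> {e.dst_ip}:{e.dst_port}")
    print("95.211.30.36 in Leaseweb /16:", in_network("95.211.30.36", "95.211.0.0/16"))
```

On the constructed input the first inbound packet is a normal reply from the resolver that was queried, while the second, from 95.211.30.36 to the same local port 30 seconds later, is unsolicited, which is the distinction to make before reading a matching port number as a piggyback attempt. The java.exe UDP/8080 flow is the only outbound event not covered by the allow-list, which is how a silently added sub-rule would surface in a review.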

Looks like this might be the culprit? Unpatched Java Exploit Spotted In-the-Wild – Krebs on Security

So much for Sun’s Java security patches!

Well, stop using Java and everything will be alright.:slight_smile:

Looks like I wasn’t the only one to get infected: http://isc.sans.edu/diary.html?storyid=2934. Maybe this is some kind of annual bug? I got infected approx. three years to the date afterwards. Oh … obviously Sun never really patched Java against this ■■■■■■. Lies, and more lies. That appears to be all what the PC is about.

Also, this latest Comodo update keeps the global allow-all-out rule in place, which is part of the problem. I have yet to perform a Comodo update via the Internet and have any of my existing rules modified. I think Comodo needs to clarify that these updates, as they pertain to firewall rules, are only in effect when doing a stand-alone uninstall and then reinstall.

RIPE is one of the official bodies that hand out IP addresses in Europe, the Middle East and parts of Central Asia.

I looked up the IP address you gave using Whois - IP Address - Domain Name Lookup. That pointed to a Dutch hosting company called Leaseweb (Leaseweb owns the 95.211.0.0 - 95.211.255.255 range). You should simply block the offending IP address, not the complete Leaseweb range. Leaseweb got their IP addresses from RIPE, as RIPE serves this particular part of the world.

I just block the entire ISP range. If everyone did that, the ISPs might do a better job policing the “bad guys” on their network.

Big Brother is something that I think we should all be afraid of. Be careful what you wish for, my friend.

Looks like Bequick is right.