> Something not commonly seen in JVM malware that is present here is a class titled VMEscape. It checks if it's in a sandboxed Windows environment by checking if the current user is WDAGUtilityAccount, which is part of the Windows Defender Application Guard. If this condition is met, an attempt to escape the sandbox system is made.
> The process is roughly as follows:
> - Start a repeating thread to run the following actions:
> - Create a temporary directory using Files.createTempDirectory(...)
> - Iterate over FileDescriptor entries in the system clipboard (Supposedly this will be accessing the contents of the host)
> - Create a shortcut that looks like the original file (using icons from SHELL32) but instead invokes the malware
> - Assigns this shortcut to the clipboard, overwriting the original file reference
> Thus, if a user copies a file and goes to paste it elsewhere they will instead paste a shortcut that looks like their intended file, but actually runs the malware.
Kind of reminds me of the very subtle malware found in a modified version of a bitcoin wallet that would lay low, but when you copy-paste a BTC address in the recipient field, the malware replaces the clipboard with their own address in hopes you don't check it twice.
But only if the user has a high balance on their own wallet.
At least one person fell for this when they made a small test-transfer which went through, but when they entered the higher BTC amount the recipient was replaced. Pretty smart and evil stuff.
It gets even better, those malware even dynamically generate replacement wallets, finding ones that have similar starting and ending characters to the target one so that the victim can't easily recognize that the wallet has been replaced.
Wow, that is nasty. I would actually fall for that, I never thought of double checking copy/pasted data, only in cases I copied something similar before and I want to make sure I really did press copy.
When HDDs used to be the norm, that would raise an obvious audiovisual signal that something isn't right. Unfortunately with almost everyone using SSDs these days, and the loss of activity indicators[1] on a lot of machines, it would be barely noticeable.
[1] I suspect that it's also in the interests of "officially sanctioned" malware to hide its presence.
This is one of the (several) modern trends of computing that I dislike severely. There are lights for all kinds of nonsense but actually useful information, like Wifi status, disk activity, and even POWER ON/OFF are removed for some misdirected sense of minimalism or style.
My issue with them is I don't need my house lit up like a Christmas tree at 2am in the morning when everything is "off". I've never found having a flashing light a great way of troubleshooting when there are a lot better tools to measure disk or network usage anyway.
I like my Lenovo X200 with all its glorious light indicators, some of which one can even see when the lid is closed. I wish modern laptops would have those again.
We didn't have rainmeter back when hard drives were used as boot drives. I have a pretty large set of windows performance monitor and HWInfo readouts running on all of my windows machines with modified versions of the simpleperfmeter and now rainformer skins.
No need to have uncontrolled diagnostic feedback when you can make it be exactly what you want in a much more rich/dense format. Clicking doesn't tell you much compared to time traces of read and write activity, drive temperature, and page fault rate.
For a modern OS, some indicator LED for drive activity would just be constantly flashing at different rates. Something is always writing to a log somewhere, just on the OS itself.
To actually be useful more information would need to be carried: different rates (by colour, brightness, or a simple bar of variable length), an indicator per drive if multiple, ...
This is not true at all. I'm running Linux and I am alerted by the HDD LED when it lights up and then I realize that I left the BitTorrent client running or something like that. But in regular browsing and using the device, the LED is mostly off, blinking once every 10 seconds or so.
I find that SSDs have a terrible failure mode too. Everyone thinks they are "fast" so they do all sorts of file operations that would have previously been considered too slow. However, consumer SSDs are only "fast" until they run out of DRAM buffer or SLC cache. Then they slow WAY down, like slower IOPS than my spinning rust disk. That means your busy machine goes from perfectly fine to nearly locked up, because even the OS now thinks file operations are "cheap" enough to block on and rely on in all sorts of hot paths.
Once that buffer or cache runs out, all those mostly extraneous IOPS just pile up, and the SSD will basically never catch up, because the technology fundamentally cannot catch up to a sustained load like that, but the load is sustained because all the software was designed with "SSDs are fast and lots of small writes will be fast" so they just keep growing the queue.
Previously most of the OS would be in memory and only page out if absolutely needed. It feels like modern Windows is perfectly willing to page itself out because "SSDs are fast" and has random, pointless file ops everywhere. So if your SSD gets bogged down, now your operating system basically dies too, so good luck killing whatever app(s) are causing the problem.
My new-ish Dell XPS laptop actually does make noises; I think from the SSD due to [0]. It can indeed be quite useful for figuring out when something’s not quite right.
Also, it checks the entire system for JARs and injects its stage0 bootstrap! That includes Maven and Gradle caches. Reading this part sent a slight cold shiver down my back. An infected mod dev could become a new spreader.
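A defender-side integrity check for the cache poisoning described in the comment above, added here as an example and not code from the post or from the fractureiser investigation. Both Maven's ~/.m2 (a sibling `<name>.jar.sha1` file) and Gradle's modules-2 cache (the `<sha1>/` directory the file sits in) record the SHA-1 of each artifact at download time, so a jar whose bytes no longer match that hash was modified after it was cached; the directory tree, the artifact names and the appended `Stage0.class` entry below are all constructed.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha1_of(path: Path) -> str:
    return hashlib.sha1(path.read_bytes()).hexdigest()

def is_sha1(s: str) -> bool:
    return len(s) == 40 and all(c in "0123456789abcdef" for c in s)

def expected_sha1(jar: Path):
    """SHA-1 recorded at download time: Maven keeps a sibling <name>.sha1 file;
    Gradle stores the file as modules-2/files-2.1/<group>/<name>/<ver>/<sha1>/<file>."""
    sidecar = jar.with_name(jar.name + ".sha1")
    if sidecar.is_file():
        token = sidecar.read_text().split()[0].lower()
        if is_sha1(token):
            return token
    parent = jar.parent.name.lower()
    return parent if is_sha1(parent) else None

def scan_cache(root: Path) -> list:
    """Paths of jars whose current bytes no longer match the recorded SHA-1."""
    tampered = []
    for jar in sorted(root.rglob("*.jar")):
        want = expected_sha1(jar)
        if want is not None and sha1_of(jar) != want:
            tampered.append(str(jar))
    return tampered

def make_jar(path: Path, entries: dict, mode: str = "w") -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, mode) as z:
        for name, data in entries.items():
            z.writestr(name, data)

def gradle_place(version_dir: Path, name: str, entries: dict) -> Path:
    # Lay a jar out the way Gradle's cache does (constructed layout): <sha1>/<name>
    staging = version_dir / name
    make_jar(staging, entries)
    final = version_dir / sha1_of(staging) / name
    final.parent.mkdir(parents=True)
    return staging.rename(final)

def demo():
    """Constructed tree: a clean Maven jar plus one Gradle jar that had a class
    appended after caching, the way an injected bootstrap would be."""
    root = Path(tempfile.mkdtemp())
    manifest = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}
    m2 = root / ".m2/repository/com/example/lib/1.0/lib-1.0.jar"
    make_jar(m2, manifest)
    m2.with_name(m2.name + ".sha1").write_text(sha1_of(m2) + "\n")
    ver = root / ".gradle/caches/modules-2/files-2.1/com.example/lib/1.0"
    bad = gradle_place(ver, "lib-1.0.jar", {**manifest, "README": "src"})
    make_jar(bad, {"com/example/Stage0.class": b"\xca\xfe\xba\xbe"}, mode="a")
    return scan_cache(root), str(bad)
```

Run `scan_cache(Path.home() / ".m2")` or `scan_cache(Path.home() / ".gradle/caches/modules-2")` against a real machine; a hit means the jar changed after it was downloaded, which never happens to a legitimately cached artifact.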
God, I'm sick of "everything you run runs under your full rights". It doesn't reflect reality; it may have in the '80s. Now it's impossible to know what is being executed, so it shouldn't make sense that it has free rein. IT SHOULD ASK FOR EVERY FKIN RESOURCE IT WANTS TO ACCESS.
It seems baffling that we have this massive community making mods with highly insecure raw java code, and somehow nobody thought of figuring out how to sandbox the stuff.
What's amazing to me is you have an entire modscene of young or amateur programmers uploading binary code to god-knows-where and this is the first time this sort of thing has happened (that I can recall)
What's the security like on Steam workshop? Or Nexusmods? Gaming and modding is still rife with lots of little "here download my exe from this forum post and give it a run please".
Pretty much every game I play modded ends up with some kind of support framework DLL that tons of other mods build from. I am amazed that that has still not really blown up in our faces here in 2023.
I think this goes to show how effective the trust we place in the social network is. These things don't happen immediately for every new game because mod spread through word of mouth (or forums, or server-to-player-to-server), and each community's moderators are there to take down any malicious payload that does get discovered.
Generally the misadventures have been limited to attacks against individuals in personal bitch fights, and overzealous copy protection / license enforcement schemes from paranoid people (those selling Xplane planes, for example).
There's a lot of hinky stuff out there that doesn't quite reach the level of "malware", just potential fun.
Specialized "Visual Studio" extensions are worth looking hard at too.
>What's amazing to me is you have an entire modscene of young or amateur programmers uploading binary code to god-knows-where and this is the first time this sort of thing has happened (that I can recall)
Which is especially surprising considering the sheer insanity of Minecraft modders and hackers.
I'm sure people have thought about it, it's just hard, annoying, and asking a lot of mostly unpaid OSS contributors. Many mod developers are high school / college aged.
Sandboxing Java code running in process requires ugly and obscure security APIs and restricts you to having to have a common modding API (Forge). Many mods use bytecode patching and would be broken completely.
The page this post links to is for the prism launcher, a 3rd-party launcher that enables a lot of very useful features such as automatic mod installs. Crucially, it is distributed as a flatpak with sane default permissions, which means that pretty much all linux users are safe (turns out even the ones not using flatpak were safe because they borked their unit file but still).
People thought of sandboxing the stuff, but the people thinking of that and the people making the mods aren't the same people and the people making the mods would rather be able to do things outside a single API.
I foresee this being a big problem for the Godot game engine as it gains popularity. There's absolutely no sandboxing or "safe mode" or anything when loading extra resource packs, and any resource or scene file can have an embedded script which executes upon loading.
Do you mean this would be an issue with regards to using their asset store/3rd party plugins for your game?
If so, how is it really any different from just regular nodejs packages or Python packages? That's a risk developers seem to ignore.
Or are you talking about scripts being added for modding purposes like Minecraft? If so, that's a pretty good point; it would be nice to have Godot implement some sort of sandboxed system you can use. Not sure what the term would be or how that would even work.
The same could be said about NPM, or pip, or crates. The security model is "they will probably find the backdoor before it affects me", and it's unreasonably effective.
Time for folks to try out Minetest, perhaps. I happen to know it has sandboxed its Lua mods to prevent just this sort of attack. I don't play it myself, but I know the person who wrote the sandboxing code. Or knew him. He passed away recently.
This is highly annoying/intentional timing as Minecraft 1.20 just got released but now it is tainted with fears of viruses and extra steps to mitigate. For a friend who streams minecraft content and relies on the income this is a big setback and extra-risky for them if their account secrets are stolen.
Many smaller mods updated quickly. This is a) because this is not a very large update, and b) because Minecraft has pre releases and release candidates which are practically the same as the final release, so the mod can be updated before the final release of the version.
Also, many mods are necessary for performance reasons, due to vanilla's performance being questionable at times.
A lot of people use accessibility mods that suck to go without. Not having ItemScroller causes me physical pain after just a few minutes of clicking around in chests.
I'm just going to stick with 1.19 and the mods I downloaded several months ago until this matter is sorted out.
A second computer is actually a pretty typical setup for streaming. One PC actually runs the game, and a capture card sends the audio/video output to a second PC that runs your streaming software.
Either way though, no matter how you sandbox Minecraft, at least your Minecraft account is going to be vulnerable.
It's been years since I've done it so maybe it's much better now, but getting games to run properly in a VM was a huge hassle for me. In the best cases 3d acceleration was slow, often it just wouldn't work at all.
VMs are no-go for gaming, unless you are willing to do dedicated gpus. Reminder that most people streaming minecraft do not know what a vm is to begin with :)
This wouldn't even be a good way to protect yourself, because the useful things are all tied to the game account, which would be inside the VM.
It's one of the biggest games in the world, so I can see the appeal of targeting Minecraft players, especially since a lot of them are children and don't know what's going on. I checked my son's computer for this malware yesterday, and luckily he wasn't infected, but I ran OSForensics on his computer afterwards to see what kind of data an attacker might be able to get if he did get infected, and there was all sorts of PII from myself and my wife having used that computer before at one point or another. I'm sure with such a large install base there's plenty of opportunity to steal lots of valuable info.
Some of the very first reports of log4j were against Minecraft servers. If you go look at the original Github issue in which it was identified, all of the posts prior to anyone understanding its gravity were from Minecraft server operators.
People try to get around online moderation bans for calls to violence or such by saying things like "Someone needs to kick that guy's ass... In Minecraft"
This is just evil.
https://old.reddit.com/r/adventofcode/comments/zb98pn/2022_d...
It is also the reason I like mechanical relays in car. You can hear the startup sequence and listen if something is wrong.
[0] https://superuser.com/a/1603734
[0] https://learn.microsoft.com/en-us/sysinternals/downloads/pro...
MATE desktop but I bet there are equivalents everywhere.
https://github.com/fractureiser-investigation/fractureiser
Pretty significant find. Exercise caution if you have downloaded Minecraft mod packs since at least April.
Granted, this is a large concern for clients.
I thought it took a hot minute to get mods updated anyway
I’m not a malware expert by any means, but I am pretty sure VMs are extremely hard for malware to escape when it isn’t expecting it.
And VMs take almost no technical skill to set up nowadays.
Data does not persist though, so maybe create a setup script to install mods combined with cloud syncing for saving game state.
https://learn.microsoft.com/en-us/windows/security/applicati...
Also would be surprised if a commercial AV like Bitdefender doesn’t pick this malware up.
If someone found an md5 preimage attack, they wouldn’t burn it on some random Minecraft players.