Malware - Revision history

JaroslavTulach: /* Maven & Apache NetBeans 12 */

JaroslavTulach — Mon, 01 Jun 2020 09:03:14 GMT

Maven & Apache NetBeans 12

←Older revision		Revision as of 09:03, 1 June 2020
Line 17:		Line 17:
	=== Maven & Apache NetBeans 12 ===		=== Maven & Apache NetBeans 12 ===

-	Let's download just (about to be) released [[Apache]] [[NetBeans]] 12 to the rescue! First an foremost [[NetBeans]] 12 supports [[Maven]] based projects out of the box - e.g. when you create new project, it is no longer [[Ant]] based, but [[Maven]] based. [[NetBeans]] still recognizes the [[Ant]] based projects, as well as [[Gradle]] based projects, but because of the [[declarative]] format of [[Maven]] and the ability of [[NetBeans]] to deduce classpath & co. without executing a single line of [[Maven]] code, we have decided to standardize around [[Maven]]. Developers still have to be careful when executing their [[Maven]] builds. However, should an attack against that appear in the future, there is not going to be anything [[NetBeans]] specific in it.	+	Let's download just (about to be) released [[Apache]] [[NetBeans]] 12 to the rescue! First and foremost [[NetBeans]] 12 supports [[Maven]] based projects out of the box - e.g. when you create new project, it is no longer [[Ant]] based, but [[Maven]] based. [[NetBeans]] still recognizes the [[Ant]] based projects, as well as [[Gradle]] based projects, but because of the [[declarative]] format of [[Maven]] and the ability of [[NetBeans]] to deduce classpath & co. without executing a single line of [[Maven]] code, we have decided to standardize around [[Maven]]. Developers still have to be careful when executing their [[Maven]] builds. However, should an attack against that appear in the future, there is not going to be anything [[NetBeans]] specific in it.

	Download [[Apache]] [[NetBeans]] 12 - the best [[UI]] for [[Maven]] ever seen!		Download [[Apache]] [[NetBeans]] 12 - the best [[UI]] for [[Maven]] ever seen!

JaroslavTulach: /* Popularity is Popularity */

JaroslavTulach — Mon, 01 Jun 2020 08:03:07 GMT

Popularity is Popularity

←Older revision		Revision as of 08:03, 1 June 2020
Line 7:		Line 7:
	=== Popularity is Popularity ===		=== Popularity is Popularity ===

-	On the other hand, [[I]] haven't noticed such amount of buzz about [[NetBeans]] for a long time. Even negative popularity is a popularity and [[I]] enjoy reading description of the virus attack against the [[Ant]] build files written down by [[NetBeans]] from independent researchers! Moreover, as the researchers noted, ''It was interesting that this malware attacked the [[NetBeans]] build process specifically since it is not the most common Java IDE in use today''. True, [[NetBeans]] is no longer hot and it is fair to ask why did the attackers choose [[NetBeans]]? My favorite explanation is that it was a ''targeted attack'' - an attack against somebody who was known to use [[NetBeans]] to develop some application using [[Ant]] based projects generated by [[NetBeans]]. Might it be a student's prank against roommates? Might it be more serious?	+	On the other hand, [[I]] haven't noticed such amount of buzz about [[NetBeans]] for a long time. Even negative popularity is a popularity and [[I]] really enjoy reading description of the virus attack against the [[Ant]] build files written down by [[NetBeans]] from independent researchers! Moreover, as the researchers noted, ''It was interesting that this malware attacked the [[NetBeans]] build process specifically since it is not the most common Java IDE in use today''. True, [[NetBeans]] is no longer hot and it is fair to ask why did the attackers choose [[NetBeans]]? My favorite explanation is that it was a ''targeted attack'' - an attack against somebody who was known to use [[NetBeans]] to develop some application using [[Ant]] based projects generated by [[NetBeans]]. Might it be a student's prank against roommates? Might it be more serious?

	In any case it is clear, the malware developers could easily use the same attack vector against ''Make'', [[Gradle]] and even [[Maven]]. The chances to spread the virus would be even higher given the dominance of these build systems over [[Ant]]. All that is needed is to locate sources of ''Makefile'', ''build.gradle'' and ''pom.xml'' and mangle them a bit to execute malicious code. In addition to that one can modify the locally cached [[JAR]] files in ''$HOME/.m2/repository'' directory & co. just like the octopus malware did for the [[Ant]] based projects.		In any case it is clear, the malware developers could easily use the same attack vector against ''Make'', [[Gradle]] and even [[Maven]]. The chances to spread the virus would be even higher given the dominance of these build systems over [[Ant]]. All that is needed is to locate sources of ''Makefile'', ''build.gradle'' and ''pom.xml'' and mangle them a bit to execute malicious code. In addition to that one can modify the locally cached [[JAR]] files in ''$HOME/.m2/repository'' directory & co. just like the octopus malware did for the [[Ant]] based projects.

JaroslavTulach: /* Maven & Apache NetBeans 12 */

JaroslavTulach — Mon, 01 Jun 2020 07:41:52 GMT

Maven & Apache NetBeans 12

←Older revision		Revision as of 07:41, 1 June 2020
Line 17:		Line 17:
	=== Maven & Apache NetBeans 12 ===		=== Maven & Apache NetBeans 12 ===

-	Let's download just (about to be) released [[Apache]] [[NetBeans]] 12 to the rescue! First an foremost [[NetBeans]] 12 supports [[Maven]] based projects out of the box - e.g. when you create new project, it is no longer [[Ant]] based, but [[Maven]] based. [[NetBeans]] still recognizes the [[Ant]] based projects, as well as [[Gradle]] based projects, but because of the [[declarative]] format of [[Maven]] and the ability of [[NetBeans]] to deduce classpath & co. without executing a single line of [[Maven]] code, we have decided to standardize around [[Maven]]. Developers still have to be careful when executing their [[Maven]] builds, ~~but~~ should an attack against that appear in the future, there is not going to be anything [[NetBeans]] specific in it.	+	Let's download just (about to be) released [[Apache]] [[NetBeans]] 12 to the rescue! First an foremost [[NetBeans]] 12 supports [[Maven]] based projects out of the box - e.g. when you create new project, it is no longer [[Ant]] based, but [[Maven]] based. [[NetBeans]] still recognizes the [[Ant]] based projects, as well as [[Gradle]] based projects, but because of the [[declarative]] format of [[Maven]] and the ability of [[NetBeans]] to deduce classpath & co. without executing a single line of [[Maven]] code, we have decided to standardize around [[Maven]]. Developers still have to be careful when executing their [[Maven]] builds. However, should an attack against that appear in the future, there is not going to be anything [[NetBeans]] specific in it.

	Download [[Apache]] [[NetBeans]] 12 - the best [[UI]] for [[Maven]] ever seen!		Download [[Apache]] [[NetBeans]] 12 - the best [[UI]] for [[Maven]] ever seen!

JaroslavTulach: /* Vulnerable Build Systems */

JaroslavTulach — Mon, 01 Jun 2020 07:40:33 GMT

Vulnerable Build Systems

←Older revision		Revision as of 07:40, 1 June 2020
Line 13:		Line 13:
	=== Vulnerable Build Systems ===		=== Vulnerable Build Systems ===

-	The current build systems pay little attention to security. Everyone shall be aware that by running a build one is executing a potentially untrusted code. The build systems themselves provide no isolation by itself, the best one can do is to create a virtually isolated environment to perform the build from scratch and throw the results away after that. However, the situation may be even tougher, certain build systems (and their IDE integration) may trigger the untrusted code even when you are inspecting the code - e.g. even without starting the build. [[I]] have described this flaw in my article where I claimed that [[Gradle\|Gradle belongs to the Ant age!]] ~~- in~~ order to assemble a classpath (a prerequisite to editing [[Java]] sources) the [[IDE]] has to execute ''build.gradle'' which can do anything! When I wrote the article [[Gradle]] guys couldn't understand why having a [[Turing complete]] build system is wrong. ~~But~~ I assume they get it one day...	+	The current build systems pay little attention to security. Everyone shall be aware that by running a build one is executing a potentially untrusted code. The build systems themselves provide no isolation by itself, the best one can do is to create a virtually isolated environment to perform the build from scratch and throw the results away after that. However, the situation may be even tougher, certain build systems (and their IDE integration) may trigger the untrusted code even when you are inspecting the code - e.g. even without starting the build. [[I]] have described this flaw in my article where I claimed that [[Gradle\|Gradle belongs to the Ant age!]] In order to assemble a classpath (a prerequisite to editing [[Java]] sources) the [[IDE]] has to execute ''build.gradle'' which can do anything! When I wrote the article [[Gradle]] guys couldn't understand why having a [[Turing complete]] build system is wrong. [[I]] assume they get it one day...

	=== Maven & Apache NetBeans 12 ===		=== Maven & Apache NetBeans 12 ===

JaroslavTulach: /* Popularity is Popularity */

JaroslavTulach — Mon, 01 Jun 2020 07:36:44 GMT

Popularity is Popularity

←Older revision		Revision as of 07:36, 1 June 2020
Line 9:		Line 9:
	On the other hand, [[I]] haven't noticed such amount of buzz about [[NetBeans]] for a long time. Even negative popularity is a popularity and [[I]] enjoy reading description of the virus attack against the [[Ant]] build files written down by [[NetBeans]] from independent researchers! Moreover, as the researchers noted, ''It was interesting that this malware attacked the [[NetBeans]] build process specifically since it is not the most common Java IDE in use today''. True, [[NetBeans]] is no longer hot and it is fair to ask why did the attackers choose [[NetBeans]]? My favorite explanation is that it was a ''targeted attack'' - an attack against somebody who was known to use [[NetBeans]] to develop some application using [[Ant]] based projects generated by [[NetBeans]]. Might it be a student's prank against roommates? Might it be more serious?		On the other hand, [[I]] haven't noticed such amount of buzz about [[NetBeans]] for a long time. Even negative popularity is a popularity and [[I]] enjoy reading description of the virus attack against the [[Ant]] build files written down by [[NetBeans]] from independent researchers! Moreover, as the researchers noted, ''It was interesting that this malware attacked the [[NetBeans]] build process specifically since it is not the most common Java IDE in use today''. True, [[NetBeans]] is no longer hot and it is fair to ask why did the attackers choose [[NetBeans]]? My favorite explanation is that it was a ''targeted attack'' - an attack against somebody who was known to use [[NetBeans]] to develop some application using [[Ant]] based projects generated by [[NetBeans]]. Might it be a student's prank against roommates? Might it be more serious?

-	In any case it is clear, the malware developers could easily use the same attack vector against [[Make]], [[Gradle]] and even [[Maven]]. The chances to spread the virus would be even higher given the dominance of these build systems over [[Ant]]. All that is needed is to locate sources of ''Makefile'', ''build.gradle'' and ''pom.xml'' and mangle them a bit to execute malicious code. In addition to that one can modify the locally cached [[JAR]] files in ''$HOME/.m2/repository'' directory & co. just like the octopus malware did for the [[Ant]] based projects.	+	In any case it is clear, the malware developers could easily use the same attack vector against ''Make'', [[Gradle]] and even [[Maven]]. The chances to spread the virus would be even higher given the dominance of these build systems over [[Ant]]. All that is needed is to locate sources of ''Makefile'', ''build.gradle'' and ''pom.xml'' and mangle them a bit to execute malicious code. In addition to that one can modify the locally cached [[JAR]] files in ''$HOME/.m2/repository'' directory & co. just like the octopus malware did for the [[Ant]] based projects.

	=== Vulnerable Build Systems ===		=== Vulnerable Build Systems ===

JaroslavTulach: /* Vulnerable Build Systems */

JaroslavTulach — Mon, 01 Jun 2020 07:35:51 GMT

Vulnerable Build Systems

←Older revision		Revision as of 07:35, 1 June 2020
Line 13:		Line 13:
	=== Vulnerable Build Systems ===		=== Vulnerable Build Systems ===

-	The current build systems pay little attention to security. Everyone shall be aware that by running a build one is executing a potentially untrusted code. The build systems themselves provide no isolation by itself, the best one can do is to create a virtually isolated environment to perform the build from scratch and throw the results away after that. However, the situation may be even tougher, certain build systems (and their IDE integration) may trigger the untrusted code even when you are inspecting the code - e.g. even without starting the build. [[I]] have described this flaw in my article where I claimed that [[Gradle\|Gradle belongs to the Ant age!]] - in order to assemble a classpath (a prerequisite to editing [[Java]] sources) the [[IDE]] has to execute ''build.gradle'' which can do anything! When I wrote the article [[Gradle]] guys couldn't understand why having a [[Turing ~~Complete~~]] build system is wrong. But I assume they get it one day...	+	The current build systems pay little attention to security. Everyone shall be aware that by running a build one is executing a potentially untrusted code. The build systems themselves provide no isolation by itself, the best one can do is to create a virtually isolated environment to perform the build from scratch and throw the results away after that. However, the situation may be even tougher, certain build systems (and their IDE integration) may trigger the untrusted code even when you are inspecting the code - e.g. even without starting the build. [[I]] have described this flaw in my article where I claimed that [[Gradle\|Gradle belongs to the Ant age!]] - in order to assemble a classpath (a prerequisite to editing [[Java]] sources) the [[IDE]] has to execute ''build.gradle'' which can do anything! When I wrote the article [[Gradle]] guys couldn't understand why having a [[Turing complete]] build system is wrong. But I assume they get it one day...

	=== Maven & Apache NetBeans 12 ===		=== Maven & Apache NetBeans 12 ===

JaroslavTulach: /* Maven & Apache NetBeans 12 */

JaroslavTulach — Mon, 01 Jun 2020 07:35:06 GMT

Maven & Apache NetBeans 12

←Older revision		Revision as of 07:35, 1 June 2020
Line 19:		Line 19:
	Let's download just (about to be) released [[Apache]] [[NetBeans]] 12 to the rescue! First an foremost [[NetBeans]] 12 supports [[Maven]] based projects out of the box - e.g. when you create new project, it is no longer [[Ant]] based, but [[Maven]] based. [[NetBeans]] still recognizes the [[Ant]] based projects, as well as [[Gradle]] based projects, but because of the [[declarative]] format of [[Maven]] and the ability of [[NetBeans]] to deduce classpath & co. without executing a single line of [[Maven]] code, we have decided to standardize around [[Maven]]. Developers still have to be careful when executing their [[Maven]] builds, but should an attack against that appear in the future, there is not going to be anything [[NetBeans]] specific in it.		Let's download just (about to be) released [[Apache]] [[NetBeans]] 12 to the rescue! First an foremost [[NetBeans]] 12 supports [[Maven]] based projects out of the box - e.g. when you create new project, it is no longer [[Ant]] based, but [[Maven]] based. [[NetBeans]] still recognizes the [[Ant]] based projects, as well as [[Gradle]] based projects, but because of the [[declarative]] format of [[Maven]] and the ability of [[NetBeans]] to deduce classpath & co. without executing a single line of [[Maven]] code, we have decided to standardize around [[Maven]]. Developers still have to be careful when executing their [[Maven]] builds, but should an attack against that appear in the future, there is not going to be anything [[NetBeans]] specific in it.

-	Download [[Apache]] [[NetBeans]] 12 - the best [[UI]] ~~form~~ [[Maven]] ~~you have~~ ever seen!	+	Download [[Apache]] [[NetBeans]] 12 - the best [[UI]] for [[Maven]] ever seen!

JaroslavTulach: /* Don't Blame the Editor! */

JaroslavTulach — Mon, 01 Jun 2020 07:31:01 GMT

Don't Blame the Editor!

←Older revision		Revision as of 07:31, 1 June 2020
Line 3:		Line 3:
	=== Don't Blame the Editor! ===		=== Don't Blame the Editor! ===

-	[[I]] have to admit I am not sure I should be ashamed or happy? Helping spreading viruses isn't really something one should be proud of, but at the end [[NetBeans]] IDE itself is quite innocent here. The attack doesn't use the [[NetBeans]] code itself, it just modifies the [[Ant]] build files written down by the IDE. It knows the layout of the files, it knows their structure and knows what to modify to spread itself. Blaming [[NetBeans]] for that is just like blaming your ''Makefile'' editor for saving files that get later modified and do a harm your computer. The problem isn't the IDE nor the editor, the problem is that the developer has allowed an untrusted code to run on own computer and modify local executable files.	+	[[I]] have to admit I am not sure I should be ashamed or happy? Helping spreading viruses isn't really something one should be proud of, but at the end [[NetBeans]] IDE itself is quite innocent here. The attack doesn't use the [[NetBeans]] code itself, it just modifies the [[Ant]] build files written down by the IDE. It knows the layout of the files, it knows their structure and knows what to modify to spread itself. Blaming [[NetBeans]] for that is just like blaming your ''Makefile'' editor for saving files that get later modified and do a harm to your computer. The problem isn't the IDE nor the editor, the problem is that the developer has allowed an untrusted code to run on own computer and modify local executable files.

	=== Popularity is Popularity ===		=== Popularity is Popularity ===

JaroslavTulach: /* Maven & Apache NetBeans 12 */

JaroslavTulach — Mon, 01 Jun 2020 07:28:32 GMT

Maven & Apache NetBeans 12

←Older revision		Revision as of 07:28, 1 June 2020
Line 17:		Line 17:
	=== Maven & Apache NetBeans 12 ===		=== Maven & Apache NetBeans 12 ===

-	Let's download just (about to be) released Apache NetBeans 12 to the rescue!	+	Let's download just (about to be) released [[Apache]] [[NetBeans]] 12 to the rescue! First an foremost [[NetBeans]] 12 supports [[Maven]] based projects out of the box - e.g. when you create new project, it is no longer [[Ant]] based, but [[Maven]] based. [[NetBeans]] still recognizes the [[Ant]] based projects, as well as [[Gradle]] based projects, but because of the [[declarative]] format of [[Maven]] and the ability of [[NetBeans]] to deduce classpath & co. without executing a single line of [[Maven]] code, we have decided to standardize around [[Maven]]. Developers still have to be careful when executing their [[Maven]] builds, but should an attack against that appear in the future, there is not going to be anything [[NetBeans]] specific in it.
		+
		+	Download [[Apache]] [[NetBeans]] 12 - the best [[UI]] form [[Maven]] you have ever seen!

JaroslavTulach: /* Popularity is Popularity */

JaroslavTulach — Mon, 01 Jun 2020 07:08:00 GMT

Popularity is Popularity

←Older revision		Revision as of 07:08, 1 June 2020
Line 7:		Line 7:
	=== Popularity is Popularity ===		=== Popularity is Popularity ===

-	On the other hand, [[I]] haven't noticed such amount of buzz about [[NetBeans]] for a long time. Even negative popularity is a popularity and [[I]] enjoy reading description of the virus attack against the [[Ant]] build files written down by [[NetBeans]] from independent researchers! Moreover, as the researchers noted, ''It was interesting that this malware attacked the [[NetBeans]] build process specifically since it is not the most common Java IDE in use today''. True, [[NetBeans]] is no longer hot and it is fair to ask why did the attackers choose [[NetBeans]]? My favorite explanation is that it was a ''targeted attack'' - an attack against somebody who was known to use [[NetBeans]] to develop some application using [[Ant]] based projects generated by [[NetBeans]]. Might it ~~have been~~ a student's prank against roommates? Might it be more serious?	+	On the other hand, [[I]] haven't noticed such amount of buzz about [[NetBeans]] for a long time. Even negative popularity is a popularity and [[I]] enjoy reading description of the virus attack against the [[Ant]] build files written down by [[NetBeans]] from independent researchers! Moreover, as the researchers noted, ''It was interesting that this malware attacked the [[NetBeans]] build process specifically since it is not the most common Java IDE in use today''. True, [[NetBeans]] is no longer hot and it is fair to ask why did the attackers choose [[NetBeans]]? My favorite explanation is that it was a ''targeted attack'' - an attack against somebody who was known to use [[NetBeans]] to develop some application using [[Ant]] based projects generated by [[NetBeans]]. Might it be a student's prank against roommates? Might it be more serious?

	In any case it is clear, the malware developers could easily use the same attack vector against [[Make]], [[Gradle]] and even [[Maven]]. The chances to spread the virus would be even higher given the dominance of these build systems over [[Ant]]. All that is needed is to locate sources of ''Makefile'', ''build.gradle'' and ''pom.xml'' and mangle them a bit to execute malicious code. In addition to that one can modify the locally cached [[JAR]] files in ''$HOME/.m2/repository'' directory & co. just like the octopus malware did for the [[Ant]] based projects.		In any case it is clear, the malware developers could easily use the same attack vector against [[Make]], [[Gradle]] and even [[Maven]]. The chances to spread the virus would be even higher given the dominance of these build systems over [[Ant]]. All that is needed is to locate sources of ''Makefile'', ''build.gradle'' and ''pom.xml'' and mangle them a bit to execute malicious code. In addition to that one can modify the locally cached [[JAR]] files in ''$HOME/.m2/repository'' directory & co. just like the octopus malware did for the [[Ant]] based projects.