About how often does Java issue updates? (suspected rootkits)

Pylon

[H]ard|Gawd
Joined
Dec 28, 2008
Messages
1,299
I've likely been infected by some sort of TDSS rootkit because of some symptoms like unauthorized google redirects and the blocking of certain AV programs, not to mention that Malwarebyte's has been giving me (likely false) negatives on basically every scan for the last month. I do keep it up to date.

Then I remembered that the Java auto updater has requested me to update basically daily, which I generally allow. Now that I think about it, this is somewhat suspicious as I doubt that updates would be issued on such a frequent basis. Is it a potential vector?

I run Windows 7 x64 Pro. TDSSkiller turns up nothing.

Any thoughts?
 

knothead34

[H]ard|Gawd
Joined
Apr 4, 2005
Messages
1,599
I don't recall Java updating daily. I would try a SuperAntiSpyware scan and see what that turns up. Are you scanning in safe mode? Also scan while Windows boots up normally. I would do a nice CCleaner cleanup if those two find anything.
 

evilsofa

[H]F Junkie
Joined
Jan 1, 2007
Messages
10,078
The last Java update was update 6.21, released July 9, and update 6.20 was released April 15, suggesting that it's on a 3 month release cycle. If it's updating at all, that is very suspicious.
 

Pylon

[H]ard|Gawd
Joined
Dec 28, 2008
Messages
1,299
I believe the rootkit is gone (or possibly some of the malware it has been hiding has been removed) as my browser stopped doing constant redirects to Infomash and the like (many thanks to MGtools). The constant Java updates have also stopped.

Not to mention the updater always popped up without warning in the UAC and I generally allowed it, so I seriously believe it's a vector.
 

QwertyJuan

[H]F Junkie
Joined
Aug 17, 2000
Messages
11,286
Take the HDD out and scan it with another machine... use MalwareBytes and MSSE (or your AV of choice).
 

Pylon

[H]ard|Gawd
Joined
Dec 28, 2008
Messages
1,299
Can't, it's the only SATA equipped machine I own. Everything else is IDE-only.
 

Flank3r

n00b
Joined
Oct 26, 2009
Messages
60
After you think you've cleaned every last trace of virus/malware, check this program often for suspicious network activity:

TCPView

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.
If you see outgoing connections when there are no programs running that need internet access, check your system again (note: this process is a little tedious because there are so many programs which regularly check for updates online in the background, or for whatever other reason).
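The check Flank3r describes (look for outbound connections owned by processes that have no business talking to the internet) can be scripted against the text TCPView or `netstat -ano` produce. The script below is an added example, not code from this thread or from TCPView; the netstat output, the PID-to-image map and the allowlist are all constructed for illustration (on a real machine you would paste in the output of `netstat -ano` and `tasklist`). Addresses in the sample are from the documentation ranges, so they are treated as "external" by the script's own internal-range list rather than Python's `is_private`, which would hide them.

```python
"""Flag outbound connections from processes not expected to use the network.

Added example for the TCPView/netstat review step; all inputs are constructed.
"""
import ipaddress

# Constructed sample of `netstat -ano` output (Windows format).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49152        127.0.0.1:49153        ESTABLISHED     1234
  TCP    192.168.1.10:49201     203.0.113.10:443       ESTABLISHED     2048
  TCP    192.168.1.10:49210     203.0.113.45:80        ESTABLISHED     3100
  TCP    192.168.1.10:49215     198.51.100.7:6667      SYN_SENT        3100
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  UDP    0.0.0.0:500            *:*                                    812
"""

# Constructed PID -> image name map (in practice built from `tasklist`).
SAMPLE_PROCESSES = {
    812: "svchost.exe",
    1234: "explorer.exe",
    2048: "firefox.exe",
    3100: "updater.exe",   # hypothetical name for a process the user did not start
}

# Processes the operator knows should be talking to the internet right now.
EXPECTED_NETWORK_USERS = {"firefox.exe", "svchost.exe"}

# Ranges treated as "not the internet": loopback, RFC 1918, link-local, ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) rows from `netstat -ano` text.

    TCP rows carry five columns; UDP rows have no State column and carry four.
    Header, blank and 'Active Connections' lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""  # UDP is connectionless; netstat prints no state
        else:
            continue  # malformed line; ignore rather than guess
        rows.append((proto, local, remote, state, int(pid)))
    return rows


def remote_is_external(endpoint):
    """True if 'host:port' names a routable address outside INTERNAL_NETS."""
    host = endpoint.rsplit(":", 1)[0].strip("[]")  # handles [v6]:port too
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*:*' and similar placeholders are not peers
    if addr.is_unspecified:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_connections(netstat_text, processes, expected):
    """Return (image, pid, remote, state) for outbound connections whose owning
    process is not in the operator's expected set."""
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" or not remote_is_external(remote):
            continue
        image = processes.get(pid, "<unknown pid>")
        if image in expected:
            continue
        findings.append((image, pid, remote, state))
    return findings


if __name__ == "__main__":
    for image, pid, remote, state in suspicious_connections(
            SAMPLE_NETSTAT, SAMPLE_PROCESSES, EXPECTED_NETWORK_USERS):
        print(f"{image} (PID {pid}) -> {remote} [{state}]")
```

Run against the sample it reports the two connections owned by PID 3100 and stays quiet about the browser and loopback traffic. The allowlist is what makes the tedious part manageable: each time a background updater turns out to be legitimate, add its image name and rerun, so the list of things left to explain only shrinks.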
 

number69

[H]ard|Gawd
Joined
Jan 8, 2003
Messages
1,646
Can't really add anything that hasn't already been suggested to try and find any malware that may be on your drive. What I can add is... Java sucks.
 

Pylon

[H]ard|Gawd
Joined
Dec 28, 2008
Messages
1,299
I already scanned with the Avira CD (the Linux live-CD one) and it didn't turn up anything, but I'll try your advice.

Thanks all of you.
 

YeOldeStonecat

[H]F Junkie
Joined
Jul 19, 2004
Messages
11,330
> of some symptoms like unauthorized google redirects and the blocking of certain AV programs, not to mention that Malwarebyte's has been giving me (likely false) negatives on basically every scan for the last month. I do keep it up to date.

Sounds like Olmarik trojan, Combofix time.
 

Pylon

[H]ard|Gawd
Joined
Dec 28, 2008
Messages
1,299
But thanks for the advice. I originally thought it was TDSS of some sort, but it didn't exhibit all the symptoms and TDSSkiller turned up nothing.
 

YeOldeStonecat

[H]F Junkie
Joined
Jul 19, 2004
Messages
11,330
64-bit. Sucks.

Gah...I overlooked that..my bad.
Combofix is the only thing I've used which has cleaned Olmarik. Although I've read in the Wilders forums that Eset came out with an Olmarik removal tool... may want to hunt that down. MalwareBytes and SuperAntiSpyware don't remove enough of it... it'll come back on ya, need to use a more powerful tool.
 

HoppyChris

Limp Gawd
Joined
Jan 23, 2008
Messages
313
As for the java update, another possibility is that it was the same update every time that didn't get installed correctly each time.
 