About how often does Java issue updates? (suspected rootkits)

Pylon ([H]ard|Gawd, joined Dec 28, 2008, 1,299 messages)
I've likely been infected by some sort of TDSS rootkit because of some symptoms like unauthorized google redirects and the blocking of certain AV programs, not to mention that Malwarebyte's has been giving me (likely false) negatives on basically every scan for the last month. I do keep it up to date.

Then I remembered that the Java auto updater has requested me to update basically daily, which I generally allow. Now that I think about it, this is somewhat suspicious as I doubt that updates would be issued on such a frequent basis. Is it a potential vector?

I run Windows 7 x64 Pro. TDSSkiller turns up nothing.

Any thoughts?
 
I don't recall Java updating daily. I would try a SuperAntiSpyware scan and see what that turns up. Are you scanning in safe mode? Also scan while Windows boots up normally. I would do a nice CCleaner cleanup if those two find anything.
 
The last Java update was update 6.21, released July 9, and update 6.20 was released April 15, suggesting that it's on a 3 month release cycle. If it's updating at all, that is very suspicious.
 
I believe the rootkit is gone (or possibly some of the malware it has been hiding has been removed) as my browser stopped doing constant redirects to Infomash and the like (many thanks to MGtools). The constant Java updates have also stopped.

Not to mention the updater always popped up without warning in the UAC and I generally allowed it, so I seriously believe it's a vector.
 
Take the HDD out, and scan it with another machine... use MalwareBytes and MSSE (or your AV of choice).
 
Can't, it's the only SATA equipped machine I own. Everything else is IDE-only.
 
After you think you've cleaned every last trace of virus/malware, check this program often for suspicious network activity:

TCPView

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.
If you see outgoing connections when there are no programs running that need internet access, check your system again. (Note: this process is a little tedious because there are so many programs which regularly check for updates online in the background, or for whatever other reason.)
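A scripted form of the check described above, added here as an example (it is not from this thread and not part of TCPView): it parses the output of `netstat -ano` (a constructed sample is embedded, so it runs offline), keeps only ESTABLISHED TCP connections to routable remote hosts, and groups them by PID so each one can be matched against a program you expect to be online. The column layout assumed is that of Windows `netstat -ano`; the PID set of "known-good" programs is something you supply yourself.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real host).
# 192.0.2.x and 203.0.113.x are documentation ranges used as stand-ins.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  TCP    127.0.0.1:49155        127.0.0.1:49156        ESTABLISHED     2248
  TCP    192.168.1.20:49201     192.0.2.10:443         ESTABLISHED     2248
  TCP    192.168.1.20:49330     203.0.113.77:8080      ESTABLISHED     3904
  TCP    192.168.1.20:49331     203.0.113.77:8080      TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    1120
"""

# Ranges that never indicate an internet-facing connection: loopback,
# RFC 1918 private space, link-local, unspecified, and their IPv6 equivalents.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def parse_netstat(text):
    """Turn `netstat -ano` lines into dicts; header and blank lines are skipped.
    TCP rows have five columns, UDP rows have four (no state column)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) == 5 else ""
        rhost, rport = parts[2].rsplit(":", 1)        # split off the port only
        rows.append({"proto": parts[0], "local": parts[1],
                     "remote": rhost.strip("[]"),      # drop IPv6 brackets
                     "rport": rport, "state": state, "pid": int(parts[-1])})
    return rows

def is_external(host):
    """True when the remote host is a routable address (not '*', not local)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                                 # '*' or a hostname
        return False
    return not any(ip in net for net in NON_ROUTABLE)

def suspicious_outbound(rows, known_pids=frozenset()):
    """Established TCP connections to external hosts, grouped by PID, minus
    PIDs the user has already attributed to a legitimate program."""
    by_pid = defaultdict(list)
    for r in rows:
        if (r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
                and is_external(r["remote"]) and r["pid"] not in known_pids):
            by_pid[r["pid"]].append(f'{r["remote"]}:{r["rport"]}')
    return dict(by_pid)

if __name__ == "__main__":
    for pid, peers in suspicious_outbound(parse_netstat(SAMPLE_NETSTAT)).items():
        print(f"PID {pid}: {', '.join(peers)}")   # look each PID up in Task Manager
```

On a live machine, feed it `netstat -ano` output instead of the sample, and grow `known_pids` as you identify each process; whatever remains is what deserves a closer look.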
 
Can't really add anything that hasn't already been suggested to try and find any malware that may be on your drive. What I can add is... Java sucks.
 
I already scanned with the Avira CD (the Linux live-CD one) and it didn't turn up anything, but I'll try your advice.

Thanks all of you.
 
of some symptoms like unauthorized google redirects and the blocking of certain AV programs, not to mention that Malwarebyte's has been giving me (likely false) negatives on basically every scan for the last month. I do keep it up to date.

Sounds like Olmarik trojan, Combofix time.
 
But thanks for the advice. I originally thought it was TDSS of some sort, but it didn't exhibit all the symptoms and TDSSkiller turned up nothing.
 
64-bit. Sucks.

Gah...I overlooked that..my bad.
Combofix is the only thing I've used which has cleaned Olmarik. Although I've read in the Wilders forums that Eset came out with an Olmarik removal tool..may want to hunt that down. MalwareBytes and SuperAntiSpyware don't remove enough of it...it'll come back on ya, need to use a more powerful tool.
 
As for the java update, another possibility is that it was the same update every time that didn't get installed correctly each time.
 