I had a compromised Java version. How do I clean up afterwards?
January 12, 2013 5:14 AM   Subscribe

My AV program found 'Exploit:Java/CVE-2012-4681' on my laptop. It's a primer that sets up my machine for future exploits, but I haven't found any further infections using AV or Housecall. What steps should I be taking to assure myself that the machine is clean, and what can I do to prevent this kind of problem in the future.

3 days ago, Microsoft Security Essentials picked up 'Exploit:Java/CVE-2012-4681' on my laptop. By the looks of it, this is an exploit for Java that primes the browser's Java plugin so that when I visit an infected site, that site can install whatever.

When MSSE found the issue, I told MSSE to KILL IT WITH FIRE, which it did, but MSSE warned me to expect possible follow-on infections that the exploit helped to download. So far, I have seen nothing. I ran Trend Micro Housecall to look for anything MSSE missed, and that came back with nothing. I'm not seeing any obvious symptoms like unexplained popups or search hijacking.

This is nice to see, and the optimistic case is that some combination of my security precautions have saved my arse, but I want to be sure of that.

So, Metafilter, this is what I'd like to know:

1) What further steps should I take to find possible threats and make the machine safe? I have access to the original installation media, but would prefer not to use it unless really necessary. I'm also worried that a clean installation would simply get reinfected by music and other files when I restore the machine.

2) What symptoms would I expect to see if the machine is compromised?

Machine details: ~4 year old personal Windows 7 Professional laptop, with legit Win7 and Windows updates installed promptly. I use Security Essentials for AV, and keep that up to date with Windows Update. I browse with Firefox and thought I was keeping everything up to date, although apparently I was a bit patchy with the Adobe stuff. Firefox has Flashblock and NoScript installed, although it looks like I disabled Flashblock a while back to make something work and forgot to turn it back on. Windows Firewall is on. The machine is backed up online using Carbonite, but obviously that won't help if infected files have been synched over to the remote server.

I don't torrent or use pirated software. I am Windows-literate and comfortable working from the command line.

Thanks everyone.
posted by Urtylug to Computers & Internet (3 answers total) 1 user marked this as a favorite
Best answer: The exploit that MSSE revealed is a universal one -- Java itself should be disabled in your browser(s), basically, to prevent sites from installing unauthorized software. You can read a bit about this warning here.

However, the exploit's existence is not equivalent to its use on your system. It is unlikely that you have had rogue software installed, and you do not need to do anything more at this time. I would suggest keeping your AV software updated and follow your normal preventative steps (run scans regularly, install OS and AV updates, etc.).

Were your machine to have been compromised, the symptoms would depend upon what software was installed via the Java vulnerability. Typical cases of third-party malware that have been seen recently include fake anti-virus software messages that claim that you have been infected, and offer to "clean" your machine in exchange for buying some software, along with so-called "hostage ware" that locks the machine, typically at boot, until you offer up payment for access to it. Both are most likely attempts to gain your credit card or financial information.

For what it is worth, music files are unlikely to carry any kind of "infection"; they are not executable files, and as such, they have not been traditional vectors of malware or virus transmission.
posted by ellF at 6:07 AM on January 12, 2013

Response by poster: Ok, thanks. Java is disabled.

I had this idea that viruses tend to get themselves into documents and music and the like on victim machines to prevent the user getting rid. Sounds like I'm being paranoid.
posted by Urtylug at 9:52 AM on January 12, 2013

I had this idea that viruses tend to get themselves into documents and music and the like on victim machines to prevent the user getting rid. Sounds like I'm being paranoid.

I had a virus once that inserted itself into html files- if you opened one of them in a browser it would try to load a malware-serving website and download itself again. It was kind of lame- it would only work while that malware server was still online, and still serving something that the computer was vulnerable to, but I ended up having to write my own script to do a huge search-and-replace to get rid of them.

There was this one "exploit" using an mp3 used to jailbrake kindles. You could imagine such an exploit existing in, say, Windows Media Player, and a virus could go through and fiddle with your mp3s' ID3 tags to reinfect when played. Even if that happened you could just update WMP or whatever and the nasty ID3 tags would become harmless.
posted by BungaDunga at 12:38 PM on January 12, 2013

« Older Sites worth paying for membership ?   |   Please help me identify this noisy bird Newer »
This thread is closed to new comments.