Java, or Java applets are programs that can be embedded in to websites. They are generally poorly written, and hardly ever function right. Most people will probably never even need java, and in fact the only website I can think of that I ever use it on is Facebook’s shitty multi-photo uploader which I use only a handful of times a year.
Why am I writing about this? Because I had a Windows 7 machine that was fully updated, running an updated Firefox with Java (Java may have not been up to date), and a fully updated Antivirus program. By clicking one simple link, the machine was infected through the Java run time in Firefox. Despite clicking “Deny” on the Java question, the app still managed to run itself. It looked like it caused some type of crash in the Java run time and allowed itself to execute code. The virus then proceeded to attempt to hijack the browser and insert other malicious code in to the system. Avira Antivirus was able to block most of these attempts, but it did miss something. I have a feeling that this was a new strain of the virus, so I’m not going to place too much blame on Avira here. After all was said and done I ran the infected file through an online scanner, and only 1 of 41 virus engines detected it. Yikes!
Before shutting down the system I had ran FULL scans with Malwarebytes and Avira, both came back clean. I rebooted the system and that is when it happened. 7 load screen… blue screen…. reboot. Over and over. Safe mode was of no use, other methods of recovery didn’t work, the bluescreen yielded no useful information. It wouldn’t even point me to the file causing the crash (which would of helped me tremendously). To make a long story short (I put probably 4 hours in to fixing this bluescreen), the virus had attempted to insert code in to my iaStor.sys driver. This is an Intel Storage driver, vital to system operation. I believe that because this was a Windows 7 machine, it was unable to successfully hijack this file (the virus was probably written to hijack XP machines). I found the lone infected file by pulling the drive out of the laptop and using a separate computer running Nod32 to scan the entire drive, and replaced the infected file with a good copy I had in my archives. The really strange thing about it was the good file and infected file were the same exact size, but the infected file no longer had the Intel signature and had a different MD5 hash then the good file. The virus obviously tried to re-write some part of my storage driver… who knows what though.
Nod32 identified it as Olmarik.pv which from what I can tell is a pretty new strain.
To bring this story back to it’s point, a fully updated system, running Firefox still caught an infection thanks to shitty ass Java. So, do yourself a favor out there RIGHT NOW. Disable Java.
Tools -> Options -> Content
Un-check Enable Java:
The nice part about this is that if you do end up on a site that you TRUST and need to enable it, you can simple check the box again and reload the page and it will work. You don’t have to restart your browser. Just be sure to disable it again after you’re done to keep your browser safe!
I have made this change on all of my machines and I strongly encourage you to as well!