Zerr0

  1. Thank you, that's good to hear. I have not encountered any more exploit detections since the 14 Jul. All three services are now all set to Automatic (Delayed start). I now have the following exclusions in place (see screenshot for details). I am quite sure that some of these are unnecessary but I wanted to cover all my bases.
  2. Malwarebytes (MB) is detecting 'exploit' conditions triggered by Jetbrains YouTrack, Hub and Upsource (standalone) developer web applications:

       1. Prevent Web-based Java Command Line (enabled by default)
       2. Java Malicious Inbound Shell Protection (enabled by default)
       3. Java Malicious Outbound Shell Protection (not enabled by default)

     These three conditions are located under Settings --> Protection --> Advanced Settings --> Java Protection (tab). I have created this thread at the urging of fellow YouTrack users and at the suggestion of the MB support agent who has been assisting me.

     Background

     Malwarebytes Premium
       Application 3.5.1.2522
       Components: 1.0.374
       Updates: 1.0.5871

     JetBrains web apps:
       YouTrack 2018.2.42337 Standalone
       Hub 2018.2.9774 Standalone
       Upsource 2018.1.357 Standalone

     OS - Windows 10 - 1803

     No malware scans (both threat and custom with all options enabled) have identified any threats before or since I installed these tools. Neither has my antivirus (ESET).

     Description

     Condition 1 was the original 'exploit' I encountered and was the basis for a Jetbrains YouTrack bug report that I submitted (i.e. https://youtrack.jetbrains.com/issue/JT-48019). All of the logs provided to my support agent as well as communications with him and JetBrains are attached to issue JT-48019.

     I have found condition 1 to be the most problematic for a number of reasons:

       a) all three web apps trigger the same 'exploit' detection,
       b) all three web services get stuck in a 'Starting' state, fail to start up and are unusable,
       c) given the architecture of these web apps significant changes may be required for a JetBrains-originated resolution, unless MB use a less crude detection mechanism. To quote from my MB service ticket (2351856): "This is not a False Positive issue. The majority of the time, Java launching a command prompt window is malicious, so this is a hard-coded block".
       d) it was only once I had disabled condition 1 that I started to encounter 'exploit' conditions (2 and 3) that are then detected.

     Conditions 2 and 3 are triggered by one or more of these three applications as they communicate with one another. One might suggest condition 3 (outbound connections) is less of a problem because it is not enabled by default; however, the defaults may change.

     The initial workaround I attempted was to disable these three conditions, which does work (after reboot). However, these are global settings and would leave my system with much poorer overall protection than if it could be more specifically excluded. I could not figure out how to add a 'previously encountered exploit' exclusion for any of these three (previously detected) types of 'exploit'.

     The only exclusion mechanism I have had some success with so far has been folder-based. This involved creating rules for almost all 'Jetbrains' folders in my system. Once I figured out that reboots were necessary after adding exclusion rules, this seemed to do the trick, at least for a while. A couple of days later I noticed that I was starting to receive many reports of 'Java malicious outbound socket'(s), and for some reason these also appeared to be preventing the web app services from starting. However, this time I found no condition 1 'exploit' detections logged and haven't a clue how the condition 3 'exploit' detections could be preventing the services from starting.

     Questions for Malwarebytes and my fellow users:

       • Why is it not possible to create exploit exclusions for any of these three previously detected 'exploits'? Am I missing something?
       • Is there a more refined algorithm that MB could use for condition 1?
       • What is it that makes MB think that YouTrack, Hub and Upsource's in/outbound communications are malicious (i.e. conditions 2 and 3)? Is the detection mechanism inferring maliciousness based on the "hard-coded" criteria used for condition 1?
       • Why is there not more information about the process(es), IP address and port information in the logs for exploit conditions 2 and 3? All I can tell right now is that a Java application somewhere on my machine has just been blocked from sending or receiving data.
       • Why is it that some exclusion rules sometimes appear to fail to remain enforced? When this happens, why is the user not informed and an indication made as to which exclusion(s) are and are no longer in effect?
       • If you reset the protection settings to their default values ('Restore Defaults' button), these seem to be applied and enforced instantaneously. Why is it that after the reset they appear to be ignoring my existing exclusion rules but offer no indication that they are not enforced? Perhaps another reboot cycle is needed before the exclusion rules are re-enforced?

     Sample detection logs

     Example condition 1 - "Exploit payload process blocked"

     81103C2B70B13F565F94D19DC5414FFC09189D969C548E38C137C5A443D78168
     {
       "applicationVersion" : "3.5.1.2522",
       "clientID" : "",
       "clientType" : "other",
       "componentsUpdatePackageVersion" : "1.0.374",
       "cpu" : "x64",
       "dbSDKUpdatePackageVersion" : "1.0.5871",
       "detectionDateTime" : "2018-07-11T18:10:14Z",
       "fileSystem" : "NTFS",
       "id" : "a27deb18-8535-11e8-ac73-e0d55e10177a",
       "isUserAdmin" : true,
       "licenseState" : "licensed",
       "linkagePhaseComplete" : false,
       "loggedOnUserName" : "System",
       "machineID" : "",
       "os" : "Windows 10 (Build 17134.165)",
       "schemaVersion" : 9,
       "sourceDetails" : { "type" : "ae" },
       "threats" : [ {
         "linkedTraces" : [ ],
         "mainTrace" : {
           "cleanAction" : "block",
           "cleanResult" : "successful",
           "cleanResultErrorCode" : 0,
           "cleanTime" : "2018-07-11T18:10:14Z",
           "exploitData" : {
             "appDisplayName" : "Java",
             "blockedFileName" : "D:\\YouTrack\\cmd \\C bin\\youtrack.bat configure -f C:\\ProgramData\\JetBrains\\YouTrack\\temp\\internal\\services\\bundleProcess\\configure-args-6911961816430328675.properties",
             "layerText" : "Application Behavior Protection",
             "protectionTechnique" : "Exploit payload process blocked",
             "url" : ""
           },
           "generatedByPostCleanupAction" : false,
           "id" : "a885c828-8535-11e8-b145-e0d55e10177a",
           "linkType" : "none",
           "objectMD5" : "",
           "objectPath" : "",
           "objectSha256" : "",
           "objectType" : "exploit"
         },
         "ruleID" : 392684,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
       } ],
       "threatsDetected" : 1
     }

     Example condition 2 - "Java malicious inbound socket detected"

     2A3747400A03F91AFC845BB1FF5A855605CD24EA642930B8B5B52D9B8BBAADDE
     {
       "applicationVersion" : "3.5.1.2522",
       "clientID" : "",
       "clientType" : "other",
       "componentsUpdatePackageVersion" : "1.0.374",
       "cpu" : "x64",
       "dbSDKUpdatePackageVersion" : "1.0.5781",
       "detectionDateTime" : "2018-07-05T14:16:37Z",
       "fileSystem" : "NTFS",
       "id" : "01aae230-805e-11e8-8db0-e0d55e10177a",
       "isUserAdmin" : true,
       "licenseState" : "licensed",
       "linkagePhaseComplete" : false,
       "loggedOnUserName" : "System",
       "machineID" : "",
       "os" : "Windows 10 (Build 17134.137)",
       "schemaVersion" : 9,
       "sourceDetails" : { "type" : "ae" },
       "threats" : [ {
         "linkedTraces" : [ ],
         "mainTrace" : {
           "cleanAction" : "block",
           "cleanResult" : "successful",
           "cleanResultErrorCode" : 0,
           "cleanTime" : "2018-07-05T14:16:37Z",
           "exploitData" : {
             "appDisplayName" : "Java",
             "blockedFileName" : "",
             "layerText" : "Application Behavior Protection",
             "protectionTechnique" : "Java malicious inbound socket detected",
             "url" : ""
           },
           "generatedByPostCleanupAction" : false,
           "id" : "07a314c8-805e-11e8-b7fe-e0d55e10177a",
           "linkType" : "none",
           "objectMD5" : "",
           "objectPath" : "",
           "objectSha256" : "",
           "objectType" : "exploit"
         },
         "ruleID" : 392684,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
       } ],
       "threatsDetected" : 1
     }

     Example condition 3 - "Java malicious outbound socket detected"

     1CBB5403139737483F820AA69CD7037CED5FBC13187DE0E604FFA83F9FC46C57
     {
       "applicationVersion" : "3.5.1.2522",
       "clientID" : "",
       "clientType" : "other",
       "componentsUpdatePackageVersion" : "",
       "cpu" : "x64",
       "dbSDKUpdatePackageVersion" : "",
       "detectionDateTime" : "2018-07-08T15:41:53Z",
       "fileSystem" : "NTFS",
       "id" : "6a047b8e-82c5-11e8-ba94-e0d55e10177a",
       "isUserAdmin" : true,
       "licenseState" : "licensed",
       "linkagePhaseComplete" : false,
       "loggedOnUserName" : "System",
       "machineID" : "",
       "os" : "Windows 10 (Build 17134.137)",
       "schemaVersion" : 9,
       "sourceDetails" : { "type" : "ae" },
       "threats" : [ {
         "linkedTraces" : [ ],
         "mainTrace" : {
           "cleanAction" : "block",
           "cleanResult" : "successful",
           "cleanResultErrorCode" : 0,
           "cleanTime" : "2018-07-08T15:41:53Z",
           "exploitData" : {
             "appDisplayName" : "Java",
             "blockedFileName" : "",
             "layerText" : "Application Behavior Protection",
             "protectionTechnique" : "Java malicious outbound socket detected",
             "url" : ""
           },
           "generatedByPostCleanupAction" : false,
           "id" : "7009a338-82c5-11e8-908c-e0d55e10177a",
           "linkType" : "none",
           "objectMD5" : "",
           "objectPath" : "",
           "objectSha256" : "",
           "objectType" : "exploit"
         },
         "ruleID" : 392684,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
       } ],
       "threatsDetected" : 1
     }
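A small triage script for detection records in the JSON shape quoted above, added here as an example; it is not part of the original post or of Malwarebytes' own tooling. It assumes each log file is one JSON document with the fields shown, and that the three protectionTechnique strings map to the three Java Protection settings in the order the post lists them (an assumption drawn from the post, not documented behaviour); the sample records are constructed and trimmed to the fields the script reads.

```python
import json

# The three Java Protection settings named in the post, keyed by the
# protectionTechnique string carried by the matching detection record (assumed mapping).
TECHNIQUE_TO_SETTING = {
    "Exploit payload process blocked": (1, "Prevent Web-based Java Command Line"),
    "Java malicious inbound socket detected": (2, "Java Malicious Inbound Shell Protection"),
    "Java malicious outbound socket detected": (3, "Java Malicious Outbound Shell Protection"),
}

def summarize(record):
    """One row per threat in a detection record (the JSON shape posted above)."""
    rows = []
    for threat in record.get("threats", []):
        trace = threat.get("mainTrace", {})
        exploit = trace.get("exploitData", {})
        cond, setting = TECHNIQUE_TO_SETTING.get(exploit.get("protectionTechnique", ""), (None, "unknown"))
        rows.append({
            "time": record.get("detectionDateTime"),
            "condition": cond,
            "setting": setting,
            "app": exploit.get("appDisplayName"),
            # Only the process block records what was launched; the socket
            # conditions leave blockedFileName empty (the gap the post raises).
            "blocked": exploit.get("blockedFileName") or None,
            "blocked_ok": trace.get("cleanAction") == "block" and trace.get("cleanResult") == "successful",
        })
    return rows

def triage(log_texts):
    """One readable line per detection across several log files."""
    lines = []
    for text in log_texts:
        for r in summarize(json.loads(text)):
            lines.append(f'{r["time"]} condition {r["condition"]} ({r["setting"]}) '
                         f'{r["app"]}: {r["blocked"] or "no process or peer detail recorded"}')
    return lines

def _sample(when, technique, blocked=""):
    # Constructed record in the posted schema, trimmed to the fields used here.
    return json.dumps({"detectionDateTime": when, "threatsDetected": 1, "threats": [{
        "threatName": "Malware.Exploit.Agent.Generic", "mainTrace": {"cleanAction": "block",
        "cleanResult": "successful", "exploitData": {"appDisplayName": "Java",
        "blockedFileName": blocked, "protectionTechnique": technique}}}]})

# Constructed samples mirroring the three conditions quoted in the post.
SAMPLE_LOGS = [
    _sample("2018-07-11T18:10:14Z", "Exploit payload process blocked",
            r"D:\YouTrack\cmd \C bin\youtrack.bat configure -f C:\ProgramData\JetBrains\YouTrack\temp\internal\services\bundleProcess\configure-args-6911961816430328675.properties"),
    _sample("2018-07-05T14:16:37Z", "Java malicious inbound socket detected"),
    _sample("2018-07-08T15:41:53Z", "Java malicious outbound socket detected"),
]
```

Run over a directory of real log files by reading each one into `triage`; lines whose condition is None are techniques outside the three the post discusses and deserve a separate look.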