Zerr0

MB detects 'exploits' triggered by JetBrains YouTrack, Hub & Upsource


Malwarebytes (MB) is detecting 'exploit' conditions triggered by the JetBrains YouTrack, Hub and Upsource (standalone) developer web applications.

  1. Prevent Web-based Java Command Line (enabled by default)
  2. Java Malicious Inbound Shell Protection (enabled by default)
  3. Java Malicious Outbound Shell Protection (not enabled by default)

These three conditions are located under Settings --> Protection --> Advanced Settings --> Java Protection (tab).

[Screenshot: Malwarebytes Java Protection settings tab, 2018-07-09]

I have created this thread at the urging of fellow YouTrack users and suggestion from the MB support agent who has been assisting me.

Background

Malwarebytes Premium

  • Application 3.5.1.2522
  • Components: 1.0.374
  • Updates: 1.0.5871

JetBrains web apps:

  • YouTrack 2018.2.42337 Standalone
  • Hub 2018.2.9774 Standalone
  • Upsource 2018.1.357 Standalone

OS - Windows 10 - 1803

No malware scans (both threat and custom with all options enabled) have identified any threats before and since I installed these tools. Neither has my antivirus (ESET).

Description

Condition 1 was the original 'exploit' I encountered and was the basis for a JetBrains YouTrack bug report that I submitted (i.e. https://youtrack.jetbrains.com/issue/JT-48019). All of the logs provided to my support agent, as well as communications with him and JetBrains, are attached to issue JT-48019.

[Screenshot: condition 1 Malwarebytes exploit prompt]

[Screenshot: condition 1 Malwarebytes exploit report]

I have found condition 1 to be the most problematic for a number of reasons:
a) all three web apps trigger the same 'exploit' detection,
b) all three web services get stuck in a 'Starting' state, fail to start up and are unusable,
c) given the architecture of these web apps, significant changes may be required for a JetBrains-originated resolution, unless MB uses a less crude detection mechanism. To quote from my MB service ticket (2351856): "This is not a False Positive issue. The majority of the time, Java launching a command prompt window is malicious, so this is a hard-coded block".
d) it was only once I had disabled condition 1 that I started to encounter 'exploit' conditions (2 and 3) that are then detected.

[Screenshot: Java inbound exploit automatically detected prompt]

Conditions 2 and 3 are triggered by one or more of these three applications as they communicate with one another. One might suggest condition 3 (outbound connections) is less of a problem because it is not enabled by default; however, the defaults may change.

The initial workaround I attempted was to disable these three conditions, which does work (after reboot). However, these are global settings and would leave my system with much poorer overall protection than if it could be more specifically excluded.

I could not figure out how to add a 'previously encountered exploit' exclusion for any of these three (previously detected) types of 'exploit'.

The only exclusion mechanism I have had some success with so far has been folder-based. This involved creating rules for almost all 'JetBrains' folders in my system. Once I figured out that reboots were necessary after adding exclusion rules, this seemed to do the trick, at least for a while. A couple of days later I noticed that I was starting to receive many reports of 'Java malicious outbound socket'(s), and for some reason these also appeared to be preventing the web app services from starting. However, this time I found no condition 1 'exploit' detections logged and haven't a clue how the condition 3 'exploit' detections could be preventing the services from starting.

Questions for Malwarebytes and my fellow users:

  1. Why is it not possible to create exploit exclusions for any of these three previously detected 'exploits'? Am I missing something?
  2. Is there a more refined algorithm that MB could use for condition 1?
  3. What is it that makes MB think that YouTrack, Hub and Upsource's in/outbound communications are malicious (i.e. conditions 2 and 3)?
  4. Is the detection mechanism inferring maliciousness based on the "hard-coded" criteria used for condition 1?
  5. Why is there not more information about the process(es), IP address and port information in the logs for exploit conditions 2 and 3? All I can tell right now is that a Java application somewhere on my machine has just been blocked from sending or receiving data.
  6. Why is it that some exclusion rules sometimes appear to fail to remain enforced? When this happens, why is the user not informed, with an indication of which exclusion(s) are and are no longer in effect?
  7. If you reset the protection settings to their default values ('Restore Defaults' button) these seem to be applied and enforced instantaneously. Why is it that after the reset they appear to be ignoring my existing exclusion rules but offer no indication that they are not enforced? Perhaps another reboot cycle is needed before the exclusion rules are re-enforced?

Sample detection logs

Example condition 1 - "Exploit payload process blocked"

81103C2B70B13F565F94D19DC5414FFC09189D969C548E38C137C5A443D78168
{
   "applicationVersion" : "3.5.1.2522",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.374",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.5871",
   "detectionDateTime" : "2018-07-11T18:10:14Z",
   "fileSystem" : "NTFS",
   "id" : "a27deb18-8535-11e8-ac73-e0d55e10177a",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : false,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 10 (Build 17134.165)",
   "schemaVersion" : 9,
   "sourceDetails" : {
      "type" : "ae"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2018-07-11T18:10:14Z",
            "exploitData" : {
               "appDisplayName" : "Java",
               "blockedFileName" : "D:\\YouTrack\\cmd \\C bin\\youtrack.bat configure -f C:\\ProgramData\\JetBrains\\YouTrack\\temp\\internal\\services\\bundleProcess\\configure-args-6911961816430328675.properties",
               "layerText" : "Application Behavior Protection",
               "protectionTechnique" : "Exploit payload process blocked",
               "url" : ""
            },
            "generatedByPostCleanupAction" : false,
            "id" : "a885c828-8535-11e8-b145-e0d55e10177a",
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectType" : "exploit"

         },
         "ruleID" : 392684,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

Example condition 2 - "Java malicious inbound socket detected"

2A3747400A03F91AFC845BB1FF5A855605CD24EA642930B8B5B52D9B8BBAADDE
{
   "applicationVersion" : "3.5.1.2522",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "1.0.374",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "1.0.5781",
   "detectionDateTime" : "2018-07-05T14:16:37Z",
   "fileSystem" : "NTFS",
   "id" : "01aae230-805e-11e8-8db0-e0d55e10177a",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : false,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 10 (Build 17134.137)",
   "schemaVersion" : 9,
   "sourceDetails" : {
      "type" : "ae"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2018-07-05T14:16:37Z",
            "exploitData" : {
               "appDisplayName" : "Java",
               "blockedFileName" : "",
               "layerText" : "Application Behavior Protection",
               "protectionTechnique" : "Java malicious inbound socket detected",
               "url" : ""
            },
            "generatedByPostCleanupAction" : false,
            "id" : "07a314c8-805e-11e8-b7fe-e0d55e10177a",
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectType" : "exploit"
         },
         "ruleID" : 392684,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}

Example condition 3 - "Java malicious outbound socket detected"

1CBB5403139737483F820AA69CD7037CED5FBC13187DE0E604FFA83F9FC46C57
{
   "applicationVersion" : "3.5.1.2522",
   "clientID" : "",
   "clientType" : "other",
   "componentsUpdatePackageVersion" : "",
   "cpu" : "x64",
   "dbSDKUpdatePackageVersion" : "",
   "detectionDateTime" : "2018-07-08T15:41:53Z",
   "fileSystem" : "NTFS",
   "id" : "6a047b8e-82c5-11e8-ba94-e0d55e10177a",
   "isUserAdmin" : true,
   "licenseState" : "licensed",
   "linkagePhaseComplete" : false,
   "loggedOnUserName" : "System",
   "machineID" : "",
   "os" : "Windows 10 (Build 17134.137)",
   "schemaVersion" : 9,
   "sourceDetails" : {
      "type" : "ae"
   },
   "threats" : [
      {
         "linkedTraces" : [

         ],
         "mainTrace" : {
            "cleanAction" : "block",
            "cleanResult" : "successful",
            "cleanResultErrorCode" : 0,
            "cleanTime" : "2018-07-08T15:41:53Z",
            "exploitData" : {
               "appDisplayName" : "Java",
               "blockedFileName" : "",
               "layerText" : "Application Behavior Protection",
               "protectionTechnique" : "Java malicious outbound socket detected",
               "url" : ""
            },
            "generatedByPostCleanupAction" : false,
            "id" : "7009a338-82c5-11e8-908c-e0d55e10177a",
            "linkType" : "none",
            "objectMD5" : "",
            "objectPath" : "",
            "objectSha256" : "",
            "objectType" : "exploit"
         },
         "ruleID" : 392684,
         "rulesVersion" : "0.0.0",
         "threatID" : 0,
         "threatName" : "Malware.Exploit.Agent.Generic"
      }
   ],
   "threatsDetected" : 1
}
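The three records above share one layout, and the useful triage fields are buried several levels deep. The following is an added example (not part of the original post, and not a Malwarebytes tool): it parses detection records in that layout, pulls out the technique, the application and any absolute Windows paths in blockedFileName, and then asks whether a set of folder exclusions would have a path to match against. The exclusion check is a deliberately simple path-prefix model, an assumption for illustration only; how Malwarebytes actually evaluates exclusions is not described anywhere on this page. The sample records are constructed from the values posted above, with fields the triage does not need left out.

```python
"""Triage Malwarebytes anti-exploit detection records (schemaVersion 9 layout).

Added example, not code from the thread or from Malwarebytes. The folder
exclusion check below is an ASSUMED, simplified path-prefix model used to
show why socket detections give a folder rule nothing to match.
"""
import json
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample input: three records mirroring the thread's examples,
# trimmed to the fields used here.
SAMPLE_RECORDS = [
    r'''{"detectionDateTime": "2018-07-11T18:10:14Z",
         "threats": [{"threatName": "Malware.Exploit.Agent.Generic",
                      "mainTrace": {"cleanAction": "block", "exploitData": {
                          "appDisplayName": "Java",
                          "blockedFileName": "D:\\YouTrack\\cmd \\C bin\\youtrack.bat configure -f C:\\ProgramData\\JetBrains\\YouTrack\\temp\\internal\\services\\bundleProcess\\configure-args-6911961816430328675.properties",
                          "protectionTechnique": "Exploit payload process blocked"}}}]}''',
    r'''{"detectionDateTime": "2018-07-05T14:16:37Z",
         "threats": [{"threatName": "Malware.Exploit.Agent.Generic",
                      "mainTrace": {"cleanAction": "block", "exploitData": {
                          "appDisplayName": "Java", "blockedFileName": "",
                          "protectionTechnique": "Java malicious inbound socket detected"}}}]}''',
    r'''{"detectionDateTime": "2018-07-08T15:41:53Z",
         "threats": [{"threatName": "Malware.Exploit.Agent.Generic",
                      "mainTrace": {"cleanAction": "block", "exploitData": {
                          "appDisplayName": "Java", "blockedFileName": "",
                          "protectionTechnique": "Java malicious outbound socket detected"}}}]}''',
]

# Absolute Windows paths (drive letter, colon, backslash, then up to whitespace).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')


def extract_paths(blocked):
    """All absolute Windows paths inside a blockedFileName string (may be empty)."""
    return WIN_PATH.findall(blocked)


def is_under(path, folder):
    """Case-insensitive check that `path` lies inside `folder` (whole-component prefix)."""
    p = [part.lower() for part in PureWindowsPath(path).parts]
    f = [part.lower() for part in PureWindowsPath(folder).parts]
    return p[:len(f)] == f


def triage(records, excluded_folders):
    """One row per threat: when, which app, which technique, which paths, and
    whether every path sits under an excluded folder (assumed prefix model).
    `covered_by_exclusion` is None when the record carries no path at all."""
    rows = []
    for text in records:
        rec = json.loads(text)
        for threat in rec["threats"]:
            data = threat["mainTrace"]["exploitData"]
            paths = extract_paths(data["blockedFileName"])
            if paths:
                covered = all(any(is_under(p, f) for f in excluded_folders) for p in paths)
            else:
                covered = None  # inbound/outbound socket records: nothing to match
            rows.append({
                "time": rec["detectionDateTime"],
                "app": data["appDisplayName"],
                "technique": data["protectionTechnique"],
                "paths": paths,
                "covered_by_exclusion": covered,
            })
    return rows


def count_by_technique(rows):
    """How many detections each protection technique produced."""
    return Counter(row["technique"] for row in rows)


if __name__ == "__main__":
    # Hypothetical exclusion set, modelled on the folder-based rules described in the post.
    excluded = ["D:\\YouTrack", "C:\\ProgramData\\JetBrains"]
    for row in triage(SAMPLE_RECORDS, excluded):
        print(row["time"], row["technique"], row["paths"], row["covered_by_exclusion"])
    print(count_by_technique(triage(SAMPLE_RECORDS, excluded)))
```

Run against the three sample records, the first row yields two paths (the D:\YouTrack working directory and the C:\ProgramData\JetBrains properties file) and is fully covered by the two hypothetical folder rules; the inbound and outbound socket rows yield no path at all, which is exactly the gap question 5 above complains about: there is no process, address or port in the record for any rule to key on.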


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.


If you are having technical issues with our Windows product, please do the following: 


If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download Malwarebytes Support Tool
  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Welcome to the Malwarebytes Support Tool!"
  • Click the Advanced Options link

  • Click the Gather Logs button

  • A progress bar will appear and the program will proceed to gather troubleshooting information from your computer
  • Upon completion, click OK
  • A file named mbst-grab-results.zip will be saved to your Desktop
  • Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies".

    To save attachments, please click the attachment link. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

One of our experts will be able to assist you shortly.


If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 


Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

Thank you for documenting these issues so thoroughly. I will report this information to the Developer and Product teams for investigation, and hopefully they will be able to at least address the bugs you seem to have discovered (failing to load exclusions upon creation if Exploit Protection is already active, and failing to honor existing exclusions if Exploit Protection settings are restored to defaults).

As for the condition of the detection itself, I can only speak to the very generic, signature-less, behavior-based nature of the Anti-Exploit component and its strict enforcement of those rules, particularly in the case of Java, as it is historically by far one of the most commonly exploited applications in existence by malware authors, particularly for executing malicious scripts and downloading and executing malicious payloads, so any activity which is even remotely suspect is likely to be flagged by these protections if enabled. This being the case, unless the Developer and/or Researchers can determine a way to safely exclude these applications' activities without compromising system security for all users, it is likely that, at least for the time being, you may have to continue to use the exclusion feature as you have, or to disable the particular Java shielding settings in the Exploit Protection component whenever you plan to use these applications. Unfortunately, while it is understandable that this is a great inconvenience in this particular case, these protective shields have proven vastly effective against both existing/known and new/unknown exploit kits and attacks in the wild which have attempted to exploit Java when installed and active on users' systems. That said, I only speak from my own general working knowledge of the situation, and the Developer and/or Researchers would have to address any specifics with regards to these functions and any limitations which might exist that could prevent easily whitelisting these applications by Malwarebytes. It is entirely possible that they could be safely whitelisted on our side without compromising users' safety; however, I do not know enough about its internal workings to say for certain one way or the other. I am only stating the information I have based on my general knowledge of the component, having worked for the company for several years and personally using their products on my own systems.

Your patience is appreciated, and as I said, I will be reporting this information to the team for review, so hopefully they will be able to address your situation in a satisfactory manner.


Thank you, that's good to hear.

I have not encountered any more exploit detections since 14 Jul.

  • All three services are now set to Automatic (Delayed start).
  • I now have the following exclusions in place (see screenshot for details). I am quite sure that some of these are unnecessary, but I wanted to cover all my bases.

[Screenshot: Malwarebytes Premium 3.5.1 exclusion list, 2018-07-19]


Excellent, I'm glad to hear it :)

I heard back from the Developer, and he explained that since Java often spawns multiple processes (java.exe, javaw.exe, j2...exe, etc.), and since the detected process needs to be unloaded/re-loaded for the exclusions to take effect, that could be the cause of it (the Anti-Exploit component works by injecting its DLL into protected/shielded processes, so to apply exclusions the shielded app, in this case Java, needs to be closed and re-launched).
