Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Open Source Security Java Programming Apache

GitHub Warns Java Developers of New Malware Poisoning NetBeans Projects (zdnet.com) 45

GitHub issued a security alert Thursday warning about new malware spreading on its site via boobytrapped Java projects, ZDNet reports: The malware, which GitHub's security team has named Octopus Scanner, has been found in projects managed using the Apache NetBeans IDE (integrated development environment), a tool used to write and compile Java applications. GitHub said it found 26 repositories uploaded on its site that contained the Octopus Scanner malware, following a tip it received from a security researcher on March 9.
But the article adds GitHub "believes that many more projects have been infected during the past two years." GitHub says that when other users would download any of the 26 projects, the malware would behave like a self-spreading virus and infect their local computers. It would scan the victim's workstation for a local NetBeans IDE installation, and proceed to burrow into the developer's other Java projects. The malware, which can run on Windows, macOS, and Linux, would then download a remote access trojan (RAT) as the final step of its infection, allowing the Octopus Scanner operator to rummage through an infected victim's computer, looking for sensitive information.

GitHub says the Octopus Scanner campaign has been going on for years, with the oldest sample of the malware being uploaded on the VirusTotal web scanner in August 2018, time during which the malware operated unimpeded.

This discussion has been archived. No new comments can be posted.

GitHub Warns Java Developers of New Malware Poisoning NetBeans Projects

Comments Filter:
  • by jeromef ( 2726837 ) on Saturday May 30, 2020 @06:51PM (#60126650)
    What are project maintainers doing? Are they are not paying attention to what's being committed and pushed to GitHub?
    • Do you really think maintainers spend hours to check thousands of lines?
      • Thousands or not thousands of lines of code... they still should be checking what they commit themselves. Sadly a lot of developers just press IDE's "sync" button instead of adding changes manually and reviewing what they send off in commits.
  • It seems like one of the few upsides to centralized storage of other people's code on GitHub (read Microsoft) servers could be regular malware scans of those repos. Does GitHub do this? Just asking...
    • Github faithfully notifies me if one of my repositories includes a library/framework/etc. for which a significant security vulnerability has been reported. That's not true for every language, but it's true for my Python, Ruby, and Javascript projects... I don't think I've have gotten one for my Elixir projects. Pretty sure they don't scan BLOBs for malware— but I imagine that's a pretty obscure edge case. Something like source code heuristics scanning would probably be an insanely complex undertaking,

  • by Wookie Monster ( 605020 ) on Saturday May 30, 2020 @07:43PM (#60126750)
    The reason why this malware is going unnoticed is that it's modifying the project metadata files, not the Java source files. If there's a change to the metadata file, how can a committer know it's malicious or not? The metadata file is just a bunch of properties and whatnot that's a black box unless you know the inner workings of NetBeans.
    • by Luthair ( 847766 ) on Saturday May 30, 2020 @08:47PM (#60126852)
      Its usually seen as bad form to commit IDE settings though.
      • by ebyrob ( 165903 )

        +1 to parent. ANY commit change to most of these files would be highly unusual to begin with.

          In fact, often they might not be needed in a project at all if they can be regenerated by the IDE, though some of these files are required when a new project is created. On new project creation this type of problem sounds like it would be incredibly difficult to notice.

        • by Z00L00K ( 682162 )

          Each time you add, remove or rename a source file or you change a project setting some project metadata is updated.

          • Or you can replace the entire branch and history with a completely historically independent repository branch. "git push :master" is a permitted operation for most repositories, which do not track history well enough to notice the insertion of security violating debris in the history. It's one of the issues of git's willngness to allow deletion of history.

      • by The_Noid ( 28819 )

        The type of project this malware targets uses the Netbeans build system. You need those file to be able to build the project in the first place, so they have to be in the repository. This is comparable to infecting the pom.xml of a Maven project, or the gradle build files.

        That said, this could be made to work just fine on Gradle, since Gradle build scripts are also executed scripts. Making this work for Maven projects is probably a lot harder, since the pom.xml of Maven is not a script. For Maven the malwar

    • "How can a committer know it's malicious or not?"

      If it's not a change intentionally made by the committer, why would the committer commit that change?

  • Doesn't that make it a worm?

  • by Somervillain ( 4719341 ) on Saturday May 30, 2020 @08:36PM (#60126820)
    I have not met a NetBeans user in over a decade. This is like hearing about malware for Windows Phone.
  • cause gas?

  • Apache NetBeans response to this "story": https://blogs.apache.org/netbe... [apache.org]

If all else fails, lower your standards.

Working...