GitHub Warns Java Developers of New Malware Poisoning NetBeans Projects

GitHub issued a security alert Thursday warning about new malware spreading on its site via boobytrapped Java projects, ZDNet reports: The malware, which GitHub's security team has named Octopus Scanner, has been found in projects managed using the Apache NetBeans IDE (integrated development environment), a tool used to write and compile Java applications. GitHub said it found 26 repositories uploaded on its site that contained the Octopus Scanner malware, following a tip it received from a security researcher on March 9.
But the article adds GitHub "believes that many more projects have been infected during the past two years." GitHub says that when other users would download any of the 26 projects, the malware would behave like a self-spreading virus and infect their local computers. It would scan the victim's workstation for a local NetBeans IDE installation, and proceed to burrow into the developer's other Java projects. The malware, which can run on Windows, macOS, and Linux, would then download a remote access trojan (RAT) as the final step of its infection, allowing the Octopus Scanner operator to rummage through an infected victim's computer, looking for sensitive information.

GitHub says the Octopus Scanner campaign has been going on for years, with the oldest sample of the malware being uploaded on the VirusTotal web scanner in August 2018, time during which the malware operated unimpeded.

Project maintainers

[jeromef]

What are project maintainers doing? Are they are not paying attention to what's being committed and pushed to GitHub?

Re:

[hcs_$reboot]

Do you really think maintainers spend hours to check thousands of lines?

Re:

[whizzter]

Thousands or not thousands of lines of code... they still should be checking what they commit themselves. Sadly a lot of developers just press IDE's "sync" button instead of adding changes manually and reviewing what they send off in commits.

Re:

[Tablizer]

Our chief data security officer has been down on Java for a while, cranking up the security restrictions on Java-based applications so high as to make many of them unusable. This won't help change his opinion.

However, I'm not convinced the alternatives are more reliable, except perhaps Microsoft has a better update & patch infrastructure in place because they are so ubiquitous that they have to.

Re:

[ebyrob]

I think the biggest problem with Java is the fact it kind of lost all top level maintenance for almost 2 decades so far. When Sun still owned it it was probably about the most secure at nearly everything it did.

If anything, we should be looking to other similar tools to gain similar problems in the near future, as some of these attacks seem to start with Java and then branch out to other technologies that could be similarly affected (like MS Build say).

As to judging, I wholeheartedly agree, Java is certain

Re:

[HiThere]

This, however, is not a Java specific type of attack. Anything that auto-loads code from a remote repository is susceptible. And that's becoming an increasingly common method of development. Languages that I can think of that use that approach include Javascript, perl, rust, and go. Some of them have mitigation tools, but I've never studied how effective those are as I just want to avoid the process.

The advantage, of course, is that a library can have it's bugs fixed without the end user intervention.

Re:

[Z00L00K]

Any external library or framework is suspect.

One of the problems today is that there's a huge amount of libraries and frameworks out there so just target a few for malware added piece by piece. Even better if that malware also offers functionality that actually do what it says because then it can be undetected for a long time. A good malware is working slowly behind the scenes - like the "telemetry" in Windows.

Re:

[theshowmecanuck]

It has seemed to me for awhile now, that people aren't learning languages anymore, as much as they are learning frameworks. You can be a great programmer in a language but won't get hired if you don't know a particular framework. And then the frameworks encourage you to not know what the "great-volume-of-iceberg-below-the-surface framework code actually does, while you implement your specific use case with it. And to compound it, many of these frameworks are stored in repositories online (e.g. maven reposit

Re:

[Z00L00K]

Good points though!

The actual skill of programming seems to be a declining art - and what happens when those that created the frameworks moves on to greener pastures?

Re:

[theshowmecanuck]

I guess you work mostly with COTS stuff then. I wouldn't trust truly enterprise systems with Microsoft solutions. I often get contracts from places that want to get rid of the MS and other vendor lock in systems that force you to kludge every integration and operation. Usually with other contractors who are supposed to be experts in them with their certs, who just make some dogs breakfast of an implementation. I just finished two years stripping layers and layers of that kind of shit out of a place and repl

Re:

[alvinrod]

But as everyone knows, it's Java and the performance is bad so it will infect more slowly than a good C virus. Silver lining I suppose.

Re:

[scdeimos]

I guess that's why it's only infected 26 projects over 2 years. Either that or Java's not anywhere near as popular as the developer surveys keep suggesting.

Re:

[organgtool]

For one thing, this only infects a particular IDE and I'm pretty sure IntelliJ and Eclipse are much more popular than NetBeans. In addition to that, I believe the infections were detected by looking at the project metadata in the Github repositories but many projects don't store their IDE metadata in their repos since different devs often use different IDEs. This means that it's possible there are many more infections than what can be found by scanning Github. Finally, NetBeans supports C and C++ project

Re:

[The_Noid]

It also only works on projects that use the Netbeans specific build system, not on Maven or Gradle projects. That rules out most java projects. So I doubt it infects projects using C, C++, PHP or any of the other languages supported by Netbeans.

Re:

[comodoro]

The surveys however usually are about software generally, not open source software. I don't think Java is nearly as popular for open source, its major uses are elsewhere.

Does GitHub run malware scans on all repos?

[ethanwilde]

It seems like one of the few upsides to centralized storage of other people's code on GitHub (read Microsoft) servers could be regular malware scans of those repos. Does GitHub do this? Just asking...

Re:

[RandomUsername99]

Github faithfully notifies me if one of my repositories includes a library/framework/etc. for which a significant security vulnerability has been reported. That's not true for every language, but it's true for my Python, Ruby, and Javascript projects... I don't think I've have gotten one for my Elixir projects. Pretty sure they don't scan BLOBs for malware— but I imagine that's a pretty obscure edge case. Something like source code heuristics scanning would probably be an insanely complex undertaking,

Re:

[RandomUsername99]

*effective

It affects the project files

[Wookie Monster]

The reason why this malware is going unnoticed is that it's modifying the project metadata files, not the Java source files. If there's a change to the metadata file, how can a committer know it's malicious or not? The metadata file is just a bunch of properties and whatnot that's a black box unless you know the inner workings of NetBeans.

Re:It affects the project files

[Luthair]

Its usually seen as bad form to commit IDE settings though.

Re:

[ebyrob]

+1 to parent. ANY commit change to most of these files would be highly unusual to begin with.

  In fact, often they might not be needed in a project at all if they can be regenerated by the IDE, though some of these files are required when a new project is created. On new project creation this type of problem sounds like it would be incredibly difficult to notice.

Re:

[Z00L00K]

Each time you add, remove or rename a source file or you change a project setting some project metadata is updated.

Re:

[Antique Geekmeister]

Or you can replace the entire branch and history with a completely historically independent repository branch. "git push :master" is a permitted operation for most repositories, which do not track history well enough to notice the insertion of security violating debris in the history. It's one of the issues of git's willngness to allow deletion of history.

Re:

[The_Noid]

The type of project this malware targets uses the Netbeans build system. You need those file to be able to build the project in the first place, so they have to be in the repository. This is comparable to infecting the pom.xml of a Maven project, or the gradle build files.

That said, this could be made to work just fine on Gradle, since Gradle build scripts are also executed scripts. Making this work for Maven projects is probably a lot harder, since the pom.xml of Maven is not a script. For Maven the malwar

Re:

[Luthair]

Maven has the antrun plugin and exec.

Re:

[radarskiy]

"How can a committer know it's malicious or not?"

If it's not a change intentionally made by the committer, why would the committer commit that change?

"Self-spreading virus"

[93 Escort Wagon]

Doesn't that make it a worm?

Re:

[hcs_$reboot]

It's java, so it's probably more of a bacteria.

Re:

[Gravis Zero]

bacterial infection*

Re:

[Z00L00K]

An evil caffeine molecule is my bet.

Re:

[ebyrob]

A virus needs to attach to a computer program (like netbeans) to propogate. A worm doesn't need to do that and may spread all on it's own.

I also recall worms being stated as having multiple infection vectors, but not finding that in searches at the moment.

People still use NetBeans?

[Somervillain]

I have not met a NetBeans user in over a decade. This is like hearing about malware for Windows Phone.

Re:

[hcs_$reboot]

Doesn't Netbeans include Eclipse?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[hcs_$reboot]

Doesn't Eclipse include Netbeans?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[luca]

I'm not a java developer (thank God) but recently I've been forced to write a simple java project. I started doing it with eclipse but, due to the extreme frustration with WindowMaker, I switched to NetBeans. Matisse is also a joke but less so than WindowMaker.

Re:

[Z00L00K]

Because the Oracle licensing have infected it.

Does NetBeans

[fredrated]

cause gas?

Apache response

[gholmer]

Apache NetBeans response to this "story": https://blogs.apache.org/netbe... [apache.org]