Warning to those using Sun Java on their systems.

  • Thread starter: John Corliss
Using sock puppets to avoid my filter, eh?

Ummm, no. Haven't changed a thing. Your filter must be as screwed up as
you.
Now we all know you're a
troll. And a very juvenile one at that. Grow up.

Yeah, that's me.
 
I certainly never said that. But you're right. It should have occurred
to me that the homepage for the spyware would rape one's computer.
Guess I forgot because I'd already removed Java from my system and
also am using Kerio.

Here's a better site that gives tons of info on how the spyware works:

http://kalsey.com/2002/11/java_spyware/

It's hard to say which files are depended on to do the spying though,
since it's a server side spyware, depends on cookies and runs a java
applet. Somehow, files are freely modified without one's permission.
For example: when opened in Wordpad, the file I referred to
(C:\WINDOWS\.plugin141_03.trace) read like this on Dec. 27, last year:
_____________________________________________________
Java(TM) Plug-in: Version 1.4.1_03
Using JRE version 1.4.1_03 Java HotSpot(TM) Client VM
User home directory = C:\WINDOWS
Proxy Configuration: No proxy


----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------
_____________________________________________________

Then a couple of days ago, it included the link to the Redsheriff
site. I'll try reinstalling Java to see if the file is part of Java
itself. If it's a standard part of it, then it's open to an exploit
and Java goes away permanently. I never have liked it anyway.
This is the file to watch out for: measure.class

I also read this info at the site I mention above. There was no such
file(s) on my system. However, I noticed there were a lot of files
whose names started out with "measure.class", but had a long string of
characters after that and then either ended in .class or .idx. When I
opened one of them up in Wordpad, it contained a reference to the
Redsheriff website's privacy statement. Those files resided in the
following folder on my system:

C:\WINDOWS\.jpi_cache\file\1.0

Gone now.

At the site I mention above, one of the people in the discussion claims
that another file name to be wary of is sleepthread.class.

I still maintain that the best way to prevent this spyware from
working is to TOTALLY REMOVE SUN SYSTEM'S JAVA FROM YOUR COMPUTER. May
sound like overkill, but maybe Sun will get the message eventually and
sue Redsheriff and-or take other measures to stop the exploit.
 
Badger said:
My version of AdAware caught Redsheriff recently. I'm using Version 6, Build
6.181. What version do you use? Maybe you need to upgrade.
Badger
6.0. You're right. I'll download the upgrade now, but I thought that
keeping the signature file would have allowed detection of Redsheriff.
 
Brian said:
It says it's an applet (if it is true). Just disable/block Java applets
in your browser.

I always run with Java blocked in Mozilla, but not so in IE (which I
have to run once in a while to access certain sites.) That must be
what made me susceptible. Taking Java off my machine entirely will put
an end to the problem for now.
 
John said:
I certainly never said that. But you're right. It should have occurred to
me that the homepage for the spyware would rape one's computer. Guess I
forgot because I'd already removed Java from my system and also am using
Kerio.

Here's a better site that gives tons of info on how the spyware works:

http://kalsey.com/2002/11/java_spyware/
(snip)

Whoops. Here's the site with all the stuff I refer to in that last post:

http://www.inluminent.com/weblog/archives/2002/11/06/defeating_tracking_software_redsherrif.php

(link may wrap)
 
Henk de Jong said:
I haven't found a 'plugin141_03.trace', a 'measure.class' or something
that 'looks' like Redsheriff on my system, but I have Java installed.
I haven't either. I find no files of type ".trace" on my system.
All I've found in the java cache subdirectory are jpeg images from sites
I've visited and ".class" files containing references to those same
sites (references such as captions, etc.). Still, I wonder whether
deleting the cache's contents at system startup wouldn't be a good idea.
You know, with a line in a batch file as with removing IE's cache? Does
anyone here currently do that? Still, I'm off to do some more reading on
the subject, you betcha.
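The two observations above, that the suspect cache entries have names starting with "measure.class" and ending in .class or .idx and that their contents mention the Redsheriff privacy statement, together with Henk's question about clearing the cache from a startup batch file, can be turned into a small inspection-and-cleanup script. The script below is an added example written for this page; it is not code from the thread or from any of the linked sites. It assumes a flat cache directory laid out like the thread's C:\WINDOWS\.jpi_cache\file\1.0 (the path, the name prefix and the suffixes are the ones named in the thread), and the sample files it builds for the demonstration are constructed here, not real Redsheriff files. By default it only reports; deletion has to be requested explicitly.

```python
"""Scan a Java plug-in cache directory for cached applet files that match the
name pattern and content marker described in the thread, and optionally purge
them. Added example, not the thread's own code; paths and names are assumptions
taken from the discussion."""
import os
import tempfile
from pathlib import Path

# Path named in the thread; override with any directory you want to inspect.
DEFAULT_CACHE = Path(r"C:\WINDOWS\.jpi_cache\file\1.0")
SUSPECT_PREFIX = "measure.class"          # name prefix reported in the thread
SUSPECT_SUFFIXES = (".class", ".idx")     # suffixes reported in the thread
MARKER = b"redsheriff"                    # case-insensitive content marker


def scan_cache(cache_dir, prefix=SUSPECT_PREFIX,
               suffixes=SUSPECT_SUFFIXES, marker=MARKER):
    """Return a sorted list of suspect files under cache_dir.

    A file is flagged if its name starts with `prefix` and ends with one of
    `suffixes` (the naming pattern John saw), or if its bytes contain `marker`
    regardless of name (the privacy-statement reference he found inside them).
    """
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = Path(root) / name
            by_name = name.startswith(prefix) and name.endswith(suffixes)
            try:
                data = path.read_bytes()
            except OSError:
                continue                  # unreadable entry: skip, don't crash
            by_content = marker.lower() in data.lower()
            if by_name or by_content:
                hits.append(path)
    return sorted(hits)


def purge(paths, dry_run=True):
    """Delete the given files. With dry_run=True nothing is removed and the
    list is only reported, which is the mode to run first. Returns the list
    of paths acted on."""
    acted = []
    for p in paths:
        if not dry_run:
            p.unlink()
        acted.append(p)
    return acted


def build_sample_cache():
    """Construct a throwaway cache directory with labelled sample files so the
    scan can be exercised offline. None of these are real applet files."""
    d = Path(tempfile.mkdtemp(prefix="jpi_cache_sample_"))
    # Constructed stand-ins for the entries described in the thread.
    (d / "measure.class-2f3a9c1e7b.class").write_bytes(
        b"\xca\xfe\xba\xbe constructed sample: RedSheriff privacy statement")
    (d / "measure.class-2f3a9c1e7b.idx").write_bytes(
        b"constructed index record")
    # Constructed benign entries, like the images and caption classes Henk saw.
    (d / "banner.jpeg").write_bytes(b"\xff\xd8\xff constructed cached image")
    (d / "Caption.class").write_bytes(
        b"\xca\xfe\xba\xbe constructed caption text from a visited site")
    return d


if __name__ == "__main__":
    # Stand-alone run against the constructed sample directory (report only).
    sample = build_sample_cache()
    for hit in scan_cache(sample):
        print("suspect:", hit)
    print("dry run, nothing removed:", len(purge(scan_cache(sample))))
```

To use it on a real machine, call scan_cache(DEFAULT_CACHE) first, read the report, and only then call purge(hits, dry_run=False); the same two calls in a script run at startup give the cache-clearing step Henk asked about, with the benefit that benign cached images and caption classes are left alone rather than wiping the whole directory.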
 
John said:
I always run with Java blocked in Mozilla, but not so in IE (which I
have to run once in a while to access certain sites.) That must be
what made me susceptible. Taking Java off my machine entirely will put
an end to the problem for now.
Hello John

I've found myself unable to access sites, like optics and mechanical demos,
because the MS product is defective.

Is there another option than Sun, or would perhaps deleting the dodgy
files make it safe?

mike r
 
mike said:
Hello John
I've found myself unable to access sites, like optics and mechanical demos,
because the MS product is defective.
Is there another option than Sun, or would perhaps deleting the dodgy
files make it safe?

Mike,

From what I've read, deleting the files does no good because they
just come back when you visit a site that uses the Redsheriff applet.
However, this site details how to defeat Redsheriff:

http://www.kalsey.com/2002/11/java_spyware/

and this site has even more info:

http://www.inluminent.com/weblog/archives/2002/11/06/defeating_tracking_software_redsherrif.php
 
John said:
Mike,

From what I've read, deleting the files does no good because they
just come back when you visit a site that uses the Redsheriff applet.
However, this site details how to defeat Redsheriff:

http://www.kalsey.com/2002/11/java_spyware/

and this site has even more info:

http://www.inluminent.com/weblog/archives/2002/11/06/defeating_tracking_software_redsherrif.php
Thanks, John, I just disabled java in IE, and I'll read up on the
vulnerabilities to see if that's enough.

(I know I could go away from IE, but BTDT, and I'm beginning to think I
need a damn good reason to go away from native apps, even IE!)

mike r
 
mike said:
Thanks, John, I just disabled java in IE, and I'll read up on the
vulnerabilities to see if that's enough.

(I know I could go away from IE, but BTDT, and I'm beginning to think I
need a damn good reason to go away from native apps, even IE!)

Even Moz based browser users are more secure without Java. I've not
found any use for it myself. Access to my mutual fund personal info
only requires Java Script.


Art
http://www.epix.net/~artnpeg
 
Does anyone actually have the original measure.class? Being a Java
programmer myself, I'd love to decompile it and see what's going on in
the source.

If anyone has the original measure.class, email me and I'll post what I
find after decompiling it.

brian
 
John said:
I still maintain that the best way to prevent this spyware from
working is to TOTALLY REMOVE SUN SYSTEM'S JAVA FROM YOUR COMPUTER. May
sound like overkill, but maybe Sun will get the message eventually and
sue Redsheriff and-or take other measures to stop the exploit.

Ah, no, that is overkill - unless of course you don't use Java for
anything else anyway or access any other useful Web sites that use it
for something.

And Sun isn't going to sue them - on what grounds? Misuse of Java?
That would get laughed out of court. There's nothing particularly
illegal about dropping a Java applet on someone's machine as part of
Web site analysis. It may be offensive, but it's not illegal AFAIK
(IANAL, YMMV, etc.). Whether it should be or not is another question.

I understand from my Google search last night that the BBC was caught
using RedSheriff's Web bug or something. Raised a bit of a row. Point
is some very large outfits use them for Web analysis. It's generally
not considered spyware of the sort that rummages through your hard
drive and sends Lord knows what away for who knows what purpose.

Since it apparently can be blocked easily enough, totally removing
Java is not really necessary.
 
Brian said:
Does anyone actually have the original measure.class? Being a Java
programmer myself, I'd love to decompile it and see what's going on in
the source.
If anyone has the original measure.class, email me and I'll post what I
find after decompiling it.

I hope somebody can help you out with this Brian, since I've already
deleted all the files. And as I mentioned, on my system I had a lot of
files whose names started out with "measure.class", but had a long
string of characters after that and then either ended in .class or
.idx. When I opened one of them up in Wordpad, it contained a
reference to the Redsheriff website's privacy statement. Those files
resided in the following folder on my system:

c:\WINDOWS\.jpi_cache\file\1.0

I also had this file on my system:

c:\WINDOWS\.plugin141_03.trace

and it contained the address for the RedSheriff privacy policy. Since
you're a Java programmer, can you tell me anything about that file?
 