Developers
June 9, 2020

Java developers: Beware, there is a malware infecting NetBeans projects.

GitHub announced the threat, the infected files are sophisticated, the malware has been in the community for years.

Today we will talk about a threat to the security of your projects. The threat affects Java developers, and the projects affected are NetBeans projects.

GitHub, the largest developer community, issued a public warning on its front page about this threat. It is important to pay attention to this kind of notice.

The malware uses what is known in IT security as a backdoor. A backdoor is a way for an attacker to access a computer while bypassing its security mechanisms. A backdoor can either be found, as an existing security weakness, or forced, by breaking a security mechanism.

GitHub's security team found 26 posted files that contained the malware, which they named "Octopus Scanner". They do not know how long this has been going on or how many developers are affected.

What they do know is that this is a targeted attack, since they never found the same kind of malware in any other programs or languages. The malware targets the NetBeans build process; NetBeans is the most used Java IDE.

The malware infects your local computer when you download any of the 26 projects. Nobody knows whether there are more files infected by this malware, or by other malware. This incident has without a doubt caught the attention of the many developers who contribute to and download from GitHub every day.

Is there any solution? One possibility would be for GitHub to strengthen its security when it comes to file detection: scanning files before allowing a user to upload them to the platform. That would lower the risk considerably, since an infected file could then neither be uploaded nor reach a user's local computer.

What does the malware do?

The malware infects local computers once it has been downloaded. Currently 26 infected files have been discovered, but there may be many more that have not yet been found. Octopus Scanner scans the victim's computer and looks for the NetBeans IDE. Any NetBeans projects it discovers on the PC are then infected.

This kind of malware is a Trojan, meaning that once the file is executed, the attacker has remote access to the computer. The malware installs the RAT (Remote Access Trojan) directly, with no need for another file. Attackers can then steal sensitive information and code. As the attack is aimed at development environments, their goal may be to steal projects.

The stolen projects can then be sold or used to blackmail the developer. Some projects take months or years to develop, and as we all know, developing software costs a lot of money. This attack is the equivalent of stealing money; the only difference is that it is done through software.

The oldest infected software discovered so far dates from August 2018, but GitHub publicly states that there are probably many more undiscovered infected files and that this is not something new. The files have been infected for years, affecting thousands of projects and developers.

The following steps explain how the malware operates.

  1. Identify the user's NetBeans directory.
  2. Enumerate all projects in the NetBeans directory.
  3. Copy the malicious payload cache.dat to nbproject/cache.dat.
  4. Modify the nbproject/build-impl.xml file so that the malicious payload is executed every time the NetBeans project is built.
  5. If the malicious payload is an instance of Octopus Scanner itself, the newly built JAR file is also infected.
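Steps 3 and 4 leave two artefacts on disk that a developer can check for: an nbproject/cache.dat file, and a build-impl.xml that references it (a stock NetBeans build-impl.xml never does). The script below is an added example written for this article, not GitHub's tooling; it walks a NetBeansProjects-style directory and reports both indicators, using a constructed sample tree (a clean project and a flagged one) so it runs offline.

```python
"""Scan NetBeans projects for the on-disk indicators described in steps 3 and 4.
Added example for this article; the sample tree it builds is constructed, not real."""
import re
import tempfile
from pathlib import Path

PAYLOAD_NAME = "cache.dat"      # file dropped in step 3 of the article
BUILD_IMPL = "build-impl.xml"   # file modified in step 4 of the article


def scan_project(project_dir: Path) -> list:
    """Return a list of indicator descriptions for one project (empty if clean)."""
    findings = []
    nbproject = project_dir / "nbproject"
    if not nbproject.is_dir():
        return findings
    if (nbproject / PAYLOAD_NAME).is_file():
        findings.append(f"{project_dir.name}: unexpected nbproject/{PAYLOAD_NAME}")
    build_impl = nbproject / BUILD_IMPL
    if build_impl.is_file():
        text = build_impl.read_text(errors="replace")
        # NetBeans generates build-impl.xml itself and never names cache.dat,
        # so any reference to it is worth a manual look.
        if re.search(r"cache\.dat", text):
            findings.append(f"{project_dir.name}: {BUILD_IMPL} references {PAYLOAD_NAME}")
    return findings


def scan_netbeans_projects(root: Path) -> list:
    """Check every project directory directly under a NetBeansProjects root."""
    results = []
    for child in sorted(root.iterdir()):
        if child.is_dir():
            results.extend(scan_project(child))
    return results


def build_sample_tree() -> Path:
    """Constructed fixture: one clean project and one showing both indicators."""
    root = Path(tempfile.mkdtemp(prefix="nbscan-"))
    clean = root / "CleanApp" / "nbproject"
    clean.mkdir(parents=True)
    (clean / BUILD_IMPL).write_text('<project name="CleanApp-impl"/>')
    suspect = root / "SuspectApp" / "nbproject"
    suspect.mkdir(parents=True)
    (suspect / PAYLOAD_NAME).write_bytes(b"placeholder bytes, not a real payload")
    (suspect / BUILD_IMPL).write_text('<project name="SuspectApp-impl">'
                                       '<!-- constructed reference: nbproject/cache.dat -->'
                                       '</project>')
    return root


if __name__ == "__main__":
    for line in scan_netbeans_projects(build_sample_tree()):
        print(line)
```

Point `scan_netbeans_projects` at your real NetBeansProjects folder to check your own machine; a hit is a reason to inspect the project, not proof of infection on its own.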

GitHub tries to eliminate the files

GitHub tried to get in touch with the owners of the infected files and asked them to delete all the discovered files. They thought this would be enough to make the environment safe again, but it did not suffice: it would not remove the infection from the local computers of developers who had already downloaded the files.

Nor, contrary to expectations, would it prevent other developers from getting infected, because the malware also infected the JAR files in the project. Security researchers found many versions of the malware. They also discovered that anyone who cloned a project from an infected repository would end up with infected files as well.

In conclusion, GitHub announced that files containing malware had been discovered. The malware comes in the form of a RAT (Remote Access Trojan) that grants the attacker access to the infected computer. As it is aimed at the NetBeans IDE, the most used IDE for Java, it is thought that the attackers steal projects and then sell them or blackmail the project owners for money. Since software is expensive and time-consuming to build, this kind of attack is the equivalent of stealing money. The malware is sophisticated, and even after asking the owners to remove the files from GitHub, there was no way to secure the infected JAR files. The files have been in the community for years and nobody knows how many people were infected. GitHub and the community suspect that, beyond the 26 discovered files, there may be many more, and other malware too. It is a good moment for GitHub to raise the level of security of its platform.

Tags: Java, GitHub

Lucas Bonder, Technical Writer
Lucas is an Entrepreneur, Web Developer, and Article Writer about Technology.
