Contributor
Posts: 17
Registered: ‎03-17-2004
Accepted Solution

Constant Guard False Bot Positives


Again I received an email titled "Constant Guard Service Alert" from alerts@comcast.net with absolutely no other information. I checked with "Am I botted" and it shows the same so-called "Java_Exploit_Group" detected again with no other explanation. My own research has indicated that this notification pops if I bring a computer with Java installed online. I have 2 such computers. One runs Linux and the other a fully updated and checked Windows 7. I have removed Java from all Windows computers. Just to keep you quiet I am removing Java from the remaining Windows computer since you seem to detect all Java installations in Windows as bots regardless of currency.


Please either fix this system or stop sending out aggravating and incorrect warnings. I run Norton on all Windows computers except for 1 which runs Microsoft AV, and repeated checks with the installed AVs and web-based scanners never show a problem.


You are rapidly losing all credibility as regards your ability to detect malware on your network. False positives are not benign - they destroy any confidence in your competency.

Gold Problem Solver
BruceW
Posts: 7,730
Registered: ‎12-03-2007

Re: Constant Guard False Bot Positives

Some Java exploits are cross-platform. It would be best to check with Comcast Security Assurance before writing this off as a false positive: 1-888-565-4329 6am-2am Eastern time, http://security.comcast.net/get-help/contact-comcast-security.aspx.

Contributor
Posts: 17
Registered: ‎03-17-2004

What Does JAVA_EXPLOIT_GROUP mean?

What does "Java_Exploit_Group" mean on the AmiBotted site? So far the only reference I have found to this string on the internet is my earlier posting on the topic. If someone knows, please say so.

Silver Problem Solver
reasd
Posts: 6,127
Registered: ‎02-22-2007

Re: What Does JAVA_EXPLOIT_GROUP mean?

Hello,

Doing some research on the web, it is a virus. Here are some steps you can try to fix it, but there are no guarantees. You might find some better malware programs that can remove the virus that might be better.


1. delete java cache:
http://www.java.com/en/download/help/plu…


2. read & run:
http://www.bleepingcomputer.com/tutorial…


3. run free malwarebytes.

Contributor
Posts: 17
Registered: ‎03-17-2004

Re: What Does JAVA_EXPLOIT_GROUP mean?


I have Java installed on only 1 computer and that is the latest installation with all updates. I also have Norton AV installed and run it regularly. There are no symptoms of virus infection on any of my computers. And why would the so-called botnet detector identify a virus as a bot - they are very different things. I also run Secunia PSI, which is the recommendation from the bleepingcomputer page you cited.


Where did you find the description of JAVA_Exploit_Group?

Bronze Star Contributor
Lunkwill
Posts: 489
Registered: ‎11-20-2003

Re: What Does JAVA_EXPLOIT_GROUP mean?

When you had Java installed, what version was it? There have been a number of zero-day security holes with recent releases (and the older ones).


Gold Problem Solver
BruceW
Posts: 7,730
Registered: ‎12-03-2007

Re: What Does JAVA_EXPLOIT_GROUP mean?


AlexRetired2 wrote: ... why would the so-called botnet detector identify a virus as a bot - they are very different things. ...

Comcast's system does not detect viruses or bots. It detects IP traffic to/from hosts it believes to be part of a botnet. Please see http://forums.comcast.com/t5/Security-and-Anti-Virus/Comcast-Announces-Constant-Guard-security-progr....

Bronze Star Contributor
Lunkwill
Posts: 489
Registered: ‎11-20-2003

Re: What Does JAVA_EXPLOIT_GROUP mean?


BruceW wrote:

AlexRetired2 wrote: ... why would the so-called botnet detector identify a virus as a bot - they are very different things. ...

Comcast's system does not detect viruses or bots. It detects IP traffic to/from hosts it believes to be part of a botnet. Please see http://forums.comcast.com/t5/Security-and-Anti-Virus/Comcast-Announces-Constant-Guard-security-progr....


I suspect AlexRetired2 is talking about the amibotted.comcast.net site that does run a script against your PC when you access it and click on the scan button. Someone there likely included detection for versions of Java prior to Java 6 Update 37 and Java 7 Update 9.


Gold Problem Solver
BruceW
Posts: 7,730
Registered: ‎12-03-2007

Re: What Does JAVA_EXPLOIT_GROUP mean?


Lunkwill wrote: ... the amibotted.comcast.net site that does run a script against your PC when you access it and click on the scan button. ...

No, sorry, AmIBotted does not scan your system. It merely pulls up whatever information the botnet detection system has on your internet connection. The data is historical, not real-time.


Also note that the name the system reports is not necessarily the name of a piece of malware, it is the name of a botnet, or a botnet family. See the sample page at https://amibotted.comcast.net/images/preview.png and the description of the detection system.

Official Employee
jlivingood
Posts: 1,100
Registered: ‎05-09-2007

Re: What Does JAVA_EXPLOIT_GROUP mean?


BruceW wrote:

Lunkwill wrote: ... the amibotted.comcast.net site that does run a script against your PC when you access it and click on the scan button. ...

No, sorry, AmIBotted does not scan your system. It merely pulls up whatever information the botnet detection system has on your internet connection. The data is historical, not real-time.


Also note that the name the system reports is not necessarily the name of a piece of malware, it is the name of a botnet, or a botnet family. See the sample page at https://amibotted.comcast.net/images/preview.png and the description of the detection system.


I can confirm this is 100% correct. The site does not scan you - it looks your IP up in our malware database.

JL
National Engineering & Technical Operations
Contributor
Posts: 17
Registered: ‎03-17-2004

Re: What Does JAVA_EXPLOIT_GROUP mean?


I checked amibotted again and found a new entry for the same "Java_Exploit_Group", so I called Comcast security and they were able to confirm that they have no way of identifying the source of this report beyond an IP address and no information as to what "Java_Exploit_Group" means. The tech, who was trying very hard to help, suggested that I scan the web for the string "Java_Exploit_Group". Unfortunately, scanning for this string returns ONLY my correspondence on this forum on this subject. There appears to be no such thing as "Java_Exploit_Group" anywhere else on the internet (itself unusual).


There was only 1 device on at the time given on the timestamp for amibotted, which I verified by checking the event log for each computer. That computer did have Java SE7 Update 09 installed, which is the latest version as of today. To resolve this I uninstalled Java from the one machine that had it and once again scanned it thoroughly with Norton and Bitdefender for any signs of malware. If the amibotted entry shows up again I will report it here as a definite false positive.


If anyone can come up with an authoritative explanation for amibotted's "Java_Exploit_Group", please report it here.


If this keeps happening the alternative is, of course, a different ISP.
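The check AlexRetired2 describes above (matching the alert's timestamp against which LAN devices were online, since the ISP only sees the public IP) as an added example that is not from the thread. The alert, device names and session times are constructed; the slack window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): one alert as AmIBotted reports
# it, plus a timeline of which LAN devices were online, e.g. rebuilt from each
# computer's event log or the router's DHCP lease log.  The ISP system records
# only the public IP, so this correlation is the subscriber's job.
ALERT = {"public_ip": "203.0.113.7", "family": "Java_Exploit_Group",
         "last_seen": "2012-11-20 10:20"}  # local time, as shown on the site

DEVICE_SESSIONS = [
    # (device, online_from, online_to), local time
    ("win7-desktop", "2012-11-20 09:05", "2012-11-20 11:40"),
    ("linux-laptop", "2012-11-20 13:00", "2012-11-20 18:30"),
    ("squeezebox",   "2012-11-19 22:00", "2012-11-21 06:00"),  # always-on appliance
]

FMT = "%Y-%m-%d %H:%M"


def parse(ts):
    return datetime.strptime(ts, FMT)


def devices_online_at(sessions, when, slack_minutes=5):
    """Devices whose session overlaps `when`, widened by `slack_minutes`
    (assumed) because the ISP's "last seen" is when the suspicious traffic was
    observed, which need not line up exactly with the host's own clock."""
    t = parse(when)
    slack = timedelta(minutes=slack_minutes)
    return sorted(d for d, start, end in sessions
                  if parse(start) - slack <= t <= parse(end) + slack)


def triage(alert, sessions):
    """Reduce an IP-level alert to the set of LAN devices that could have
    produced it.  More than one candidate means the alert cannot be pinned on
    a single machine, and always-on devices are not excluded just because they
    are not PCs."""
    candidates = devices_online_at(sessions, alert["last_seen"])
    if not candidates:
        verdict = "no-device-online"      # worth re-checking clocks and logs
    elif len(candidates) == 1:
        verdict = "single-candidate"      # scan that one host first
    else:
        verdict = "ambiguous"
    return {"family": alert["family"], "verdict": verdict,
            "candidates": candidates}


if __name__ == "__main__":
    print(triage(ALERT, DEVICE_SESSIONS))
```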

Official Employee
ComcastNirmal
Posts: 92
Registered: ‎05-23-2007

Re: What Does JAVA_EXPLOIT_GROUP mean?

JAVA_EXPLOIT_GROUP is a generic name of a Zeus Botnet variant that exploits Microsoft OS & Java vulnerabilities to install a multi-purpose trojan.  


Uninstalling Java is unfortunately not sufficient if the malware was already installed. Please also make sure your Windows machine is patched and you have also updated Adobe Flash. However, I don't see any new activity for your IP; last seen was 11/20 at 10:20 EST.


Also have you tried Microsoft Security Essentials?  http://windows.microsoft.com/en-US/windows/security-essentials-download


Lastly, there is a lot of information available on Java vulnerabilities... here are two:

http://krebsonsecurity.com/2012/08/java-exploit-leveraged-two-flaws/

http://www.cso.com.au/article/442705/dorkbot_java_weapon_hit_3_5m_pcs_30_days/?fp=4&fpid=959105


- Nirmal 

Comcast

National Engineering & Technical Operations

Contributor
Posts: 17
Registered: ‎03-17-2004

Re: What Does JAVA_EXPLOIT_GROUP mean?

Thank you very much - now I know what botnet type to look for. The machines are all set to autoupdate with Microsoft and Flash is also checked as well.


BTW - I have two devices on my LAN that could possibly be creating a positive. One is the Linksys Squeezebox Radio and the other is a Roku 2 XS. Have there been any reports of either of these devices having a problem? I'm pretty sure the Squeezebox runs Linux and maybe the Roku as well.


Again, thanks.

Official Employee
ComcastNirmal
Posts: 92
Registered: ‎05-23-2007

Re: What Does JAVA_EXPLOIT_GROUP mean?

I have not seen any malware that targets/exploits Roku or Logitech* Squeezebox devices. You are correct that Roku is Linux... but Squeezebox runs on Squeeze OS, which is Logitech's own OS written in Lua.


- Nirmal 

Comcast

National Engineering & Technical Operations


Contributor
Posts: 17
Registered: ‎03-17-2004

Re: What Does JAVA_EXPLOIT_GROUP mean?

Thanks for the information. You're so far the best source of information I've found here. Congrats!


PS: say hello to Garfield