Unfortunately the most common vector these days is infected Web sites infecting through the browsers. The older IE versions that XP users typically use that have Java installed are probably the most vulnerable. You don't need to download anything to get infected, just visiting the page is enough. There have been a number of Trainz related web sites that have been infected or had a bit of HTML added to the web page, so it's not just sites that would have been considered dodgy years ago.
Cheerio John
Very true, and it's mostly JavaScript and not the Java language that's the problem. The vector is actually cross platform and affects all modern browsers on all platforms that the malware is aimed at, including OS X. The malware writers use asynchronous data transfers to do data updates in the background. While the user is browsing the web, the data is going into the machine in the background. This is usually triggered by a compromised link, and is usually promoted at the top-most of the web search sites such as Google, Yahoo, and Bing by using browser search-bots. Having said this, it's best never to click on the top-most search suggestions, and if one needs to go to those places, type in the URL manually. The problem is the HTML page shows one thing, but the underlying HREF refers to the infected location.
Once the dropper (now called a Trojan Horse) comes down, via the browser connection, it does more work in the background such as downloading other parts, or compromising the machine in other methods. Some of the better antivirus programs, such as VIPRE and Malwarebytes, will catch these, but usually these things go unnoticed until the user sees warnings on their screen about an infected machine, or hard drive failures among the many warnings. The only thing is these infections are false, and the only infection is the one that the user just received! The malware will then do other things such as hide files and disable user policies, as well as block administrator access, and CTRL+ALT+DEL. Some go as far as blocking Task Manager and antivirus programs from scanning. I have also found that using third-party tools such as Process Explorer instead of Task Manager is allowed, not always, but it is. I noticed that they look at the specific filename in some cases and not the header information. I had some malware that disallowed Process Explorer too, as spelled. I changed the name to ProcXPLR and I was able to run the utility and remove the malware by suspending it and then removing the source. I have also found that if one can log in under another account, since these things are policy and account based, it's easy to then scan and remove the malware. This also includes Safe Mode without networking, as this too uses the actual administrator account and not a "super user" account as it is in Windows.
More recently when removing these infections, I use both methods. The first attempt is to run Process Explorer from the user account, if I can. If I can suspend the malware at this point, I'll then run my other tools. If not, I'll use a secondary account and work from there. Using this process, I have had a 97% success rate when removing malware from user machines.
Here's my list of my removal tools. I refer to them as my malware removal toolbox:
Process Explorer --- Task Manager replacement available from Microsoft (www.sysinternals.com), or via TechNet.
Other tools:
ComboFix --- checks for root kits.
Malwarebytes --- general antivirus; the free version works great.
RogueKiller --- scripting, registry, and root kit.
TDSSKiller --- malware removal.
Unhide --- used to restore hidden desktop and user folders.
The links are available from www.bleepingcomputer.com
John
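John's point that "the HTML page shows one thing, but the underlying HREF refers to the infected location" can be checked mechanically. The script below is an added example, not code from either post or from any of the tools listed: it scans the anchors in a page's HTML and reports every link whose visible text looks like a URL but whose href resolves to a different host, which is exactly the mismatch a poisoned search result or a tampered forum page relies on. All host names and the sample HTML are constructed for the example; `pageOrigin` is an assumed parameter used to resolve relative links.

```javascript
// Added example (not from the forum thread): audit anchors for a mismatch
// between the URL the user sees as link text and the host the href really
// points at. Uses Node's built-in global URL class; no dependencies.

// Matches <a ... href="..."> ... </a>, capturing the href and the inner HTML.
const ANCHOR_RE = /<a\b[^>]*\bhref\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;

// Link text that a reader would take to be a web address (with or without a scheme).
const LOOKS_LIKE_URL_RE = /^(?:https?:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[\/?#]\S*)?$/i;

// Normalised host of a URL or bare domain: lower-case, leading "www." dropped.
// Returns null when the value cannot be parsed as a URL at all.
function hostOf(candidate, base) {
  try {
    const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(candidate);
    const url = hasScheme || base === undefined
      ? new URL(hasScheme ? candidate : `http://${candidate}`)
      : new URL(candidate, base);
    return url.hostname.toLowerCase().replace(/^www\./, '');
  } catch {
    return null;
  }
}

// Returns one finding per anchor whose displayed host differs from its real host.
// pageOrigin is an assumed parameter: the origin relative hrefs resolve against.
function findDeceptiveLinks(html, pageOrigin = 'https://forum.example.org/') {
  const findings = [];
  for (const match of html.matchAll(ANCHOR_RE)) {
    const href = match[1].trim();
    // Strip nested tags and collapse whitespace to get what the reader sees.
    const text = match[2].replace(/<[^>]+>/g, '').replace(/\s+/g, ' ').trim();
    if (!LOOKS_LIKE_URL_RE.test(text)) continue; // plain label, nothing to compare
    const shownHost = hostOf(text);
    const realHost = hostOf(href, pageOrigin);
    if (shownHost === null || realHost === null) continue;
    if (shownHost !== realHost) {
      findings.push({ text, href, shownHost, realHost });
    }
  }
  return findings;
}

// Constructed sample page: one honest link, one link whose text shows the
// expected site but whose href goes elsewhere, a plain-label link, and a
// link that differs only in case and "www." (not a mismatch).
const SAMPLE_HTML = `
<p>Download the pack from
<a href="http://www.trainz-forums.example.com/downloads">http://www.trainz-forums.example.com/downloads</a>
or the mirror at
<a href="http://evil-mirror.example.net/dl.php">www.trainz-forums.example.com/downloads</a>.
See the <a href="/faq">FAQ</a> and
<a href="http://www.Trainz-Forums.example.com/">trainz-forums.example.com</a>.</p>
`;

// Stand-alone run: prints the single mismatched link from the sample page.
console.log(JSON.stringify(findDeceptiveLinks(SAMPLE_HTML), null, 2));
```

The check deliberately ignores anchors whose text is an ordinary label ("FAQ", "click here"), since there is nothing displayed to compare against; those still have to be judged by hovering and reading the status bar, as the post advises. Relative hrefs resolve against the page's own origin, so a link whose text names another site but which actually stays on the current host is reported too.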