lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: nick at (Nick FitzGerald)
Subject: AOL IM Worm

"Justin Baldini" <> wrote:

> There appears to be an AOL IM worm going around.

It's arguably not a worm (many say fully automated spread is a 
requirement for such).  It _is_ very like FriendGreetings but using AOL 
IM rather than SMTP as its "advertising medium".

> It's coming in as a link to here...
> (Without the XXX)

...and the bit after the "?" is variable/random.

> When run, it appears to load up some fake game, ...

Well, it is an ".SWF game".

> ... installs a bunch of shit,
> and then sends itself to everyone on your IM list.

What you so inelgantly missed is that when you visit the IM-spammed URL 
you referred to, you are prompted to download and install an ActiveX 
control.  If you accept it's "game over" (security-wise -- no pun 
intended...).  Intelligent admins whose advice is appreciated and acted 
on won't have users running IE, so this won't be an issue for them but 
the remaining 99.973% of Windows machines are likely to have some 
exposure.  However, clueful Windows admins who have to watch over 
hoards of the great unwashed and have been forced, against their better 
judgement, to allow or even encourage or -- gak! -- _require_ the use 
of IE, will at least have locked out said hoard with an "only run  
administrator approved ActiveX controls" policy.

Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Powered by blists - more mailing lists