Message-ID: <ELEOLHOJFMBPBFCJHOCIEEBJDJAA.aditya.deshmukh@online.gateway.technolabs.net>
From: aditya.deshmukh at online.gateway.technolabs.net (Aditya, ALD [Aditya Lalit Deshmukh])
Subject: Re: http://federalpolice.com:article872@...5686747

this is not a zip file - it's a Windows exe complete with an MZ header and calls to LoadLibraryA & GetProcAddress exported from KERNEL32.dll

am debugging through it - to see what exactly it does...

(this one is real good) but how come IE and Mozilla started it up as a Java applet without any error message?

-aditya

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Nicola
> Fankhauser
> Sent: Monday, February 16, 2004 12:50 AM
> To: full-disclosure@...ts.netsys.com
> Subject: [Full-Disclosure] Re: [Full-Disclosure]
> http://federalpolice.com:article872@...5686747
> 
> 
> hi jedi
> 
> On Sun, 2004-02-15 at 18:45, Jedi/Sector One wrote: 
> >   This is equivalent to http://64.29.173.91/
> 
> ok, and the html of the index page is as following:
> 
> <html><body bgcolor=white link=#ffffff vlink=#ffffff alink=#ffffff>
> <h2>SERVER ERROR 550</h2>
> <applet ARCHIVE="javautil.zip" CODE="BlackBox.class" WIDTH=1 
> HEIGHT=1></applet></body></html>
> 
> now, the "SERVER ERROR 550" is clearly a fake - the java applet below
> just starts fine. strangely, the 'javautil.zip' is not a valid zip-file,
> yet 'appletviewer' and mozilla (don't know about MS IE; too dangerous :)
> happily start the applet without any hiccups or exceptions and mozilla
> states 'Applet BlackBox started' in the status bar.
> 
> is there anybody knowledgeable interested in un-zipping, de-compiling and
> analysing this surely malicious applet? I would like to know what
> mozilla just executed on my behalf there... :(
> 
> FYI, the file 'javautil.zip' attached is directly taken from the site
> mentioned above.
> 
> regards
> nicola
> 


________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)
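The thread's finding is that a file served as 'javautil.zip' was in fact a Windows executable (MZ header, imports of LoadLibraryA and GetProcAddress from KERNEL32.dll) that the applet loaders accepted without complaint. The following is an added triage example, not code from the thread or from any of its participants: it identifies a blob by its magic bytes rather than its name, flags an extension mismatch, and reports which of the API names mentioned in the thread appear as NUL-terminated strings. The sample inputs are constructed here (a minimal fake PE header plus strings, and a real in-memory zip); the function names and the INTERESTING_APIS list are assumptions for this example.

```python
import io
import struct
import zipfile

# API/DLL names named in the thread; presence as NUL-terminated strings is a
# cheap triage signal for dynamic import resolution, not proof of intent.
INTERESTING_APIS = (b"LoadLibraryA", b"GetProcAddress", b"KERNEL32.dll")

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def identify(data: bytes) -> str:
    """Classify by content, ignoring whatever extension the file was served under.

    Returns 'zip' for a zip signature, 'pe' when the DOS header's e_lfanew
    field (offset 0x3C) points at a 'PE\\0\\0' signature, 'mz' for an MZ
    stub without a valid PE header, and 'unknown' otherwise.
    """
    if data[:4] in ZIP_MAGICS:
        return "zip"
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"
    return "unknown"


def referenced_apis(data: bytes) -> list:
    """Names from INTERESTING_APIS that occur as NUL-terminated strings."""
    return [name.decode() for name in INTERESTING_APIS if name + b"\x00" in data]


def triage(filename: str, data: bytes) -> dict:
    """Summarise one served file: real type, name/content mismatch, API strings."""
    kind = identify(data)
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "filename": filename,
        "type": kind,
        # The thread's case: served as .zip, actually an executable.
        "extension_mismatch": claimed == "zip" and kind != "zip",
        "apis": referenced_apis(data) if kind in ("pe", "mz") else [],
    }


def build_fake_pe() -> bytes:
    """Constructed stand-in for the mislabelled executable (not the real sample)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)          # e_lfanew -> PE signature
    body = b"PE\x00\x00" + b"\x00" * 20                  # signature + padding
    strings = b"".join(n + b"\x00" for n in (b"KERNEL32.dll", b"LoadLibraryA", b"GetProcAddress"))
    return bytes(header) + body + strings


def build_real_zip() -> bytes:
    """Constructed genuine zip containing a placeholder class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BlackBox.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("javautil.zip", build_fake_pe()), ("javautil.zip", build_real_zip())):
        print(triage(name, blob))
```

The point of checking magic bytes before trusting a name or a Content-Type is exactly the gap the thread describes: a loader that never validated the archive format executed whatever it was handed. A mismatch between the claimed and detected type is a strong reason to quarantine and analyse the file offline rather than let any runtime open it.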
