lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: randallm at fidmail.com (RandallM)
Subject: Microsoft AntiSpyware - First Impression

KF (lists) wrote:
 
>>>>>>>>>>>>>>>>>>>>
Message: 11
Date: Fri, 07 Jan 2005 11:19:56 -0500
From: "KF (lists)" <kf_lists@...italmunition.com>
Subject: Re: [Full-Disclosure] Microsoft AntiSpyware - First
	Impressions
To: full-disclosure@...ts.netsys.com
Message-ID: <41DEB6AC.5090405@...italmunition.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

Do a software update check with this thing and you get 
GIANTAntiSpywareMain.exe  listening on port 2571 until the software is 
closed. Feel free to beat on and fuzz that port fellas. =]
-KF
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


I found this with tcpview:
 
 
GIANTAntiSpywareMain.exe:3424 TCP p4fast.xxxx.com:3256 216.32.240.26:http
ESTABLISHED 
GIANTAntiSpywareMain.exe:3424 UDP p4fast:3255 *:*  

OrgName:    Savvis 
OrgID:      SAVVI-2
Address:    3300 Regency Parkway
City:       Cary
StateProv:  NC
PostalCode: 27511
Country:    US

ReferralServer: rwhois://rwhois.exodus.net:4321/

NetRange:   216.32.0.0 - 216.35.255.255 
CIDR:       216.32.0.0/14 
NetName:    SAVVIS
NetHandle:  NET-216-32-0-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: DNS01.SAVVIS.NET
NameServer: DNS02.SAVVIS.NET
NameServer: DNS03.SAVVIS.NET
NameServer: DNS04.SAVVIS.NET
Comment:    
RegDate:    1998-07-30
Updated:    2004-10-07


GET / HTTP/1.1 Host: 216.32.240.26 Connection: close User-Agent: Sam Spade
1.14  HTTP/1.1 403 Forbidden Content-Length: 218 Content-Type: text/html
Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET MicrosoftOfficeWebServer:
5.0_Pub Date: Sat, 08 Jan 2005 16:40:07 GMT Connection: close

If you look at for instance system process, BHO area and select an unknown,
an option to "send to spynet for anayliss" is there. If you select this, it
reports to the 216.31.240.26 also.

On a funny note, under ActiveX area it list the microsoft update as this:

"Microsoft Windows Update Control Engine
This is an unknown ActiveX

File path: C:\WINDOWS\System32\iuengine.dll
Description: Windows Update Control Engine
Publisher: Microsoft Corporation
Last modified: Tue, 26 Aug 2003 01:19:52 GMT
Installed version: 5,4,3790,14
Download location:
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37921.827546
2963"

It does look as if they jumped very quickly to launch this software!


 
thank you
Randall M

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ