lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <200501081703.j08H32rs017335@lists.netsys.com> From: randallm at fidmail.com (RandallM) Subject: Microsoft AntiSpyware - First Impression KF (lists) wrote: >>>>>>>>>>>>>>>>>>>> Message: 11 Date: Fri, 07 Jan 2005 11:19:56 -0500 From: "KF (lists)" <kf_lists@...italmunition.com> Subject: Re: [Full-Disclosure] Microsoft AntiSpyware - First Impressions To: full-disclosure@...ts.netsys.com Message-ID: <41DEB6AC.5090405@...italmunition.com> Content-Type: text/plain; charset=windows-1252; format=flowed Do a software update check with this thing and you get GIANTAntiSpywareMain.exe listening on port 2571 until the software is closed. Feel free to beat on and fuzz that port fellas. =] -KF >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I found this with tcpview: GIANTAntiSpywareMain.exe:3424 TCP p4fast.xxxx.com:3256 216.32.240.26:http ESTABLISHED GIANTAntiSpywareMain.exe:3424 UDP p4fast:3255 *:* OrgName: Savvis OrgID: SAVVI-2 Address: 3300 Regency Parkway City: Cary StateProv: NC PostalCode: 27511 Country: US ReferralServer: rwhois://rwhois.exodus.net:4321/ NetRange: 216.32.0.0 - 216.35.255.255 CIDR: 216.32.0.0/14 NetName: SAVVIS NetHandle: NET-216-32-0-0-1 Parent: NET-216-0-0-0-0 NetType: Direct Allocation NameServer: DNS01.SAVVIS.NET NameServer: DNS02.SAVVIS.NET NameServer: DNS03.SAVVIS.NET NameServer: DNS04.SAVVIS.NET Comment: RegDate: 1998-07-30 Updated: 2004-10-07 GET / HTTP/1.1 Host: 216.32.240.26 Connection: close User-Agent: Sam Spade 1.14 HTTP/1.1 403 Forbidden Content-Length: 218 Content-Type: text/html Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET MicrosoftOfficeWebServer: 5.0_Pub Date: Sat, 08 Jan 2005 16:40:07 GMT Connection: close If you look at for instance system process, BHO area and select an unknown, an option to "send to spynet for anayliss" is there. If you select this, it reports to the 216.31.240.26 also. On a funny note, under ActiveX area it list the microsoft update as this: "Microsoft Windows Update Control Engine This is an unknown ActiveX File path: C:\WINDOWS\System32\iuengine.dll Description: Windows Update Control Engine Publisher: Microsoft Corporation Last modified: Tue, 26 Aug 2003 01:19:52 GMT Installed version: 5,4,3790,14 Download location: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37921.827546 2963" It does look as if they jumped very quickly to launch this software! thank you Randall M
Powered by blists - more mailing lists