lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4b6ee931050912072836f6cc6d@mail.gmail.com>
Date: Mon Sep 12 15:29:00 2005
From: xploitable at gmail.com (n3td3v)
Subject: Automated mass abuse of form mailers

A worm/virus code is in the underground, where the malicious code
searches for: http://groups.google.com/group/n3td3v/browse_thread/thread/74395c44ef94c107/729603543ed1379e?q=vxer+vectors&rnum=1#729603543ed1379e
And then sends whatever the service is invite/article or web link,
depending on what the form's function is, this will bring carriers to
a crawl, as the mass amount of mail being sent. This is nothing new,
and the most high profile offender was Yahoo Inc, as reported by me on
F-D a while back. Yahoo now have (unconfirmed) patched their mailers
and forms for invites to Yahoo services.

I have been researching the potential of VXers using the mass amount
of vulnerable webforms on the web for a long time. The most common
offender are online media news outlets, offering you to send an
article link to a friend.

The VXer wouldn't worry what the content of the mail being sent is,
weather it be a random invite to a service or a link/ news story, to
the VXer, all he cares about is the data being sent, to slow down
networks/ internet. Funnily tho, many web forms for invites and news
stories, allow the user to add their own message, so this can be
filled with garbage data, or include executable exploit code, for a
particular software flaw. Regradless of this, its the fact that these
web forms are accessable, with no word verification, to stop
bots/zombies/worm/virii code from exploiting these mailers.

CNET News is the _only_ media outlet or site generally that has
bothered to protect its send this article web form and functionality.
The rest from my observations are wide open, millions of them across
the web. Thats alot of data, that could be sent across web. To me its
a ticking time bomb.

The Yahoo thingy I just mentioned had an added twist that the invites
sent, by-passed Yahoo Mail's spam technology, sending all mail
straight to the inbox of the user, instead of the bulk folder. This
was because the mailers were trusted by Yahoo's anti-spam, thinking
the invites were coming from a trusted corporate source, but they
weren't.
http://seclists.org/lists/fulldisclosure/2004/Oct/0151.html
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032128.html
http://lists.grok.org.uk/pipermail/full-disclosure/2004-September/026967.html
http://readlist.com/lists/lists.netsys.com/full-disclosure/1/8435.html
And so on.

Way back in 2004 was when I realised the threat to the wider web and
not just Yahoo's network.

You're talking about spammers using mailers to advertise a product,
their connected with, however the threat of infected computers sending
wanted invites, web links, news articles from websites to consumer and
corporate networks, is just as great, if not greater.

Thats all for now.

Thanks...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ