
Full Disclosure mailing list archives

RE: Misinformation on Scob/MSJect Corrected CORRECTION
From: "Drew Copley" <dcopley () eEye com>
Date: Wed, 30 Jun 2004 16:28:25 -0700

Whoops, correction:

I was wrong. 

Their "unknown vulnerability" probably is the 180solutions
issue, not the adodb issue, which they do not even discuss
at all, though Symantec notes it.

That's what I get for quitting caffeine and nicotine at
the same time...

-----Original Message-----
From: Drew Copley 
Sent: Wednesday, June 30, 2004 4:06 PM
To: '1 () malware com'
Subject: FW: Misinformation on Scob/MSJect Corrected

 

-----Original Message-----
From: Drew Copley 
Sent: Wednesday, June 30, 2004 4:06 PM
To: bugtraq () securityfocus com; 
ntbugtraq () listserv ntbugtraq com; full-disclosure () lists netsys com
Subject: Misinformation on Scob/MSJect Corrected

Summary:

Microsoft is very wrong when presenting information
about Download.Ject [also known as: JS.Scob.Trojan, 
Scob, and JS.Toofeer.]

Many media sources have also been presenting nonfactual
information on these viruses.


What Is Happening:

CERT advises people not to use Internet Explorer.

http://www.kb.cert.org/vuls/id/713878

This issue is a vulnerability which was found being
used by a spyware distributor in the wild. Many 
media sources are erroneously reporting this 
vulnerability as being the same one Microsoft speaks
of in the Scob/MS.Ject attack:

(from: "What You Should Know About Download.Ject")
http://www.microsoft.com/security/incident/download_ject.mspx

"The second is a recently discovered issue that 
Microsoft is currently investigating in order to 
provide a solution. Customers who are already 
following our safe browsing guidance significantly 
reduce their risk from this type of attack."

This is patently not true. Jelmer found this issue
some ten months ago. It is not the recently discovered
unknown vulnerability. This is the old adodb stream
issue.

And it is not being used by a spyware distributor,
it is being used to steal credit cards by outright
trojans.

BID: 10514
Previously: BID: 8577 
Published Date: Aug 23, 2003
http://www.securityfocus.com/bid/10514/credit/

http://www.securityfocus.com/bid/8577

The original published paper by Jelmer:
http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html

For this "previously unknown vulnerability". It has been
known for ten months.

To be fair, I think their tech writers and marketers got
confused in transmission from their IE security guys. It
is extremely confusing. 

But, this is a major warning they are giving to all
of their customers. They are a multibillion dollar
company who claims security is their first priority. They
need to be held to that standard.

References on SCob:

http://www.securityfocus.com/archive/1/367120/2004-06-20/2004-06-26/0
http://tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCompromise.pdf
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

The original surfacing of this attack used by the same
criminals in all likelihood (March 2004) -- yes, same
technique as Scob, same end result to steal CC info:
http://groups.google.com/groups?selm=c4a26d%241koc%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain



End Note:

It might be noted that these attacks are not so widespread
to merit the kind of media attention they have
received. However, I see this as kind of a "misplaced"
new urgency, this urgency should have been there in
the first place. In its lateness we also see a lot
of inaccuracy, though it might be noted these issues
are rather complex and can be very confusing because
of the lack of proper naming conventions and such.

In other words: Big money and zero day. The connection
has been made.







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

