Security Incidents: Re: sureseeker.com

Re: sureseeker.com

From: Melissa McPherson <MMcPherson_at_IDEFENSE.COM>
Date: Tue, 31 Oct 2000 22:13:30 -0500

Nate -
        F-Secure is reporting this as a Trojan already.
http://www.data-fellows.com/v-descs/seeker.htm
In fact, it's nothing of the sort. The "somewhere out there on the web" is a
porn site, according to Sureseeker's ISP. And in order to have the Trojan
load, one has to click on an "OK" box - the standard, "I assert that I am
18" box with small type saying, "I also allow sureseeker to change my
default browser start page". Or something along those lines.

hope that helps -
        Melissa

PS - I'm registered to the list via another address, so if this doesn't go
through, I'd appreciate if you'd pass it on, if you think others would be
interested....

---------------------------------------
Melissa McPherson, PhD
Manager for Intelligence Collection
Infrastructure Defense, Inc.

mmcpherson_at_idefense.com <mailto:mmcpherson_at_idefense.com>
703/219-2439 wk
703/868-6848 cell
----------------------------------------

> -----Original Message-----
> From: Nate W [mailto:security_at_WHATEVER.NET]
> Sent: Monday, October 30, 2000 5:18 PM
> To: INCIDENTS_at_SECURITYFOCUS.COM
> Subject: sureseeker.com
>
>
> If anyone can think of a better place to report this, other than
> incidents_at_securityfocus.com and cert_at_cert.org, do let me know.
>
> Looks like somewhere out there is a web server that cracks into web
> clients and does a little bit of reconfiguring without the user's
> knowledge or consent.
>
> The main objective of the malicious code is to set the user's start page
> to a cheesy "portal" web site, www.sureseeker.com. The sureseeker web
> site consists largely of 'affiliate clickthrough' links, for example news
> headlines from isyndicate.com, web searches from goto.com and
> searchtraffic.com, and so on.
>
> The method appears to begin with the installation of an 'html application'
> called runme.hta in the StartUp directory. runme.hta appears to re-set
> the start pages for Internet Explorer and Netscape, and also re-set the
> search URLs used by IE in various places. I say "appears to" because I
> don't actually have a copy of the file - a second file, called
> removeit.hta, is placed in the c:\ directory and executed via a link from
> the StartUp folder. removeit.hta deletes runme.hta in an attempt to cover
> their tracks. Removeit.hta doesn't get deleted though, and a set of .reg
> files named 'backup1.reg' and 'backup2.hta' and 'homereg111.reg' also
> remain on the victim's hard drive.
>
> The malicious code also puts 'sureseeker.com' in the HTTP-User-Agent
> string, so that victims are left running about advertising their
> misfortune to every web server they visit. Furthermore, sureseeker's tag
> appears in the articles they post to newsgroups using IE and deja.com, as
> in this case:
>
> http://www.deja.com/getdoc.xp?AN=680049493&fmt=text
>
> I have notified sureseeker's internet service providers (ni.net,
> primenetworks.net, and verio.net just in case either of those is in
> cahoots with the sureseeker people).
>
> I'm not sure what steps to take next, but if anyone has ideas I'm all
> ears.
>
> Thanks,
>
> Nate Waddoups
> Redmond WA USA
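A host triage script for the indicators Nate lists above (an .hta in the StartUp folder, removeit.hta and leftover .reg files in C:\, a changed IE start page and search URLs, and a custom token in the User-Agent string), added here as an example and not part of the thread. It assumes a Windows host with PowerShell; the registry paths used (the IE Main key, the IE SearchUrl key and the User Agent Post Platform key) are the standard IE locations and are an assumption, since the message does not name them.

```powershell
# Added example: triage the sureseeker-style homepage hijack described in the thread.
# Registry paths are the standard IE locations (assumed; not given in the message).
$findings = @()

# 1. HTML Applications (or shortcuts to them) in the per-user and all-users Startup folders
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File |
            Where-Object { $_.Extension -match '^\.(hta|lnk)$' } |
            ForEach-Object { $findings += "Startup item: $($_.FullName)" }
    }
}

# 2. Residual files the report says remain in C:\ after runme.hta is deleted
foreach ($pattern in 'removeit.hta', 'backup*.reg', 'homereg*.reg') {
    Get-ChildItem -Path 'C:\' -Filter $pattern -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Residual file: $($_.FullName)" }
}

# 3. IE start page and search URL settings
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($name in 'Start Page', 'Search Page', 'Search Bar') {
    $val = (Get-ItemProperty -Path $ieMain -Name $name -ErrorAction SilentlyContinue).$name
    if ($val) { $findings += "IE $name = $val" }
}
$searchKey = 'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl'
$searchUrl = (Get-ItemProperty -Path $searchKey -ErrorAction SilentlyContinue).'(default)'
if ($searchUrl) { $findings += "IE SearchUrl = $searchUrl" }

# 4. Extra User-Agent tokens: IE appends every value name under Post Platform to its UA string
$postPlatform = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
if (Test-Path $postPlatform) {
    (Get-Item $postPlatform).Property | ForEach-Object { $findings += "UA token: $_" }
}

# Report everything collected, and flag entries that mention the domain from the report
$findings | ForEach-Object { Write-Output $_ }
$suspicious = @($findings | Where-Object { $_ -match 'sureseeker' })
if ($suspicious.Count -gt 0) {
    Write-Warning "Possible sureseeker hijack: $($suspicious.Count) matching entries"
}
```

Run it in the affected user's session, since the Start Page and Post Platform values live under HKCU; an empty result for section 4 means no custom UA token is set for that user.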
Received on Nov 02 2000
