IE URL obfuscation again

From: Stanislav Simakov (sts_at_DATAART.COM)
Date: 01/19/04

    Date:         Mon, 19 Jan 2004 20:03:47 +0300
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hello.

    It looks like the first precedent of Internet fraud using IE URL obfuscation
    has been established. During the last month our company has been receiving a
    lot of angry e-mails and phone calls from Internet users. They accused us of
    infecting their computers with adware which constantly resets their home pages
    to http://www.coolsearch.com. We were surprised and couldn't understand
    what was going on. Users kept calling and e-mailing despite assurances of
    DataArt's full innocence. Users even wrote complaints to SpeakEasy (our
    ISP) and they terminated their service. After a thorough investigation we
    found the source of our troubles. It is http://cool-search.net. They use URL
    obfuscation in the following manner:

    $ telnet cool-search.net 80
    Trying 69.31.80.212...
    Connected to cool-search.net.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: cool-search.net

    HTTP/1.1 302 Found
    Date: Sun, 18 Jan 2004 16:17:15 GMT
    Server: Apache/1.3.28 (Unix) PHP/4.3.3
    X-Powered-By: PHP/4.3.3
    Location: http://www.coolsearch.com[0x01]%00%00@cool-search.net/index.php?aid=30
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html

    0

    Connection closed by foreign host.

    So, victims of the adware decided that they were visiting
    http://www.coolsearch.com, which was registered to DataArt until Jan 18.

    The possibility of similar frauds against other sites is a very sad fact,
    especially because Microsoft doesn't want to patch this bug in IE, and I
    would like to warn everybody. Thank you.

    --
    Stanislav Simakov
    DataArt Enterprises, Inc.
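
Added example, not part of the original message: a check for redirect Location values shaped like the one in the capture above, where the text before "@" is URL userinfo that looks like a hostname and carries control bytes, while the host actually contacted follows the "@". The function name, the returned fields and the hostname heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Location value from the capture above, rebuilt as a constructed sample with
# the raw 0x01 byte the message writes as "[0x01]".
SAMPLE_LOCATION = ("http://www.coolsearch.com\x01%00%00"
                   "@cool-search.net/index.php?aid=30")

# Authority = text between "scheme://" and the first "/", "?" or "#".
_AUTHORITY = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")
# Heuristic: userinfo that starts with something shaped like a DNS name.
_HOSTLIKE = re.compile(r"^(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def analyze_redirect(location):
    """Check a Location value for a decoy hostname placed in URL userinfo.

    Returns None if the URL has no userinfo, else a dict with the host that
    is really contacted and the reasons the userinfo looks deceptive.
    """
    m = _AUTHORITY.match(location.strip(" \t\r\n"))
    if not m or "@" not in m.group(1):
        return None
    # The last "@" ends the userinfo; the connection goes to what follows it.
    userinfo, _, hostport = m.group(1).rpartition("@")
    # Decode %XX so raw (0x01) and encoded (%00) control bytes look the same.
    raw = unquote_to_bytes(userinfo)
    controls = sorted({b for b in raw if b < 0x20 or b == 0x7F})
    decoy = _HOSTLIKE.match(userinfo)
    return {
        "real_host": re.sub(r":\d*$", "", hostport).lower(),
        "decoy_host": decoy.group(0).lower() if decoy else None,
        "control_bytes": controls,
        "suspicious": bool(controls) or decoy is not None,
    }


if __name__ == "__main__":
    print(analyze_redirect(SAMPLE_LOCATION))
```

A proxy or mail filter could log or block redirects for which `suspicious` is true; ordinary `user:password@host` URLs without control bytes or a hostname-shaped user part are not flagged.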