RE: [incidents] RE: AIM Password theft

From: [POPLAR IT] Paul Teggart (pteggart_at_poplarit.com)
Date: 09/25/03

  • Next message: Mark Coleman: "AIM Password theft SUMMARY"
    To: "incidents@securityfocus.com" <incidents@securityfocus.com>
    Date: Wed, 24 Sep 2003 23:14:13 +0100
    
    

    Zone Alarm also gives the opportunity to block access on this URL
    Rgds
    --Paul

    -----Original Message-----
    From: Tim Kennedy [SMTP:tim@timkennedy.net]
    Sent: 24 September 2003 17:35
    To: Andrew McKnight
    Cc: Lothar Kimmeringer; incidents@securityfocus.com
    Subject: Re: [incidents] RE: AIM Password theft

    CA's eTrust EZ Deskshield/Mail Watcher tell you when emails or web pages are
    a) trying to access your filesystem
    b) trying to access your email systems

    So far, even though MS Update says I'm completely up to date, Mail
    Watcher has notified me when I hit the sample url:
    http://www.heise.de/security/dienste/browsercheck/demos/ie/htacheck.shtml

    that the web page was trying to access the filesystem, and gave me a
    chance to disallow permissions.

    The eTrust AV client also recognizes the code as the
    VBS.ObjectDataHTA virus, and tried to clean it up, although it says:
    File status: Cure failed, file restored.

    But it at least stopped it from modifying files on my system.

    -Tim

    On Wed, 24 Sep 2003, Andrew McKnight wrote:

    > Is there a specific patch for this vulnerability? Windows Update is telling me I'm completely up to date but I'm still vulnerable.
    >
    > Andy.
    > IT Guy.
    >
    > -----Original Message-----
    > From: Lothar Kimmeringer [mailto:bugtraq@kimmeringer.de]
    > Sent: 24 September 2003 00:44
    > To: incidents@securityfocus.com
    > Subject: Re: AIM Password theft
    >
    >
    > On Tue, 23 Sep 2003 10:53:59 -0400, Mark Coleman wrote:
    >
    > >I just started investigating a report that appears to have merit of a
    > >username/password theft of AIM accounts.
    > >
    > >Users are being directed to a web page located at www.haxr.org where the
    > >source appears to run a javascript program that is purportedly stealing
    > >AIM usernames/passwords/buddy lists.
    > >
    > >Does anyone have any information related to www. haxr.org or the
    > >technique being used?
    >
    > The technique uses a flaw in Internet Explorer with the OBJECT-tag
    > allowing code to be executed locally that is loaded from a website.
    >
    > The tag
    > <object data=tracker.php></object>
    > lets IE download a HTML-application that will be executed after
    > loading.
    >
    > A testpage where you can test your locally installed Internet
    > Explorer for being vulnerable can be found at
    > http://www.heise.de/security/dienste/browsercheck/demos/ie/htacheck.shtml
    > If your installation is vulnerable, a program will be downloaded
    > to C:\browsercheck.exe that will be executed afterwards leading to
    > a window popping up. The page is in German.
    >
    >
    > Regards, Lothar
    >
    > --
    > Lothar Kimmeringer E-Mail: mailbody@kimmeringer.de
    > PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)
    >
    > Always remember: The answer is forty-two, there can only be wrong
    > questions!
    >
    >
    >

    -- 
    There are 10 types of people on Earth.  Those who understand binary, and those who don't.

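The OBJECT-tag technique described in the thread leaves a trace that can be searched for in proxy data: a page carrying `<object data=...>` whose referenced URL came back as an HTML application. The following is an added example, not part of the original thread; the tab-separated log format, the `example.test` host names and the `application/hta` MIME type are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumption (not stated in the thread): an HTML application is served
# with the MIME type application/hta.
HTA_TYPES = {"application/hta"}

class ObjectDataFinder(HTMLParser):
    """Collects the absolute URL of every <object data=...> on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        data = dict(attrs).get("data")
        if tag == "object" and data:
            self.urls.append(urljoin(self.page_url, data))

def parse_proxy_log(lines):
    """Maps URL -> normalised Content-Type from 'URL<TAB>Content-Type' lines."""
    seen = {}
    for line in lines:
        url, _, ctype = line.strip().partition("\t")
        seen[url] = ctype.split(";")[0].strip().lower()
    return seen

def flag_hta_objects(page_url, html, log_lines):
    """Returns OBJECT data URLs whose logged response was an HTML application."""
    finder = ObjectDataFinder(page_url)
    finder.feed(html)
    finder.close()
    responses = parse_proxy_log(log_lines)
    return [u for u in finder.urls if responses.get(u) in HTA_TYPES]

# Constructed sample input: the tag quoted in the thread plus a benign object.
SAMPLE_PAGE = """<html><body>
<object data=tracker.php></object>
<object data="intro.swf" type="application/x-shockwave-flash"></object>
</body></html>"""
SAMPLE_LOG = [
    "http://site.example.test/tracker.php\tApplication/HTA; charset=us-ascii",
    "http://site.example.test/intro.swf\tapplication/x-shockwave-flash",
]

if __name__ == "__main__":
    print(flag_hta_objects("http://site.example.test/index.html", SAMPLE_PAGE, SAMPLE_LOG))
```
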