[Full-Disclosure] Spyware installs ... XP SP2 box
iamafraud at hotmail.com
Wed Oct 6 00:30:05 BST 2004
Thanks to everybody for all the info posted here. I wish I had a machine
available right now to set up a vanilla SP2 install so I could witness the
results of visiting the site again myself.
I did indeed say that I have visited the site in the past. However, I hadn't
in a number of months prior to this visit. I also did not discover any
adware/spyware that was installed on my machine prior to 10/2 (nor did
ad-aware, spybot, or pest-patrol). I trust in the info that has been posted
here, I just wish that I could witness it myself. I am very cautious when
surfing (I know somebody is going to tell me not cautious enough since I am
still using IE) so I am wondering what could have been installed prior to
this visit that allowed this install to happen without any interaction.
Regardless, thanks again to everybody for the good info, and a big fuck you
>From: "Castigliola, Angelo" <ACastigliola at unumprovident.com>
>To: "raize" <raize at gravito.com>, <full-disclosure at lists.netsys.com>
>Subject: RE: [Full-Disclosure] Spyware installs ... XP SP2 box
>Date: Tue, 5 Oct 2004 12:11:24 -0400
>Thank you for the test Raize. I appreciate your time.
> >One must assume that you are installing these "theme packs" via some
> >BHO (Browser Helper Object) that you installed previously or put the
> >site on the "Always trust content from this provider". Perhaps someone
> >else can explain where I am missing the exploit, because a quick glance
> >over seems to indicate there is none for XP SP2. (I did not test this
> >on SP1)
>I think you are right. It seems the only person that was not prompted
>for the install that was not running SP2 was the original author of this
>thread who said that it was a previously visited site.
>As far as users running SP1 there is no security warning that says an
>executable is about to be installed. There is no Microsoft Update that
>will prevent this from loading. Like most large organizations, just
>jumping to SP2 is not an option. It needs to go through rigorous testing
>to make sure it complies with all of our internal software.
>Angelo Castigliola III
>Operations Technical Analyst I
>UnumProvident IT Services
>From: full-disclosure-admin at lists.netsys.com
>[mailto:full-disclosure-admin at lists.netsys.com] On Behalf Of raize
>Sent: Tuesday, October 05, 2004 9:29 AM
>To: full-disclosure at lists.netsys.com
>Subject: Re: [Full-Disclosure] Spyware installs ... XP SP2 box
>The installed code is definitely:
>However, there is no exploit here. I loaded this with a default honeypot
>image of XPSP2 with IE as an Admin and nothing else installed other than
>the drop down that asked me if I really wanted to trust this site for
>installing an executable.
>One must assume that you are installing these "theme packs" via some BHO
>(Browser Helper Object) that you installed previously or put the site on
>the "Always trust content from this provider". Perhaps someone else can
>explain where I am missing the exploit, because a quick glance over
>seems to indicate there is none for XP SP2. (I did not test this on SP1)
>Spybot and Ad-aware do not catch and kill WinRebates and WinAd
>spy/adware properly, but I have a batch command that will do it for you.
>Included is a .zip of each IP contacted along with full URL request and
>output. It also contains the contents of this email and the batch file
>with these commands: (You'll want to rename the .txt to .bat)
>REM Work from the parent directory so the rd calls below resolve to
>REM "C:\Program Files\Winad Client" and "C:\Program Files\Web_Rebates"
>REM (cd'ing into "Winad Client" itself would make the first rd fail)
>cd /D "C:\Program Files"
>REM Kill the running adware processes first, or rd cannot remove the files
>taskkill /T /F /IM WinClt.exe
>taskkill /T /F /IM WinAd.exe
>taskkill /T /F /IM WebRebates0.exe
>taskkill /T /F /IM WebRebates1.exe
>REM Remove both install directories and everything under them
>rd /Q /S "Winad Client"
>rd /Q /S "Web_Rebates"
>REM Remaining components that run from other locations
>taskkill /T /F /IM fjdria.exe
>taskkill /T /F /IM ezSP_Px.exe
>Full-Disclosure - We believe in it.
Full-Disclosure is hosted and sponsored by Secunia.
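The thread's explanation for a silent install is a previously installed BHO or a publisher the user once marked "Always trust content from this provider" (which places the signer's certificate in the Trusted Publishers store). The following PowerShell script is an added example, not code from the thread or its posters; it lists both conditions on a Windows host so an administrator can see whether either applies before blaming the browser. It assumes a Windows machine with PowerShell and read access to HKLM; the Wow6432Node path covers 32-bit IE on 64-bit Windows.

```powershell
# Added example: enumerate installed Browser Helper Objects and Trusted
# Publisher certificates, the two pre-existing conditions the thread names
# as the likely cause of an install with no SP2 prompt.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-InstalledBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $clsid = $_.PSChildName            # each subkey is the BHO's CLSID
            $cls   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            $name  = $null; $dll = $null; $sig = 'n/a'
            if (Test-Path $cls) { $name = (Get-ItemProperty $cls).'(default)' }
            if (Test-Path "$cls\InprocServer32") {
                $dll = (Get-ItemProperty "$cls\InprocServer32").'(default)'
            }
            # An unsigned or invalidly signed BHO DLL deserves a closer look
            if ($dll -and (Test-Path $dll)) {
                $sig = (Get-AuthenticodeSignature $dll).Status
            }
            [pscustomobject]@{ CLSID = $clsid; Name = $name; Dll = $dll; Signature = $sig }
        }
    }
}

function Get-TrustedPublishers {
    # "Always trust content from this provider" adds the signer here
    Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher -ErrorAction SilentlyContinue |
        Select-Object Subject, Thumbprint, NotAfter, PSParentPath
}

Write-Host '== Browser Helper Objects =='
Get-InstalledBho | Format-Table -AutoSize
Write-Host '== Trusted Publisher certificates =='
Get-TrustedPublishers | Format-Table -AutoSize
```

Removing an unwanted publisher from the store (Remove-Item on its Cert: path) restores the prompt for that signer's ActiveX content.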