Re: [Full-Disclosure] Cool Web Search
Gregh <[EMAIL PROTECTED]> wrote:

> It was used by me to list various entries in registry which, when lumped together like that, show off CWS quite easily. Once they are there, removing them and the progs started by some of them is easy.

This is not the case for all variants of CWS. The newer, sneakier variants can rebuild themselves if they detect a program like HijackThis removing their registry entries.

This is part of a strong trend in unsolicited commercial software, copying survival techniques learned from virus authors. The use of constantly-loaded multiple DLLs and/or processes and/or services that all restart and repair each other if tampering is detected, is becoming widespread (see also CommonName, ClearSearch, TVMedia etc.). Where there are not short-cut workarounds this means removing the software manually is simply impossible.

Currently a trip into Safe Mode can do the trick, by stopping any of the software running, but I'm sure that'll be worked around too eventually. (Rootkit-like spyware?)

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Cool Web Search
Dave Horsfall <[EMAIL PROTECTED]> wrote:

> Not really "new", in the scheme of things. Over 30 years ago, some bored programmer wrote something for one of the mainframes of the day (ICL? IBM? Burroughs?) called "Robin Hood and Friar Tuck".

Yeah, I was aware of this story; the Jargon File attributes it to Moto staff working on Xerox CP-V. A few Win32 viruses copied the idea (notably Gemini, see Virus Bulletin Sep02); this is what I meant by parasite vendors stealing ideas from VXers.

The first parasite I saw using this trick was CommonName/Comwiz, but the recent HuntBar/WinTools takes the biscuit by installing two processes, one service and one BHO, all looking out for each other. Charming behaviour for software purporting to be a search enhancer from a 'legitimate' company, eh?

I preferred viruses. You knew where you stood with viruses. They printed a quote from a TV show and wiped your discs, you laughed at the funny gag and reinstalled, everyone was happy. (Well, ish.) Malware attaching its tentacles onto your machine to make a few dollars from advertising and spam is just so much more offensively sleazy.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] Cool Web Search
Gregh <[EMAIL PROTECTED]> wrote:

> the truth is that this way DOES get rid of it. There are at LEAST 5 variants of CWS.

Oh, there are *many* more than that.

> I have met them all and beat them all.

Obviously you have not met the CWS/About variant. This cannot be removed with only HijackThis and the Task Manager, as its process will recreate any registry entries you delete. Which process? Every process you are running, thanks to the AppInit_DLLs entry.

> All easily beaten by using HiJackThis in the way I described.

Well done. Now go install CWS/About, TVMedia/BHO, CommonName/Comwiz and HuntBar/WinTools, and see how you get on.

HijackThis is a brilliant tool. But it is not a panacea, and the worst of the crop are starting to code around the things it can do.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
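The two persistence tricks this thread describes (components that restart each other, and an AppInit_DLLs entry that pulls a DLL into every process) can be spotted in a registry export before any removal attempt. This is an added example, not code from the thread: the key paths are the standard Windows ones, while the `exsvc` paths, value names and sample export are constructed.

```python
"""Triage a `reg export` text dump for the tricks described above: an AppInit_DLLs
entry (a DLL loaded into every user32-linked process) and autostart entries that
watch each other. SAMPLE_EXPORT is constructed for this example."""
import re
from collections import defaultdict

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\exsvc\\hook.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExGuard"="C:\\WINDOWS\\exsvc\\guard.exe"
"ExHelper"="C:\\WINDOWS\\exsvc\\helper.exe -watch guard.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

def parse_reg_export(text):
    """{key_path: {value_name: data}} for REG_SZ values; hex(...) data skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def triage(keys):
    """Return (finding_type, detail) pairs worth a human's attention."""
    findings = []
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    for dll in filter(None, re.split(r"[ ,;]+", appinit)):
        findings.append(("appinit_dll", dll.lower()))
    autostarts = [(name, cmd.lower().split()[0], cmd.lower())   # (name, exe, cmd)
                  for key, values in keys.items() if RUN_KEY_RE.search(key)
                  for name, cmd in values.items() if cmd.strip()]
    # Heuristic 1: several autostart entries living in one directory.
    by_dir = defaultdict(list)
    for name, exe, _ in autostarts:
        by_dir[exe.rsplit("\\", 1)[0]].append(name)
    for d, names in sorted(by_dir.items()):
        if len(names) > 1:
            findings.append(("shared_dir", d + ": " + ", ".join(names)))
    # Heuristic 2: one entry's command line names another entry's executable.
    for name, exe, _ in autostarts:
        base = exe.rsplit("\\", 1)[-1]
        for other, _, cmd in autostarts:
            if other != name and base in cmd:
                findings.append(("watches_sibling", f"{other} -> {name}"))
    return findings
```

On a live host, `reg export` writes UTF-16 text, so decode the file before passing it to `parse_reg_export`.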
Re: [Full-Disclosure] IE Changes / Software Patents
Mark <[EMAIL PROTECTED]> wrote:

> I wonder how many users will know that they can close the window, opting not to display the activeX, instead of hitting OK

Actually this is not the case (in the interim update anyway - presumably the final IE6SP1b will be similar). Closing the window does the same as clicking 'OK'. Blocking ActiveX must still be done using the normal security settings. (The only way to stop the plugin once one has reached the pointless dialogue is to kill the iexplore.exe process.)

> It's pretty bad design to give the user a choice with only one option

I think this is deliberate. Faced with having to add a pointless legal contrivance, MS have made it as obviously stupid as possible. Perhaps this will encourage web authors to update.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] Friendly and secure desktop operating system
Timo Sirainen <[EMAIL PROTECTED]> wrote:

> You're thinking about how to do it currently in UNIX world. I'm thinking about adding new concepts in kernel level. systrace would be much more closer to it than chroot jails.

Indeed, I've been thinking a lot about how to create the sort of desktop environment you describe, and I don't think it's 'properly' doable within the current Unix-style or Windows operating environments.

It would require a pervasive system of fine-grained capabilities, from base OS level right up to user desktop services. Programs would have to get used to pre-requesting each service they require, and cope with being refused (either on policy grounds, or user choice, or the user themselves not having the required rights). There are also user interface concerns (i.e. how to prevent an application 'faking' the system security interface).

An attempt starting along these lines can be seen in Tiny Personal Firewall. Its interface isn't too great, it's not complete, and of course on a Windows platform there is nothing stopping a malicious process from subverting the protection, but it's an interesting glimpse at the sort of thing we might need.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] [Bogus] Microsoft AuthenticodeT webcam viewer plugin
Nick FitzGerald <[EMAIL PROTECTED]> wrote:

> FWIW, I think the biggest "problem" here is that a CA (Thawte in this case) allows code-signing certificates with such ambiguous "names" as "Browser Plugin"

They also have a very limited interpretation of "malicious code". Thawte have refused to revoke certs issued to firms spreading homepage hijackers, spyware and commercial RATs. Unless it actually formats your hard disc, they do not, apparently, consider it malicious.

> Would they allow a cert in the company name "IE Plugins" too?

See for yourself. www.ieplugin.com

Given the ease of creating a misleading company name, and the unwillingness of CAs to police abuse of their certs, one can only conclude that the Authenticode process is 100% useless as a means of ensuring code is trustworthy.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] [Bogus] Microsoft AuthenticodeT webcam viewer plugin
Nick FitzGerald <[EMAIL PROTECTED]> wrote:

> Does their AUP/ToS/etc require that their certs not be used for such things??

I believe - and I haven't seen the agreement myself - that it says the signer's code may not be 'malicious'. This is of course difficult to define. If the software installs underhandedly, pops up porn and leaks browsing habits, but its primary purpose is to make money for the attacker rather than the malice of causing harm to the user, does it count as malicious?

> Ownership of a certificate simply means that someone stumped up the cash (for a Thawte code signing cert that is about US$100/year) and the CA was "suitably convinced" that they really were (or genuinely represented) who they said they were (or represented).

Indeed. Unfortunately the "identity" is expressed as an arbitrary string which is of no use to anyone. There's a little further information in the cert, which the ActiveX download process does not allow to be shown, but not nearly enough to track down the real authors and hold them to account.

> an Authenticode "all clear" means that if you were stupid enough to "trust" (in the big sense) a piece of signed code the CA can help you locate the rat-bag who signed it should you want to fry their balls...

Unfortunately this has turned out not to be the case with Thawte at least, who refused to disclose details for miscreants like the infamous Xupiter.

> That Authenticode has been "sold" (and worse, accepted by some) as anything else but a poor-man's excuse for "nothing much" is somewhere between really sad and criminal...

Quite agree. And of course half the pages that use ActiveX downloads promote this with text claiming that Authenticode guarantees the code's safety.

ObOriginalTopic: tl4000 has been around for about 4 months now AFAICR. By the same people as the original 'TIBS' dialler, but code is unrelated. Same aggressive installation tactics.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] internet-explorer: bug or feature?
<[EMAIL PROTECTED]> wrote:

> about:alert('*plopp*');
> a small alert pops up and tells me '*plopp*', so it seems, that i can inject any code i want.

Originally reported here: http://www.doxdesk.com/personal/posts/bugtraq/20010819-ie.html

This was eventually fixed in IE6 SP1, after it was discovered that due to a parsing error this could be abused to execute in the security context of any target domain.

> i am not sure if it's what the 'about:'-construct is for

It was just another random pointless feature. IE has a lot of these. Sometimes they prove a security liability and very occasionally they get removed, but no-one seems to have thought of not including them in the first place.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] tvm.exe / poll each.exe / blehdefyreal toolbar
[EMAIL PROTECTED] wrote:

> Anybody know about some trojan(s) that spawn a "tvm.exe" process

Probably the recent new TVMedia variant.

> inserts a "blehdefyreal" toolbar into IE

There are a few parasites that use such random names. This is likely lop.

> and hijacks the IE homepage to point to allaboutsearching.com?

This is definitely lop.

> This thing also opens pop-ups pointing to this page: http://69.20.62.53/yyy3.html

That's Look2Me.

The likelihood is you have *many* parasites installed. Ad-Aware and Spybot may be able to remove a lot, but if you're massively infected a reinstall may indeed be easier/safer.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] COELACANTH: Phreak Phishing Expedition
Larry Seltzer <[EMAIL PROTECTED]> wrote:

> And WTF is it with www.e-gold.com? Nothing else seems to work at all.

e-gold has wildcard DNS, so anything.e-gold.com will work. For other domains the hostname lookup stage may fail. (I guess... I can't actually get the exploit to work for me, but still.)

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] CSS in E-Mails possible E-Mail-Validity Check for Spammers?
[EMAIL PROTECTED] wrote:

> Mozilla Mail 1.7.1 (W98) and 1.7.3 (W98) (didn't check different versions) automatically load CSS-files which are linked from within an html-page sent in an e-mail

Yes. There have been other ways to force an HTTP request from HTML mail too (eg. background images, bug 239954) so this is not unexpected. The "block loading of remote images in mail messages" option isn't waterproof from a privacy point of view. It would be nice if it was, but I'm not sure this is actually Mozilla's goal; perhaps worth filing a bug to force the issue?

> - turn off HTML in E-Mails (not possible in Mozilla?)

Should be possible - it is in Thunderbird (View->Message Body as->Plain Text) and I highly recommend doing so.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
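To show why blocking remote images alone is not waterproof, here is an added example (not from the original post) that enumerates and strips the other fetch vectors in an HTML mail body: linked stylesheets, CSS `@import`/`url()`, background attributes, iframes and scripts. The `RemoteRefStripper` class, `strip_remote_refs` and the `t.example` sample message are all constructed for this example.

```python
"""Strip remote-fetch vectors from an HTML mail body (stylesheets, CSS @import/
url(), backgrounds, iframes, scripts), not only <img>. SAMPLE_MAIL is constructed."""
import re
from html import escape
from html.parser import HTMLParser
REMOTE = re.compile(r"^\s*(https?:|//)", re.I)      # absolute/scheme-relative
URL_ATTRS = {"src", "href", "background", "poster", "data", "lowsrc"}
DROP_TAGS = {"link", "script", "iframe", "object"}  # removed with their content
CSS_URL = re.compile(r"(@import\b[^;]*;?|url\s*\(\s*['\"]?(?:https?:|//)[^)]*\))", re.I)
SAMPLE_MAIL = """<html><head><link rel="stylesheet" href="http://t.example/s.css?u=42">
<style>@import url(http://t.example/i.css); body{color:#000}</style></head>
<body background="http://t.example/bg.gif?u=42">
<p style="background:url(http://t.example/p.gif)">Hello &amp; welcome</p>
<img src="cid:logo@mail"><img src="http://t.example/1x1.gif?u=42">
<a href="http://shop.example/offer">Offer</a><iframe src="http://t.example/f.html"></iframe></body></html>"""

class RemoteRefStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.removed, self.skip, self.in_style = [], [], 0, False
    def _css(self, text):                           # log and cut CSS fetches
        return CSS_URL.sub(lambda m: self.removed.append(m[0]) or "", text)
    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if value and name in URL_ATTRS and tag != "a" and REMOTE.match(value):
                self.removed.append(value)          # this attribute would fetch
                continue
            if value and name == "style":           # inline CSS can fetch too
                value = self._css(value)
            kept.append(name if value is None else f'{name}="{escape(value, True)}"')
        return "".join(" " + k for k in kept)
    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.removed.append(f"<{tag}>")
            self.skip += tag != "link"              # <link> is void: no end tag
            return
        self.in_style = self.in_style or tag == "style"
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")
    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.in_style = self.in_style and tag != "style"
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(self._css(data) if self.in_style else data)
    handle_entityref = lambda self, n: self.handle_data(f"&{n};")
    handle_charref = lambda self, n: self.handle_data(f"&#{n};")

def strip_remote_refs(html):
    """Return (sanitised html, list of removed fetch vectors, in document order)."""
    p = RemoteRefStripper()
    p.feed(html); p.close()
    return "".join(p.out), p.removed
```

Links the user must click (`<a href>`) and `cid:` inline attachments are kept; everything that would fetch on display is logged in the returned list.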
Re: [Full-Disclosure] Firespoofing [Firefox 1.0]
James Greenhalgh <[EMAIL PROTECTED]> wrote:

> It also doesn't work on non-Windows or with non-default colours.

Didn't work for Windows with default colours for me either; the real dialogue box jumped to the front. I am still on a nightly just before the 1.0 release though, and I believe it to be possible in theory. It could also, I think, be made to work without the 'browsing full screen' requirement.

> Really - this is more a window management thing surely? If someone fell for this, they'd deserve it to be honest.

It's window management, yeah, probably applicable to other browsers too, and not nearly as bad as the IE chromeless window stuff because you do get those extra couple of pixels of window edge to clue you in. But it's still not good.

The real solution is to force toolbar+menubar+addressbar on for all JavaScript pop-ups, at least as a default option setting. This would also fix the recently publicised problem with targeting other sites' pop-up windows for phishing.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] Is there a 0day vuln in this phisher's site?
Paul Kurczaba <[EMAIL PROTECTED]> wrote:

> After some research, I found the script "exploit(s) an Internet Explorer vulnerability resulting in Internet Explorer displaying one location in the Address bar, but actually loading the content from a different site."

Yep, this is a straight copy of my example posted here: http://www.doxdesk.com/personal/posts/bugtraq/20030713-ie

I have seen a few other phish in the wild using this exploit too.

I'm alarmed to see this still works in IE6SP2, as Microsoft fixed most of the problem in one of the SP2 betas, by limiting createPopup windows to the windows work area. Evidently they reversed the fix for the final SP2 release. SP2 is safe from the issue where popups can appear over dialogs, but it seems it is still vulnerable to spoofing everything else. Great.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/
Re: [Full-Disclosure] Is there a 0day vuln in this phisher's site?
Larry Seltzer <[EMAIL PROTECTED]> wrote:

> this assumes the default placement of Address Bar if I'm not mistaken, so if the user changes their toolbar layout the popup will give itself away, correct?

Correct. In my example I deliberately window.open()ed the target with fixed toolbar options, which helps a little; the attacks in the wild aren't bothering to do that, so it's more likely the URL popup will appear in the wrong place.

[You can't change an existing window's options of course, but it would be possible to pop a new window then close the original. Theoretically IE disallows window.close() on top-level windows but that's easily avoided by assigning to window.opener.]

I expect the tactic could be improved slightly by reading the screen position of the work area compared to the window outer area to guess the number of toolbars in use, or something. (One could probably even spoof the entire toolbar area and SSL padlock.) I couldn't be bothered myself, but believed a dedicated phisherman might put the effort in. However, it would seem that actually they're pretty lazy too.

--
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/