Bugtraq mailing list archives
Re: trojaned Reality Fusion app
From: Mike Adams <mike.adams01 () HOME COM>
Date: Sun, 4 Mar 2001 14:10:52 -0800
It looks more like the application is GETTING data rather than sending it. If you look at the page http://204.176.10.168/GCSE/Messages/todolist04.tag in a regular browser, it's actually commented as to what it does. It looks like it's some way for the application to import dynamic banners or links from the author's site. AIM, Odigo, and even CuteFTP do something similar with the in-application banner ads. Just my $0.02.

I have pasted the contents of the page below.

--- BEGIN PASTE ---
<comment>
Contain a list tags that specify things clients can do. Right now that is only one valid tag, <msg>. But we can add more tags anytime we want. Old clients will just ignore the new tags.

There are two ways to comments your file
1. Write your comment outside a tag, Make sure you don't have use any < or > characters in your comments.
2. Write your comment inside a comment tag. You can put anything in your comment except the close comment tag, /command.

This comment is inside a comment tag.
</comment>

Comment for msg tag
msg - message that can be displayed by the client
MsgId - id for current message. This is use to check if user has seem this message already.
StartUrl - points to a message that user will see
EndUrl - points to a message that we want to user to go to. We will not display this message again once user has come here.
priority - priority of the message, 1 is the highest
expiration - expiration date of the message.

<msg>
[MsgId] 1001
[StartUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGL.html
[EndUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGLConfirm.asp
[priority] 1
[expiration] 8/7/2000
</msg>

<msg>
[MsgId] 1002
[StartUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGL.html
[EndUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGLConfirm.asp
[priority] 1
[expiration] 9/22/2000
</msg>

<msg>
[MsgId] 1003
[StartUrl] http://www.realityfusion.com/gcse/ezonics/seesawdm/dm1.html
[EndUrl] http://www.seesaw.com/promotions/ez/sb_ez_rfupdate/dm_moreinfo.asp
[priority] 5
[expiration] 8/1/2001
</msg>
--- END PASTE ---

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of J Edgar Hoover
Sent: Friday, March 02, 2001 8:03 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: trojaned Reality Fusion app

The executable rfupd.exe included in the Reality Fusion products bundled with many popular cameras sends the following data to 204.176.10.168 port 80 every time you use the app, reboot your computer or change configuration.

-----
GET /GCSE/Messages/todolist04.tag HTTP/1.1
If-Modified-Since: Sat, 03 Mar 2001 00:43:39 GMT
If-None-Match: "e9ffe1fc7aa3c01:87a"
User-Agent: RFUPD
Host: www.RealityFusion.com
Connection: Keep-Alive
-----

This is particularly disturbing since the application by its nature enables video/audio surveillance of the user.

I'm real curious what kind of information is obfuscated in the string If-None-Match: "e9ffe1fc7aa3c01:87a" too.

Anyone interested in dissecting the (windows) application can find it at http://totally.righteous.net/rfupd.exe

Cheers,
zorch
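The question the thread turns on is whether this request carries anything the client composed itself. The following is an added example, not code from the thread or from Reality Fusion: it parses the request zorch captured and separates the HTTP/1.1 conditional-request headers (If-Modified-Since and If-None-Match, whose values a client only echoes back from the server's earlier response; If-None-Match carries the entity tag the server issued) from header fields that originate on the client. The two classification sets are my own choice of what to look at during triage.

```python
from email.utils import parsedate_to_datetime

# The request exactly as zorch posted it, with CRLF line endings reconstructed.
CAPTURED_REQUEST = (
    "GET /GCSE/Messages/todolist04.tag HTTP/1.1\r\n"
    "If-Modified-Since: Sat, 03 Mar 2001 00:43:39 GMT\r\n"
    'If-None-Match: "e9ffe1fc7aa3c01:87a"\r\n'
    "User-Agent: RFUPD\r\n"
    "Host: www.RealityFusion.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

# HTTP/1.1 conditional-request headers (RFC 2616). Their values are the
# Last-Modified date and ETag the server sent with the copy the client already
# holds, so the client is echoing server data, not composing its own.
CACHE_VALIDATORS = {"if-modified-since", "if-none-match"}
# Headers whose values originate on the client and could identify it or carry data.
CLIENT_ORIGIN = {"user-agent", "cookie", "authorization", "referer"}

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers (names lower-cased) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query,
            "version": version, "headers": headers, "body": body}

def triage(raw: str) -> dict:
    """Report which parts of the request could carry client-side information."""
    req = parse_request(raw)
    hdrs = req["headers"]
    validators = {k: v for k, v in hdrs.items() if k in CACHE_VALIDATORS}
    client_fields = {k: v for k, v in hdrs.items() if k in CLIENT_ORIGIN}
    ims = validators.get("if-modified-since")
    return {
        "path": req["path"],
        # Anything the client composed itself would have to ride in the query string or body.
        "sends_query_or_body": bool(req["query"] or req["body"]),
        "cache_validators": validators,
        "client_fields": client_fields,
        # Server-side modification time of the cached copy, taken from the echoed validator.
        "cached_copy_date": parsedate_to_datetime(ims) if ims else None,
    }
```

For the captured request the only client-originated field is the User-Agent string, and there is no query string or body; the same function flags any variant that does carry one.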