Security Incidents mailing list archives

Re: sureseeker.com


From: Nate W <security () WHATEVER NET>
Date: Tue, 7 Nov 2000 22:54:39 -0800

On Mon, 6 Nov 2000, Sloan, Scott (CIT) wrote:

> Sureseeker is a JavaScript Trojan that uses the ActiveX Control security
> vulnerabilities that were announced by Microsoft in MS-99-032 on August 31,
> 1999.
>
> You can find more information at the FedCIRC website.

The FedCIRC web site doesn't mention the fact that the trojan also adds
'sureseeker.com' to the HTTP_USER_AGENT string for IE users.

It also describes the large-print/small-print message box that
SureSeeker's ISP pointed to.  The ISP referred me (us?) to a page that was
not associated with the HTA files and registry modifications described in
the FedCIRC advisory.  Rather, it merely invokes "homepage.setHomePage,"
and even that appears to be only applicable to IE users.

This is definitely NOT the same code that impacted myself and the dozens
of other sureseeker.com-tagged people you can find via deja.com.  You can
see why I have my doubts about the message box theory of operation.

Given the fluid nature of web pages, and the fact that the offender is now
no doubt aware that their actions are being scrutinized, it seems doubtful
that the truth will ever be known.  But, if anyone can provide a web page
containing the actual trojan, that would at least be a step forward.

