RE: Still Vulnerable in MSIE

["Drew Copley" <dcopley () eeye com>]

> -----Original Message-----
> From: Thor Larholm [mailto:thor () pivx com] 
> Sent: Friday, May 14, 2004 3:45 PM
> To: Greg Kujawa; bugtraq () securityfocus com
> Subject: RE: Still Vulnerable in MSIE

<snip>

> which uses the Object Data vulnerability to change your startpage to
>
> http://default-homepage-network.com/start.cgi?hkcu

Bastards, watching my work.

(reference)
http://www.eeye.com/html/Research/Advisories/AD20030820.html


<snip>

> Other files that are attempted to be delivered are
>
> http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab
> http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe
> http://validation-required.info/


Money shot there. "validation-required.info" is the same 
site used by that phishing attack I just posted on.

http://www.securityfocus.com/archive/1/363350/2004-05-14/2004-05-20/1

[ ISP Organization Information ]
Org Name : Enterprise Networks
Service Name : ENTERPRISENET
Org Address : GNG IDC B/D, 343-1 Yhatap-dong, Pundang-gu, Seongnam 
[ ISP IP Admin Contact Information ]
Name : Hyo-Sun, Chang
Phone : +82-2-2105-6082
Fax : +82-2-2105-6100
E-Mail : ip () epnetworks co kr

The traceback on the email we received was to a BT British system,
likely hacked... and as I have noted the same source code was posted
on an Italian board in Italian with an Italian email address in
December.

(Not that the attacker was necessarily the same person or if he
was, that he is Italian. Further, often these things are not done
by lone individuals. Though they are simple enough to be done by
lone individuals. Only smart criminals work by themselves. And, criminal
tend to not be so smart until they retire.)


> http://www.popmoney.net/ip/index.php
> http://www.portalone.hostance.com.com/italia.exe
>
>
>
>
>
> Regards
>
> Thor Larholm
> Senior Security Researcher
> PivX Solutions
> 24 Corporate Plaza #180
> Newport Beach, CA 92660
> http://www.pivx.com
> thor () pivx com
> Stock symbol: (PIVX)
> Phone: +1 (949) 231-8496
> PGP: 0x5A276569
> 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
>
> PivX defines a new genre in Desktop Security: Proactive Threat
> Mitigation. 
> <http://www.pivx.com/qwikfix>
>
>
> -----Original Message-----
> From: Greg Kujawa [mailto:greg.kujawa () diamondcellar com] 
> Sent: Friday, May 14, 2004 7:37 AM
> To: bugtraq () securityfocus com
> Subject: Still Vulnerable in MSIE
>
>
>
>
> With the latest vendor AV definitions and all of the 
> Microsoft Security
> Updates my MSIE 6 application still was vulnerable to some apparent
> cross-site scripting exploit. I was hit with one of the many Agobot
> variants when exiting a site detailing some IE vulnerabilities
> (http://www.hnc3k.com). The site exit led to a series of pop-up and
> pop-under ads. 
>
>
>
> All of these site redirects apparently resulted in a 
> www2.flingstone.com
> site dropping in a infamous.exe file onto my computer. All the while I
> saw no prompts to download or execute anything whatsoever. 
> All I did was
> close the windows that were coming up.
>
>
>
> Just an FYI since even the latest updates on all fronts cannot ensure
> peace of mind.