Security Incidents mailing list archives

RE: New MSN Messenger Worm


From: "Rocky Stefano" <rstefano () echelonsystems com>
Date: Wed, 13 Feb 2002 20:55:54 -0500

I just saw a posting regarding messenger. Perhaps something that has to do
with what you are talking about.

--8 February 2002 MSN Messenger Vulnerability
Maliciously constructed JavaScript could be used to filch MSN Messenger
nicknames and buddy lists; e-mail addresses could be revealed as well.
An update is scheduled for release soon.
http://zdnet.com.com/2100-1105-833293.html

Rocky Stefano
Echelon Systems Inc.
rstefano () echelonsystems com
www.echelonsystems.com
B 905-303-2811
F 905-303-2855
Systems that work...




-----Original Message-----
From: Drew Smith [mailto:drew () eastvan bc ca]
Sent: Wednesday, February 13, 2002 8:10 AM
To: incidents () securityfocus com; bugtraq () securityfocus com
Subject: New MSN Messenger Worm



        Heya folks,

        Ok, let's try this again, with a little more time spent on my side. ;)
Tried to submit this earlier today, but got bounced for attaching the
worm source to the message.  So, this time, I'm attaching a URL instead,
where you can go get the source if you want to see it.

        This worm *ripped* through our office today - it's one part flaw in
Microsoft's security model and one part social engineering; it is a
NON-MALICIOUS worm, but it effectively proves the concept, and I don't
foresee more than a week or two before there's a nasty version.

        We've been calling it the "cool worm", after the original filename,
"cool.html".

        I said *ripped*.  I meant it.  40 people affected/infected in under
30 seconds.  That's the dangerous part, I didn't even have time to go to
the other room to let coworkers know what was up.

        The worm shows up as an MSN Messenger message that says "Go To
http://www.masenko-media.net/cool.html NoW !!!".  The user, obviously,
clicks the URL, which takes them to the site, where the malicious code
sits.  The code opens the MSN Contacts list, then messages every contact
with the message "Go To http://www.masenko-media.net/cool.html NoW !!!".

        Think about that for a second.

        Anyhow - the worm does nothing nasty, but the source to the (now down)
masenko-media.net site also mails the hostname and user agent of the
connecting host to "mmargae () wanadoo nl".

        Looks to me like an experiment that got loose from the lab, but it
demonstrates a *dangerous* flaw.  Why can a webpage open the contacts
list in the first place?  What other hooks does MSN Messenger provide?
Can you harvest email addresses from a contact list?

        Too many scary implications.

        Worm source (with a few important lines removed, so that it doesn't
start popping up *everywhere*), available at:

        http://riotnrrd.com/cool-source.zip

        Cheers,
        - Drew.




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

