> -----Original Message----- > From: Thor Larholm [mailto:thor@xxxxxxxx] > Sent: Friday, May 14, 2004 3:45 PM > To: Greg Kujawa; bugtraq@xxxxxxxxxxxxxxxxx > Subject: RE: Still Vulnerable in MSIE > <snip> > > which uses the Object Data vulnerability to change your startpage to > > http://default-homepage-network.com/start.cgi?hkcu Bastards, watching my work. (reference) http://www.eeye.com/html/Research/Advisories/AD20030820.html <snip> > Other files that are attempted to be delivered are > > http://www.addictivetechnologies.net/DM0/cab/emCraft1.cab > http://www.addictivetechnologies.net/DM0/exe/emCraft1.exe > http://validation-required.info/ Money shot there. "validation-required.info" is the same site used by that phishing attack I just posted on. http://www.securityfocus.com/archive/1/363350/2004-05-14/2004-05-20/1 [ ISP Organization Information ] Org Name : Enterprise Networks Service Name : ENTERPRISENET Org Address : GNG IDC B/D, 343-1 Yhatap-dong, Pundang-gu, Seongnam [ ISP IP Admin Contact Information ] Name : Hyo-Sun, Chang Phone : +82-2-2105-6082 Fax : +82-2-2105-6100 E-Mail : ip@xxxxxxxxxxxxxxxx The traceback on the email we received was to a BT British system, likely hacked... and as I have noted the same source code was posted on an Italian board in Italian with an Italian email address in December. (Not that the attacker was necessarily the same person or if he was, that he is Italian. Further, often these things are not done by lone individuals. Though they are simple enough to be done by lone individuals. Only smart criminals work by themselves. And, criminal tend to not be so smart until they retire.) > http://www.popmoney.net/ip/index.php > http://www.portalone.hostance.com.com/italia.exe > > > > > > Regards > > Thor Larholm > Senior Security Researcher > PivX Solutions > 24 Corporate Plaza #180 > Newport Beach, CA 92660 > http://www.pivx.com > thor@xxxxxxxx > Stock symbol: (PIVX) > Phone: +1 (949) 231-8496 > PGP: 0x5A276569 > 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 > > PivX defines a new genre in Desktop Security: Proactive Threat > Mitigation. > <http://www.pivx.com/qwikfix> > > > -----Original Message----- > From: Greg Kujawa [mailto:greg.kujawa@xxxxxxxxxxxxxxxxx] > Sent: Friday, May 14, 2004 7:37 AM > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: Still Vulnerable in MSIE > > > > > With the latest vendor AV definitions and all of the > Microsoft Security > Updates my MSIE 6 application still was vulnerable to some apparent > cross-site scripting exploit. I was hit with one of the many Agobot > variants when exiting a site detailing some IE vulnerabilities > (http://www.hnc3k.com). The site exit led to a series of pop-up and > pop-under ads. > > > > All of these site redirects apparently resulted in a > www2.flingstone.com > site dropping in a infamous.exe file onto my computer. All the while I > saw no prompts to download or execute anything whatsoever. > All I did was > close the windows that were coming up. > > > > Just an FYI since even the latest updates on all fronts cannot ensure > peace of mind. > >
