Theory


116 replies to this topic

#16 Racktracker (Hunter of Malware, Authentic Member, 381 posts)

Posted 06 March 2005 - 11:19 AM

Efwis was "kind" enough to send me the link to the site in question.

So I paid it a visit using FF 1.01.

The pictures basically speak for themselves. (Of course I clicked No.)

[Screenshot: security warning dialog]

[Screenshot: security warning dialog]

I especially liked the advertisement for Firefox.


#17 Crow (WTT Tech Emeritus, Authentic Member, 970 posts)

Posted 06 March 2005 - 12:37 PM

Hmm.... my log after visiting with FF:

Logfile of HijackThis v1.99.1
Scan saved at 1:34:32 AM, on 3/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\Documents and Settings\Crow\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe


#18 Danny_ (Emeritus-The Malware Remover, Authentic Member, 1,323 posts)

Posted 06 March 2005 - 07:42 PM

All that I'm hoping is that there isn't another infection that hijacks FF to that page....

#19 RubbeR DuckY (Authentic Member, Dev, 36 posts)

Posted 07 March 2005 - 05:30 PM

Me thinks they were planning this. Yes, funny advertisement. I'm going to do some more research.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#20 Guest_Paperghost_* (Guest)

Posted 09 March 2005 - 06:37 PM

They're doing this by exploiting the Sun Java Runtime Environment and forcing the initial install through a Java applet rather than the usual ActiveX route. In this way, regardless of browser, if it recognises the applet and executes it then IE will be nailed, even with the infection site on a blocklist of some description.

Writeup below. In the writeup I have decided to include the infection URLs in the screenshots, as I feel that because this is already out there and most likely nailing people already, we have a duty to full disclosure. Security through obscurity just doesn't cut it. For info, the browser results so far are as follows:

Firefox - The install works.
Mozilla - The install works.
Avant browser - The install works.
Netscape 7.2 - The dayam thing kept crashing, but eventually I was able to discover that the install works.
NetCaptor - The install is blocked.
Opera - The install is blocked.

I'll be trying more tomorrow.

http://www.vitalsecu...infects-ie.html

Edited by Paperghost, 09 March 2005 - 06:38 PM.
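Paperghost's point above is that the dropper arrives through a Java applet, which any browser with a Java plug-in will run, rather than through the IE-only ActiveX path. The following added example (my code, not from the thread or from any site it names) scans a page for both embedding forms and separates the browser-independent Java vectors from the ActiveX one; the sample HTML, URLs and CLSID are constructed, and the real infection URLs are deliberately not reproduced.

```python
from html.parser import HTMLParser

# Constructed sample page; the thread's real infection URLs are deliberately not reproduced.
SAMPLE_HTML = """
<p>Loading free screensaver...</p>
<applet code="Installer.class" archive="http://example.invalid/drop.jar" width="1" height="1"></applet>
<object classid="clsid:00000000-0000-0000-0000-000000000000" codebase="http://example.invalid/x.cab"></object>
<object type="application/x-java-applet" width="0" height="0">
  <param name="archive" value="http://example.invalid/drop2.jar">
</object>
<embed type="application/x-java-applet" code="Loader.class" archive="loader.jar">
"""

class InstallVectorScanner(HTMLParser):
    """Collects every element that can hand executable content to a browser plug-in."""

    def __init__(self):
        super().__init__()
        self.findings = []          # list of (vector, detail) tuples in document order
        self._in_java_object = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "applet":
            # Classic <applet>: runs wherever a Java plug-in is installed, in any browser.
            self.findings.append(("java-applet", a.get("archive") or a.get("code", "?")))
        elif tag == "object":
            if a.get("classid", "").lower().startswith("clsid:"):
                # CLSID objects only resolve through IE's ActiveX machinery.
                self.findings.append(("activex", a["classid"]))
            elif "java" in a.get("type", "").lower() or a.get("classid", "").lower().startswith("java:"):
                self._in_java_object = True   # payload is named by <param> children
        elif tag == "embed" and "java" in a.get("type", "").lower():
            self.findings.append(("java-applet", a.get("archive") or a.get("code", "?")))
        elif tag == "param" and self._in_java_object and a.get("name", "").lower() in ("archive", "code"):
            self.findings.append(("java-applet", a.get("value", "?")))

    def handle_endtag(self, tag):
        if tag == "object":
            self._in_java_object = False

def scan(html):
    """Return all plug-in install vectors found in the page, in document order."""
    p = InstallVectorScanner()
    p.feed(html)
    p.close()
    return p.findings

def cross_browser_vectors(html):
    """Only the Java findings matter for Firefox, Mozilla, Netscape and friends."""
    return [detail for vector, detail in scan(html) if vector == "java-applet"]
```

Blocking the hosting domain in HOSTS, as a later post suggests, stops the fetch; this check instead tells you whether a page you already have would have reached the Java plug-in at all.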


#21 Guest_Paperghost_* (Guest)

Posted 10 March 2005 - 12:09 AM

I've had an update from Daniel Veditz, head of Mozilla security: this WILL work in Opera with the right permissions enabled, and also in NetCaptor as long as it has some sort of native Java support, which is likely.

#22 Coyote (Emeritus-Expert, Authentic Member, 979 posts)

Posted 10 March 2005 - 12:19 AM

Paperghost, thank you for your work on this.

#23 Pipex (New Member, 3 posts)

Posted 10 March 2005 - 02:10 AM

I have highlighted the unfortunate news on my forum site and main site :( A reluctant (not for the wrong reasons) thank you to Efwis for bringing this to light.

Edited by Pipex, 10 March 2005 - 02:18 AM.

Chris......

#24 Guest_LostAccount_* (Guest)

Posted 10 March 2005 - 11:20 AM

Just did a Google search on the site. Found it... but didn't dare to tread in it. Updated my HOSTS file for the site first... someone should tell the major HOSTS file owners the name of the site to protect temporarily... EDIT: Are all versions of Java unsafe, including J2SE 1.5?

Edited by LostAccount, 10 March 2005 - 11:22 AM.


#25 Guest_Hound5150_* (Guest)

Posted 10 March 2005 - 11:21 AM

I have not been able to test much of this, but if you have Java and ActiveX disabled or set to prompt, is the site still able to bypass the browser's security? I personally don't have them enabled unless I visit a site that needs to use them. :huh: I am going to set up a PC for the purpose of testing theories like these, as well as for safe infecting and troubleshooting.

Edited by Hound5150, 10 March 2005 - 11:23 AM.



#26 Guest_Paperghost_* (Guest)

Posted 11 March 2005 - 11:40 AM

http://www.theregist...tive_slimeware/

Some mass publicity of the exploit, courtesy of yours truly ;)

#27 Guest_Hound5150_* (Guest)

Posted 11 March 2005 - 01:27 PM

This was a thought that I had after reading an article testing different anti-spyware apps. I guess it falls in line with this problem a little because of the threat against Java now. But to add, it also needs to be said that the average browser is the affected person, so education about these issues is important, and thank god for these forums to do the job. THOUGHT: Just reading the article, you don't need to bog down your system with tons of anti-ware apps running to get maximum protection; it seems that running the right combination of apps (1 or 2) will give you just as much protection. In addition, if you turn off ActiveX and Java during your browsing, is that not enough? I know there are some sites that need to have those items to work right (like filling out a form or accessing a site with username and password), but is it necessary to have them (Java and ActiveX) running all the time? Any other opinions on this?

Edited by Hound5150, 11 March 2005 - 01:28 PM.


#28 grummy (Retired Staff, Authentic Member, 22 posts)

Posted 11 March 2005 - 07:22 PM

After reading this thread I couldn't resist going to the site using Firefox. Guess what: on my version of FF (Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.7.6) Gecko/20050223 Firefox/1.0.1), instead of getting the Security Warning pop-up like RackTracker got asking if I wanted to accept the signed applet, I got a toolbar notification across the entire top of the browser that the entire exploit was blocked by Firefox!! Great news indeed. Perhaps my version of FF is newer?? PS (tried to post a screenshot image but can't seem to get it to work)

Edited by grummy, 11 March 2005 - 07:32 PM.


#29 Racktracker (Hunter of Malware, Authentic Member, 381 posts)

Posted 11 March 2005 - 08:23 PM

If you look at my screenshot you can see the "toolbar" that Grummy refers to. I used Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1. The difference most likely (as mentioned before) is the use of Sun Java. When I answered No to the pop-up, I was not infected with anything. My HJT log looked the same as always. I think it is important to add that if a user makes poor decisions while surfing the net, no software will keep them from being infected.

#30 grummy (Retired Staff, Authentic Member, 22 posts)

Posted 11 March 2005 - 08:40 PM

RackTracker, I now see that both our browsers reacted the same as to the toolbar warning, but for some reason I didn't get the pop-up?? My Java Plug-in is version 1.4.1_07. Don't know? I do think the pop-up in this case could confuse the user, so I'm happy to have not seen it. No pop-up, no click options, so to speak. :scratch:
