Theory



#106 Guest_Paperghost_*

Guest_Paperghost_*
  • Guests

Posted 21 March 2005 - 05:55 AM

Okay, I think I found something. I just posted this over at my site, based on some findings of Firefox / Mozilla users and researchers. It's directly tied into this "Install" / "exploit" / "whatever" - though it would be great if we could all forget about the "click yes" issue and have a debate about it regardless of the install method.

I should also point out this is also done by IST, and served up by the same ysbweb.com site.

Edit - one more thing. Rather sad that these "disclaimers" now have to preclude any post involving issues regarding browsers, but still - I am fully aware that XPI exploits have been around for a while, leading to a rather well known patch that Mozilla did a while back. The point of the below is to illustrate the link between the install on the Lyricspy site and this crack site - and the fact that it's another site using the Java applet method of entry. And in this case - using an .XPI to whack IE with xxx toolbar if you agree to the .XPI, and SideFind with a "cracks" toolbar if you say no to the .XPI but yes to the applet. Thank you :)

you may be interested to know that a new site is performing this install - only this time, an .Xpi is seemingly responsible (rather than the Win32 Exe as was the previous case). Once again, the same "Java install" technique is used and this time, an old vulnerability is being used to install it (according to Sophos and users of the Mozillazine forum, where this was initially highlighted). At this stage, it's not clear if the .XPI in question is an updated version of Troj/Briss-B, or if it's the same old doing the same old thing.

If you're running an old version of Firefox, then agreeing to the applet will (once again) infect IE, although this time round the effect is a little more subtle than the Lyricspy website install.

From the previous testing of the Lyricspy site, it was seen that disabling XPI installs would put the page into a permanent tailspin. I was then informed by members of the Mozillazine community that if the Javascript install from the Lyricspy page was attempting to do just that, then the page would end up in an endless merry-go-round. Checking the code, it is clear that this is attempted and the page attempts to feed Firefox an XPI package first, instead of a Java based installer applet:

    if (InstallTrigger.updateEnabled()) {
        // XPI installs are enabled: feed Firefox the .xpi package (URL elided in the post)
        InstallTrigger.install({'Content Access Plugin 1.01' : ''});
    } else {
        // XPI installs are disabled: redirect instead (target elided in the post)
        location.replace('');
    }


http://www.vitalsecu...using-java.html

Edited by Paperghost, 21 March 2005 - 06:53 AM.
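As an added example (not code from the thread or from any of the sites it discusses), a small Python check that flags the XPI-first, redirect-or-applet-fallback pattern quoted above in a page's HTML. The sample page, its URLs and the applet name are constructed placeholders; comparing the fallback redirect target with the page's own URL is how the check reports the "permanent tailspin" the post describes when XPI installs are disabled.

```python
import re

# Constructed sample page, modelled on the snippet quoted in the post above.
# The XPI URL, redirect target and applet names are placeholders, not real addresses.
SAMPLE_PAGE = """<html><body>
<script>
if (InstallTrigger.updateEnabled()) {
    InstallTrigger.install({'Content Access Plugin 1.01' : 'http://example.invalid/plugin.xpi'});
} else { location.replace('http://example.invalid/index.html'); }
</script>
<applet code="Installer.class" archive="installer.jar" width="1" height="1"></applet>
</body></html>"""

# Constructed benign page for comparison.
BENIGN_PAGE = "<html><body><p>Lyrics go here.</p></body></html>"

INSTALL_RE = re.compile(r"InstallTrigger\.install\s*\(\s*\{(.*?)\}", re.S)
ENTRY_RE = re.compile(r"['\"]([^'\"]+)['\"]\s*:\s*['\"]([^'\"]*)['\"]")
FALLBACK_RE = re.compile(r"else\s*\{[^}]*?location\.replace\s*\(\s*['\"]([^'\"]*)['\"]", re.S)
APPLET_RE = re.compile(r"<applet\b[^>]*>", re.I)
GATE_RE = re.compile(r"InstallTrigger\.updateEnabled\s*\(")


def scan_page(html, page_url=None):
    """Return the install-chain indicators found in one HTML document."""
    # Every (name, url) pair passed to InstallTrigger.install()
    xpi = [(name, url) for m in INSTALL_RE.finditer(html)
           for name, url in ENTRY_RE.findall(m.group(1))]
    fallback = FALLBACK_RE.search(html)
    redirect = fallback.group(1) if fallback else None
    result = {
        "xpi_install": xpi,
        "gated_on_update_enabled": bool(GATE_RE.search(html)),
        "fallback_redirect": redirect,
        "applet_present": bool(APPLET_RE.search(html)),
    }
    # The tailspin described in the post: XPI installs disabled -> else branch ->
    # redirect back to a page that runs the same script again.
    result["redirect_loop"] = bool(redirect and page_url and redirect == page_url)
    # An XPI push combined with a redirect or an applet fallback is the pattern of interest.
    result["suspicious"] = bool(xpi) and (result["applet_present"] or redirect is not None)
    return result
```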


#107 Zero

Zero

    Not really Less Than One ;-)

  • Authentic Member
  • 268 posts
  • Interests:Long walks on the beach.

Posted 21 March 2005 - 07:05 AM

Yea... because an applet doing what it's told is a browser problem. <_< I'm going to stop here, because I think you are beating a dead horse and just plain milking this issue which isn't even a big issue.

Edited by Zero, 21 March 2005 - 07:06 AM.


#108 Guest_Paperghost_*

Guest_Paperghost_*
  • Guests

Posted 21 March 2005 - 07:10 AM

Yea... because an applet doing what it's told is a browser problem. <_<

I'm going to stop here, because I think you are beating a dead horse and just plain milking this issue which isn't even a big issue.


Seven pages of posting in under two days regarding XPIs and whitelists on one thread, and another one located elsewhere, by people using Firefox seems rather valid for further exploration to me. However, once again you choose to take the easy way out and disregard any and all implications posed by this new discovery.

Someone is now apparently trying to use a variant of an .XPI for Firefox to load IE with spyware, whilst using the same Java install method. If that doesn't make an alarm bell go off in your head, then I don't know what will, quite frankly. It makes me rather worried.

Its okay everyone! Nothing to worry about :blink:

#109 ThaCrip

ThaCrip

    New Member

  • New Member
  • 3 posts

Posted 22 March 2005 - 01:50 AM

Well, I did NOT get ANY popups whatsoever when going to that website that is supposedly infected with the Java exploit that infects your IE etc. ... I'm using Firefox v1.0.1 and the newest Sun Java, which is... v1.5.0_02-b09.

UPDATE: my popup/advert blocker "AD-Muncher" must have initially blocked this, because when I disabled its filtering ... I got the popup like it shows in the pics on this forum, BUT my NOD32 Anti-Virus stopped it before I even got the popup window like it was shown on these forums.

here is the pic of what i mean...

Posted Image

As you can see, I don't have much to worry about myself ;)

Edited by ThaCrip, 22 March 2005 - 02:14 AM.


#110 Guest_Paperghost_*

Guest_Paperghost_*
  • Guests

Posted 22 March 2005 - 11:38 AM

NOD is VERY good at blocking most (if not all) of the crudware from these particular installs. The site's also listed in Protowall now too - actually, it has been for about a week or so I think. What I'm interested to see is if the .xpi from the "newest" site (that is, the one from last year) has been updated to go along with the applet (which wasn't previously on that site, as far as I can tell).

#111 Guest_LostAccount_*

Guest_LostAccount_*
  • Guests

Posted 09 April 2005 - 10:43 PM

This is not a flaw in a browser, but what you are doing is an enhancement, is it? Paperghost, can you please explain the purpose of this topic? :weee:

#112 Guest_Paperghost_*

Guest_Paperghost_*
  • Guests

Posted 11 April 2005 - 01:06 PM

This is not a flaw in a browser, but what you are doing is an enhancement, is it?

Paperghost, can you please explain the purpose of this topic? :weee:


Well, I'm not 100% sure what you mean, but I didn't create this thread so you'd have to ask those who did ;)

In a nutshell, a bunch of people find an exploit supposedly "infecting" Firefox and the OS. I point out that the infection comes from a Java applet served up when visiting the site in FF (and some other browsers), that then goes on to infect IE and the OS.

I write an article about it (and at NO POINT say that Firefox itself is "infected" with anything) and everyone goes nuts (apparently because they don't like being told end users will blindly click yes to things under the misguided impression that they're "safe" from everything when using Firefox, despite the fact that people do this all the time and stacks of site admins all proclaim loudly to "switch browsers" at every opportunity, then say "switching browsers for more security is a silly thing to do" when it's pointed out that people can still get infected whilst using something other than IE).

Said people jump on me, and then go quiet when it turns out the Lyricspy site was trying to (also) install a crude Firefox specific .Xpi that infects IE with xxx toolbar when installed into Firefox, thus ending all the silliness over titles and semantics.

Numerous browser vendors agree that this is a browser issue and look to ways they can change the way browsers handle Java, ending the debate over exactly what constitutes a "browser issue".

Andrew Clover then points out the install can use CWS exploits to infect an OS with no clicking of a "yes" prompt actually needed, whether it be an active x control or a java applet, rendering all the hoohar about "clicking yes" a totally irrelevant point.

Suzi of Spywarewarrior.com discovers that the install bundles a tampered version of 180 Solutions, which appears to show that the end user agreed to the install, when they didn't (they agreed to IST).

The saga continues, but that's about it in a nutshell ;)

Edited by Paperghost, 11 April 2005 - 01:28 PM.


#113 Guest_Paperghost_*

Guest_Paperghost_*
  • Guests

Posted 11 April 2005 - 10:58 PM

Okay, this is an amazing read - Wayne Porter of X-Block:

http://www.spywaregu...nstall__72.html

#114 Avohir

Avohir

    basic

  • Authentic Member
  • 12 posts

Posted 11 April 2005 - 11:09 PM

The saga continues? I thought this whole bloody Jerry Springer style mess had finally faded... I know I have a good "beating a dead horse" .gif lying around on my hard drive somewhere...
To err is human, to really foul up requires a computer

#115 Guest_Paperghost_*

Guest_Paperghost_*
  • Guests

Posted 12 April 2005 - 02:13 AM

The saga continues? I thought this whole bloody Jerry Springer style mess had finally faded...

I know I have a good "beating a dead horse" .gif lying around on my hard drive somewhere...


I don't really see how a dead horse is being "beaten" by Suzi and Wayne (and certainly not by myself, I'm simply relaying new information relevant to the content of this thread, after all) - especially when there are some rather disturbing implications with regard to exactly how the Spazbox.net site is generating the traffic and exactly who is supplying the cut and paste source code for these installs.

Wayne apparently has some more info in the pipeline regarding these installs - I don't know what they are personally, but it should be worth the wait. And as Suzi has pointed out, even without the Java applet, the fact alone that a supposedly reformed 180 Solutions are messing with the Sais.log to make it look like the end-user has agreed to the COAST approved version of 180 Solutions through these applets is incredible enough:

http://netrn.net/spy...d-web-we-weave/

The "Jerry Springer" antics were caused by someone not checking the facts before causing all hell to break loose - unfortunate, but that's how it happened. As far as I'm concerned, that is now over as I was completely exonerated by the discovery of the .Xpi installer. But that is not what is now being discussed. The install has moved on and developed, and is worthy of further debate / exploration accordingly. Hopefully people will simply digest the facts this time round, rather than go overboard because certain browsers etc. happen to be mentioned.

The research into these installs has carried on regardless by a number of professional antispyware outfits and now the real meat of the story is coming to light. I can't see how "keeping a lid" on this new information helps anyone. There appears to be a massive network of crudware installs going on here, with more and more junk being inserted with each new discovery of the applet. As Andrew Clover of Doxdesk has highlighted, these installs are now exploiting some CWS holes, so clicking "yes" or "no" potentially doesn't even come into it anymore, regardless of whether being served up an ActiveX or a Java prompt.

If you think this is a dead issue then fine - ignore it. But I'm sure there's plenty of people out there who will be following the developments over at Spywareguide.com and Revenews closely - especially as Ben Edelman has now gotten involved:

http://www.benedelma...s/041105-1.html

The most exciting thing about this now is that many spyware companies claiming to be legit are digging a hole for themselves with these installs, and it's possibly the antispyware community's best chance to expose these people for what they are, and in a big way.

Edited by Paperghost, 12 April 2005 - 02:33 AM.


#116 Guest_LostAccount_*

Guest_LostAccount_*
  • Guests

Posted 13 April 2005 - 09:28 AM

I still don't get what the SpywareGuide webpage is trying to say. If you click no (to the Java applet prompt), does the computer still get infected (in the case of spazbox.net)? By infected I mean the installation of malware, not the downloading... (the cache doesn't count here, though I know that there is still a risk of getting infected from the cache :P ).

Edited by LostAccount, 13 April 2005 - 09:31 AM.


#117 Guest_Paperghost_*

Guest_Paperghost_*
  • Guests

Posted 14 April 2005 - 12:03 AM

I still don't get what the SpywareGuide webpage is trying to say. If you click no (to the Java applet prompt), does the computer still get infected (in the case of spazbox.net)?

By infected I mean the installation of malware, not the downloading... (the cache doesn't count here, though I know that there is still a risk of getting infected from the cache :P ).


I will answer this later if possible (running out to work!) but for now, you may be interested to know we've uncovered a massive botnet on IRC that seems to be leading the mass victims to the Spazbox.net website. More here:

http://www.revenews....ves/000594.html
