1. Re: Color differences
- Posted by CoJaBo <cojabo at suscom.net> Oct 03, 2004
- 419 views
- Last edited Oct 04, 2004
Kat wrote:
>
> On 1 Oct 2004, at 20:07, CoJaBo wrote:
>
> > posted by: CoJaBo <cojabo at suscom.net>
> >
> > Craig Welch wrote:
> > >
> > > Kat wrote:
> > >
> > > > What functions? the original url was blank, all javascript! There was
> > > > nothing there, the page was blank!
> > >
> > > Javascript != 'blank'. Quite a nice functional web page, actually.
> > >
> > > > Are you guys really risking being trojaned for
> > > > some code that you now say is inadequate?!?
> > >
> > > The mere presence of javascript does not in itself imply a risk of a
> > > trojan. Choice of browser, other security settings, all come into play.
> >
> > Kat does have a point:
> > The "nitrious" virus I discovered uses javascript to
> > open the popup for its install ActiveX script and to
> > prevent someone from closing the install popup,
> > as well as opening a large number of (apparently
> > random) websites for reasons I don't know (DDOS
> > attack maybe?). I have tested this on Mozilla
> > Firefox (since it is immune to the destructive
> > part of the virus) and the javascripts work
> > fine on it, the window won't close, and the
> > "DDOS" attack runs.
> >
> > Also I have received a number of phishing e-mails
> > that use javascript to make the fake site look secure,
> > it works so well that the fake site looks identical
> > to the real one.
>
> The Citi phishing one was/is notorious, and it's still going around. Here's a

I think that was the one I got (13 of them actually)

> page that describes how to use Activex to do anything. This one spreads
> itself by advertising on irc, but it also replaces the windows system dlls, so
> the whole computer can be owned: http://charmy.tky.hut.fi/brit.txt

That code looks frighteningly familiar...
It looks identical to the code in the installer for the "nitrious" virus, except for the urls (nitrious used "/iexplore.exe" and replaced internet explorer).

It then downloaded/created the following files in various places:

- SwimSuitNetwork.exe (adware: http://www.pestpatrol.com/pestinfo/s/swimsuitnetwork.asp)
- xupiter.exe (couldn't find useful site)
- nitrious.exe (seems to be a crack tool, all search results returned illegal software)
- NE.EXE (site has popups... http://www.2-spyware.com/file-ne-exe.html)
- MadOnion.exe (MadOnion is a benchmark suite?)
- hotPLS.exe (too many useless results)
- gator.cab (spyware: http://www.pchell.com/support/gator.shtml)
- azul.exe (Nuker: http://www.pestpatrol.com/pestinfo/n/nuker_cgsi.asp)
- catapult freeware(program) (something to do with ROMS, all search results returned pirated software)

The page that installed the virus contained at least 20 exploits, some of which weren't discovered for a while, if at all.

>
> Kat