Re: AIM-based worm?

From: Adam Young (adamat_private)
Date: Fri Sep 27 2002 - 04:46:32 PDT

Next message: Ralph Emery: "RE: AIM-based worm?"

Previous message: webbiat_private: "RE: AIM-based worm?"
In reply to: Troy Ablan: "AIM-based worm?"
Next in thread: Ralph Emery: "RE: AIM-based worm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 26 Sep 2002 15:51:47 -0400 (EDT)
Troy Ablan <bugtraqat_private> wrote:

> Question 1:  Is there a way a web page can add a buddy to your AIM list 
> without your knowledge?

	With "aim:" identifier, they can theoretically add a new buddy to your list. 
Though they have to 'trick' you into clicking the "AIM Link".
	ex. aim:addbuddy?screenname=FOO&group=BAR

> Question 2:  How was I prevented from viewing the source of the HTML page 
> in IE?

	You should always be able to view source.  Perhaps not through the menu's, but
prepend the URL with "view-source:" and you'll have no problems.
	eg. "view-source:http://www.foo-bar.com/"

> I wgetted the psecure20x-cgi-install.version6.01.bin.hx.com file as well 
> for anyone who wants to look at it, just in case the above link does not 
> work any more.
> 
> 
> -- BEGIN SOURCE --
> 
> <html><head><title>Browser Plugin Requried</title><meta 
> http-equiv="refresh" content="1; 
> url=psecure20x-cgi-install.version6.01.bin.hx.com"></head><body><h1>Browser 
> Plugin Required:</h1><br>You may need to restart your browser for changes 
> to take affect.<br>Security Certificate by <a 
> href="http://www.verisign.com">Verisign</a> 2002.<br>MD5: 
> 9DD756AC-80E057FC-E00703A2-F801F2E3<br><br>Click <a 
> href="psecure20x-cgi-install.version6.01.bin.hx.com">HERE</a> and choose 
> "Run" to install.</body></html>
> 
> -- END SOURCE --

	What would be more interesting is to find out what the ".com" file's source is.
 The above just tells me that after 1 second, it sends a refresh to the file in
question and through some sort of social engineering (I suppose you could say)
tactics, tries to get the user to run it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9lEUXUanLvazj+VgRAnp3AJ9IZDZ6zKpxg8yAQ58M4ZrEGLM/RQCfSUmX
d/bqTFdBjRPOhxowYhg8p8A=
=/x1t
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Ralph Emery: "RE: AIM-based worm?"
Previous message: webbiat_private: "RE: AIM-based worm?"
In reply to: Troy Ablan: "AIM-based worm?"
Next in thread: Ralph Emery: "RE: AIM-based worm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Sep 27 2002 - 15:37:34 PDT