
List:       patchmanagement
Subject:    RE: [9] Re: WMF exploits pages in the wild... take mitigation measures [as no patch]
From:       "Peter Kruse" <kruse () krusesecurity ! dk>
Date:       2005-12-31 7:56:55
Message-ID: 000501c60ddf$c49bf0e0$0202a8c0 () csiswormhole

Hi Mark,

Please note that these sites rarely have data at the doc root.

They're usually under the /dl/ or /progs/ directories. 

They also frequently have names like:

http://[%malicious website%]/dl/adv522.php
http://[%malicious website%]/a/1/activex/
http://[%malicious website%]/tr/

And so on ...

That means that simply visiting the sites won't really tell us if a
specially crafted WMF is contained somewhere on that specific website. We
would often need the complete URL for confirmation.

Regards
Peter Kruse

-----Original Message-----
From: Mark Dormer [mailto:mark@inpac.com.au] 
Sent: 30. december 2005 19:20
To: Patch Management Mailing List
Subject: RE: [9] Re: WMF exploits pages in the wild... take mitigation measures [as no patch]

www.toolbarbiz.biz - The page cannot be found
www.toolbarsite.biz - The page cannot be found
www.toolbartraff.biz - The page cannot be found
www.toolbarurl.biz - The page cannot be found
www.buytoolbar.biz - The page cannot be found
www.buytraff.biz - The page cannot be found
www.iframebiz.biz - The page cannot be found
www.iframecash.biz - Loaded, nothing tried to install
www.iframesite.biz - The page cannot be found
www.iframetraff.biz - The page cannot be found
www.iframeurl.biz - The page cannot be found

www.crackz.ws - Tries a popup blocked by SP2 blocker, popunder ads, tries to
infect you with JS:NoCheat-2, blocked by Avast, DEP prevented execution of
process rundll32.exe, possibly the WMF exploit.

www.unionseek.com - The page cannot be found
www.tfcco.com - A couple of dead gif links and a hyperlink to Waterfront living magazine
www.Iframeurl.biz - The page cannot be found
www.beehappyy.biz - Site closed for violations

Tried this on XP SP2, with Avast AV and Spywareblaster installed.

Regards
Mark Dormer

-----Original Message-----
From: Shane Alexander [mailto:shane_alexander@hotmail.com]
Sent: Friday, 30 December 2005 8:29 PM
To: Patch Management Mailing List
Subject: [9] Re: WMF exploits pages in the wild... take mitigation measures [as no patch]

Hi all,

Well does anyone want to browse to below and confirm...

(from www.updatexp.com)

Some known websites with the ability to infect you are:

www.toolbarbiz.biz
www.toolbarsite.biz
www.toolbartraff.biz
www.toolbarurl.biz
www.buytoolbar.biz
www.buytraff.biz
www.iframebiz.biz
www.iframecash.biz
www.iframesite.biz
www.iframetraff.biz
www.iframeurl.biz
www.crackz.ws
www.unionseek.com
www.tfcco.com
www.Iframeurl.biz
www.beehappyy.biz


On my home PC I've got DEP turned on (for all programs), plus ZoneAlarm, MS
AntiSpyware, SpyBot, HOSTS file blocking (of the above addresses), Sygate
Firewall, AVG antivirus, etc., and I'm not willing to test it.

Anyone?

Shane




---
Looking for RSS? The Patchmanagement.org list is available via
http://listserver.patchmanagement.org/read/rss?forum=patchmanagement

PatchManagement.org is hosted by Shavlik Technologies

To unsubscribe send a blank email to
leave-patchmanagement@patchmanagement.org
If the above unsubscribe doesn't work, view your email headers (in Outlook,
open message, View-Options) and send a blank email to the address listed in
the header that starts with 'List-Unsubscribe'.
If you are unable to unsubscribe via the above email address, please email
owner-patchmanagement@patchmanagement.org
