From: Mike Adams (mike.adams01HOME.COM)
Date: Sun Mar 04 2001 - 16:10:52 CST


    It looks more like the application is GETTING data rather than sending it.

    If you look at the page http://204.176.10.168/GCSE/Messages/todolist04.tag
    in a regular browser, it's actually commented as to what it does.

    It looks like it's some way for the application to import dynamic banners or
    links from the author's site. AIM, Odigo, and even CuteFTP do something
    similar with the in-application banner ads.

    Just my $0.02.

    I have pasted the contents of the page below.

    --- BEGIN PASTE ---

    <comment>
        Contain a list tags that specify things clients can do.
        Right now that is only one valid tag, <msg>. But we can
        add more tags anytime we want. Old clients will just
        ignore the new tags.

        There are two ways to comments your file
        1. Write your comment outside a tag, Make sure you don't have
           use any < or > characters in your comments.
        2. Write your comment inside a comment tag. You can put anything
           in your comment except the close comment tag, /command.
           This comment is inside a comment tag.
    </comment>

    Comment for msg tag
         msg - message that can be displayed by the client
         MsgId - id for current message. This is use to check if user has seem this
                      message already.
         StartUrl - points to a message that user will see
         EndUrl - points to a message that we want to user to go to.
                      We will not display this message again once user has
                      come here.
         priority - priority of the message, 1 is the highest
         expiration - expiration date of the message.

    <msg>
    [MsgId] 1001
    [StartUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGL.html
    [EndUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGLConfirm.asp
    [priority] 1
    [expiration] 8/7/2000
    </msg>

    <msg>
    [MsgId] 1002
    [StartUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGL.html
    [EndUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGLConfirm.asp
    [priority] 1
    [expiration] 9/22/2000
    </msg>

    <msg>
    [MsgId] 1003
    [StartUrl] http://www.realityfusion.com/gcse/ezonics/seesawdm/dm1.html
    [EndUrl] http://www.seesaw.com/promotions/ez/sb_ez_rfupdate/dm_moreinfo.asp
    [priority] 5
    [expiration] 8/1/2001
    </msg>

    --- END PASTE ---

    -----Original Message-----
    From: Bugtraq List [mailto:BUGTRAQSECURITYFOCUS.COM]On Behalf Of J
    Edgar Hoover
    Sent: Friday, March 02, 2001 8:03 PM
    To: BUGTRAQSECURITYFOCUS.COM
    Subject: trojaned Reality Fusion app

    The executable rfupd.exe included in the Reality Fusion products bundled
    with many popular cameras sends the following data to 204.176.10.168 port
    80 every time you use the app, reboot your computer or change
    configuration.

    -----
    GET /GCSE/Messages/todolist04.tag HTTP/1.1
    If-Modified-Since: Sat, 03 Mar 2001 00:43:39 GMT
    If-None-Match: "e9ffe1fc7aa3c01:87a"
    User-Agent: RFUPD
    Host: www.RealityFusion.com
    Connection: Keep-Alive
    -----

    This is particularly disturbing since the application by its nature
    enables video/audio surveillance of the user.

    I'm real curious what kind of information is obfuscated in the string
    If-None-Match: "e9ffe1fc7aa3c01:87a" too.

    Anyone interested in dissecting the (windows) application can find it at
    http://totally.righteous.net/rfupd.exe

    Cheers,
    zorch
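The original report asks what might be hidden in the `If-None-Match` value, and the reply points out the request is an ordinary conditional GET. The following decoder is an added example, not code from either poster or from Reality Fusion. It assumes the value follows the IIS ETag convention, which its `hex:hex` shape suggests but which nothing in the thread confirms: the part before the colon is the file's last-modified time as a Windows FILETIME (100 ns ticks since 1601-01-01) whose eight little-endian bytes are each printed as unpadded hex, and the part after the colon is the server's configuration change counter. The check a defender wants is whether the value decodes to the very instant the client sent in `If-Modified-Since`; if it does, it is a cache validator and carries no extra data.

```python
"""Decode an IIS-style ETag ("<filetime>:<change>") and cross-check it against
the If-Modified-Since header sent in the same request.

Added example; the IIS format is an assumption stated in the text above.
"""
from datetime import datetime, timedelta, timezone
from itertools import product

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Plausibility window used to choose among ambiguous byte groupings.
WINDOW = (datetime(1995, 1, 1, tzinfo=timezone.utc),
          datetime(2038, 1, 1, tzinfo=timezone.utc))


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME ticks are 100 ns; timedelta wants microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def byte_groupings(hexdigits: str):
    """Each FILETIME byte is printed with %x, so a byte below 0x10 occupies a
    single digit and the string cannot be split unambiguously. Yield every way
    to cut it into eight groups of one or two hex digits (little-endian order)."""
    for widths in product((1, 2), repeat=8):
        if sum(widths) != len(hexdigits):
            continue
        groups, pos = [], 0
        for width in widths:
            groups.append(hexdigits[pos:pos + width])
            pos += width
        yield bytes(int(group, 16) for group in groups)


def decode_iis_etag(etag: str) -> dict:
    """Return every plausible last-modified timestamp (ISO 8601, whole seconds)
    and the change counter carried by an IIS-style ETag."""
    time_part, _, change_part = etag.strip().strip('"').partition(":")
    stamps = set()
    for raw in byte_groupings(time_part):
        try:
            when = filetime_to_datetime(int.from_bytes(raw, "little"))
        except OverflowError:  # this grouping implies a year beyond 9999
            continue
        if WINDOW[0] <= when <= WINDOW[1]:
            stamps.add(when.strftime("%Y-%m-%dT%H:%M:%SZ"))
    return {
        "modified": sorted(stamps),
        "change_number": int(change_part, 16) if change_part else None,
    }


def etag_matches_last_modified(etag: str, http_date: str) -> bool:
    """True when the ETag decodes to the same second as the HTTP-date given in
    If-Modified-Since, i.e. the value is consistent with a plain cache validator."""
    ims = datetime.strptime(http_date, "%a, %d %b %Y %H:%M:%S GMT")
    return ims.strftime("%Y-%m-%dT%H:%M:%SZ") in decode_iis_etag(etag)["modified"]


if __name__ == "__main__":
    # Header values copied from the request captured in the original report.
    ETAG = '"e9ffe1fc7aa3c01:87a"'
    IMS = "Sat, 03 Mar 2001 00:43:39 GMT"
    print(decode_iis_etag(ETAG))
    print("matches If-Modified-Since:", etag_matches_last_modified(ETAG, IMS))
```

Run against the captured headers, the only grouping that lands in a plausible range decodes to 2001-03-03 00:43:39 UTC, which is exactly the `If-Modified-Since` timestamp the client sent, and the suffix is the counter 0x87a. The two validators agree with each other, which is what a plain HTTP cache check looks like and is the evidence to collect before concluding a header smuggles anything.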
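The pasted todolist file is the thing the client actually imports, so the useful review question is what it can make the client do. The parser below is an added example, not Reality Fusion code; its grammar is inferred from the pasted file alone: `<comment>...</comment>` blocks and loose text are ignored, each `<msg>...</msg>` block carries `[Field] value` lines, unknown tags are skipped (the file's own comment says old clients do exactly that), and dates are M/D/YYYY. It reports which messages were still live on the date of the reply and which hosts the file can send the client to.

```python
"""Parse the Reality Fusion todolist .tag format quoted in the thread.

Added example; the format rules are inferred from the pasted file.
"""
import re
from datetime import date
from urllib.parse import urlsplit

# Abridged copy of the file pasted in the thread (comment text shortened).
TAG_FILE = """\
<comment>
    Right now that is only one valid tag, <msg>. But we can
    add more tags anytime we want. Old clients will just
    ignore the new tags.
</comment>

Comment for msg tag
     msg - message that can be displayed by the client
     priority - priority of the message, 1 is the highest

<msg>
[MsgId] 1001
[StartUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGL.html
[EndUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGLConfirm.asp
[priority] 1
[expiration] 8/7/2000
</msg>

<msg>
[MsgId] 1002
[StartUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGL.html
[EndUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGLConfirm.asp
[priority] 1
[expiration] 9/22/2000
</msg>

<msg>
[MsgId] 1003
[StartUrl] http://www.realityfusion.com/gcse/ezonics/seesawdm/dm1.html
[EndUrl] http://www.seesaw.com/promotions/ez/sb_ez_rfupdate/dm_moreinfo.asp
[priority] 5
[expiration] 8/1/2001
</msg>
"""

COMMENT_BLOCK = re.compile(r"<comment>.*?</comment>", re.S | re.I)
MSG_BLOCK = re.compile(r"<msg>(.*?)</msg>", re.S | re.I)
FIELD_LINE = re.compile(r"^[ \t]*\[(\w+)\][ \t]*(.*?)[ \t]*$", re.M)


def parse_us_date(text):
    """Expiration dates are M/D/YYYY without zero padding."""
    month, day, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def parse_tag_file(text):
    """One dict (lower-cased field names) per <msg> block. Comment blocks are
    removed first so the "<msg>" mentioned inside the comment is not parsed."""
    text = COMMENT_BLOCK.sub("", text)
    return [dict((key.lower(), value) for key, value in FIELD_LINE.findall(body))
            for body in MSG_BLOCK.findall(text)]


def active_message_ids(text, today_iso):
    """MsgIds a client would still act on at the given date, highest priority
    first (1 is highest per the file's comment); expired entries are dropped."""
    today = date.fromisoformat(today_iso)
    live = [m for m in parse_tag_file(text)
            if parse_us_date(m["expiration"]) >= today]
    live.sort(key=lambda m: int(m["priority"]))
    return [m["msgid"] for m in live]


def referenced_hosts(text):
    """Every host the file can steer the client to; compare this list against
    the vendor's own domain when reviewing what the update channel controls."""
    hosts = {urlsplit(m[key]).hostname
             for m in parse_tag_file(text)
             for key in ("starturl", "endurl") if key in m}
    return sorted(hosts)


if __name__ == "__main__":
    print("messages:", [m["msgid"] for m in parse_tag_file(TAG_FILE)])
    print("active on 2001-03-04:", active_message_ids(TAG_FILE, "2001-03-04"))
    print("hosts referenced:", referenced_hosts(TAG_FILE))
```

On the date of the reply only MsgId 1003 is unexpired; the two FreeGL entries lapsed in 2000. The host list shows the file is not limited to the vendor's own domain: the live entry's EndUrl points at www.seesaw.com, so whoever controls the file (or the path to it, since it travels over plain HTTP) chooses where the client is sent.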