[identity profile] coyoteden.livejournal.com posting in [community profile] techrecovery
Video of a fresh XP install getting pwn3d by visiting a website

The video is a screen-capture movie from Benedelman.org and shows how an unpatched WinXP system will get rooted and stuffed full of spyware just by visiting one website in IE. No confirmation box, no warning. By the time anything other than a blank page appears the system is already compromised.

He does note that XP SP2 isn't vulnerable. What he doesn't mention is that IE under every other platform is vulnerable even if it's patched to date, especially Windows 98/Me (and a lot of people do still run 9x). Ditto for Windows 2000 and XP SP1, and there are a lot of corporate desktops in that category.

Firefox on any platform, of course, is not vulnerable.

I am so glad I no longer clean this shit up every day.

Date: 2004-11-24 08:52 pm (UTC)
From: [personal profile] jecook
I would like to note that it uses Media Player 9, for all the old bastards that have not updated their machines in a while.

::grumbles::

I finally found a program at work that pukes if you try to install it on a SP2 machine. Fortunately, it's pretty easy to get around, as the problem appears to be well documented (except by the company who wrote it - they want you to pay for that privilege via a support contract).

Date: 2004-11-24 08:58 pm (UTC)
From: [personal profile] jecook
::plays the video::

wow. All that from one URL. Amazing.

However, there are a few opportunities where the user could, in theory, NOT install the crap, although by that time it's probably too late anyway.

Date: 2004-11-24 10:48 pm (UTC)
From: [identity profile] loosechanj.livejournal.com
I think I'm more interested in how it was recorded.

Date: 2004-11-25 01:02 am (UTC)
From: [identity profile] tsutton.livejournal.com
LOL, I was thinking the same thing! But it was a bad quality...

Date: 2005-11-23 08:56 pm (UTC)
From: [identity profile] valiskeogh.livejournal.com
Looks like winmedia encoder, you can get it at the MS site, pretty easy to use, I use it all the time.

the quality settings are very adjustable

Date: 2004-11-25 01:03 am (UTC)
From: [identity profile] tsutton.livejournal.com
I'm interested to see WHICH website does that. I want to see it myself on my spare PC.

Date: 2004-11-25 01:49 am (UTC)
From: [identity profile] 200iso.livejournal.com
looks like xpire.inf/fa/?d=get
maybe

Date: 2004-11-25 01:51 am (UTC)
From: [identity profile] tsutton.livejournal.com
That's what I saw. And when you look at the popups... there are more addresses on the titlebar. Looks like it was made up just for the video!!

Date: 2004-11-25 01:57 am (UTC)
From: [identity profile] 200iso.livejournal.com
Looks like it was made up just for the video!!
Yeah. Looks like. I'm not sure if this is really a fair, real-world situation. I've seen many customers' computers completely unusable due to spyware - but does it really happen this quickly? All at once?

Date: 2004-11-25 04:39 am (UTC)
From: [identity profile] taleya.livejournal.com
This was recorded by using a vid card with TV-out - I've done the same for training in the past. You just run it from the TV-out into a VCR and hit record :)

It's definitely a fake - one of the popup windows has the url "www.sp2fucked.biz/user28/2dimension*something*ExploitsEmc.php"

Still, should be good for scaring the shit out of end users....

Date: 2004-11-25 05:30 am (UTC)
From: [identity profile] gholam.livejournal.com
I don't think he used TV-out to record that - notice the windows media something running in the background, I think that's the screen capturing program. The quality is too good for TV-out as well. Also, note that he used VMware - shows that he wasn't crazy enough to run it on an actual live PC :)

Now, back to watching Ad-Aware at work on another customer's PC... after neutralizing most of the spyware there with HijackThis, LSPFix and WinsockFix, it's up to 2887 critical objects and counting...

Date: 2004-11-25 05:52 am (UTC)
From: [identity profile] loosechanj.livejournal.com
Yeah, I gave it a shot myself, it's the windows media encoder. Pretty nifty that, recording desktop.

Re: Definitely NOT a fake.

Date: 2004-11-25 04:38 pm (UTC)
From: [identity profile] dmsalem00.livejournal.com
Bastards. Let's get Manhattan SVU's TARU unit to trace the IP. They can trace anything (as long as it begins with 300.xx) (yes I know that was a fake IP ;-p).

At any rate, it wouldn't surprise me not at all to learn CWS's creators are behind something THIS nasty. I gotta show this to our training managers.

Date: 2005-11-30 01:02 am (UTC)
From: [identity profile] astevenson.livejournal.com
Not a fake, you can put whatever you want in the title bar.

Date: 2004-11-30 10:29 pm (UTC)
From: [identity profile] varjosusi.livejournal.com
Damn, can't watch it (running Knoppix, as my HD died, and I'm waiting for a paycheck to come in to buy a new one).

Considering that the average time for an unpatched clean XP install to get hit by viruses/worms/etc is now down to 4 minutes, from 15... well, I'm glad I went to Linux ;)
