
[Full-Disclosure] Misinformation on Scob/MSJect Corrected

Summary:

Microsoft is very wrong when presenting information
about Download.Ject [also known as: JS.Scob.Trojan, 
Scob, and JS.Toofeer.]

Many media sources have also been presenting inaccurate
information on these virii.


What Is Happening:

CERT advises people not to use Internet Explorer.

http://www.kb.cert.org/vuls/id/713878

This issue is a vulnerability which was found being
used by a spyware distributor in the wild. Many 
media sources are erroneously reporting this 
vulnerability as being the same one Microsoft speaks
of in the Scob/MS.Ject attack:

(from: "What You Should Know About Download.Ject")
http://www.microsoft.com/security/incident/download_ject.mspx

"The second is a recently discovered issue that 
Microsoft is currently investigating in order to 
provide a solution. Customers who are already 
following our safe browsing guidance significantly 
reduce their risk from this type of attack."

This is patently not true. Jelmer found this issue
some ten months ago. It is not a recently discovered,
previously unknown vulnerability. This is the old
ADODB.Stream issue.

And it is not being used by a spyware distributor;
it is being used to steal credit cards by outright
trojans.

BID: 10514
Previously: BID: 8577
Published Date: Aug 23, 2003
http://www.securityfocus.com/bid/10514/credit/

http://www.securityfocus.com/bid/8577

The original published paper by Jelmer:
http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html

So much for this "previously unknown vulnerability": it has
been known for ten months.
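The ADODB.Stream issue above has a concrete host-side mitigation: Microsoft's own guidance (KB870669) is to set the ActiveX "kill bit" on the ADODB.Stream control so Internet Explorer refuses to instantiate it from a web page. The following PowerShell script is an added example, not part of the original post or of Microsoft's material; it assumes the CLSID, registry path and Compatibility Flags value documented in KB870669 and KB240797, and the function names are my own.

```powershell
# Added example (not from the original post): check, and optionally set, the
# Internet Explorer kill bit for the ADODB.Stream ActiveX control.
# Assumptions: CLSID and registry layout as documented in KB870669 / KB240797.

$clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'   # ADODB.Stream CLSID (KB870669)
$keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$KillBit = 0x400   # COMPAT_EVIL_DONT_LOAD: IE will not load the control

function Test-AdodbStreamKillBit {
    # Returns an object describing whether the kill bit is currently set.
    if (-not (Test-Path $keyPath)) {
        return [pscustomobject]@{ KeyPresent = $false; KillBitSet = $false; Flags = $null }
    }
    $flags = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    $set = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    return [pscustomobject]@{ KeyPresent = $true; KillBitSet = $set; Flags = $flags }
}

function Set-AdodbStreamKillBit {
    # Sets the kill bit while preserving any other compatibility flag bits.
    # Requires an elevated shell (writes under HKLM).
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

# Usage: report the current state; remediate only when run with -Fix.
param()
$state = Test-AdodbStreamKillBit
if ($state.KillBitSet) {
    Write-Output ("ADODB.Stream kill bit is set (Compatibility Flags = 0x{0:X})" -f $state.Flags)
} else {
    Write-Output "ADODB.Stream kill bit is NOT set; run Set-AdodbStreamKillBit from an elevated shell."
}
```

The check reads only the single registry value and reports; the write path is kept in a separate function so the script can be used read-only on fleet hosts and the remediation applied deliberately. Kill-bitting the control blocks IE from scripting it but does not uninstall MDAC, so other applications that use ADODB.Stream legitimately are unaffected.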

To be fair, I think their tech writers and marketers got
confused in transmission from their IE security guys. It
is extremely confusing. 

But, this is a major warning they are giving to all
of their customers. They are a multibillion dollar
company who claims security is their first priority. They
need to be held to that standard.

References on Scob:
http://www.securityfocus.com/archive/1/367120/2004-06-20/2004-06-26/0
http://tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCompromise.pdf
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

The original surfacing of this attack, used in all likelihood
by the same criminals (March 2004) -- yes, same technique as
Scob, same end result of stealing CC info:
http://groups.google.com/groups?selm=c4a26d%241koc%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain

End Note:

It might be noted that these attacks are not so widespread
as to merit the kind of media attention they have
received. However, I see this as kind of a "misplaced"
new urgency; this urgency should have been there in
the first place. In its lateness we also see a lot
of inaccuracy, though it might be noted these issues
are rather complex and can be very confusing because
of the lack of proper naming conventions and such.

In other words: Big money and zero day. The connection
has been made.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html