Re: trojaned Reality Fusion app

[Henrik Nordstrom <hno () HEM PASSAGEN SE>]

Seems to be some automatic advertising / content push thingy, but who
knows what other functions there might be in the client.

The digit string is supposed to be a HTTP/1.1 ETag value, but I have to
agree with you that this server behaves more than odd with the ETag
values which MIGHT indicate the usage of hidden HTTP/1.1 cookies.
However, I haven't actually tested how IIS/5.0 behaves wrt ETag support
so the seen irregularities might simply be bugs/misfeatures in the
server..

--
Henrik Nordstrom


J Edgar Hoover wrote:
> The executable rfupd.exe included in the Reality Fusion products bundled
> with many popular cameras sends the following data to 204.176.10.168 port
> 80 every time you use the app, reboot your computer or change
> configuration.
>
> -----
> GET /GCSE/Messages/todolist04.tag HTTP/1.1
> If-Modified-Since: Sat, 03 Mar 2001 00:43:39 GMT
> If-None-Match: "e9ffe1fc7aa3c01:87a"
> User-Agent: RFUPD
> Host: www.RealityFusion.com
> Connection: Keep-Alive
> -----
>
> This is particularly disturbing since the application by its nature
> enables video/audio surveillance of the user.
>
> I'm real curious what kind of information is obfuscated in the string
> If-None-Match: "e9ffe1fc7aa3c01:87a" too.
>
> Anyone interested in dissecting the (windows) application can find it at
> http://totally.righteous.net/rfupd.exe
>
> Cheers,
> zorch