Bugtraq mailing list archives

Re: trojaned Reality Fusion app


From: Mike Adams <mike.adams01 () HOME COM>
Date: Sun, 4 Mar 2001 14:10:52 -0800

It looks more like the application is GETTING data rather than sending it.

If you look at the page http://204.176.10.168/GCSE/Messages/todolist04.tag
in a regular browser, it's actually commented as to what it does.

It looks like it's some way for the application to import dynamic banners or
links from the author's site. AIM, Odigo, and even CuteFTP do something
similar with the in-application banner ads.

Just my $0.02.

I have pasted the contents of the page below.

--- BEGIN PASTE ---

<comment>
    Contain a list tags that specify things clients can do.
    Right now that is only one valid tag, <msg>. But we can
    add more tags anytime we want. Old clients will just
    ignore the new tags.

    There are two ways to comments your file
    1. Write your comment outside a tag, Make sure you don't have
       use any < or > characters in your comments.
    2. Write your comment inside a comment tag. You can put anything
       in your comment except the close comment tag, /command.
       This comment is inside a comment tag.
</comment>

Comment for msg tag
     msg - message that can be displayed by the client
     MsgId    -   id for current message. This is use to check if user has seem this
                  message already.
     StartUrl -   points to a message that user will see
     EndUrl -     points to a message that we want to user to go to.
                  We will not display this message again once user has
                  come here.
     priority -   priority of the message, 1 is the highest
     expiration - expiration date of the message.

<msg>
[MsgId] 1001
[StartUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGL.html
[EndUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGLConfirm.asp
[priority] 1
[expiration] 8/7/2000
</msg>

<msg>
[MsgId] 1002
[StartUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGL.html
[EndUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGLConfirm.asp
[priority] 1
[expiration] 9/22/2000
</msg>


<msg>
[MsgId] 1003
[StartUrl] http://www.realityfusion.com/gcse/ezonics/seesawdm/dm1.html
[EndUrl] http://www.seesaw.com/promotions/ez/sb_ez_rfupdate/dm_moreinfo.asp
[priority] 5
[expiration] 8/1/2001
</msg>

--- END PASTE ---


-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of J Edgar Hoover
Sent: Friday, March 02, 2001 8:03 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: trojaned Reality Fusion app


The executable rfupd.exe included in the Reality Fusion products bundled
with many popular cameras sends the following data to 204.176.10.168 port
80 every time you use the app, reboot your computer or change
configuration.

-----
GET /GCSE/Messages/todolist04.tag HTTP/1.1
If-Modified-Since: Sat, 03 Mar 2001 00:43:39 GMT
If-None-Match: "e9ffe1fc7aa3c01:87a"
User-Agent: RFUPD
Host: www.RealityFusion.com
Connection: Keep-Alive
-----

This is particularly disturbing since the application by its nature
enables video/audio surveillance of the user.

I'm real curious what kind of information is obfuscated in the string
If-None-Match: "e9ffe1fc7aa3c01:87a" too.

Anyone interested in dissecting the (windows) application can find it at
http://totally.righteous.net/rfupd.exe

Cheers,
zorch

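As an added example (not part of either post), here is a small Python parser for the todolist04.tag format Mike pasted, with an audit that lists unexpired <msg> entries whose StartUrl or EndUrl would send the client to a host other than realityfusion.com. The sample input is constructed from the pasted file; the assumption that the client ignores expired entries is mine, not something the file's comments state.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample in the todolist04.tag format (two of the pasted entries).
SAMPLE_TAG = """<comment>
    This comment is inside a comment tag.
</comment>

Comment outside a tag for the msg entries below.

<msg>
[MsgId] 1001
[StartUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGL.html
[EndUrl] http://www.realityfusion.com/gcse/ezonics/FreeGL/FreeGLConfirm.asp
[priority] 1
[expiration] 8/7/2000
</msg>

<msg>
[MsgId] 1003
[StartUrl] http://www.realityfusion.com/gcse/ezonics/seesawdm/dm1.html
[EndUrl] http://www.seesaw.com/promotions/ez/sb_ez_rfupdate/dm_moreinfo.asp
[priority] 5
[expiration] 8/1/2001
</msg>
"""

MSG_RE = re.compile(r"<msg>(.*?)</msg>", re.S)      # one match per <msg> block
FIELD_RE = re.compile(r"^\[(\w+)\]\s*(.*?)\s*$", re.M)  # "[key] value" lines

def parse_tag(text):
    """Return one dict per <msg> block; keys are the bracketed field names."""
    return [dict(FIELD_RE.findall(block)) for block in MSG_RE.findall(text)]

def parse_expiration(value):
    """Expiration dates in the file are US-style M/D/YYYY."""
    month, day, year = (int(x) for x in value.split("/"))
    return date(year, month, day)

def audit(text, today, first_party="realityfusion.com"):
    """Flag unexpired messages whose URLs point the client at another host."""
    findings = []
    for msg in parse_tag(text):
        if parse_expiration(msg["expiration"]) < today:
            continue  # assumed: the client skips expired entries
        for key in ("StartUrl", "EndUrl"):
            host = urlparse(msg[key]).hostname or ""
            if host != first_party and not host.endswith("." + first_party):
                findings.append((msg["MsgId"], key, host))
    return findings
```

Run against the pasted file on the day of the post, the audit reports only MsgId 1003's EndUrl, which leaves realityfusion.com for www.seesaw.com.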