Security Incidents mailing list archives
Re: sureseeker.com
From: Nate W <security () WHATEVER NET>
Date: Tue, 7 Nov 2000 22:54:39 -0800
On Mon, 6 Nov 2000, Sloan, Scott (CIT) wrote:
Sureseeker is a JavaScript Trojan that uses the ActiveX Control security vulnerabilities that were announced by Microsoft in MS-99-032 on August 31, 1999. You can find more information at the FedCIRC website.
The FedCIRC web site doesn't mention the fact that the trojan also adds 'sureseeker.com' to the HTTP_USER_AGENT string for IE users. It also describes the large-print/small-print message box that SureSeeker's ISP pointed to. The ISP referred me (us?) to a page that was not associated with the HTA files and registry modifications described in the FedCIRC advisory. Rather, it merely invokes "homepage.setHomePage," and even that appears to be only applicable to IE users. This is definitely NOT the same code that impacted me and the dozens of other sureseeker.com-tagged people you can find via deja.com. You can see why I have my doubts about the message box theory of operation. Given the fluid nature of web pages, and the fact that the offender is now no doubt aware that their actions are being scrutinized, it seems doubtful that the truth will ever be known. But, if anyone can provide a web page containing the actual trojan, that would at least be a step forward.