[19473] in bugtraq


Re: trojaned Reality Fusion app

daemon@ATHENA.MIT.EDU (Henrik Nordstrom)
Mon Mar 5 13:28:19 2001

MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <3AA2D33A.22BF1296@hem.passagen.se>
Date:         Mon, 5 Mar 2001 00:43:54 +0100
Reply-To: hno@HEM.PASSAGEN.SE
From: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
X-To:         J Edgar Hoover <zorch@TOTALLY.RIGHTEOUS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Seems to be some automatic advertising / content push thingy, but who
knows what other functions there might be in the client.

The digit string is supposed to be an HTTP/1.1 ETag value, but I have to
agree with you that this server behaves more than oddly with the ETag
values, which MIGHT indicate the usage of hidden HTTP/1.1 cookies.
However, I haven't actually tested how IIS/5.0 behaves wrt ETag support,
so the irregularities seen might simply be bugs/misfeatures in the
server.

--
Henrik Nordstrom


J Edgar Hoover wrote:
>
> The executable rfupd.exe included in the Reality Fusion products bundled
> with many popular cameras sends the following data to 204.176.10.168 port
> 80 every time you use the app, reboot your computer or change
> configuration.
>
> -----
> GET /GCSE/Messages/todolist04.tag HTTP/1.1
> If-Modified-Since: Sat, 03 Mar 2001 00:43:39 GMT
> If-None-Match: "e9ffe1fc7aa3c01:87a"
> User-Agent: RFUPD
> Host: www.RealityFusion.com
> Connection: Keep-Alive
> -----
>
> This is particularly disturbing since the application by its nature
> enables video/audio surveillance of the user.
>
> I'm real curious what kind of information is obfuscated in the string
> If-None-Match: "e9ffe1fc7aa3c01:87a" too.
>
> Anyone interested in dissecting the (windows) application can find it at
> http://totally.righteous.net/rfupd.exe
>
> Cheers,
> zorch
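
The conditional-request mechanism the thread is about, as an added example that is not part of either post: it parses the request zorch captured, then contrasts a server whose ETag is derived from the resource bytes (ordinary cache validation) with a hypothetical server that hands every client a distinct ETag and reads it back from If-None-Match on each revisit, which is the "hidden cookie" use Henrik speculates about. The two server classes, the simulated client and the `etags_vary_per_client` check are constructed for illustration and say nothing about what www.RealityFusion.com actually does.

```python
import hashlib
import itertools

# Constructed sample input: a copy of the request quoted in the post.
CAPTURED_REQUEST = (
    "GET /GCSE/Messages/todolist04.tag HTTP/1.1\r\n"
    "If-Modified-Since: Sat, 03 Mar 2001 00:43:39 GMT\r\n"
    'If-None-Match: "e9ffe1fc7aa3c01:87a"\r\n'
    "User-Agent: RFUPD\r\n"
    "Host: www.RealityFusion.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, path, headers).
    Header names are lower-cased; HTTP treats them case-insensitively."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


class ContentETagServer:
    """Cache validation as intended: the ETag is derived from the
    resource bytes, so every client sees the same tag for the same
    content and nothing about the client is encoded in it."""

    def __init__(self, content):
        self.content = content

    def etag(self):
        return '"%s"' % hashlib.sha256(self.content).hexdigest()[:16]

    def respond(self, headers):
        # 304 when the tag the client echoes in If-None-Match still
        # matches the current content; otherwise send the body again.
        if headers.get("if-none-match") == self.etag():
            return 304, self.etag()
        return 200, self.etag()


class TrackingETagServer:
    """Hypothetical misuse (an assumption, not the real server): the ETag
    is a per-client token. The client's cache echoes it back in
    If-None-Match on every revisit, exactly as a cookie would be."""

    def __init__(self):
        self._next_id = itertools.count(1)
        self.visits = {}  # token -> number of requests seen carrying it

    def respond(self, headers):
        token = headers.get("if-none-match")
        if token in self.visits:
            self.visits[token] += 1  # returning client recognised
            return 304, token
        token = '"client-%d"' % next(self._next_id)
        self.visits[token] = 1
        return 200, token


def simulate_client(server, revisits):
    """One client with an empty cache fetches once, then revalidates
    `revisits` times, sending back whatever ETag it was given."""
    headers = {"host": "www.RealityFusion.com"}
    statuses = []
    for _ in range(revisits + 1):
        status, etag = server.respond(headers)
        statuses.append(status)
        headers["if-none-match"] = etag  # what a cache does on revalidation
    return statuses


def etags_vary_per_client(server):
    """Detection check: two independent first-time clients request the
    same unchanged resource. A content-derived ETag is identical for
    both; a per-client token differs. Comparing two clean-cache fetches
    of the same URL is the observable test for this pattern."""
    _, tag_a = server.respond({"host": "www.RealityFusion.com"})
    _, tag_b = server.respond({"host": "www.RealityFusion.com"})
    return tag_a != tag_b
```

From the client side both servers look the same (a 200 followed by 304s), which is why a captured request alone cannot settle the question; only fetching the resource from two clean caches and comparing the tags can.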
