---------- Forwarded message ----------
From: Henri Salo henri@nerv.fi
Date: Thu, 1 Jul 2010 14:36:40 +0300
Subject: [Full-disclosure] Someone using Wikipedia to infect others
To: full-disclosure@lists.grok.org.uk, mark@wikimedia.org
Original email attached. Analysis of the malicious URL:
http://wepawet.iseclab.org/view.php?hash=ea568f176830f3151538ce46a1182be9&am...
Best regards, Henri Salo
On Thu, Jul 1, 2010 at 7:09 AM, Christopher Grant chrisgrantmail@gmail.com wrote:
---------- Forwarded message ----------
From: Henri Salo henri@nerv.fi
Date: Thu, 1 Jul 2010 14:36:40 +0300
Subject: [Full-disclosure] Someone using Wikipedia to infect others
To: full-disclosure@lists.grok.org.uk, mark@wikimedia.org
And another person who doesn't understand that the From address isn't authoritative.
On 1 July 2010 21:58, OQ overlordq@gmail.com wrote:
And another person who doesn't understand that the From address isn't authoritative.
It's an obscure point. To know it you have to learn SMTP, probably by reading the RFC.
>>>>>
When RFC 822 format [7, 32] is being used, the mail data include the memo header items such as Date, Subject, To, Cc, From. Server SMTP systems SHOULD NOT reject messages based on perceived defects in the RFC 822 or MIME [12] message header or message body.
<<<<<
You seem an informed person. Do we have to ignore this message? It looks somewhat odd and out of context (mostly because the sender never added context). I can see how, if Wikipedia hosts PDF files, some of these can act as a vector for malware. If Wikipedia serves the files unmodified, I can see how it is possible to write a "renderer to memory" that rebuilds the whole file, without any scripting. But such a thing may take lots of programmer hours, and MediaWiki seems very limited by that factor (and not by epicness; there are lots of epic things in the MediaWiki projects... BRAVO!).
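As an added illustration of the point made above about the From address (example code written for this page, not from anyone in the thread): with Python's standard email module, a constructed message carries the From: line seen in this thread while its Return-Path and earliest Received: hop name an unrelated, made-up domain, and a small check compares the three. All hostnames, IPs and the Return-Path address are constructed placeholders.

```python
# Added example (not part of the thread): the RFC 822 "From:" header is set by the
# sender, while Return-Path (the SMTP envelope sender) and the Received: trace
# headers are written by the receiving MTAs. Comparing them is a basic triage check.
from email import message_from_string, utils

# Constructed sample: From: claims henri@nerv.fi, but the envelope sender and the
# first-hop relay belong to an unrelated placeholder domain.
SAMPLE_RAW = """\
Return-Path: <bounce@example-spammer.invalid>
Received: from mx.lists.example.net (mx.lists.example.net [192.0.2.10])
\tby mail.recipient.example (Postfix) for <victim@recipient.example>
Received: from relay.example-spammer.invalid (relay.example-spammer.invalid [198.51.100.7])
\tby mx.lists.example.net (Postfix) for <victim@recipient.example>
From: Henri Salo <henri@nerv.fi>
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Someone using Wikipedia to infect others
Date: Thu, 1 Jul 2010 14:36:40 +0300

Original email attached.
"""


def addr_domain(field: str) -> str:
    """Lower-cased domain part of an RFC 822 address field (empty if absent)."""
    _, email_addr = utils.parseaddr(field or "")
    return email_addr.rpartition("@")[2].lower()


def originating_host(msg) -> str:
    """Host named in the earliest Received: header, i.e. the submitting relay.

    MTAs prepend Received: lines, so the earliest hop is the last one listed."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    tokens = received[-1].split()
    return tokens[1].lower() if len(tokens) > 1 and tokens[0] == "from" else ""


def check_from_alignment(raw: str) -> dict:
    """Compare the From: domain with the envelope sender and the first-hop relay."""
    msg = message_from_string(raw)
    from_domain = addr_domain(msg.get("From"))
    return_path_domain = addr_domain(msg.get("Return-Path"))
    origin = originating_host(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "originating_host": origin,
        "return_path_aligned": return_path_domain == from_domain,
        "origin_aligned": origin == from_domain or origin.endswith("." + from_domain),
    }
```

A mismatch on both checks is a strong hint the From: line was simply typed in by the sender; the verdict still belongs with the upstream relay's logs, not the header alone.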
Well there's not much we really can do (apart from having the malware site taken down, but then they'll just start using another one). I just thought it was an interesting attack vector, trying to abuse people's trust of Wikipedia (I wonder how many people would actually click the cancel link instead of just letting it automatically expire like the email says it would).
-- Chris
On 7/2/2010 3:46 AM, Tei wrote:
It's an obscure point. To know it you have to learn SMTP, probably by reading the RFC.
Well, I take my statement back: he posted a followup in which he knows it didn't come from Wikipedia, but still chose to say "using Wikipedia to infect others" instead of "using Wikipedia's name to infect others".
On 2 July 2010 11:13, Q overlordq@gmail.com wrote:
Well, I take my statement back: he posted a followup in which he knows it didn't come from Wikipedia, but still chose to say "using Wikipedia to infect others" instead of "using Wikipedia's name to infect others".
Somewhat unrelated:
Google has this service to view PDFs online. http://docs.google.com/viewer?url=http://noscope.com/photostream/albums/vari...
Since it runs in the browser, it is safer than running any Adobe monocultureware.
wikitech-l@lists.wikimedia.org