[ale] OT: Help me figure out what is happening?

James P. Kinney III jkinney at localnetsolutions.com
Fri Feb 22 07:15:02 EST 2002


Jeff,
This looks like a golden opportunity to sell yourself as a security
expert. I would be leery of wanting to affiliate myself with a company
that so poorly understands system security.

Your legwork is correct about what is going on. In a perfect world,
Omniform MF (use your own reverse acronym :) presents a form to a
computer newbie and extracts newbie applied text and sends it to a
receiving location. It is based on html forms. It has an embedded
java-based browser that supplies the screen and does the network
lifting. As it is not a very common application, it has not been subject
to much scrutiny. 

I wouldn't trust it on anything but a disposable, standalone box that is OK
to fdisk afterwards.


On Thu, 2002-02-21 at 23:05, Jeff Hubbs wrote:
> I applied for a job yesterday and I got an e-mail back with what appears 
> to be a Windows executable attached that I am expected to run in order 
> to fill out and submit some kind of online form.
> 
> I have enough computer security 'fu to know that this is a very, very, 
> bad practice and that every applicant is placed at risk by this 
> practice.  So, I tried to fire it up under Wine to see what would 
> happen.  Wine churns for a while and I eventually get an error box 
> titled "OmniForm Mailable Filler" that says "Failed to launch 
> application."  I did just a bit of Google research on this app.  I want 
> to e-mail these people back and tell them that due to security concerns 
> I don't want to run this application; for those of us to whom the 
> reasons aren't plainly obvious, it's mostly because I have no way to 
> know if this binary has gotten virus-infected along the way and that 
> even if I had a Windows machine with anti-virus software, it isn't going 
> to be any more effective at detecting such a virus than any AV software 
> the sender used on it (presuming they even bothered).  
> 
> Anyway, my question to you is this:  I pulled this command line out of 
> /proc - can you tell me what OmniForm Mailable Filler is attempting to 
> do here?
> 
> /usr/bin/winereal--E:\EXEbaeb.tmp"E:\OFMbaec.tmp""F:\tmp\wine_c\JobAPPComplete.exe"\
> http://www.eomniform.com/OF5/nsplugins/OFMailX.cab 
> http://www.eomniform.com/OF5/nsplugins/OFMailNP.jar \
> http://www.eomniform.com/OF5/nsplugins/OFMailNP.xpi
> 
> Note:   "F:\tmp\wine_c\JobAPPComplete.exe" is the Windows filespec as 
> seen by Wine to refer to the app in question.
> 
> Without drilling real deeply here, it looks to me that the app tries to 
> call up other Web-downloaded code (.cab, .jar), which would seem to 
> further amplify the security risk (add to the virus risk the idea that I 
> have no idea what all this stuff wants to do in my system).  Looking 
> through my Google findings suggests that OmniForm Mailable Filler makes 
> use of browser plugins.  
> 
> If I had to guess, I'd suppose that the downloaded code constitutes an 
> SMTP UA, mailing my inputted data to some mail server somewhere (begs 
> the question, how am I being authenticated?).  
> 
> - Jeff
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
