
[OT] Trojan/[spy/ad]ware and thawte.com



This is the 2nd occurrence of strange entries on my proxy logs, within a
few days (comments below):

***********************************************
10* - - [28/May/2004:14:09:17 +0200] "GET http://delivery.inet-traffic.com/inetdl.exe HTTP/1.0" 200 247544 TCP_REFRESH_HIT:DIRECT

10* - - [28/May/2004:14:09:19 +0200] "GET http://crl.thawte.com/ThawteServerCA.crl HTTP/1.0" 200 243691 TCP_CLIENT_REFRESH_MISS:DIRECT

***********************************************
And from another workstation's IP
***********************************************

10* - - [25/May/2004:16:42:35 +0200] "GET http://www.mt-download.com/MediaTicketsInstaller.cab HTTP/1.0" 200 78402 TCP_MISS:DIRECT

10* - - [25/May/2004:16:42:36 +0200] "GET http://crl.thawte.com/ThawtePremiumServerCA.crl HTTP/1.0" 200 852 TCP_CLIENT_REFRESH_MISS:DIRECT

10* - - [25/May/2004:16:42:36 +0200] "GET http://crl.thawte.com/ThawteCodeSigningCA.crl HTTP/1.0" 200 8613 TCP_CLIENT_REFRESH_MISS:DIRECT

***********************************************

Here are questions I am wondering about:
1) What are those .crl files used for? Are they used by [spy/ad]wares for
some reason I ignore? Maybe they could be used to "corrupt" actual
browser's certs? This would be serious... Say some spyware changes certs
of banks, and modifies [\/etc\/hosts/lmhosts]... Or maybe they are used for
something else I am not thinking of... I did not see HTTPS traffic (no
CONNECT) in the near future of these events in the logs.

2) I cannot believe this is a coincidence, as it has occurred twice within
a few days. The [spy/ad]ware download and the cert retrieval definitely
seem related. Has anyone noticed the same behaviour? URLs on top are real,
and those files can easily be downloaded and tested.

I thought I'd post this information on this list, in case others have
noticed stuff.

Vincent



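The pattern in the post (an .exe or .cab download followed a second or two later by GETs for Thawte CRLs from the same client) is what a Windows host produces when it checks the Authenticode signature on a downloaded installer with revocation checking on: the CRL distribution point of the signing CA (here ThawteCodeSigningCA.crl) is fetched as part of chain validation. From a defender's side that makes the pair a useful proxy-log signal that a signed binary was pulled down and its signature verified on the client. The script below is an added example, not part of the post: it parses proxy log lines in the post's format, groups them per client, and reports every executable download that is followed within a short window by a CRL fetch. The client addresses (10.0.0.x) are constructed because the post masks them as "10*", the last two sample lines (client 10.0.0.12, host example.invalid) are constructed controls that must not fire, and the 30-second window is an assumed tuning value.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Common-log-style proxy line, as in the post:
# client ident user [timestamp] "METHOD URL PROTO" status size squid-result
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: (?P<result>\S+))?$'
)

# File types whose download triggers an Authenticode check on a Windows client.
EXECUTABLE_EXT = ('.exe', '.cab', '.msi', '.dll', '.ocx')

# Constructed sample: the post's entries with made-up client IPs, plus two
# control lines for client 10.0.0.12 (a CRL fetch with no preceding download,
# and a download with no following CRL) that should produce no finding.
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2004:14:09:17 +0200] "GET http://delivery.inet-traffic.com/inetdl.exe HTTP/1.0" 200 247544 TCP_REFRESH_HIT:DIRECT
10.0.0.5 - - [28/May/2004:14:09:19 +0200] "GET http://crl.thawte.com/ThawteServerCA.crl HTTP/1.0" 200 243691 TCP_CLIENT_REFRESH_MISS:DIRECT
10.0.0.9 - - [25/May/2004:16:42:35 +0200] "GET http://www.mt-download.com/MediaTicketsInstaller.cab HTTP/1.0" 200 78402 TCP_MISS:DIRECT
10.0.0.9 - - [25/May/2004:16:42:36 +0200] "GET http://crl.thawte.com/ThawtePremiumServerCA.crl HTTP/1.0" 200 852 TCP_CLIENT_REFRESH_MISS:DIRECT
10.0.0.9 - - [25/May/2004:16:42:36 +0200] "GET http://crl.thawte.com/ThawteCodeSigningCA.crl HTTP/1.0" 200 8613 TCP_CLIENT_REFRESH_MISS:DIRECT
10.0.0.12 - - [25/May/2004:17:00:00 +0200] "GET http://crl.thawte.com/ThawteServerCA.crl HTTP/1.0" 200 243691 TCP_HIT:NONE
10.0.0.12 - - [25/May/2004:17:20:00 +0200] "GET http://example.invalid/tool.exe HTTP/1.0" 200 1024 TCP_MISS:DIRECT
"""


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def is_executable_download(rec):
    """A successful GET whose URL path ends in an installer/executable extension."""
    path = urlparse(rec['url']).path.lower()
    return rec['method'] == 'GET' and rec['status'] == 200 and path.endswith(EXECUTABLE_EXT)


def is_crl_fetch(rec):
    return urlparse(rec['url']).path.lower().endswith('.crl')


def correlate(lines, window_seconds=30):
    """Return one finding per executable download that is followed, from the same
    client and within window_seconds, by at least one CRL fetch."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r['ts'])
    by_client = {}
    for r in records:
        by_client.setdefault(r['client'], []).append(r)

    findings = []
    for client, recs in by_client.items():
        for i, r in enumerate(recs):
            if not is_executable_download(r):
                continue
            # Only CRL fetches *after* the download count; earlier ones are unrelated.
            later = [c for c in recs[i + 1:]
                     if is_crl_fetch(c) and (c['ts'] - r['ts']).total_seconds() <= window_seconds]
            if later:
                findings.append({
                    'client': client,
                    'download': r['url'],
                    'crls': [c['url'] for c in later],
                    'delay_seconds': int((later[0]['ts'] - r['ts']).total_seconds()),
                })
    return findings


if __name__ == '__main__':
    for f in correlate(SAMPLE_LOG.splitlines()):
        print(f"{f['client']}: {f['download']} -> {len(f['crls'])} CRL fetch(es) "
              f"within {f['delay_seconds']}s: {', '.join(f['crls'])}")
```

Run over the sample it reports the two client/download pairs from the post and stays silent on the control client. The window is deliberately short because the CRL fetch is part of the signature check that runs as soon as the file lands; widening it trades precision for catching slow clients. A finding says only that a signed binary was downloaded and verified, so the download URL and client still need to be looked at to decide whether the file is wanted.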