[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Increase probe on UDP port 1026

To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Increase probe on UDP port 1026
From: Brian Eckman <eckman@umn.edu>
Date: Wed, 03 Dec 2003 11:58:43 -0600

(I am responding on behalf of myself, not Paul. I thought it might benefit the list to include a little more info, and I'm not sure if he was planning on replying.)

Nick FitzGerald wrote:

Paul Dokas <dokas@cs.umn.edu> replied to Nicob:
I captured some packets and it appears to be (only) a Windows Messenger
"spam" for a "penis enlargement" product.
I caught one last night scanning 1026/UDP and 1030/UDP ...
Sorry -- caught "one" what?? A local machine doing this type of scanning, or just similar incoming traffic?

A local machine.

To clarify for others who are curious, it sent out a lot of mostly empty UDP packets until it got the response that it wanted, then it sent the Messenger Spam. So, people reporting lots of mostly empty UDP packets could very well be observing this same thing. (I haven't personally observed the behavior, I am just repeating what I have heard.)

... and doing popups
directing people to www.PopAdStop.com.  The 1026/UDP and related traffic
is *definitely* popup spam related.  ...
Yep -- if you send Windows Messenger traffic to the "right" port you need not have "initiated" anything through the port mapper first and it seems that enough more or less default W2K and XP machines will have Windows Messenger listening on 1026 to make this a worthwhile "spamming" target.
...  At this point, I suspect that the
malware is getting onto computers via .HTA mime or ADODB.Stream vulnerabilites
in IE.  However, I have no proof of this yet.
Huh??

What malware?

If anything it is not at all clear what it is you have "detected". If you have found a local machine doing this type of spamming I'm sure I'm not the only one interested in learning more about what has been installed on it (and how?)...

The computer in question is in the dorms here. Since this is in the student's home, and it's their personally owned PC, we generally don't do forensic work on them (we usually just take away their network access until it's resolved). If/when we find one doing this that is not in the dorms, I'll probably visit it personally and report back.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] Increase probe on UDP port 1026
  - From: Nicob <nicob@nicob.net>
- Re: [Full-Disclosure] Increase probe on UDP port 1026
  - From: Nick FitzGerald <nick@virus-l.demon.co.uk>

Prev by Date: [Full-Disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow
Next by Date: Re: [Full-Disclosure] Yahoo Instant Messenger YAUTO.DLL buffer overflow
Previous by thread: RE: [Full-Disclosure] Increase probe on UDP port 1026
Next by thread: RE: [Full-Disclosure] Increase probe on UDP port 1026
Index(es):
- Date
- Thread