RE: Source of Windows PopUp SPAM

["Lawrence Baldwin" <baldwinL () mynetwatchman com>]

After further investigation, it appears that the hosts sourcing this SPAM
are running VMWARE.

We've identified a commercial, Windows-based SPAM package which sends SPAM
via popups (all for $699).
I've confirmed that this particular package (which I can't name, yet..)
sends popups via MS RPC.
I suspect this package is running on these Linux systems under VMWARE
emulated Windows sessions.

What is also interesting is that some users, despite running personal
firewalls, are still reporting getting these popups.  This probably explains
the developers choice to use MS RPC (udp/135) for delivery instead of a
straight Netbios SMB call (tcp/139).  MS RPC would be less overhead, but
also has the potential to reach more people as even those with firewalls are
often giving 'svchost.exe' server priviledges because they assume it's
necessary:

http://www.dslreports.com/forum/remark,4718327~root=security,1~mode=flat

Lawrence Baldwin
myNetWatchman.com
Atlanta, GA




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com