Full Disclosure mailing list archives
RE: Increase probe on UDP port 1026
From: "Bill Royds" <full-disclosure () royds net>
Date: Tue, 2 Dec 2003 23:17:24 -0500
Doing some tracing using Sam Spade (times EST) 12/02/03 22:59:54 dns http://www.PopAdStop.com Canonical name: PopAdStop.com Aliases: www.PopAdStop.com Addresses: 66.225.219.162 ===reverse DNS lookup on this IP 12/02/03 22:59:58 Dns 66.225.219.162 nslookup 66.225.219.162 Canonical name: unknown.servercentral.net Addresses: 66.225.219.162 === this indicates it is in servercentral.net IP space, but host doesn't resolve. Doing an ARIN lookup on the IP address 12/02/03 23:06:49 IP Block 66.225.219.162 Trying 66.225.219.162 at ARIN Trying 66.225.219 at ARIN Server Central Network SCN-2 (NET-66-225-192-0-1) 66.225.192.0 - 66.225.223.255 HostForWeb Inc. HOSTFORWEB-1 (NET-66-225-217-0-1) 66.225.217.0 - 66.225.223.255 # ARIN WHOIS database, last updated 2003-12-02 19:15 # Enter ? for additional hints on searching ARIN's WHOIS database. ========== Looking at details of HostforWeb Inc. gets: 12/02/03 23:07:07 whois !NET-66-225-217-0-1 () whois arin net whois -h whois.arin.net !net-66-225-217-0-1 ... OrgName: HostForWeb Inc. OrgID: HOSTF-1 Address: PO BOX 1164 City: Chicago StateProv: IL PostalCode: 60690 Country: US NetRange: 66.225.217.0 - 66.225.223.255 CIDR: 66.225.217.0/24, 66.225.218.0/23, 66.225.220.0/22 NetName: HOSTFORWEB-1 NetHandle: NET-66-225-217-0-1 Parent: NET-66-225-192-0-1 NetType: Reallocated Comment: RegDate: 2003-10-07 Updated: 2003-10-07 OrgTechHandle: ADMIN240-ARIN OrgTechName: Administrator OrgTechPhone: +1-312-343-4678 OrgTechEmail: alex.k () hostforweb com # ARIN WHOIS database, last updated 2003-12-02 19:15 # Enter ? for additional hints on searching ARIN's WHOIS database. ==========which gives a contact address to query and perhaps sue since it was unauthorized computer access. -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Nick FitzGerald Sent: December 2, 2003 9:47 PM To: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Increase probe on UDP port 1026 Paul Dokas <dokas () cs umn edu> replied to Nicob:
I captured some packets and it appears to be (only) a Windows Messenger "spam" for a "penis enlargement" product.I caught one last night scanning 1026/UDP and 1030/UDP ...
Sorry -- caught "one" what?? A local machine doing this type of scanning, or just similar incoming traffic?
... and doing popups directing people to www.PopAdStop.com. The 1026/UDP and related traffic is *definitely* popup spam related. ...
Yep -- if you send Windows Messenger traffic to the "right" port you need not have "initiated" anything through the port mapper first and it seems that enough more or less default W2K and XP machines will have Windows Messenger listening on 1026 to make this a worthwhile "spamming" target.
... At this point, I suspect that the malware is getting onto computers via .HTA mime or ADODB.Stream
vulnerabilites
in IE. However, I have no proof of this yet.
Huh?? What malware? If anything it is not at all clear what it is you have "detected". If you have found a local machine doing this type of spamming I'm sure I'm not the only one interested in learning more about what has been installed on it (and how?)...
BTW, I did `wget http://www.PopAdStop.com` a little bit ago. Looks like they could win an obfuscated JavaScript contest.
Lessee... index.htm == 13,082 bytes consisting of a trivial HTML header, a bunch of script that assigns long string values to a couple of variables, the script commands: e=unescape("%25%37%33[...]); eval(unescape(e)); and a noscript tag explaining the viewer must have JavaScript enabled in their browser to view the page. Double-unescaping "e" you get a rather typical (for these types of thing) Caesar (sp?) cipher routine that uses the shorter of the two string variables as the index for decrypting the longer string, which turns out to be partially Unicode- encoded HTML with the important part starting: document.write("\u003Ctable\u0020border\u003D\u00220\u0022[...] In turn that decodes to a fairly straightforward page which links to a similarly obfuscated download page. I'd say about par for the course these days, as far as web page obfuscation goes... Regards, Nick FitzGerald _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Increase probe on UDP port 1026 Irwan Hadi (Dec 01)
- Re: Increase probe on UDP port 1026 srenna (Dec 01)
- Re: Increase probe on UDP port 1026 bowwow (Dec 03)
- <Possible follow-ups>
- RE: Increase probe on UDP port 1026 Rodrigues, Philip (Dec 01)
- RE: Increase probe on UDP port 1026 Nicob (Dec 02)
- RE: Increase probe on UDP port 1026 Rodrigues, Philip (Dec 02)
- Re: Increase probe on UDP port 1026 Paul Dokas (Dec 02)
- Re: Increase probe on UDP port 1026 George Capehart (Dec 02)
- Re: Increase probe on UDP port 1026 Nick FitzGerald (Dec 02)
- RE: Increase probe on UDP port 1026 Bill Royds (Dec 02)
- Re: Increase probe on UDP port 1026 Brian Eckman (Dec 03)
- RE: Increase probe on UDP port 1026 Nicob (Dec 02)