[Intrusions] New SPAM Technique?

Hillery rhillery at hawksi.org
Thu Jun 3 14:07:31 GMT 2004


Steven,
  See also Peter Stewart's earlier post.  I've been seeing this since 
last summer (sent to IPs in the dartmouth.edu and comcast.net ranges, 
among others).  Sources are a variety of places - many .cn and .kr, some 
us dsl & broadband.  I haven't been able to get anything from a machine 
where they were outbound (the src), and have only seen the dst traffic.  
Earlier versions were using this spam technique to advertise anti-spam 
software.  Looks like it's shifting over to marketing the current buzz, 
Canadian pharmaceuticals to US customers.
  The ones I've played with cause the messenger associated pop-up, and 
disappear when the OK button is clicked without sending any traffic 
themselves. No changes apparent to local box services or ports open, 
either.  Mechanism appears to simply be triggering the ms messenger with 
the majority of the udp packet providing the message content.
  Just what the launching mechanism is -- spyware or other compromise on 
a spam-zombie -- would be determined by finding a box that's sending 
this stuff, & I haven't come across one yet.  Be worth looking for.

Bob Hillery
IntelGuardians

Carey, Steve T GARRISON wrote:

>Starting on 2 Jun 04, we have had an increasing number of IP addresses sending
>the same SPAM message (see below), on UDP ports 1026/1027 (Windows Messaging).
>Up to 16 addresses involved with the same message, so far.  Anyone know if this
>is because of compromised systems or a new version of spyware?
>
>Steven T. Carey
>LCIRT-R Team Leader
>Comm (256) 876-5811, DSN 746-5811
>Cell (256) 759-9767
>
>
>03-JUN-04 12:10:49.066703 68.213.240.40.2657 > my.network.68.6.1026: udp 529
>	 45 00 02 2d 8a bd 00 00  6d 11 bf 31 44 d5 f0 28  |E..-....m..1DÕð(|
>	 00 00 00 00 0a 61 04 02  02 19 48 ec 04 00 28 00  |.ÍD..a....Hì..(.|
>	 10 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
>	 00 00 00 00 f8 91 7b 5a  00 ff d0 11 a9 b2 00 c0  |....ø.{Z.ÿÐ....À|
>	 4f b6 e6 fc 5f 0a ef ac  31 33 31 32 30 30 30 32  |O.æü_.ï.13120002|
>	 32 30 31 30 00 00 00 00  01 00 00 00 00 00 00 00  |2010............|
>	 00 00 ff ff ff ff c1 01  00 00 00 00 13 00 00 00  |..ÿÿÿÿÁ.........|
>	 00 00 00 00 13 00 00 00  20 20 20 20 20 20 20 4c  |........       L|
>	 45 42 5a 20 20 20 20 20  20 20 00 00 13 00 00 00  |EBZ       ......|
>	 00 00 00 00 13 00 00 00  20 20 20 20 20 20 20 20  |........        |
>	 59 6f 75 20 20 20 20 20  20 20 00 00 75 01 00 00  |You       ..u...|
>	 00 00 00 00 75 01 00 00  0a 0a 54 4f 52 4f 4e 54  |....u.....TORONT|
>	 4f 20 50 48 41 52 4d 41  43 45 55 54 49 43 41 4c  |O PHARMACEUTICAL|
>	 53 0a 0a 54 4f 50 20 4d  45 44 53 3a 20 56 49 41  |S..TOP MEDS: VIA|
>	 47 52 41 2c 20 43 49 41  4c 49 53 2c 20 58 41 4e  |GRA, CIALIS, XAN|
>	 41 58 2c 20 56 41 4c 49  55 4d 2c 20 41 4d 42 49  |AX, VALIUM, AMBI|
>	 45 4e 20 2e 2e 2e 2e 0a  0a 4f 75 72 20 67 65 6e  |EN ......Our gen|
>	 65 72 69 63 73 20 61 72  65 20 74 68 65 20 65 78  |erics are the ex|
>	 61 63 74 20 73 61 6d 65  20 66 6f 72 6d 75 6c 61  |act same formula|
>	 20 61 73 20 74 68 65 20  6e 61 6d 65 20 62 72 61  | as the name bra|
>	 6e 64 73 2c 20 6f 6e 6c  79 20 6d 75 63 68 20 63  |nds, only much c|
>	 68 65 61 70 65 72 2e 0a  4e 6f 77 20 79 6f 75 20  |heaper..Now you |
>	 63 61 6e 20 73 61 76 65  20 6d 6f 6e 65 79 20 61  |can save money a|
>	 6e 64 20 72 65 63 65 69  76 65 20 74 68 65 20 73  |nd receive the s|
>	 61 6d 65 20 74 72 65 61  74 6d 65 6e 74 20 79 6f  |ame treatment yo|
>	 75 20 6e 65 65 64 21 0a  0a 4e 4f 20 70 72 69 6f  |u need!..NO prio|
>	 72 20 70 72 65 73 63 72  69 70 74 69 6f 6e 20 6e  |r prescription n|
>	 65 65 64 65 64 21 0a 4f  72 64 65 72 20 54 6f 72  |eeded!.Order Tor|
>	 6f 6e 74 6f 20 74 6f 20  67 65 74 20 74 68 65 20  |onto to get the |
>	 62 69 67 67 65 73 74 20  64 69 73 63 6f 75 6e 74  |biggest discount|
>	 73 21 0a 0a 54 79 70 65  20 74 68 65 20 66 6f 6c  |s!..Type the fol|
>	 6c 6f 77 69 6e 67 20 57  45 42 20 61 64 64 72 65  |lowing WEB addre|
>	 73 73 20 69 6e 20 79 6f  75 72 20 62 72 6f 77 73  |ss in your brows|
>	 65 72 3a 0a 0a 57 20 57  20 57 20 2e 20 4c 20 52  |er:..W W W . L R|
>	 20 42 20 5a 20 2e 20 55  20 53 0a 0a 00           | B Z . U S...|
>_______________________________________________
>Intrusions mailing list
>Intrusions at lists.sans.org
>http://www.dshield.org/mailman/listinfo/intrusions
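As an added example (not code from either post), a small Python decoder for packets in the dump format quoted above: it skips the IP and UDP headers, checks the connectionless DCE/RPC header for the Messenger service interface UUID (5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, msgsvc) and the opnum 0 NetrSendMessage request, and decodes the three NDR strings (from, to, text) that become the pop-up. The sample dump is constructed: the quoted packet's headers with the length fields shortened and a short stub, ASCII column omitted; the decoder also accepts the full quoted dump as-is.

```python
import struct
import uuid

# Interface UUID of the Windows Messenger service (msgsvc) RPC interface.
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")

# Constructed sample: quoted packet's headers, lengths shortened, short stub.
SAMPLE_DUMP = """\
> 45 00 00 b4 8a bd 00 00  6d 11 bf 31 44 d5 f0 28
> 00 00 00 00 0a 61 04 02  00 a0 00 00 04 00 28 00
> 10 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> 00 00 00 00 f8 91 7b 5a  00 ff d0 11 a9 b2 00 c0
> 4f b6 e6 fc 5f 0a ef ac  31 33 31 32 30 30 30 32
> 32 30 31 30 00 00 00 00  01 00 00 00 00 00 00 00
> 00 00 ff ff ff ff 48 00  00 00 00 00 05 00 00 00
> 00 00 00 00 05 00 00 00  4c 45 42 5a 00 00 00 00
> 04 00 00 00 00 00 00 00  04 00 00 00 59 6f 75 00
> 18 00 00 00 00 00 00 00  18 00 00 00 54 4f 52 4f
> 4e 54 4f 20 50 48 41 52  4d 41 43 45 55 54 49 43
> 41 4c 53 00
"""

def dump_to_bytes(dump):
    # Strip the '>' quote prefix and any trailing |ascii| column, keep the hex.
    pairs = "".join(line.lstrip("> \t").split("|")[0] for line in dump.splitlines())
    return bytes.fromhex(pairs.replace(" ", ""))

def ndr_string(stub, pos):
    # NDR conformant-varying char string (LE u32 max_count, offset,
    # actual_count, then NUL-terminated bytes padded to a 4-byte boundary).
    _max, _off, actual = struct.unpack_from("<III", stub, pos)
    text = stub[pos + 12:pos + 12 + actual].rstrip(b"\0").decode("latin-1")
    return text, pos + 12 + ((actual + 3) & ~3)

def parse_messenger_spam(dump):
    pkt = dump_to_bytes(dump)
    udp = pkt[(pkt[0] & 0x0F) * 4:]               # skip the IPv4 header
    dst_port = struct.unpack_from("!H", udp, 2)[0]
    rpc = udp[8:]                                  # connectionless DCE/RPC PDU
    if rpc[0] != 4 or rpc[1] != 0:                 # rpc_vers 4 (CL), ptype 0 (request)
        raise ValueError("not a DCE/RPC CL request")
    iface = uuid.UUID(bytes_le=rpc[24:40])         # if_id at header offset 24
    opnum, _ihint, _ahint, stub_len = struct.unpack_from("<HHHH", rpc, 68)
    stub = rpc[80:80 + stub_len]                   # CL header is 80 bytes
    sender, pos = ndr_string(stub, 0)              # opnum 0 = NetrSendMessage:
    recipient, pos = ndr_string(stub, pos)         # from, to, text
    text, _ = ndr_string(stub, pos)
    return {"dst_port": dst_port, "is_msgsvc": iface == MSGSVC_UUID, "opnum": opnum,
            "from": sender.strip(), "to": recipient.strip(), "text": text}
```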
