[Intrusions] New SPAM Technique?
Sean Rooney
sean at coldstream.ca
Thu Jun 3 14:12:02 GMT 2004
We're looking into this ourselves and request all available data in as
much detail as possible, please.
Thank you
-sr
On Jun 3, 2004, at 9:30 AM, Carey, Steve T GARRISON wrote:
> Starting on 2 Jun 04, we have had an increasing number of IP addresses
> sending the same SPAM message (see below), on UDP ports 1026/1027
> (Windows Messaging). Up to 16 addresses involved with the same message,
> so far. Anyone know if this is because of compromised systems or a new
> version of spyware?
>
> Steven T. Carey
> LCIRT-R Team Leader
> Comm (256) 876-5811, DSN 746-5811
> Cell (256) 759-9767
>
>
> 03-JUN-04 12:10:49.066703 68.213.240.40.2657 > my.network.68.6.1026: udp 529
> 45 00 02 2d 8a bd 00 00 6d 11 bf 31 44 d5 f0 28 |E..-....m..1DÕð(|
> 00 00 00 00 0a 61 04 02 02 19 48 ec 04 00 28 00 |.ÍD..a....Hì..(.|
> 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> 00 00 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 |....ø.{Z.ÿÐ....À|
> 4f b6 e6 fc 5f 0a ef ac 31 33 31 32 30 30 30 32 |O.æü_.ï.13120002|
> 32 30 31 30 00 00 00 00 01 00 00 00 00 00 00 00 |2010............|
> 00 00 ff ff ff ff c1 01 00 00 00 00 13 00 00 00 |..ÿÿÿÿÁ.........|
> 00 00 00 00 13 00 00 00 20 20 20 20 20 20 20 4c |........ L|
> 45 42 5a 20 20 20 20 20 20 20 00 00 13 00 00 00 |EBZ ......|
> 00 00 00 00 13 00 00 00 20 20 20 20 20 20 20 20 |........ |
> 59 6f 75 20 20 20 20 20 20 20 00 00 75 01 00 00 |You ..u...|
> 00 00 00 00 75 01 00 00 0a 0a 54 4f 52 4f 4e 54 |....u.....TORONT|
> 4f 20 50 48 41 52 4d 41 43 45 55 54 49 43 41 4c |O PHARMACEUTICAL|
> 53 0a 0a 54 4f 50 20 4d 45 44 53 3a 20 56 49 41 |S..TOP MEDS: VIA|
> 47 52 41 2c 20 43 49 41 4c 49 53 2c 20 58 41 4e |GRA, CIALIS, XAN|
> 41 58 2c 20 56 41 4c 49 55 4d 2c 20 41 4d 42 49 |AX, VALIUM, AMBI|
> 45 4e 20 2e 2e 2e 2e 0a 0a 4f 75 72 20 67 65 6e |EN ......Our gen|
> 65 72 69 63 73 20 61 72 65 20 74 68 65 20 65 78 |erics are the ex|
> 61 63 74 20 73 61 6d 65 20 66 6f 72 6d 75 6c 61 |act same formula|
> 20 61 73 20 74 68 65 20 6e 61 6d 65 20 62 72 61 | as the name bra|
> 6e 64 73 2c 20 6f 6e 6c 79 20 6d 75 63 68 20 63 |nds, only much c|
> 68 65 61 70 65 72 2e 0a 4e 6f 77 20 79 6f 75 20 |heaper..Now you |
> 63 61 6e 20 73 61 76 65 20 6d 6f 6e 65 79 20 61 |can save money a|
> 6e 64 20 72 65 63 65 69 76 65 20 74 68 65 20 73 |nd receive the s|
> 61 6d 65 20 74 72 65 61 74 6d 65 6e 74 20 79 6f |ame treatment yo|
> 75 20 6e 65 65 64 21 0a 0a 4e 4f 20 70 72 69 6f |u need!..NO prio|
> 72 20 70 72 65 73 63 72 69 70 74 69 6f 6e 20 6e |r prescription n|
> 65 65 64 65 64 21 0a 4f 72 64 65 72 20 54 6f 72 |eeded!.Order Tor|
> 6f 6e 74 6f 20 74 6f 20 67 65 74 20 74 68 65 20 |onto to get the |
> 62 69 67 67 65 73 74 20 64 69 73 63 6f 75 6e 74 |biggest discount|
> 73 21 0a 0a 54 79 70 65 20 74 68 65 20 66 6f 6c |s!..Type the fol|
> 6c 6f 77 69 6e 67 20 57 45 42 20 61 64 64 72 65 |lowing WEB addre|
> 73 73 20 69 6e 20 79 6f 75 72 20 62 72 6f 77 73 |ss in your brows|
> 65 72 3a 0a 0a 57 20 57 20 57 20 2e 20 4c 20 52 |er:..W W W . L R|
> 20 42 20 5a 20 2e 20 55 20 53 0a 0a 00 | B Z . U S...|
-------------------------------------------------------------
Sean Rooney, CTO
ColdStream Associates LLC.
www.coldstream.ca
PGP fingerprint: C32C 88A0 86A8 2BBE 2911 D855 1CE1 1679 6B52 405C
"Illos laetae devorunt, qui nos subicient."
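As an added example (not part of the original thread), the following parser decodes the packet quoted above the way a sensor would: it checks the connectionless DCE/RPC header, matches the Messenger service interface UUID that the dump carries little-endian at "f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 4f b6 e6 fc", and pulls out the three NDR strings so the sender name, recipient name and text can feed a detection rule. The test vector is constructed here: header and name strings are transcribed from the dump, the body is shortened, and the (from, to, text) parameter order is assumed from the public Messenger interface definition rather than stated in the post.

```python
import struct
import uuid

# Messenger service interface UUID, as decoded from the little-endian GUID bytes in the dump.
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")

def read_ndr_string(stub, off):
    """Read one NDR conformant string: max_count, offset, actual_count, then the bytes."""
    _max, _offset, actual = struct.unpack_from("<III", stub, off)
    data = stub[off + 12:off + 12 + actual]
    off += 12 + actual
    off += (-off) % 4                      # next NDR element is 4-byte aligned
    return data.rstrip(b"\0").decode("latin-1"), off

def parse_msgsvc_request(payload):
    """Return the Messenger fields of a connectionless DCE/RPC request in a UDP payload, else None."""
    if len(payload) < 80:                  # CL DCE/RPC header is 80 bytes
        return None
    rpc_vers, ptype, _flags1, _flags2 = struct.unpack_from("<BBBB", payload, 0)
    if rpc_vers != 4 or ptype != 0:        # version 4 = connectionless, ptype 0 = request
        return None
    if uuid.UUID(bytes_le=payload[24:40]) != MSGSVC_UUID:
        return None                        # some other RPC interface
    opnum = struct.unpack_from("<H", payload, 68)[0]
    stub_len = struct.unpack_from("<H", payload, 74)[0]
    stub = payload[80:80 + stub_len]
    if len(stub) != stub_len:
        return None                        # truncated fragment
    sender, off = read_ndr_string(stub, 0)  # assumed parameter order: from, to, text
    to, off = read_ndr_string(stub, off)
    body, _ = read_ndr_string(stub, off)
    return {"opnum": opnum, "from": sender.strip(), "to": to.strip(), "body": body}

# Constructed test vector: header and the two name strings are transcribed from the dump
# (UDP payload begins at "04 00 28 00"); the body is shortened and the fragment length at
# header offset 74 is recomputed to match.
def ndr_string(s):
    s += b"\0"
    blob = struct.pack("<III", len(s), 0, len(s)) + s
    return blob + b"\0" * ((-len(blob)) % 4)

BODY = b"\n\nTORONTO PHARMACEUTICALS\n\nNO prior prescription needed!\n\n"
STUB = ndr_string(b"       LEBZ       ") + ndr_string(b"        You       ") + ndr_string(BODY)
HEADER = (bytes.fromhex("04002800" "10000000" + "00" * 16)               # v4 request, LE drep, nil object
          + bytes.fromhex("f8917b5a00ffd011a9b200c04fb6e6fc")             # if_id: Messenger service
          + bytes.fromhex("5f0aefac31333132303030323230313000000000")     # act_id from dump, server boot
          + bytes.fromhex("0100000000000000" "0000ffffffff")               # if_vers 1, seqnum, opnum 0, hints
          + struct.pack("<H", len(STUB)) + bytes.fromhex("00000000"))      # frag len, fragnum, auth, serial
SAMPLE = HEADER + STUB
```

Anything that reaches UDP 1026/1027 from the Internet and parses as a Messenger request is a reasonable alert on its own; the decoded `from` and `body` fields let the same rule group the sixteen sources the post mentions by message content.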