[Intrusions] New SPAM Technique?
Joe Stewart
jstewart at lurhq.com
Thu Jun 3 17:39:52 GMT 2004
On Thursday 03 June 2004 9:30 am, Carey, Steve T GARRISON wrote:
> Starting on 2 Jun 04, we have had an increasingly number of IP
> addresses sending the same SPAM message (see below), on UDP ports
> 1026/1027 (Windows Messaging). Up to 16 addresses involved with the
> same message, so far. Anyone know if this is because of compromised
> systems or a new version of spyware?
Lately we've been seeing Agobot variants with messenger-popup spam
capability. If you're seeing the same packet from multiple
dialup/broadband IP addresses, I'd bet that's what this is. Although it
is possible to spoof these packets, most popup-spam delivery systems
I've seen don't bother, including these Agobot variants.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
More information about the Intrusions
mailing list