[Intrusions] New SPAM Technique?

Carey, Steve T GARRISON steven-carey at us.army.mil
Fri Jun 4 12:53:28 GMT 2004


Overnight we have seen an increase from 16 IP addresses to around 230 IP
addresses sending out the same pop-up message.  

Any chance that a spammer has a 'new' worm that propagates their pop-up, along
with a compromise?

Steve

-----Original Message-----
From: Carey, Steve T GARRISON 
Sent: Thursday, June 03, 2004 8:31 AM
To: intrusions at incidents.org
Subject: [Intrusions] New SPAM Technique?


Starting on 2 Jun 04, we have had an increasing number of IP addresses sending
the same SPAM message (see below), on UDP ports 1026/1027 (Windows Messaging).
Up to 16 addresses involved with the same message, so far.  Anyone know if this
is because of compromised systems or a new version of spyware?

Steven T. Carey
LCIRT-R Team Leader
Comm (256) 876-5811, DSN 746-5811
Cell (256) 759-9767


03-JUN-04 12:10:49.066703 68.213.240.40.2657 > my.network.68.6.1026: udp 529
	 45 00 02 2d 8a bd 00 00  6d 11 bf 31 44 d5 f0 28  |E..-....m..1DÕð(|
	 00 00 00 00 0a 61 04 02  02 19 48 ec 04 00 28 00  |.ÍD..a....Hì..(.|
	 10 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
	 00 00 00 00 f8 91 7b 5a  00 ff d0 11 a9 b2 00 c0  |....ø.{Z.ÿÐ....À|
	 4f b6 e6 fc 5f 0a ef ac  31 33 31 32 30 30 30 32  |O.æü_.ï.13120002|
	 32 30 31 30 00 00 00 00  01 00 00 00 00 00 00 00  |2010............|
	 00 00 ff ff ff ff c1 01  00 00 00 00 13 00 00 00  |..ÿÿÿÿÁ.........|
	 00 00 00 00 13 00 00 00  20 20 20 20 20 20 20 4c  |........       L|
	 45 42 5a 20 20 20 20 20  20 20 00 00 13 00 00 00  |EBZ       ......|
	 00 00 00 00 13 00 00 00  20 20 20 20 20 20 20 20  |........        |
	 59 6f 75 20 20 20 20 20  20 20 00 00 75 01 00 00  |You       ..u...|
	 00 00 00 00 75 01 00 00  0a 0a 54 4f 52 4f 4e 54  |....u.....TORONT|
	 4f 20 50 48 41 52 4d 41  43 45 55 54 49 43 41 4c  |O PHARMACEUTICAL|
	 53 0a 0a 54 4f 50 20 4d  45 44 53 3a 20 56 49 41  |S..TOP MEDS: VIA|
	 47 52 41 2c 20 43 49 41  4c 49 53 2c 20 58 41 4e  |GRA, CIALIS, XAN|
	 41 58 2c 20 56 41 4c 49  55 4d 2c 20 41 4d 42 49  |AX, VALIUM, AMBI|
	 45 4e 20 2e 2e 2e 2e 0a  0a 4f 75 72 20 67 65 6e  |EN ......Our gen|
	 65 72 69 63 73 20 61 72  65 20 74 68 65 20 65 78  |erics are the ex|
	 61 63 74 20 73 61 6d 65  20 66 6f 72 6d 75 6c 61  |act same formula|
	 20 61 73 20 74 68 65 20  6e 61 6d 65 20 62 72 61  | as the name bra|
	 6e 64 73 2c 20 6f 6e 6c  79 20 6d 75 63 68 20 63  |nds, only much c|
	 68 65 61 70 65 72 2e 0a  4e 6f 77 20 79 6f 75 20  |heaper..Now you |
	 63 61 6e 20 73 61 76 65  20 6d 6f 6e 65 79 20 61  |can save money a|
	 6e 64 20 72 65 63 65 69  76 65 20 74 68 65 20 73  |nd receive the s|
	 61 6d 65 20 74 72 65 61  74 6d 65 6e 74 20 79 6f  |ame treatment yo|
	 75 20 6e 65 65 64 21 0a  0a 4e 4f 20 70 72 69 6f  |u need!..NO prio|
	 72 20 70 72 65 73 63 72  69 70 74 69 6f 6e 20 6e  |r prescription n|
	 65 65 64 65 64 21 0a 4f  72 64 65 72 20 54 6f 72  |eeded!.Order Tor|
	 6f 6e 74 6f 20 74 6f 20  67 65 74 20 74 68 65 20  |onto to get the |
	 62 69 67 67 65 73 74 20  64 69 73 63 6f 75 6e 74  |biggest discount|
	 73 21 0a 0a 54 79 70 65  20 74 68 65 20 66 6f 6c  |s!..Type the fol|
	 6c 6f 77 69 6e 67 20 57  45 42 20 61 64 64 72 65  |lowing WEB addre|
	 73 73 20 69 6e 20 79 6f  75 72 20 62 72 6f 77 73  |ss in your brows|
	 65 72 3a 0a 0a 57 20 57  20 57 20 2e 20 4c 20 52  |er:..W W W . L R|
	 20 42 20 5a 20 2e 20 55  20 53 0a 0a 00           | B Z . U S...|
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
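
Added example, not part of the original post: the capture above is a connectionless DCE/RPC request (80-byte version 4 header, then three counted strings: sender, recipient, message text) to the Messenger service interface whose UUID appears at payload offset 24. This sketch parses such UDP payloads and counts distinct source IPs per identical message text, which is the figure the thread tracks; the function names and `sample_payload` test data are constructed for illustration.

```python
import hashlib
import struct
import uuid
from collections import defaultdict

# Interface UUID as it appears in the capture (f8 91 7b 5a 00 ff d0 11 ...), little-endian on the wire.
MESSENGER_IF = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
DG_HDR_LEN = 80  # fixed size of a connectionless DCE/RPC (version 4) header

def ndr_string(body, off):
    """Read one counted string (max count, offset, actual count, bytes); return (text, next offset)."""
    _max, _start, count = struct.unpack_from("<III", body, off)
    raw = body[off + 12:off + 12 + count]
    if len(raw) != count:
        raise ValueError("string runs past end of body")
    return raw.rstrip(b"\x00").decode("latin-1").strip(), off + 12 + ((count + 3) & ~3)

def parse_popup(payload):
    """Return (sender, recipient, message) for a Messenger pop-up request, else None."""
    if len(payload) < DG_HDR_LEN or payload[0] != 4 or payload[1] != 0:
        return None  # not an RPC version 4 request PDU
    if payload[4] & 0xF0 != 0x10 or uuid.UUID(bytes_le=bytes(payload[24:40])) != MESSENGER_IF:
        return None  # only little-endian requests to the Messenger interface are handled
    (body_len,) = struct.unpack_from("<H", payload, 74)
    body = payload[DG_HDR_LEN:DG_HDR_LEN + body_len]
    fields, off = [], 0
    try:
        for _ in range(3):
            text, off = ndr_string(body, off)
            fields.append(text)
    except (struct.error, ValueError):
        return None  # truncated or malformed body
    return tuple(fields)

def sources_per_message(packets):
    """Map SHA-256 of the message text to the set of source IPs that sent it."""
    groups = defaultdict(set)
    for src_ip, payload in packets:
        parsed = parse_popup(payload)
        if parsed:
            groups[hashlib.sha256(parsed[2].encode("latin-1")).hexdigest()].add(src_ip)
    return dict(groups)

def sample_payload(text):
    """Constructed test datagram (not traffic from the post): sender 'A', recipient 'You'."""
    s = lambda t: struct.pack("<III", len(t) + 1, 0, len(t) + 1) + (t + b"\0").ljust((len(t) + 4) & ~3, b"\0")
    body = s(b"A") + s(b"You") + s(text)
    fixed = struct.pack("<IIIHHHHHBB", 0, 1, 0, 0, 0xFFFF, 0xFFFF, len(body), 0, 0, 0)
    return b"\x04\x00\x28\x00\x10\x00\x00\x00" + bytes(16) + MESSENGER_IF.bytes_le + bytes(16) + fixed + body
```

Feed it `(source IP, UDP payload)` pairs for traffic to ports 1026/1027; a hash whose source set grows quickly matches the pattern reported in the thread.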


