[Intrusions] New SPAM Technique?
triplecrown at optonline.net
Mon Jun 7 15:39:16 GMT 2004
I have seen Messenger pop-up spam followed directly by an LSASS buffer overflow, all originating from the same source IP.
It appears to be worm related.
----- Original Message -----
From: "Carey, Steve T GARRISON" <steven-carey at us.army.mil>
Date: Thursday, June 3, 2004 9:30 am
Subject: [Intrusions] New SPAM Technique?
> Starting on 2 Jun 04, we have had an increasing number of IP addresses sending
> the same SPAM message (see below), on UDP ports 1026/1027 (Windows Messaging).
> Up to 16 addresses involved with the same message, so far. Anyone know if this
> is because of compromised systems or a new version of spyware?
>
> Steven T. Carey
> LCIRT-R Team Leader
> Comm (256) 876-5811, DSN 746-5811
> Cell (256) 759-9767
>
>
> 03-JUN-04 12:10:49.066703 68.213.240.40.2657 > my.network.68.6.1026: udp 529
> 45 00 02 2d 8a bd 00 00 6d 11 bf 31 44 d5 f0 28 |E..-....m..1DÕð(|
> 00 00 00 00 0a 61 04 02 02 19 48 ec 04 00 28 00 |.ÍD..a....Hì..(.|
> 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
> 00 00 00 00 f8 91 7b 5a 00 ff d0 11 a9 b2 00 c0 |....ø.{Z.ÿÐ....À|
> 4f b6 e6 fc 5f 0a ef ac 31 33 31 32 30 30 30 32 |O.æü_.ï.13120002|
> 32 30 31 30 00 00 00 00 01 00 00 00 00 00 00 00 |2010............|
> 00 00 ff ff ff ff c1 01 00 00 00 00 13 00 00 00 |..ÿÿÿÿÁ.........|
> 00 00 00 00 13 00 00 00 20 20 20 20 20 20 20 4c |........       L|
> 45 42 5a 20 20 20 20 20 20 20 00 00 13 00 00 00 |EBZ       ......|
> 00 00 00 00 13 00 00 00 20 20 20 20 20 20 20 20 |........        |
> 59 6f 75 20 20 20 20 20 20 20 00 00 75 01 00 00 |You       ..u...|
> 00 00 00 00 75 01 00 00 0a 0a 54 4f 52 4f 4e 54 |....u.....TORONT|
> 4f 20 50 48 41 52 4d 41 43 45 55 54 49 43 41 4c |O PHARMACEUTICAL|
> 53 0a 0a 54 4f 50 20 4d 45 44 53 3a 20 56 49 41 |S..TOP MEDS: VIA|
> 47 52 41 2c 20 43 49 41 4c 49 53 2c 20 58 41 4e |GRA, CIALIS, XAN|
> 41 58 2c 20 56 41 4c 49 55 4d 2c 20 41 4d 42 49 |AX, VALIUM, AMBI|
> 45 4e 20 2e 2e 2e 2e 0a 0a 4f 75 72 20 67 65 6e |EN ......Our gen|
> 65 72 69 63 73 20 61 72 65 20 74 68 65 20 65 78 |erics are the ex|
> 61 63 74 20 73 61 6d 65 20 66 6f 72 6d 75 6c 61 |act same formula|
> 20 61 73 20 74 68 65 20 6e 61 6d 65 20 62 72 61 | as the name bra|
> 6e 64 73 2c 20 6f 6e 6c 79 20 6d 75 63 68 20 63 |nds, only much c|
> 68 65 61 70 65 72 2e 0a 4e 6f 77 20 79 6f 75 20 |heaper..Now you |
> 63 61 6e 20 73 61 76 65 20 6d 6f 6e 65 79 20 61 |can save money a|
> 6e 64 20 72 65 63 65 69 76 65 20 74 68 65 20 73 |nd receive the s|
> 61 6d 65 20 74 72 65 61 74 6d 65 6e 74 20 79 6f |ame treatment yo|
> 75 20 6e 65 65 64 21 0a 0a 4e 4f 20 70 72 69 6f |u need!..NO prio|
> 72 20 70 72 65 73 63 72 69 70 74 69 6f 6e 20 6e |r prescription n|
> 65 65 64 65 64 21 0a 4f 72 64 65 72 20 54 6f 72 |eeded!.Order Tor|
> 6f 6e 74 6f 20 74 6f 20 67 65 74 20 74 68 65 20 |onto to get the |
> 62 69 67 67 65 73 74 20 64 69 73 63 6f 75 6e 74 |biggest discount|
> 73 21 0a 0a 54 79 70 65 20 74 68 65 20 66 6f 6c |s!..Type the fol|
> 6c 6f 77 69 6e 67 20 57 45 42 20 61 64 64 72 65 |lowing WEB addre|
> 73 73 20 69 6e 20 79 6f 75 72 20 62 72 6f 77 73 |ss in your brows|
> 65 72 3a 0a 0a 57 20 57 20 57 20 2e 20 4c 20 52 |er:..W W W . L R|
> 20 42 20 5a 20 2e 20 55 20 53 0a 0a 00          | B Z . U S...|
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>