[Intrusions] New SPAM Technique?

James C Slora Jr Jim.Slora at phra.com
Mon Jun 7 16:02:56 GMT 2004


Could this be related to the object tag exploit spam that just got noticed
today?

We have received hundreds of copies of the exploit spam in all types of spam
- well beyond the ones that are listed in Clearswift and MessageLabs alerts
today. They have been circulating unnoticed since at least June 1 - about
the time you started noticing the wormlike Messenger spam behavior.

Search spam for <object - it is showing up in everything, and has obfuscated
links to hostile sites.



> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of 
> triplecrown at optonline.net
> Sent: Monday, June 07, 2004 11:39
> To: intrusions at incidents.org
> Subject: Re: [Intrusions] New SPAM Technique?
> 
> I have seen Messenger pop-up spam followed directly by an 
> LSASS buffer overflow all originating from the same source IP. 
> 
> It appears to be worm related.
> 
> ----- Original Message -----
> From: "Carey, Steve T GARRISON" <steven-carey at us.army.mil>
> Date: Thursday, June 3, 2004 9:30 am
> Subject: [Intrusions] New SPAM Technique?
> 
> > Starting on 2 Jun 04, we have had an increasing number of IP 
> > addresses sending the same SPAM message (see below), on UDP ports 
> > 1026/1027 (Windows Messaging). Up to 16 addresses involved with the 
> > same message, so far.  Anyone know if this is because of compromised 
> > systems or a new version of spyware?
> > 
> > Steven T. Carey
> > LCIRT-R Team Leader
> > Comm (256) 876-5811, DSN 746-5811
> > Cell (256) 759-9767
> > 
> > 
> > 03-JUN-04 12:10:49.066703 68.213.240.40.2657 > my.network.68.6.1026: udp 529
> >         45 00 02 2d 8a bd 00 00  6d 11 bf 31 44 d5 f0 28  |E..-....m..1DÕð(|
> >         00 00 00 00 0a 61 04 02  02 19 48 ec 04 00 28 00  |.ÍD..a....Hì..(.|
> >         10 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> >         00 00 00 00 f8 91 7b 5a  00 ff d0 11 a9 b2 00 c0  |....ø.{Z.ÿÐ....À|
> >         4f b6 e6 fc 5f 0a ef ac  31 33 31 32 30 30 30 32  |O.æü_.ï.13120002|
> >         32 30 31 30 00 00 00 00  01 00 00 00 00 00 00 00  |2010............|
> >         00 00 ff ff ff ff c1 01  00 00 00 00 13 00 00 00  |..ÿÿÿÿÁ.........|
> >         00 00 00 00 13 00 00 00  20 20 20 20 20 20 20 4c  |........       L|
> >         45 42 5a 20 20 20 20 20  20 20 00 00 13 00 00 00  |EBZ       ......|
> >         00 00 00 00 13 00 00 00  20 20 20 20 20 20 20 20  |........        |
> >         59 6f 75 20 20 20 20 20  20 20 00 00 75 01 00 00  |You       ..u...|
> >         00 00 00 00 75 01 00 00  0a 0a 54 4f 52 4f 4e 54  |....u.....TORONT|
> >         4f 20 50 48 41 52 4d 41  43 45 55 54 49 43 41 4c  |O PHARMACEUTICAL|
> >         53 0a 0a 54 4f 50 20 4d  45 44 53 3a 20 56 49 41  |S..TOP MEDS: VIA|
> >         47 52 41 2c 20 43 49 41  4c 49 53 2c 20 58 41 4e  |GRA, CIALIS, XAN|
> >         41 58 2c 20 56 41 4c 49  55 4d 2c 20 41 4d 42 49  |AX, VALIUM, AMBI|
> >         45 4e 20 2e 2e 2e 2e 0a  0a 4f 75 72 20 67 65 6e  |EN ......Our gen|
> >         65 72 69 63 73 20 61 72  65 20 74 68 65 20 65 78  |erics are the ex|
> >         61 63 74 20 73 61 6d 65  20 66 6f 72 6d 75 6c 61  |act same formula|
> >         20 61 73 20 74 68 65 20  6e 61 6d 65 20 62 72 61  | as the name bra|
> >         6e 64 73 2c 20 6f 6e 6c  79 20 6d 75 63 68 20 63  |nds, only much c|
> >         68 65 61 70 65 72 2e 0a  4e 6f 77 20 79 6f 75 20  |heaper..Now you |
> >         63 61 6e 20 73 61 76 65  20 6d 6f 6e 65 79 20 61  |can save money a|
> >         6e 64 20 72 65 63 65 69  76 65 20 74 68 65 20 73  |nd receive the s|
> >         61 6d 65 20 74 72 65 61  74 6d 65 6e 74 20 79 6f  |ame treatment yo|
> >         75 20 6e 65 65 64 21 0a  0a 4e 4f 20 70 72 69 6f  |u need!..NO prio|
> >         72 20 70 72 65 73 63 72  69 70 74 69 6f 6e 20 6e  |r prescription n|
> >         65 65 64 65 64 21 0a 4f  72 64 65 72 20 54 6f 72  |eeded!.Order Tor|
> >         6f 6e 74 6f 20 74 6f 20  67 65 74 20 74 68 65 20  |onto to get the |
> >         62 69 67 67 65 73 74 20  64 69 73 63 6f 75 6e 74  |biggest discount|
> >         73 21 0a 0a 54 79 70 65  20 74 68 65 20 66 6f 6c  |s!..Type the fol|
> >         6c 6f 77 69 6e 67 20 57  45 42 20 61 64 64 72 65  |lowing WEB addre|
> >         73 73 20 69 6e 20 79 6f  75 72 20 62 72 6f 77 73  |ss in your brows|
> >         65 72 3a 0a 0a 57 20 57  20 57 20 2e 20 4c 20 52  |er:..W W W . L R|
> >         20 42 20 5a 20 2e 20 55  20 53 0a 0a 00           | B Z . U S...|
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> > 
> 
> 
