[Intrusions] (no subject)
Carey, Steve T GARRISON
steven-carey at us.army.mil
Tue Jun 8 02:33:18 GMT 2004
Must be something fairly new. As of Saturday, our top 40 incoming scans, per
hour, are showing anywhere between 37 and 39 IPs just with that popup message.
Maybe I should plug a vulnerable system in and see what happens.....
Steve Carey
From: "James C Slora Jr" <Jim.Slora at phra.com>
To: "'Intrusions List (GCIA Practicals)'" <intrusions at lists.sans.org>
Subject: RE: [Intrusions] New SPAM Technique?
Date: Mon, 7 Jun 2004 12:02:56 -0400
Could this be related to the object tag exploit spam that just got noticed
today?
We have received hundreds of copies of the exploit spam in all types of spam
- well beyond the ones that are listed in Clearswift and MessageLabs alerts
today. They have been circulating unnoticed since at least June 1 - about
the time you started noticing the wormlike Messenger spam behavior.
Search spam for <object - it is showing up in everything, and has obfuscated
links to hostile sites.
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of
> triplecrown at optonline.net
> Sent: Monday, June 07, 2004 11:39
> To: intrusions at incidents.org
> Subject: Re: [Intrusions] New SPAM Technique?
>
> I have seen Messenger pop-up spam followed directly by an
> LSASS buffer overflow all originating from the same source IP.
>
> It appears to be worm related.
>
> ----- Original Message -----
> From: "Carey, Steve T GARRISON" <steven-carey at us.army.mil>
> Date: Thursday, June 3, 2004 9:30 am
> Subject: [Intrusions] New SPAM Technique?
>
> > Starting on 2 Jun 04, we have had an increasing number of IP
> > addresses sending the same SPAM message (see below), on UDP ports
> > 1026/1027 (Windows Messaging). Up to 16 addresses involved with the
> > same message, so far. Anyone know if this is because of compromised
> > systems or a new version of spyware?
> >
> > Steven T. Carey
> > LCIRT-R Team Leader
> > Comm (256) 876-5811, DSN 746-5811
> > Cell (256) 759-9767
> >
> >
> > 03-JUN-04 12:10:49.066703 68.213.240.40.2657 > my.network.68.6.1026: udp 529
> > _______________________________________________
> > Intrusions mailing list
> > Intrusions at lists.sans.org
> > http://www.dshield.org/mailman/listinfo/intrusions
> >
>
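The 529-byte datagram in Steve's capture is a connectionless DCE/RPC request to the Messenger service (interface UUID 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc, NetrSendMessage opnum 0) carrying three NDR strings: the popup's "from" name, "to" name and message text. The Python below is an added example, not code from the list or any poster: it constructs a datagram with that layout (made-up text, marked as constructed) and parses it, so a sensor can tag popup spam on UDP 1026/1027 by content rather than by port alone. Labelling the first two strings as from/to follows the "Message from X to Y" popup and is an assumption.

```python
import struct
import uuid

# Connectionless (UDP) DCE/RPC header: 80 bytes, little-endian, 19 fields.
CL_HDR = "<BBBB3sB16s16s16sIIIHHHHHBB"
# Messenger service interface UUID (msgsvc); NetrSendMessage is opnum 0.
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")


def ndr_string(s):
    """NDR conformant-varying char string: max, offset, actual, bytes, 4-byte pad."""
    data = s.encode("ascii") + b"\x00"
    body = struct.pack("<III", len(data), 0, len(data)) + data
    return body + b"\x00" * (-len(body) % 4)


def build_popup(sender, recipient, text):
    """Constructed test input only (not a captured packet): same layout as the list's dump."""
    stub = ndr_string(sender) + ndr_string(recipient) + ndr_string(text)
    hdr = struct.pack(CL_HDR, 4, 0, 0x28, 0, b"\x10\x00\x00", 0, b"\x00" * 16,
                      MSGSVC_IFACE.bytes_le, b"\x00" * 16, 0, 1, 0, 0,
                      0xFFFF, 0xFFFF, len(stub), 0, 0, 0)
    return hdr + stub


def parse_popup(pkt):
    """Return (from, to, text) if pkt is a Messenger NetrSendMessage request, else None."""
    if len(pkt) < 80:
        return None
    f = struct.unpack_from(CL_HDR, pkt)
    vers, ptype, if_id, opnum, length = f[0], f[1], f[7], f[12], f[15]
    if vers != 4 or ptype != 0 or opnum != 0:  # v4 = connectionless, ptype 0 = request
        return None
    if uuid.UUID(bytes_le=if_id) != MSGSVC_IFACE:  # not the Messenger interface
        return None
    stub, off, out = pkt[80:80 + length], 0, []
    for _ in range(3):  # from, to, text
        if off + 12 > len(stub):
            return None
        _max, offset, actual = struct.unpack_from("<III", stub, off)
        start = off + 12 + offset
        if start + actual > len(stub):  # truncated or lying length fields
            return None
        raw = stub[start:start + actual].rstrip(b"\x00")
        out.append(raw.decode("ascii", "replace").strip())
        off = start + actual
        off += -off % 4  # realign to 4 bytes for the next string
    return tuple(out)
```

The parser rejects anything that is not a Messenger request and bounds-checks every NDR length before slicing, so it is safe to run over arbitrary datagrams seen on ports 1026/1027.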