[Dshield] port 1026-1031 update

Johannes B. Ullrich jullrich at sans.org
Tue Dec 2 03:55:48 GMT 2003

Not sure if I posted this already. But here a couple of clarifications
and updates:

First of all "popup spam": Like regular spam, its more of an annoyance
then a security risk. But popup spam looks just like a system popup
dialog, which opens interesting options for social engineering /
cognitive hacking. 

There are three ways to send a popup message in windows:

(*) the shell command 'net send'. This uses dialog involving udp packets
on / from port 135. The dialog is includes the message and a reply to
confirm receipt.

(*) traditional popup spam. Only one UDP packet to port 135. The packet
includes the message and is typically 500-1000 bytes long. The receiving
host will still generate a received notice, but the sender ignores it.
The source IP could be spoofed, but from what I have seen/heard so far,
it is usually real.

(*) advanced popup spam. Instead of targeting the RPC service at port
135, the message is sent directly to the messaging service. While the
messaging service could listen at any port (RPC is supposed to handle
that), it typically listens at 1026-1031.

The traffic we are seeing for a week now is targetting 1026-1031. So it
could be "advanced popup spam". However, there are a couple of reasons
why it looks different:

- most of the payload is two bytes of 0. No spam message
- most of the 'advanced popup spam' we have seen so far comes from 
  a small number of hosts. The new traffic comes from an increasing 
  number of hosts.
- The advanced popup spam uses a source port of 666 and 4177. The 
  new traffic uses "natural" source ports in the 1024+ range 
  with a second peak in the "NAT area" (60000+).

As a new development: This morning, the 1026-1031 dropped for a while to
be replaced by a new pattern. I haven't analyzed all the various reports
yet. But it looks like the new traffic zooms in on certain ports in the
1026-1031 range.

My guess so far:
- The origin of the traffic is a botnet. It was likely build using some
random exploit not related to the messenger worm.
- For the last week, we saw a first run of a scan tool to check for
effective ways to spread "advanced popup spam"
- Today, the client running on these bots was updated with a newer

I will run a special ISP notification tomorrow to hopefully find a few
of the origin machines for analysis.

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20031201/fdf72e0d/attachment.bin

More information about the list mailing list