[Dshield] port 1026-1031 update
Johannes B. Ullrich
jullrich at sans.org
Wed Dec 3 21:02:13 GMT 2003
> We concur: There doesn't seem to be anything malicious behind the
> obfuscation on the web page. However, I continue to suspect that the
> offered download is malicious. I know of one group that's working to
> reverse engineer it. So, perhaps we'll soon know.
Well, I do have a few reports from people that say they did see the
outbound 1026-1031 traffic after they installed "PopupadStop". I
installed it myself, and don't see the traffic. However, it does a
'version check' as it is installed, and it is possible that it
downloaded extra pieces in the past.
Other than that, we do have now a connection between the two-byte
UDP port 1026-1031 traffic and popup spam. If your system responds
to the two zero byte traffic, a popup spam will be sent.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
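
Added example, not part of the original message: a detection sketch for the traffic described above, flagging two-zero-byte UDP datagrams to ports 1026-1031 and the hosts that answer them. The function names, the sample packets (documentation addresses) and the rule that any UDP datagram sent back from the probed host and port counts as a response are assumptions made for illustration.

```python
import struct

PROBE_PORTS = range(1026, 1032)   # UDP 1026-1031, as named in the message
PROBE_PAYLOAD = b"\x00\x00"       # the two zero bytes described in the message

def build_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP packet (checksums left at 0) for the constructed samples."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def parse_udp(pkt):
    """Return (src, dst, sport, dport, payload), or None if not well-formed IPv4 UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 17 or len(pkt) < ihl + 8:
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if ulen < 8 or len(pkt) < ihl + ulen:
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, sport, dport, pkt[ihl + 8:ihl + ulen]

def analyze(packets):
    """Return (probes, responders): probes seen, and hosts that answered one (assumed rule)."""
    probes, responders = set(), set()
    for pkt in packets:
        p = parse_udp(pkt)
        if p is None:
            continue
        src, dst, sport, dport, payload = p
        if dport in PROBE_PORTS and payload == PROBE_PAYLOAD:
            probes.add((src, sport, dst, dport))
        elif (dst, dport, src, sport) in probes:
            responders.add((src, sport))
    return probes, responders

# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    build_udp("198.51.100.7", "192.0.2.10", 40000, 1026, b"\x00\x00"),      # probe
    build_udp("198.51.100.7", "192.0.2.11", 40000, 1027, b"\x00\x00"),      # probe, unanswered
    build_udp("192.0.2.10", "198.51.100.7", 1026, 40000, b"\x05\x00"),      # answer to first probe
    build_udp("198.51.100.7", "192.0.2.10", 40001, 53, b"\x00\x00"),        # port outside range
    build_udp("198.51.100.7", "192.0.2.12", 40000, 1030, b"\x00\x00\x00"),  # three bytes, not two
]
```

Hosts returned in `responders` are the ones that, per the message, would go on to receive popup spam.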