[Dshield] Bizarre Activity Spurt...

Chris Brenton cbrenton at chrisbrenton.org
Sat Oct 15 00:38:02 GMT 2005


On Fri, 2005-10-14 at 17:33 -0500, Robert Nelson wrote:
>
> Yessirree Bob, right on time. 20 hits each from 8 different addresses
> (spoofed of course) for a total of 160 hits. All from port 52624 this time.

Geesh, didn't take long to generate this capture. ;-)

Appears to be some slimebags attempting to dupe users into thinking their
registry is corrupted. Some decodes for those who are interested:


U 221.6.163.50:52620 -> 64.222.191.6:1026
  ..(.......................{Z........O....&.7...k...Oz.......................................FROM........................TO..............<.......<...S
  TOP! WINDOWS REQUIRES IMMEDIATE ATTENTION...Windows has found 51 Critical System Errors...To fix the errors please do the following:..1. Download Rep
  air Registry Pro from: fix-ms.com.2. Install Repair Registry Pro.3. Run Repair Registry Pro.4. Reboot your computer..FAILURE TO ACT NOW MAY LEAD TO S
  YSTEM FAILURE!:..
#
U 202.99.172.160:48970 -> 64.222.191.4:1026
  ..(.......................{Z........O...D...\....'.2.}~.....................................SECURITY....................ALERT.......................W
  indows has encountered an Internal Error.Your windows registry is corrupted...We recommend a complete system scan...Visit..http://FixRegNow.com..To r
  epair now...
#

The URLs in the payload get redirected to:
http://www.registryupdate.com/
http://www.repairregistrypro.com/?hop=cleanerreg

Translation: "Our product sucks so bad we need to use FUD to sell it".
So I wonder if these products report bogus problems as well as part of
the scam?

Happy trails,
Chris
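Added example (not part of the post): a small triage script for captures like the one above. It renders UDP payloads the way ngrep does, flags Messenger-service datagrams that combine scare wording with a lure URL, and counts hits per source address, which is what the "20 hits from 8 addresses" pattern looks like in a log. The sample datagrams, the header bytes and the port list are constructed assumptions modelled on the capture; since the sources are spoofed, the per-source count describes the burst, not the sender.

```python
import re
from collections import Counter

# UDP ports the Messenger service was typically reached on; 1026 is the one in the capture.
POPUP_PORTS = {135, 1026, 1027, 1028, 1029}
SCARE = ("REQUIRES IMMEDIATE ATTENTION", "REGISTRY IS CORRUPTED",
         "SYSTEM FAILURE", "CRITICAL SYSTEM ERRORS", "SECURITY ALERT")
URL_RE = re.compile(rb"(?:https?://)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:com|net|org|biz|info)\b", re.I)

# Constructed stand-in for the DCE/RPC header bytes that ngrep rendered as "..(...".
HDR = b"\x04\x00(\x00\x10\x00\x00\x00"
SPAM1 = HDR + (b"FROM\x00TO\x00STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION\r\n"
               b"Windows has found 51 Critical System Errors\r\n"
               b"1. Download Repair Registry Pro from: fix-ms.com\r\n"
               b"FAILURE TO ACT NOW MAY LEAD TO SYSTEM FAILURE!\x00")
SPAM2 = HDR + (b"SECURITY\x00ALERT\x00Windows has encountered an Internal Error.\r\n"
               b"Your windows registry is corrupted.\r\n"
               b"Visit http://FixRegNow.com To repair now.\x00")
BENIGN = HDR + b"ops\x00bob\x00Backup window starts at 22:00, save your work.\x00"
# Constructed datagrams: (src_ip, src_port, dst_port, payload), modelled on the capture.
DATAGRAMS = [
    ("221.6.163.50", 52620, 1026, SPAM1), ("221.6.163.50", 52620, 1026, SPAM1),
    ("202.99.172.160", 48970, 1026, SPAM2),
    ("10.0.0.7", 40000, 1026, BENIGN),
    ("10.0.0.9", 40000, 53, b"\x12\x34\x01\x00 not messenger traffic"),
]

def printable(payload: bytes) -> str:
    """Render a payload the way ngrep does: printable ASCII as-is, everything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in payload)

def classify(dst_port: int, payload: bytes):
    """Return (is_popup_spam, urls): scare wording plus a lure URL on a Messenger port."""
    if dst_port not in POPUP_PORTS:
        return False, []
    text = printable(payload).upper()
    urls = [u.decode("ascii") for u in URL_RE.findall(payload)]
    return (any(k in text for k in SCARE) and bool(urls)), urls

def triage(datagrams):
    """Count flagged datagrams per source and collect the lure URLs (the post's hits per address)."""
    per_src, urls = Counter(), set()
    for src, _sport, dport, payload in datagrams:
        hit, found = classify(dport, payload)
        if hit:
            per_src[src] += 1
            urls.update(found)
    return per_src, urls
```

Running `triage(DATAGRAMS)` on the constructed sample reports two hits from 221.6.163.50, one from 202.99.172.160, and the two lure URLs; the benign Messenger datagram and the port 53 packet are ignored.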



