[Dshield] Bizarre Activity Spurt...

jayjwa jayjwa at atr2.ath.cx
Wed Oct 19 11:13:14 GMT 2005


On Mon, 17 Oct 2005, Freek de Kruijf wrote:

-> I captured a number of these packages. I received these packages on the 
-> following ports; the number in the second column is the count for Oct 16:
-> 1026  523  
-> 1025  425  
-> 1027  44  
-> 1029  10       
-> 1028  10
-> 1030  5      

1025-27 is old, 1028 thru 1029 I just started seeing a while back. This is of 
course MS Messenger "Net Send" spam.

This URL is the one I include in spam reports I send to ISPs, and it has a lot 
of good info:

http://www.wilderssecurity.com/archive/index.php/t-4142.html

    This new form of spam is called messenger spam. Messenger (not to be
    confused with MSN messenger) is a service that is loaded by default upon
    the startup of Windows XP/2000/NT. Microsoft has used the messenger
    service for a number of years to send messages between its servers and
    clients. Here is Microsoft's official description of the messenger
    service:

    Messenger Service:
    Transmits "net send" and Alerter service messages between clients and
    servers. This service is not related to Windows Messenger. If this service
    is stopped, Alerter messages will not be transmitted. If this service is
    disabled, any services that explicitly depend on it will fail to start.


To make the distinction, I call one "System Messenger" and the other I call "Chat 
Messenger", which I think is a good way to remember it. The one in use here is 
the system Messenger. I believe it's normally done using the 'net' utility on 
Windows, although there are now tools on the 'Net that are obviously meant for 
spamming that try to look legitimate.

If you use the service, firewall off those ports so outside hosts can't send 
to them. If you don't even need it, it can be shut down (there should be 
command line instructions in the above URL).

-> I analysed a small number of these packages on most of these ports. All had 
-> the format of the Windows Messenger and the message was:

-> CustName:   Dotster.com
-> Address:    11807 NE 99th Street, Suite 1100
-> City:       Vancouver
-> StateProv:  WA

-> The last 3 IP-addresses have all different owners. Only one 64.74.96.243 is 
-> also owned by the ISP Internap Network Services, but the owner is 
-> CustName:   eNom
-> Address:    16771 NE 80th Street
-> City:       Redmond
-> StateProv:  WA


Dotster, Internap and eNom are all spam-friendly domain sellers, Internap is 
supposedly an ISP. Some of them make it really hard to get an abuse contact 
address for.

I've complained to all of them, numerous times. eNom just last week. There was 
a "FixReg32.com", which I didn't see you list above, so maybe I got that one 
closed? Probably not, but even if so, more Messenger spammers will be back 
with more cheap domains to host this garbage on. Use some zombies to fire off 
UDP packets to everyone on the Internet, and you have almost unstoppable SPAM. 
I don't even log this stuff anymore, but this host slipped in because it was 
caught by an earlier rule in the chain:

220.164.140.226

One thing that I find kind of odd about the Messenger spammers is that they 
all seem to be running an older than dirt SSH server on port 22...

People say that the source IPs are spoofed, but I don't think they even go 
that far: they all are sitting on ISPs' networks who don't seem to care, no 
matter how many times you report them. They're untouchable as it is, so why 
bother to spoof?


j
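An added example, not code from the post or from Dshield, that works the defender's side of the advice above: it tallies inbound UDP datagrams to the 1025-1030 range from constructed iptables-style LOG lines, renders the same two-column port/count table quoted in the thread, and flags sources that spray several of the ports. The log lines, addresses and function names are all constructed for the example.

```python
"""Tally inbound UDP hits on the Windows Messenger ("net send") spam ports from
iptables-style LOG lines. Added example; the log lines below are constructed."""
import re
from collections import Counter, defaultdict

MESSENGER_PORTS = range(1025, 1031)  # the ports the post reports the spam arriving on

# Constructed iptables LOG output (RFC 5737 documentation addresses), not real captures.
SAMPLE_LOG = """\
Oct 16 03:12:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=812 PROTO=UDP SPT=1049 DPT=1026 LEN=792
Oct 16 03:12:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=812 PROTO=UDP SPT=1049 DPT=1025 LEN=792
Oct 16 03:12:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=812 PROTO=UDP SPT=1049 DPT=1027 LEN=792
Oct 16 03:40:17 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=640 PROTO=UDP SPT=3301 DPT=1026 LEN=620
Oct 16 03:40:19 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=640 PROTO=UDP SPT=3301 DPT=1028 LEN=620
Oct 16 04:01:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51022 DPT=1026 WINDOW=5840
Oct 16 04:02:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=73 PROTO=UDP SPT=5353 DPT=53 LEN=53
"""
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (src, proto, dport) for one LOG line, or None if it does not parse."""
    m = LOG_RE.search(line)
    return (m.group("src"), m.group("proto"), int(m.group("dpt"))) if m else None

def messenger_datagrams(log_text):
    """Yield (src, dport) for each inbound UDP datagram aimed at a Messenger port;
    TCP probes and UDP to other ports are ignored."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "UDP" and parsed[2] in MESSENGER_PORTS:
            yield parsed[0], parsed[2]

def messenger_hits(log_text):
    """Per-destination-port counts: the second column of the table quoted in the post."""
    return Counter(dport for _, dport in messenger_datagrams(log_text))

def sweeping_sources(log_text, min_ports=2):
    """Sources hitting at least min_ports distinct Messenger ports, i.e. a sender
    spraying the whole RPC range rather than a host talking to one service."""
    ports_by_src = defaultdict(set)
    for src, dport in messenger_datagrams(log_text):
        ports_by_src[src].add(dport)
    return sorted(s for s, ports in ports_by_src.items() if len(ports) >= min_ports)

def report(counts):
    """Render counts in the two-column 'port  count' layout used in the post."""
    return "\n".join(f"{port}  {n}" for port, n in counts.most_common())

if __name__ == "__main__":
    print(report(messenger_hits(SAMPLE_LOG)), sweeping_sources(SAMPLE_LOG, 3))
```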

