Handler on Duty: Didier Stevens
Threat Level: green
Published: 2003-12-31
New Fraudulent email from MS; e-voting software co. compromised
Making the rounds today is another hoax, this time in the form of an HTML message sent to "Commercial Customer" with the subject "last network security pack". Another reminder to all: Microsoft does not send updates to users by e-mail.
The latest security news from Microsoft can be verified at the following link.
http://www.microsoft.com/security/
Several news sources today are reporting that the e-voting software company VoteHere, Inc. was compromised in October and is being investigated by the FBI. Reports state that the breach occurred during a period when the application of an announced security patch had been delayed at VoteHere.
http://zdnet.com.com/2100-1105_2-5134106.html
http://www.fcw.com/fcw/articles/2003/1229/web-evoting-12-30-03.asp
Published: 2003-12-30
Spammers attempt to defeat Bayesian filters; Malaysia terrorism warning; MSN Messenger worm
Over the past weeks, Internet users have reported receiving high volumes of spam e-mail with random words at the bottom (in the text and/or HTML part). This appears to be aimed at defeating Bayesian spam filters, which users train to detect spam and classify it automatically. The technique uses common dictionary words to increase the rate of false positives and cause Bayesian filters to start classifying legitimate mail as spam.
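To see how the padding interacts with a Bayesian filter, here is a small Graham-style filter as an added example (not from the diary or any product): it trains on a constructed ham/spam corpus, shows that the padded spam is still caught, and shows that once the user trains that padded message as spam, a legitimate message that happens to use the same dictionary words is misclassified. The comparison is against a minimum-occurrence threshold for tokens, as Paul Graham's "A Plan for Spam" uses; the corpus, messages and thresholds are all constructed for the example.

```python
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")


def tokens(text):
    """Distinct tokens of a message (each counted once per message)."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    """Minimal Graham-style Bayesian filter (ham bias and hashing omitted)."""

    def __init__(self, min_count=1):
        self.good = Counter()       # token -> ham messages containing it
        self.bad = Counter()        # token -> spam messages containing it
        self.ngood = self.nbad = 0
        self.min_count = min_count  # tokens seen fewer times stay neutral

    def train(self, text, is_spam):
        if is_spam:
            self.bad.update(tokens(text))
            self.nbad += 1
        else:
            self.good.update(tokens(text))
            self.ngood += 1

    def token_prob(self, tok):
        g, b = self.good[tok], self.bad[tok]
        if g + b == 0 or g + b < self.min_count:
            return 0.4                      # unknown or too rare to trust
        pg = g / max(self.ngood, 1)
        pb = b / max(self.nbad, 1)
        return min(0.99, max(0.01, pb / (pg + pb)))

    def score(self, text, top_n=15):
        """Combined spam probability from the top_n most decisive tokens."""
        probs = sorted((self.token_prob(t) for t in tokens(text)),
                       key=lambda p: abs(p - 0.5), reverse=True)[:top_n]
        if not probs:
            return 0.5
        p = q = 1.0
        for x in probs:
            p *= x
            q *= 1.0 - x
        return p / (p + q)


# Constructed corpus and messages (not real mail).
HAM = ["meeting tomorrow at noon in room four",
       "please review the attached budget report",
       "lunch with the team on friday",
       "the quarterly report is attached for review"]
SPAM = ["buy cheap pills online now",
        "cheap pills shipped discreetly now",
        "free casino bonus click now"]
PADDING = "orchard lantern velvet harbor meadow"    # random dictionary words
PADDED_SPAM = "buy cheap pills online now " + PADDING
LEGIT = "the lantern by the harbor and the meadow orchard walk"


def poisoning_demo(min_count):
    """Returns (legit score before, padded spam score, legit score after the
    user has trained the padded spam as spam)."""
    f = BayesFilter(min_count)
    for m in HAM:
        f.train(m, False)
    for m in SPAM:
        f.train(m, True)
    before = f.score(LEGIT)
    caught = f.score(PADDED_SPAM)
    f.train(PADDED_SPAM, True)      # user marks the padded message as spam
    after = f.score(LEGIT)
    return before, caught, after


if __name__ == "__main__":
    # min_count=1 trusts every token; min_count=2 ignores tokens seen only once.
    # With this tiny corpus 2 is enough; real filters use a larger threshold.
    for mc in (1, 2):
        print("min_count=%d: legit %.4f, padded spam %.4f, legit after poisoning %.4f"
              % ((mc,) + poisoning_demo(mc)))
```

The threshold only blunts the attack: a spammer who repeats the same padding words across many messages pushes them past any fixed count, so the real defence is careful training data rather than one knob.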
----------------------------------------------------------
Malaysia CERT (Computer Emergency Response Team) has identified circulating e-mail that contains fraudulent terrorism warnings for people in Malaysia. The e-mail provides a link to learn more about the warning, but this link actually downloads and installs a trojan horse program. The trojan horse is similar to the recently discovered key logging trojan named "Backdoor.Tofger".
Given the nature of terrorism fears across the world, it is likely that this type of e-mail will surface again in the future.
More information on this incident, including the full text of the malicious e-mail, can be found at Malaysia CERT: http://www.mycert.mimos.my/advisory/MA-061.122003.html.
The story is also reported at ZDNet UK: http://news.zdnet.co.uk/internet/security/0,39020375,39118800,00.htm
Information on Backdoor.Tofger:
http://www.symantec.com/avcenter/venc/data/backdoor.tofger.html
----------------------------------------------------------
A new worm has been identified spreading through MSN Messenger clients. The worm propagates by sending a message to everyone in the contact list every 5 minutes; the message contains a link to download the worm itself. No destructive activity has been observed with the worm; however, analysis is still underway. Widespread penetration of this virus could amount to a denial of service against MSN Messenger users. Further information can be found at the Panda Software web site under "Jitux.A":
http://www.pandasoftware.com/virus_info/threats.aspx
Published: 2003-12-28
quiet holiday weekend
No major new issues were brought to our attention over the last 24 hrs. Overall, it appears that due to holiday shutdowns, slightly less background activity from existing infections was seen than usual.
The coming week may be your last chance to easily spot Welchia/Nachi infected systems. If an infected system is restarted after January 1st 2004, it will not activate the worm. This may provide an opening for Blaster to re-surface.
Published: 2003-12-26
Perl/Exploit SQLinject; Increased Activity on Port 1039
Perl/Exploit SQLinject
A fake exploit for phpBB is circulating on security related mailing lists. This exploit claims to take advantage of a SQL injection vulnerability in phpBB. However, instead of sending the exploit, the script will try to find a local phpBB user database and send it to a web site as part of the query string. Exploit code should always be treated with care. Fake exploits like this, which include backdoors and other hidden functions, are quite common.
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=153818
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100915
http://vil.nai.com/vil/content/v_100915.htm
Increased Activity on Port 1039
Starting on December 24th the activity on Port 1039 increased drastically. The normal daily traffic records for that port were consistently under 1000. However, on the 24th traffic jumped to the hundreds of thousands and then to millions on the 25th and 26th. As far as I can tell the port is used by the Dell OMI service.
http://www.seifried.org/security/ports/1000/1039.html
This service also listens on Ports 1037 and 1038. Traffic rose for port 1037 on the 22nd and 23rd and for port 1038 on the 24th before dropping back to normal. It may be that hackers are looking for all the new Christmas presents. Just keep your eyes open and if you see anything, let us know.
http://isc.incidents.org/port_details.html?port=1037
http://isc.incidents.org/port_details.html?port=1038
http://isc.incidents.org/port_details.html?port=1039
System Lockdowns
As a reminder, don't forget to lock your systems down before putting them on the Internet. Family members and friends will be getting computers and many of them will have little to no experience using them. If you have time, give them a hand or at least point them in the right direction. The free Survival Guide found at http://www.sans.org/rr/papers/index.php?id=1298 is a great place to start. There is also a good guide found at http://www.cert.org/tech_tips/before_you_plug_in.html
Here's wishing you a safe Holiday Season
Lorna Hutcheson
Published: 2003-12-25
It's a quiet day. Is it the calm before the storm?
It seems to have been a quiet day on the Internet. Everyone must be setting up the new computers that they got under the Christmas tree.
I hope that all of you who did receive a new computer have checked out "How to Survive the First Day" on the SANS web site at
http://isc.sans.org/presentations/xpsurvivalguide.pdf
I hope all of you have had a Merry Christmas.
Merry Christmas
Published: 2003-12-24
12/23/03 CitiBank/Visa Account Phishing, ISS IE URL Spoofing filter, Dameware scanning, Apple patch links
"Good will towards everyone"
A current Visa/CitiBank account phishing e-mail has been posted by CitiBank at
http://www.citi.com/domain/spoof/report_abuse.htm
At the website select the "Date: 12/23/03 Subject: Visa Security Update (report it)" link, where CitiBank has posted solid security recommendations and screenshots of the phony e-mail and its pop-ups.
Defeat Phishing E-mail URL spoofing - ISS's Internet Explorer URL Spoofing patch
There is not yet a Microsoft patch for the severe vulnerability being actively exploited through Internet Explorer URL obfuscation and HTML based "phishing" e-mails. But thanks to the super work by Internet Security Systems I'll be giving family and acquaintances a holiday patch for the Microsoft Internet Explorer domain URL spoofing vulnerability. And don't we all have family and acquaintances that need it.
The free Internet Security Systems tool is available at the following address:
http://www.iss.net/support/product_utilities
"Microsoft Internet Explorer domain URL spoofing filter. ISS has developed a tool that will plug-in to Internet Explorer and filter hostile URLs that exploit this vulnerability. This tool is designed to strip hostile redirection from URLs and send users to the legitimate URL, instead of a rogue Web server."
http://www.iss.net/support/product_utilities/domainspooffilter/
Dameware - Port 6129 scanning
The number of "sources" detected scanning Port 6129 is steadily increasing. Since December 19th, the reported number of "sources" scanning Port 6129 has risen by one thousand systems. URL:
http://isc.incidents.org/port_details.html?port=6129
Apple Security Updates
http://docs.info.apple.com/article.html?artnum=61798
Last Updated: 2003-12-22
Apple Security Updates
Article ID: 61798
Created: 11/15/02
Modified: 12/22/03
Security Update 2003-12-19 for Mac OS X 10.2.8 "Jaguar" and Mac OS X 10.2.8 Server
Security Update 2003-12-19 for Mac OS X 10.3.2 "Panther" and Mac OS X 10.3.2 Server
Patrick Nolan
Published: 2003-12-23
IE URL Bug; Phishing Attacks; Port 6129 Remains High; Proper Incident Response
IE URL Bug
On the recently released IE URL bug [1], Microsoft has not yet released an official patch for this vulnerability. However, Microsoft has published an article on steps that you can take to help identify spoofed websites and malicious hyperlinks and to help protect yourself from them.
http://support.microsoft.com/?id=833786
It discusses steps you can take to help protect yourself from spoofed Web sites and malicious hyperlinks, including how to identify the URL of the current web page.
Phishing Attacks
There is an increasing trend in phishing attacks where an attacker sets up a website with malicious hyperlinks (exploiting the IE URL bug), lures people to the malicious website (commonly via e-mail that appears to come from a trusted source) and tricks them into revealing personal information such as credit card numbers, PINs and passwords. A recent one is the Earthlink case (http://isc.sans.org/diary.html?date=2003-12-21).
There is a good website that archives some of the known phishing attacks:
http://www.antiphishing.org/phishing_archive.htm
Port 6129 Remains High
Since 20 Dec 03 we have seen a spike in port 6129 (http://isc.sans.org/diary.html?date=2003-12-21). Scanning on port 6129 remains high. This could be due to the recent DameWare exploit.
http://isc.incidents.org/port_details.html?port=6129
Proper Incident Response
During this festive season, it is common for hackers to take the opportunity to break into systems. Should your systems unfortunately be compromised, proper incident response should be followed.
The following links provide useful tips on proper incident handling/response.
http://www.fedcirc.gov/incidentResponse/index.html
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
http://www.sans.org/rr/catindex.php?cat_id=27
http://www.cert.org/tech_tips/
https://store.sans.org/store_item.php?item=62
[References]:
1. http://www.zapthedingbat.com/security/ex01/vun1.htm
2. http://support.microsoft.com/?id=833786
3. http://www.microsoft.com/security/incident/spoof.asp
4. http://www.antiphishing.org/phishing_archive.htm
5. http://xforce.iss.net/xforce/alerts/id/159
6. http://isc.sans.org/diary.html?date=2003-12-21
7. http://www.fedcirc.gov/incidentResponse/index.html
8. http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
9. http://www.sans.org/rr/catindex.php?cat_id=27
10. http://www.cert.org/tech_tips/
11. https://store.sans.org/store_item.php?item=62
Published: 2003-12-22
New MassMailing Virus - Sober.C; Limit Exposure During Breaks; Upcoming Repeat Virus Outbreaks
New Mass-Mailing Virus - Sober.C
A new variant of the mass-mailing virus Sober started spreading on the Internet over the weekend. As it sends e-mail in German or English depending on the domain name of the infected computer, it shows a somewhat smarter social engineering tactic that we may see more of in the future. The links below are references to the virus from the major antivirus vendors. More details can be gathered from these reports.
References:
http://www.sarc.com/avcenter/venc/data/w32.sober.c@mm.html
http://www3.ca.com/virusinfo/virus.aspx?ID=37823
http://www.datafellows.com/v-descs/sober_c.shtml
http://www.kaspersky.com/news.html?id=2861377
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100912
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=42896&sind=0
http://www.sophos.com/virusinfo/analyses/w32soberc.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBER.C
______________________________________________________________________________
Limiting Exposure During Holiday Breaks
As a last minute recommendation, please consider turning off non-critical computers during the holiday break. This limits the amount of exposure you may have while network and security personnel are away from the office.
Those in academia are especially prone to intrusions during this time of year due to their traditionally open environments. But corporate environments should also consider this a prime time for internal threats.
Consider working on an appropriate policy concerning office computers (and other non critical systems) during extended breaks when you return from the holidays.
______________________________________________________________________________
Upcoming Repeat Virus Outbreaks
In the next week, many families will add a new computer to their households. These computers may be fairly up to date with patches from OEMs, or may be horribly outdated. In the next few weeks, expect more virus activity originating from broadband connections. In January, much of this virus activity will move into SOHO and corporate environments via mobile users. Academic environments will be close behind as students return to campus with their new computers as well. So expect Welchia (Nachi), Blaster, Sobig, Mimail, and many of the other viruses of 2003 to return to the limelight in the next few weeks.
Computing staff in the academic world should spend the first few days after the holiday finding an appropriate plan to allow these computers access to the network securely. If you have a method of deploying patches to your users without violating the EULAs of the common products on your campus, then start preparing for the moment when the ResNet users return to school.
In the Microsoft Windows world, it is recommended that, in addition to the major service pack release for the operating system available from
http://www.microsoft.com/technet/security/bulletin/tpsrvpck.asp
you push for the following patches to be installed before allowing a machine onto the campus network.
http://www.microsoft.com/technet/security/Bulletin/MS03-039.asp
http://www.microsoft.com/technet/security/Bulletin/MS03-049.asp
This would also be a good opportunity for education concerning strong passwords, anti-virus software, and automated patching.
--- Scott Fendley
Published: 2003-12-21
Homeland Security Level Raised to Orange, increase in DameWare (port 6129) scans and exploit, Microsoft Retires Products (Including Windows 98), And Earthlink Users Being Targeted by Scam Using IE bug
DHS raises security level
The Department of Homeland Security raised the alert level to Orange (High) today [1]. No cyber security threats were mentioned, but it is worth mentioning here as a heads-up.
Scans for DameWare exploit
There's been an increase in DameWare (port 6129) [6] scans due to semi-recent vulnerabilities discovered in DameWare Mini-RC [7]. There's also an exploit floating around, released on the 16th, that could be a factor [8]. If you are running DameWare, be sure to patch to the current version.
MSFT retiring older software
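The port 1039 burst described in the Dec 26 entry and the steady rise in sources scanning port 6129 (this entry and the Dec 23/24 entries) are the two shapes a watcher over DShield-style daily port summaries should catch. The following is an added example, not ISC or DShield code; the daily figures are constructed to mimic the diary's description (not the real numbers) and the thresholds are assumptions:

```python
from collections import defaultdict
from statistics import median

# (date, port, records, sources): constructed daily port summaries that mimic
# the shape the diary describes, not the real DShield numbers.
DAILY = [
    ("2003-12-19", 1037, 350, 25), ("2003-12-20", 1037, 360, 27),
    ("2003-12-21", 1037, 340, 24), ("2003-12-22", 1037, 90000, 600),
    ("2003-12-23", 1037, 150000, 900), ("2003-12-24", 1037, 370, 26),
    ("2003-12-25", 1037, 355, 25), ("2003-12-26", 1037, 360, 27),
    ("2003-12-19", 1038, 400, 30), ("2003-12-20", 1038, 430, 32),
    ("2003-12-21", 1038, 390, 29), ("2003-12-22", 1038, 410, 31),
    ("2003-12-23", 1038, 420, 30), ("2003-12-24", 1038, 120000, 600),
    ("2003-12-25", 1038, 450, 31), ("2003-12-26", 1038, 420, 29),
    ("2003-12-19", 1039, 620, 40), ("2003-12-20", 1039, 710, 43),
    ("2003-12-21", 1039, 580, 39), ("2003-12-22", 1039, 690, 41),
    ("2003-12-23", 1039, 640, 38), ("2003-12-24", 1039, 310000, 950),
    ("2003-12-25", 1039, 2400000, 3100), ("2003-12-26", 1039, 3900000, 4800),
    ("2003-12-19", 6129, 5100, 1200), ("2003-12-20", 6129, 5600, 1350),
    ("2003-12-21", 6129, 6200, 1500), ("2003-12-22", 6129, 7000, 1700),
    ("2003-12-23", 6129, 7800, 1900), ("2003-12-24", 6129, 8400, 2050),
    ("2003-12-25", 6129, 8900, 2150), ("2003-12-26", 6129, 9400, 2300),
]


def by_port(rows):
    """Group rows per port, ordered by date."""
    series = defaultdict(list)
    for date, port, records, sources in sorted(rows):
        series[port].append((date, records, sources))
    return series


def detect_spikes(rows, ratio=10.0, floor=5000, window=5):
    """A day is a spike when the port's record count is at least `ratio`
    times the median of the preceding `window` days and above `floor`.
    The median keeps earlier spike days from inflating the baseline."""
    alerts = []
    for port, series in by_port(rows).items():
        for i, (date, records, _) in enumerate(series):
            prior = [r for _, r, _ in series[max(0, i - window):i]]
            if len(prior) < 3:
                continue                      # not enough history yet
            base = median(prior)
            if records >= floor and records >= ratio * base:
                alerts.append((date, port, records, base))
    return alerts


def detect_steady_climb(rows, days=5, min_growth=0.5):
    """Flag a port whose source count rose on each of `days` consecutive
    days and grew by at least `min_growth` (a fraction) over the span:
    the slow build-up of scanners rather than a one-day burst."""
    alerts = []
    for port, series in by_port(rows).items():
        for i in range(days, len(series)):
            span = series[i - days:i + 1]
            vals = [s for _, _, s in span]
            rising = all(b > a for a, b in zip(vals, vals[1:]))
            if rising and vals[-1] >= (1 + min_growth) * vals[0]:
                alerts.append((span[0][0], span[-1][0], port, vals[0], vals[-1]))
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(DAILY):
        print("spike  %s port %d: %d records (baseline median %g)" % a)
    for a in detect_steady_climb(DAILY):
        print("climb  %s..%s port %d: sources %d -> %d" % a)
```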
Microsoft is retiring[2] (and removing support for) quite a few items:
- Office XP Developer
- Visio 2000
- BackOffice Server 2000
- Office 2000 Developer, Tools, Multilingual, Premium SR-1, and Service Pack 2
- Outlook 2000
- Project 2000
- SQL Server 7, and Service Pack 3
- Embedded Visual Tools 3.0
- Visual Studio 6 MSDE
- IE 5.5
- MapPoint 2002
- Visual Studio 6.0 SP3 and SP5
- Windows 98, 98 Y2K, 98 Resource Kit, 98 SP1 (all win98 except SE)
- Windows NT 4.0
- ISA Server 2000
- Visual Basic for (Alpha Systems)[3]
This came into effect Dec 15th, 2003. Windows 98 and Windows NT 4.0 were already retired from OEM shipping in June 2002 [4].
Unfortunately, according to a survey by eWeek, 80% of the companies surveyed were still making use of Windows 98 and Windows 95 [5]. Microsoft will consider these products obsolete after January 16th, 2004 and will no longer support the entire Windows 98 line (including SE). Windows NT was already removed from support in 2002.
From a security standpoint, it's time to move away from the product versions listed above. Without support, these are a security threat that continues to increase over time: the longer they are on your network, the more exploits will be found for these products that will never have a service pack, patch or hotfix to cure the vulnerabilities. Putting a firewall between your existing Windows 98 / NT 4.0 machine pool and the Internet is also not enough in many cases.
While as the Handler On Duty I will not make a recommendation as to what products to upgrade to, I can recommend upgrading as soon as possible. Examine the existing alternatives (Windows 2000 Pro, XP Pro, Mac OS X, the various Linux desktop oriented distributions, the *BSDs), and find which one best fits your security and end user requirements.
Earthlink users targeted by phishing e-mail
In the last two days, two separate messages have been forwarded to the Handlers to look at. These show that there is a current scam running against Earthlink customers using the new %01 bug in Internet Explorer [9]. The message states that the user's credit card could not be billed and that new information needs to be entered. By using the %01 exploit, the link looks fairly legitimate to Internet Explorer users.
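The %01 scam above and the ISS filter described in the Dec 24 entry (strip the hostile part of the URL, show the real destination) both come down to one check on the link: a hostname-looking userinfo part, cut off by an encoded control character, placed before the '@' so IE displays the fake name while connecting to the host after it. The following detector is an added example, not the ISS tool or the diary's code; the sample links use documentation names and addresses and are constructed:

```python
import re
from urllib.parse import unquote_to_bytes

# scheme://authority[rest]; the authority may carry 'userinfo@' before the host.
URL_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<authority>[^/?#]*)(?P<rest>.*)$")


def split_authority(authority):
    """Browsers take the host from after the LAST '@'; everything before it
    is userinfo. IPv6 literals are not handled (assumption for brevity)."""
    if "@" in authority:
        userinfo, _, hostport = authority.rpartition("@")
        return userinfo, hostport
    return None, authority


def analyse_url(url):
    """Classify a link as ok / warn / block and report the host that would
    really be contacted and the text a vulnerable IE address bar would show."""
    m = URL_RE.match(url)
    if not m:
        return {"verdict": "not-a-url", "real_host": None, "displayed_as": None}
    userinfo, hostport = split_authority(m.group("authority"))
    real_host = hostport.split(":", 1)[0].lower()
    if userinfo is None:
        return {"verdict": "ok", "real_host": real_host, "displayed_as": real_host}
    raw = unquote_to_bytes(userinfo)           # decodes %01 and friends to bytes
    cut = next((i for i, b in enumerate(raw) if b < 0x20 or b == 0x7F), len(raw))
    displayed = raw[:cut].decode("latin-1")    # text up to the first control byte
    if cut < len(raw):
        verdict = "block"    # control byte in userinfo: the %01 display-truncation trick
    elif "." in displayed:
        verdict = "block"    # userinfo that reads like a hostname: plain user@host spoof
    else:
        verdict = "warn"     # real credentials in a link: unusual in mail, review it
    return {"verdict": verdict, "real_host": real_host, "displayed_as": displayed}


def reveal_real_target(url):
    """Rewrite the link without its userinfo part so the host a user would
    actually reach is the one they see (a proxy-side alternative to blocking)."""
    m = URL_RE.match(url)
    if not m:
        return url
    _, hostport = split_authority(m.group("authority"))
    return "%s://%s%s" % (m.group("scheme"), hostport, m.group("rest"))


if __name__ == "__main__":
    # Constructed samples: documentation names/addresses, no real phishing URL.
    for u in ("https://www.example.com/login",
              "http://www.example-bank.com%01@203.0.113.5/update.html",
              "http://www.example-bank.com@203.0.113.5/",
              "ftp://anonymous@ftp.example.com/pub/"):
        r = analyse_url(u)
        print("%-6s shown as %-22s really %-16s %s"
              % (r["verdict"], r["displayed_as"], r["real_host"], u))
```

The "warn" class is a heuristic: legitimate credentials in a link are rare in mail but not impossible, so a gateway would log rather than drop those.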
Handler On Duty, Davis Ray Sickmon, Jr - Midnight Ryder Technologies (http://www.midnightryder.com)
[1] http://www.cnn.com/2003/US/12/21/threat.level/index.html
[2] http://msnbc.msn.com/id/3660516/
[3] Taken from: http://communities.microsoft.com/newsgroups/previewFrame.asp? -
ICP=msdn&;sLCID=us&;sgroupURL=microsoft.public.msdn.general&;s -
MessageID=%253C%2523G%2524kYOpuDHA.2464@TK2MSFTNGP12.phx.gbl%253E
(Note: Link broken into parts. Sorry, word wrap messes up badly here!)
[4] http://h18001.www1.hp.com/partners/microsoft/98-n-nt-retire.html
[5] http://www.eweek.com/article2/0,4149,1410084,00.asp
[6] http://isc.sans.org/port_details.html?port=6129
[7] http://www.securiteam.com/windowsntfocus/6N00B1P95I.html
[8] http://seclists.org/lists/fulldisclosure/2003/Dec/0617.html
[9] http://www.secunia.com/advisories/10395/
The Department of Homeland Security raised the alert level to Orange (High)
today[1]. No CyberSecurity threats were mentioned, but, it's worth mentioning on here as a heads-up.
Scans for DameWare exploit
There's been an increase in DameWare (port 6129)[6] scans due to semi-recent vulnerabilities discovered in DameWare Mini-RC[7]. There's also an exploit floating around that was released the 16th that could be a factor[8]. If you are running DameWare, be sure to get patched up to current.
MSFT retiring olders Software
Microsoft is retiring[2] (and removing support for) quite a few items:
- Office XP Developer
- Visio 2000
- BackOffice Server 2000
- Office 2000 Developer, Tools, Multilingual, Premium SR-1, and Service Pack 2
- Outlook 2000
- Project 2000
- SQL Server 7, and Service Pack 3
- Embedded Visual Tools 3.0
- Visual Studio 6 MSDE
- IE 5.5
- MapPoint 2002
- Visual Studio 6.0 SP3 and SP5
- Windows 98, 98 Y2K, 98 Resource Kit, 98 SP1 (all win98 except SE)
- Windows NT 4.0
- ISA Server 2000
- Visual Basic for (Alpha Systems)[3]
This came into effect Dec 15th, 2003. Windows 98 and Windows NT 4.0 were already retired from OEM shipping in June 2002[4].
Unfortunately, according to a survey by eWeek, 80% of the companies surveyed were still making use of Windows 98 and Windows 95[5]. Microsoft will consider these products obsolete after January 16th, 2004 and will no longer support the entire Windows 98 line (including SE). Windows NT was already removed from support in 2002.
From a security standpoint, it's time to move away from the product versions listed above. Without support, these systems are a security threat that grows over time: the longer they are on your network, the more exploits will be found for them, and there will never be a Service Pack, patch or hotfix to cure the vulnerabilities. Putting a firewall between your existing Windows 98 / NT 4.0 machine pool and the Internet is also not enough in many cases.
While as the Handler On Duty I will not make recommendations as to which products to upgrade to, I can recommend upgrading as soon as possible. Examine the existing alternatives (Windows 2000 Pro, XP Pro, Mac OS X, the various desktop-oriented Linux distributions, the *BSDs) and find the one that best fits your security and end-user requirements.
Earthlink users targeted by phishing e-mail
In the last two days, two separate messages have been forwarded to the Handlers to look at. These show that there is a current scam running against Earthlink customers using the new %01 bug in Internet Explorer[9]. The message states that the user's credit card could not be billed, and that new information needs to be entered. By using the %01 exploit, it looks fairly legitimate to Internet Explorer users.
Handler On Duty, Davis Ray Sickmon, Jr - Midnight Ryder Technologies (http://www.midnightryder.com)
[1] http://www.cnn.com/2003/US/12/21/threat.level/index.html
[2] http://msnbc.msn.com/id/3660516/
[3] Taken from: http://communities.microsoft.com/newsgroups/previewFrame.asp?ICP=msdn&sLCID=us&sgroupURL=microsoft.public.msdn.general&sMessageID=%253C%2523G%2524kYOpuDHA.2464@TK2MSFTNGP12.phx.gbl%253E
[4] http://h18001.www1.hp.com/partners/microsoft/98-n-nt-retire.html
[5] http://www.eweek.com/article2/0,4149,1410084,00.asp
[6] http://isc.sans.org/port_details.html?port=6129
[7] http://www.securiteam.com/windowsntfocus/6N00B1P95I.html
[8] http://seclists.org/lists/fulldisclosure/2003/Dec/0617.html
[9] http://www.secunia.com/advisories/10395/
Published: 2003-12-20
A possible first example of user interface exploits in Internet Explorer; Holiday gift-giving
An email recently sent to the handlers[at]sans[dot]org group has possibly described a first instance of an attempt to overwrite the address bar in Internet Explorer with an image file: the image hides the true URL (or web page address) of the page an individual is visiting behind a false URL.
The exact mechanism by which this happens is still under investigation.
-----
As we are well into the biggest gift-giving season of the year, it is important to consider the effects of all those shiny, brand new computers that are soon to be unwrapped and connected to the Internet.
It is likely that many if not all of these computers will be running the Microsoft XP operating system, and that these will come out of the box with only minimal security and hardening enabled, at best.
If you know of someone who is about to receive a new computer, or if you have received one yourself, please, please read our new Windows XP survival guide,
"Windows XP: Surviving the First Day. (PDF)"
A link to this paper can be found at the bottom right of the Internet Storm Center home page (http://isc.sans.org) under the heading "ISC Analysis".
The specific link: http://isc.sans.org/presentations/xpsurvivalguide.pdf
Published: 2003-12-19
Non-Microsoft Patch available for IE bug
A patch was released at the OpenSoft website (security.openwares.org) related to the recently discovered IE URL spoofing vulnerability [1]. This patch IS NOT an official patch released by Microsoft, and although it may fix the URL bug, it may also add some additional flaws to Internet Explorer.
According to a Full-Disclosure (FD) poster:
------------------------------------------
Openware.org IE fix introduces new flaws:
- The buffer to copy URLs is limited to 256 bytes
- Larger strings produce a buffer overflow, with possibility to overwrite the stack.
-------------------------------------------
This patch should be handled with extreme care to avoid future problems.
Please note that Microsoft has not yet released an official patch for this
vulnerability.
Another patch for the IE vulnerability was released by Abracadabra Solutions [2], called UrlFilter.
No vulnerability in this patch has been publicly disclosed, but users should be warned that this is not an official Microsoft patch.
Some info about this Microsoft IE vulnerability can be found at [3].
References:
1- http://www.secunia.com/advisories/10395/
2- http://www.abracadabrasolutions.com/UrlFilter.htm
3- http://www.securityfocus.com/archive/1/346948
----------------------------------------------------
Handler on duty: Pedro Bueno (bueno@ieee.org)
Published: 2003-12-18
Bounced emails with viral attachments
Users have been reporting a rise in bounced email messages with virus attachments. This may indicate a rise in machines infected with a Mimail.*-style worm.
I should stress the importance of properly configuring your Anti-Virus Gateway to strip attachments on bounced mail messages.
Your users should be informed (yet again :-) not to click on an attachment in a bounced email message, especially if they did not send it out to begin with.
A couple of messages that were reported matched the file names associated with Mimail.E. For more on Mimail, see the references below:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.e@mm.html
http://www.sophos.com/virusinfo/analyses/w32mimaile.html
We have also noticed an upswing in both 53/UDP (possibly a gradual increase in Sinit/Calypso traffic) as well as 2234/TCP (DirectPlay). Are all the gamers fragging tonight, or is something else lurking?
Port 53/UDP traffic:
http://isc.sans.org/port_details.html?port=53
Port 2234/TCP traffic:
http://isc.sans.org/port_details.html?port=2234
For more on Sinit/Calypso, see the recent Handlers diary: http://isc.sans.org/diary.html?date=2003-12-16
---------
Handler on Duty: Mike Poor http://www.digitalguardian.net
Published: 2003-12-17
h00d IRC bot, localhost port 80 traffic
mIRC-based IRC bot "h00d.exe"
A user reported a mIRC-based IRC bot. McAfee identified the trojan as 'IRC/Flood.cd.dr'. The filename of the listener was 'h00d.exe' and the trojan was found in C:\winnt\system32\have\h00d.exe. A number of other files were found in the same directory.
As is typical for this class of malware, the trojan connected to an IRC channel for remote control. The IRC server involved no longer appears to be active.
'localhost' Port 80 Traffic
Brian Coyle suggested on our 'Intrusions' list that the port 80 traffic from 'localhost' is a side effect of the Blaster worm and the countermeasures against it.
Some ISPs still resolve 'windowsupdate.com' to '127.0.0.1'. Blaster-infected systems will attempt to participate in the DDoS against this site. This DDoS uses spoofed packets: the host sends a spoofed packet to 127.0.0.1 (that is, itself), and this packet generates a RST/ACK packet to the spoofed address.
The host whose address was spoofed will receive this packet if it is not dropped by egress/ingress filters.
It is recommended to remove the windowsupdate.com entry pointing at 127.0.0.1 from your DNS, and in addition egress/ingress filters should be applied so that traffic from 'localhost' can neither leave nor enter your network.
Published: 2003-12-16
Recent spike in port 53 activity
Although there has been a steady increase in activity on port 53 over the past several months, the ISC monitored an enormous spike in activity on 12/15/2003.
See:
http://isc.sans.org/port_details.html?port=53
Earlier investigations into the source of strange port 53 traffic led to a trojan known as W32/Calypso (AKA: BackDoor-BAM, BackDoor.Calypso, Backdoor.Sinit, Bck/Initsvc.B, BKDR_CALYPS.A, Trojan.Apolyps, Trojan.FakeSvc.A, Win-Trojan/Calypso.58880).
In controlled infections, the Calypso trojan has been seen to connect to seemingly random IP addresses using a UDP datagram sent to port 53. This activity is believed to be an attempt to connect in a peer-to-peer fashion with other Calypso trojans. The packet itself simply appears to contain a malformed DNS query. When the trojan randomly hits a real DNS server, the server may reply with an error message. When it contacts another infected host, however, an information exchange takes place, including a sharing of IP addresses of other infected hosts. This appears to be a network map synchronization to maintain complete awareness of the network amongst all hosts.
While the ISC data indicates a large spike in records submitted to DShield, there is not an equally large spike in sources or targets, indicating that the malware responsible for this scanning may have changed tactics. One possible explanation is that the p2p component of the Calypso trojan may be seeing increased usage.
See http://www.lurhq.com/sinit.html for an excellent analysis of the Calypso trojan and p2p network.
Please monitor your networks for any outgoing port 53 packets that match the following BPF:
dst port 53 and (udp[8] = 1 and (udp[12:2] > 1000 or udp[14:2] > 1000 or udp[16:2] > 1000 or udp[18:2] > 1000 or udp[10:4] = 0))
and report any traffic that matches to the ISC Handlers immediately ( http://isc.sans.org/contact.html ). Also, be aware that if you find a compromised host on your network, the ISC recommends a complete "bare metal" re-install due to the fact that the trojan has a back-door component.
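The BPF above reads as raw byte offsets. As an added example (mine, not from the ISC diary or the Lurhq analysis), the Python below re-implements the same predicate over raw UDP datagrams, naming each offset as the DNS header field it addresses, and runs it over constructed samples: an ordinary query, a Sinit-style datagram as the filter describes it, and two controls that must not match.

```python
"""Host-side equivalent of the ISC Sinit/Calypso BPF expression.

Added example (not from the ISC diary). It re-implements the published filter

    dst port 53 and (udp[8] = 1 and (udp[12:2] > 1000 or udp[14:2] > 1000
                     or udp[16:2] > 1000 or udp[18:2] > 1000 or udp[10:4] = 0))

over raw UDP datagrams. BPF's udp[N] indexes from the start of the UDP header,
so after the 8-byte UDP header udp[8] is the first byte of the DNS header.
"""
import struct

UDP_HEADER_LEN = 8
COUNT_THRESHOLD = 1000          # the filter's "> 1000" on the four DNS section counts


def parse_udp(datagram):
    """Split a UDP datagram (header + payload) into its header fields and payload."""
    if len(datagram) < UDP_HEADER_LEN:
        raise ValueError("datagram shorter than a UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    return {"sport": sport, "dport": dport, "length": length, "checksum": checksum,
            "payload": datagram[UDP_HEADER_LEN:]}


def matches_sinit_bpf(datagram):
    """True when the datagram satisfies the ISC filter.

    udp[8]     -> payload[0]     high byte of the DNS transaction ID
    udp[10:4]  -> payload[2:6]   DNS flags + QDCOUNT read as one 32-bit value
    udp[12:2]  -> payload[4:6]   QDCOUNT     udp[14:2] -> payload[6:8]   ANCOUNT
    udp[16:2]  -> payload[8:10]  NSCOUNT     udp[18:2] -> payload[10:12] ARCOUNT
    """
    udp = parse_udp(datagram)
    if udp["dport"] != 53:
        return False
    payload = udp["payload"]
    if len(payload) < 12:       # BPF's bounds check fails: the packet cannot match
        return False
    if payload[0] != 1:         # udp[8] = 1
        return False
    flags_and_qdcount = struct.unpack("!I", payload[2:6])[0]        # udp[10:4]
    qd, an, ns, ar = struct.unpack("!HHHH", payload[4:12])          # udp[12:2]..udp[18:2]
    return (qd > COUNT_THRESHOLD or an > COUNT_THRESHOLD or ns > COUNT_THRESHOLD
            or ar > COUNT_THRESHOLD or flags_and_qdcount == 0)


def build_udp(sport, dport, payload):
    """Assemble a UDP datagram; the checksum is left at zero (fine for offline tests)."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


def dns_header(txid, flags, qd, an, ns, ar):
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


# Constructed samples, not captured traffic.
# 1) Ordinary recursive query for www.sans.org: ID 0x01ab, RD flag set, QDCOUNT=1.
#    Its ID happens to start with 0x01, which shows the filter needs more than udp[8].
NORMAL_QUERY = build_udp(40000, 53, dns_header(0x01AB, 0x0100, 1, 0, 0, 0)
                         + b"\x03www\x04sans\x03org\x00\x00\x01\x00\x01")
# 2) Sinit-style datagram as the filter describes it: ID high byte 1 and
#    flags + QDCOUNT both zero (udp[10:4] = 0), followed by opaque peer data.
SINIT_LIKE = build_udp(1234, 53, dns_header(0x0100, 0x0000, 0, 0, 0, 0) + b"\x00" * 20)
# 3) Same header sent to port 80: the "dst port 53" clause rejects it.
WRONG_PORT = build_udp(1234, 80, dns_header(0x0100, 0x0000, 0, 0, 0, 0))
# 4) ID high byte 1 with an absurd ANCOUNT: caught by the "> 1000" clause.
HUGE_COUNT = build_udp(1234, 53, dns_header(0x0142, 0x0100, 1, 5000, 0, 0))

SAMPLES = {"normal_query": NORMAL_QUERY, "sinit_like": SINIT_LIKE,
           "wrong_port": WRONG_PORT, "huge_count": HUGE_COUNT}


def classify(samples):
    """Map each sample name to whether the filter would have reported it."""
    return {name: matches_sinit_bpf(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name:13s} {'MATCH -> report to ISC' if hit else 'no match'}")
```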
George Bakos of Dartmouth’s Institute for Security Technology Studies contributed a great deal of information to this diary. George has a page that details the study of Calypso traffic during the month of October:
http://people.ists.dartmouth.edu/~gbakos/bindsweep/
----------------
Handler on Duty: Tom Liston LaBrea Technologies ( http://www.labreatechnologies.com )
Published: 2003-12-15
The Beast
A new version of "The Beast", a Remote Administration Tool (aka backdoor), is believed to be in use on the net.
According to the help document, the author offers a "private" version of Beast 2.05. It is not released to the public but is instead compiled specifically for the person who pays the author 120 euro. It differs from the public version, and this private version should not be picked up by signature-based antivirus software.
The default listen port is 6666 and the port for its outbound connections is 9999. The 'server' calls itself svchost.exe. It can be remotely controlled either in a listening mode or in a "reverse mode"; in reverse mode, once installed, it connects out to a server. Many firewalls allow outbound connections from the inside of the network, and in such a network "The Beast" can bypass the firewall by opening the outbound connection to its server.
New functions: it can inject a DLL of itself into Internet Explorer, Explorer or Notepad. This allows it to hide from process-listing type applications.
A good writeup on the new version can be viewed here
http://www.nsclean.com/psc-bst.html
Published: 2003-12-14
Increase in udp/24585 Activity
Increase in udp/24585
In the past 24 hours we've seen increased activity on udp/24585 ( http://isc.sans.org/port_details.html?port=24585 ). This is under observation, more to follow if anything develops. If you are seeing this activity and can grab a full packet, please forward it to http://isc.sans.org/contact.html .
Handler on Duty: Marcus H. Sachs
Published: 2003-12-12
Port 10 traffic; 139 & 1433 report; DCE RPC Vectors
Port 10 Traffic
We do see a steep increase in the number of hosts probed on port 10. While only a few sources participate, the number of hosts probed is very large.
At this point, we do not know what these probes try to accomplish.
http://www.dshield.org/port_report.php?port=10
139 and 1433
ISS raised its AlertCON to '2' (from 1) due to reports of an increase in port 139 and 1433 scans. We do not see a significant global increase. In our opinion, a scan for weak MSSQL passwords with a file-sharing component (e.g. like 'SQLSnake') could be a possible reason.
DCE RPC Vectors
Core Security Technologies published a paper outlining various ways to exploit DCE RPC DCOM via different vectors. This paper is another reminder that just blocking port 135 is not enough to protect your systems. Patching is the only real solution, and firewall rules should be applied to all unsolicited inbound traffic if possible.
http://www.coresecurity.com/common/showdoc.php?idx=393&idxseccion=10
Port 53 update
Earlier this week, Lurhq posted an analysis of a particular Trojan which uses malformed 'DNS' queries to communicate:
http://www.lurhq.com/sinit.html
Published: 2003-12-11
Port 20168, Windows Update Virus.
(Our mail server was removed from SpamCop's blocklist as of this afternoon. Mail should be flowing again. Thanks for everyone's patience. If you have any issues, please notify noc_at_sans.org.)
Port 20168 Traffic
Given a recent discussion on our Intrusions list, spikes in traffic to this port can be attributed to a worm which uses this port for tftp file transfers of the worm code. If you see excessive traffic on this port, you may have an infected system on your network.
Windows Update Virus
We received several reports about a new version of a Windows update virus. Like previous similar viruses, this one claims to come from Microsoft and includes a zip file users are asked to execute. In particular, as many filters do not strip zip files, you may want to remind users that Microsoft will never distribute patches via e-mail.
Internet Explorer URL obfuscation
A somewhat more advanced version of URL obfuscation in Internet Explorer is actively used in 'phishing' e-mails. See yesterday's webcast slides for details: http://www.sans.org/webcasts/show.php?webcastid=90481 . The vulnerability uses non-printable characters to hide the real URL. Instead, the user will only see the username/password part, which may look like a valid URL. E.g.:
http://somefakebankingsite.com%01@www.sans.org/index.php
A sample can be found at http://www.zapthedingbat.com
While this exploit will not execute any code, it is easily used to aid in cognitive hacking. These prefixes can be used with secure sites as well, e.g.:
https://somefakebankingsite.com%01@store.sans.org/index.php
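A mail gateway or analyst can take such a link apart with the standard URL grammar: everything before the last '@' in the authority is userinfo, and the host is what follows it. The checker below is an added example (mine, not from the ISC diary) that reports the host a browser will really connect to and flags a userinfo part hiding control characters such as %01, or one that simply reads like a domain name; it generalises beyond the %01 variant to any decoy userinfo. The two spoofed URLs are the diary's own examples, the other sample links are constructed.

```python
"""Where does a userinfo-spoofed IE link really go?

Added example, not from the ISC diary: a defender-side checker for links
pulled out of mail. It reports the host a browser will actually connect to
and flags a userinfo part that hides control characters (the %01 trick) or
that reads like a domain name. The two spoofed URLs are the diary's own
examples; the remaining sample links are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# A userinfo that on its own looks like a registered domain name is the tell.
HOSTNAME_LIKE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}$", re.IGNORECASE)


def analyze_url(url):
    """Return the real host plus indicators for the userinfo-based spoof."""
    parts = urlsplit(url)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:                         # no userinfo: the whole netloc is host[:port]
        userinfo, hostport = "", parts.netloc
    real_host = hostport.partition(":")[0].lower()
    decoded = unquote(userinfo)        # %01 becomes the raw control character
    visible = "".join(ch for ch in decoded if " " <= ch < "\x7f")
    has_control = visible != decoded
    looks_like_host = bool(HOSTNAME_LIKE.match(visible))
    return {
        "scheme": parts.scheme,
        "real_host": real_host,
        "shown_as": visible,           # what the address bar was made to display
        "has_control_chars": has_control,
        "userinfo_looks_like_host": looks_like_host,
        "suspicious": has_control or looks_like_host,
    }


def flag_links(urls):
    """Reduce a list of links to the ones that deserve quarantine or review."""
    return [u for u in urls if analyze_url(u)["suspicious"]]


SAMPLE_LINKS = [
    "http://somefakebankingsite.com%01@www.sans.org/index.php",     # from the diary
    "https://somefakebankingsite.com%01@store.sans.org/index.php",  # from the diary
    "http://www.sans.org/index.php",                                # constructed, benign
    "http://user:secret@intranet.example:8080/report",              # constructed: real credentials, not a spoof
    "http://www.example.com@203.0.113.10/login",                    # constructed: no %01, still a decoy
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        info = analyze_url(link)
        verdict = "SUSPECT" if info["suspicious"] else "ok     "
        print(f"{verdict} real host={info['real_host']:18s} shown as={info['shown_as']!r}")
```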
Ports of Interest
* Small spike in 554 (RealServer). Looks like a small number of sources performing widespread scans for vulnerable Real Servers. We are seeing this ever since the release of a related exploit.
* Port 53 shows the onset of another widespread scanning cycle from multiple sources. This is expected to resemble the traffic from 2 weeks ago.
* Port 25 shows an increase in the number of sources scanning for it. Maybe a trojaned bot herd looking for open relays.
Please use your contact form at http://isc.sans.org/contact.html for feedback.
Published: 2003-12-09
No Microsoft patches for December
Microsoft announced today that there will be no security bulletins for December.
Microsoft announcement:
http://www.microsoft.com/technet/security/default.asp
Microsoft policy announcement:
http://www.microsoft.com/technet/security/bulletin/revsbwp.asp
Published: 2003-12-07
Port 80 traffic: Sources Increase
The number of sources which scan for port 80 has been increasing. Please take a look at your web logs to check for any unusual activity.
http://isc.sans.org/port_details.html?port=80
The number of sources scanning a specific port is usually a very sensitive indicator for new self-propagating attacks. Given the significant background noise from older worms (Code Red, Nimda, Nachi), it is not easy to spot a new attack.
Published: 2003-12-04
PopAdStop.com Scanning Component
For over a week, we had been tracking an increase in port 1026-1031 UDP traffic. More detailed investigation revealed a component in this traffic with the following characteristics:
(*) The payload consisted of two zero bytes
(*) A large number of sources participated in these scans
(*) the scans came from valid IPs, and the source port did not appear to be crafted.
This is different from most popup spam sent to this port: most popup spam is sent by only a small number of sources, and usually uses a fixed source port.
While popup spam in itself is not any more dangerous than e-mail spam, and is more of an annoyance, the large number of sources hinted that it is likely sent from unsuspecting exploited systems ("Zombies").
The connection with popup spam was made later, by allowing a honeypot to respond to the two byte probe. The result was an ad sent by the probing host.
PACKET DUMP (IP Addresses are obfuscated)
11:57:11.361783 IP w.x.y.z.1974 > a.b.c.d.1030: udp 2
0x0000 4500 001e c33d 0000 6a11 8094 wwxx yyzz E....=..j..
0x0010 aabb ccdd 07b6 0406 000a e720 0000 0000 ................
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
11:57:11.363913 IP 129.170.248.252.1030 > w.x.y.z.1974: udp 84
0x0000 4500 0070 0169 0000 8011 2c17 aabb ccdd E..p.i....,.....
0x0010 wwxx yyzz 0406 07b6 005c aa23 0406 0000
0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 52f7 c93f 0000 0000 0000 0000 ....R..?........
0x0060 0000 0000 0000 0400 0000 0000 0800 001c ................
11:57:11.477413 IP w.x.y.z.1975 > 129.170.248.252.1026: udp 519
0x0000 4500 0223 c350 0000 6a11 7e7c wwxx yyzz E..#.P..j.
0x0010 aabb ccdd 07b7 0402 020f 43b2 0400 0800 ..........C.....
0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
0x0040 4fb6 e6fc 82f5 b0ec e32c 41ec 173c 5a07 O........,A..Z
0x0050 dee7 8629 0000 0000 0100 0000 0000 0000 ...)............
0x0060 0000 ffff ffff b701 0000 0000 1400 0000 ................
0x0070 0000 0000 1400 0000 5757 572e 504f 5041 ........WWW.POPA
0x0080 4453 544f 502e 434f 4d00 0000 1400 0000 DSTOP.COM.......
0x0090 0000 0000 1400 0000 554e 5345 4355 5245 ........UNSECURE
0x00a0 4420 434f 4d50 5554 4552 0000 6b01 0000 D.COMPUTER..k...
0x00b0 0000 0000 6b01 0000 5055 424c 4943 2053 ....k...PUBLIC.S
0x00c0 4552 5649 4345 2041 4e4e 4f55 4e43 454d ERVICE.ANNOUNCEM
0x00d0 454e 543a 0d0a 0d0a 0d0a 594f 5552 2043 ENT:......YOUR.C
0x00e0 4f4d 5055 5445 5220 4953 204e 4f54 2053 OMPUTER.IS.NOT.S
0x00f0 4543 5552 4544 2041 4741 494e 5354 2050 ECURED.AGAINST.P
0x0100 4f50 2d55 5053 2121 210d 0a0d 0a0d 0a44 OP-UPS!!!......D
0x0110 4f4e 2754 2053 5045 4e44 2041 4e59 204d ON'T.SPEND.ANY.M
0x0120 4f4e 4559 2046 4f52 2041 4e59 2050 4f50 ONEY.FOR.ANY.POP
0x0130 2d55 5020 424c 4f43 4b45 5221 0d0a 0d0a -UP.BLOCKER!....
0x0140 4765 7420 6f75 7273 2066 6f72 2046 5245 Get.ours.for.FRE
0x0150 4521 2121 0d0a 0d0a 5965 7320 7468 6174 E!!!....Yes.that
0x0160 2773 2072 6967 6874 2c20 5354 4f50 2050 's.right,.STOP.P
0x0170 6f70 2d55 7020 6164 7320 666f 7220 4652 op-Up.ads.for.FR
0x0180 4545 2121 210d 0a0d 0a0d 0a0d 0a20 2020 EE!!!...........
0x0190 2020 2020 2020 2020 2020 2a20 2a20 2a20 ..........*.*.*.
0x01a0 2020 2020 444f 204e 4f54 2043 4c49 434b ....DO.NOT.CLICK
0x01b0 2022 4f4b 2220 4245 464f 5245 2047 4f49 .
0x01c0 4e47 2054 4f20 4f55 5220 5745 4253 4954 NG.TO.OUR.WEBSIT
0x01d0 4520 2020 2020 2a20 2a20 2a0d 0a0d 0a4f E.....*.*.*....O
0x01e0 6e20 796f 7572 2077 6562 2062 726f 7773 n.your.web.brows
0x01f0 6572 2773 2061 6464 7265 7373 2062 6172 er's.address.bar
0x0200 2c20 5459 5045 2049 4e3a 2020 2020 2077 ,.TYPE.IN:.....w
0x0210 7777 2e50 6f70 4164 5374 6f70 2e63 6f6d ww.PopAdStop.com
0x0220 0d0a 00 ...
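As an added example (not part of the diary), the following Python decoder shows how a defender can classify the two kinds of datagrams in the capture above: the two-zero-byte probe, and the DCE/RPC connectionless request to the Windows Messenger service whose NDR strings carry the sender ("WWW.POPADSTOP.COM"), the recipient ("UNSECURED COMPUTER") and the ad text. It assumes little-endian data representation (drep 0x10, as in the dump) and the interface UUID read from bytes 0x34-0x43 of the third packet; the sample request is constructed here, not copied from the capture.

```python
import struct
import uuid

# Interface UUID of the Messenger service (msgsvc), as carried in the captured
# request: bytes f8917b5a-00ff-d011-a9b2-00c04fb6e6fc in little-endian order.
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")


def read_ndr_string(buf, pos):
    """Read one NDR conformant/varying string: max_count, offset, actual_count, chars."""
    max_count, offset, actual = struct.unpack_from("<III", buf, pos)
    pos += 12
    raw = buf[pos:pos + actual]
    text = raw.split(b"\x00", 1)[0].decode("latin-1")  # drop terminator and padding
    pos += (actual + 3) & ~3                            # data is 4-byte aligned
    return text, pos


def decode_msgsvc_payload(payload):
    """Classify a UDP payload seen on ports 1026-1031 as probe, pop-up ad, other RPC, or other."""
    if payload == b"\x00\x00":
        return {"kind": "probe"}
    if len(payload) < 80 or payload[0] != 4:  # DCE/RPC connectionless header is 80 bytes, version 4
        return {"kind": "other"}
    ptype = payload[1]                        # 0 = request
    if_id = uuid.UUID(bytes_le=payload[24:40])
    opnum, = struct.unpack_from("<H", payload, 68)
    if ptype != 0 or if_id != MSGSVC_UUID:
        return {"kind": "rpc", "interface": str(if_id), "ptype": ptype}
    pos = 80                                  # stub data follows the header
    sender, pos = read_ndr_string(payload, pos)
    recipient, pos = read_ndr_string(payload, pos)
    body, pos = read_ndr_string(payload, pos)
    return {"kind": "popup", "opnum": opnum, "from": sender, "to": recipient, "body": body}


def build_sample():
    """Constructed Messenger-service request with the same layout as the captured ad."""
    def ndr_string(s):
        data = s.encode("latin-1") + b"\x00"
        data += b"\x00" * (-len(data) % 4)
        return struct.pack("<III", len(data), 0, len(data)) + data

    stub = (ndr_string("WWW.POPADSTOP.COM") + ndr_string("UNSECURED COMPUTER")
            + ndr_string("PUBLIC SERVICE ANNOUNCEMENT: sample body (constructed)"))
    hdr = struct.pack("<BBBB3sB", 4, 0, 0x08, 0, b"\x10\x00\x00", 0)   # ver, ptype, flags, drep
    hdr += bytes(16) + MSGSVC_UUID.bytes_le + uuid.uuid4().bytes_le    # object, interface, activity
    hdr += struct.pack("<IIIHHHHHBB", 0, 1, 0, 0, 0xFFFF, 0xFFFF, len(stub), 0, 0, 0)
    return hdr + stub
```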
The advertised site, "www.popadstop.com", does offer a program for download, which promises to stop future popup spam.
We downloaded the application and installed it in an isolated lab network. During install, the application checks for updates by requesting: www.neweststuff.com/versinfo.dat
Recent versions of the application do not show any further outbound traffic.
However, earlier versions of the application did start to send the typical two zero bytes and popup spam. We were provided the following trace from an infected system:
1. connection to popadstop.com, port 80 (http)
e.f.g.h 066.225.219.162 6 1485 80 88472 4249 17:27:21.5791
e.f.g.h 066.225.219.162 6 1486 80 15401 1203 17:27:27.9025
e.f.g.h 066.225.219.162 6 1489 80 4802 1159 17:28:16.9154
e.f.g.h 066.225.219.162 6 1490 80 1331056 25025 17:28:41.2205
e.f.g.h 066.225.219.162 6 1491 80 824 408 17:29:20.3522
2. connection to neweststuff.com, port 80 (http)
e.f.g.h 216.058.174.211 6 1492 80 746 410 17:29:20.4347
(snip one min)
3. scanning for port 1026-1030
e.f.g.h x.x.x.x 17 1528 1026 0 44 17:30:20.0967
e.f.g.h x.x.x.x 17 1529 1030 0 44 17:30:20.0979
e.f.g.h y.y.y.y 17 1528 1026 0 44 17:30:20.1787
e.f.g.h y.y.y.y 17 1529 1030 0 44 17:30:20.1790
Summary
An earlier version of the software distributed by PopAdStop did actively scan and send popup spam from unsuspecting users' systems.
Published: 2003-12-02
Port 1026-1031 update
This is an update for our prior diary (http://isc.sans.org/diary.html?date=2003-11-25).
We observed strong fluctuations in this traffic, indicating a central control mechanism. Based on feedback from sources of this traffic, we suspect that the traffic may be related to a popup-spam blocking application. Several users reported seeing the UDP traffic to port 1026-1031 after installing this software.
In our own testing, this software has not yet exhibited this behaviour.
This particular popup spam blocker is advertised via popup spam. So it would make sense for the application to use hosts on which it is installed to 'spread the message'.