Published: 2003-12-31

New Fraudulent email from MS; e-voting software co. compromised

Making the rounds today is another hoax, this time it is in the form of an HTML message being sent to "Commercial Customer" with the subject "last network security pack". Another reminder to all, Microsoft does not send updates in email form to users.
To verify the latest security news from Microsoft, information can be found at the following link.

Several news sources today are reporting the e-voting software company VoteHere, Inc. had been compromised in October, and is being investigated by the FBI. Reports are stating that the breach occurred during a period when an announced security patch had been delayed in being applied at VoteHere.




Published: 2003-12-30

Spammers attempt to defeat Bayesian filters; Malaysia terrorism warning; MSN Messenger worm

Over past weeks, Internet users have reported receiving high volumes of spam e-mail with random words at the bottom (in the text and/or HTML). This appears to be aimed at defeating Bayesian spam filters which are trained by users to detect spam mail and automatically classify it. The technique uses common dictionary words to increase the rate of false positives and cause Bayesian filters to start classifying legitimate mail as spam.


Malaysia CERT (Computer Emergency Response Team) has identified circulating e-mail that contains fraudulent terrorism warnings for people in Malaysia. The e-mail provides a link to learn more about the warning, but this link actually downloads and installs a trojan horse program. The trojan horse is similar to the recently discovered key logging trojan named "Backdoor.Tofger".

Given the nature of terrorism fears across the world, it is likely that this type of e-mail will surface again in the future.

More information on this incident, including the full text of the malicious e-mail, can be found at Malaysia CERT: http://www.mycert.mimos.my/advisory/MA-061.122003.html.

The story is also reported at ZDNet UK: http://news.zdnet.co.uk/internet/security/0,39020375,39118800,00.htm

Information on Backdoor.Tofger:


A new worm has been identified spreading through MSN Messenger clients. The worm propagates by sending a message to everyone in the contact list every 5 minutes. The message has a link to download itself. No destructive activity has been observed with the worm, however analysis is still underway. Widespread penetration of this virus could render a denial of service against MSN Messenger users. Further information can be at the Panda Software web site under "Jitux.A":


Published: 2003-12-28

quiet holiday weekend

No major new issues where brought to our attention over the last 24 hrs. Overall, it appears that due to holiday shutdowns, slightly less background activity of exciting infections was seen then usual.

The coming week may be your last chance to easily spot Welchia/Nachia infected systems. If an infected system is restarted after January 1st 2004, it will not activate the worm. This may provide an opening for Blaster to re-surface.


Published: 2003-12-26

Perl/Exploit SQLinject; Increased Activity on Port 1039

Perl/Exploit SQLinject
A fake exploit for phpBB is circulating on security related mailing lists. This exploit claims to take advantage of a SQL Injection vulnerability in phpBB. However, intsead of sending the exploit, the script will try and find a local phpBB user database and send it to a web site as part of the query string. Exploit code should always be treated with care. Fake exploits like this, which include backdoors and other hidden functions are quite common.

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=153818 http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100915 http://vil.nai.com/vil/content/v_100915.htm

Increased Activity on Port 1039

Starting on December 24th the activity on Port 1039 increased drastically. The normal daily traffic records for that port was consistantly under 1000. However on the 24th traffic jumped to the hundreds of thousands and the to millions on the 25th and 26th. As far as I can tell the port is used by Dell OMI service.
service also listens on Port 1037 and 1038. Traffic rose for port 1037 on the 22nd and 23rd and for port 1038 on the 24th before dropping back to normal. It maybe that hackers are looking for all the new Christmas presents. Just keep your eyes open and if you see anything, let us know.


System Lockdowns
As a reminder, don't forget to lock your systems down before putting them on the Internet. Family members and friends will be getting computers and many of them will have little to no experience using them. If you have time, give them a hand or at least point them in the right direction. The free Survival Guide found at http://www.sans.org/rr/papers/index.php?id=1298 is a great place to start. There is also a good guide found at http://www.cert.org/tech_tips/before_you_plug_in.html

Here's wishing you a safe Holiday Season
Lorna Hutcheson


Published: 2003-12-25

Merry Christmas

It's a quiet day. Is it the calm before the storm?

It seems to have been a quiet day on the Internet. Everyone must be setting up the new computers that they got under the Christmas tree.

I hope that all of you that did receive a new computer, have checked out "How to Survive the First Day" on the Sans web site at


I hope all of you have had a Merry Christmas.


Published: 2003-12-24

12/23/03 CitiBank/Visa Account Phishing, ISS IE URL Spoofing filter, Dameware scanning, Apple patch links

"Good will towards everyone"

A current Visa/CitiBank account phishing e-mail has been posted by CitiBank at


At the website select the
"Date: 12/23/03 Subject: Visa Security Update (report it)"
link where CitiBank has posted solid security recommendations and screenshots
of the phony e-mail and it's pop-up's.

Defeat Phishing E-mail URL spoofing - ISS's Internet Explorer URL Spoofing

Although there is not a Microsoft patch yet for the severe
vulnerability being actively exploited using Internet Explorer URL
obfuscation and html based "phishing" e-mails. But thanks to the super work
by Internet Security Systems I'll be giving family and acquaintences a
Holiday patch for the Microsoft Internet Explorer domain URL spoofing
vulnerability. And don't we all have family and acquaintances that need it.
The free Internet Security Systems tool is available at the following address:


"Microsoft Internet Explorer domain URL spoofing filter.

ISS has developed a tool that will plug-in to Internet Explorer and filter
hostile URLs that exploit this vulnerability. This tool is designed to strip
hostile redirection from URLs and send users to the legitimate URL, instead
of a rogue Web server."

Dameware - Port 6129 scanning

The number of "Sources" detected scanning Port 6129 is steadily increasing.
Since December 19th, the reported number of "sources" scanning Port 6129
has risen by one thousand systems. URL:
Apple Security Updates


Last Updated: 2003-12-22

Apple Security Updates

Article ID:61798

Created: 11/15/02

Modified: 12/22/03

Security Update 2003-12-19 for Mac OS X 10.2.8 "Jaguar" and Mac OS X 10.2.8

Security Update 2003-12-19 for Mac OS X 10.3.2 "Panther" and Mac OS X 10.3.2

Patrick Nolan


Published: 2003-12-23

IE URL Bug; Phishing Attacks; Port 6129 Remains High; Proper Incident Response


On the recent released of IE URL Bug [1], Microsoft has not yet released an official patch for this vulnerability. However, Microsoft has published an article on steps that you can take to help identify and to help protect yourself from spoofed websites and malicious hyperlinks.

It discusses steps you can take to help protect yourself from spoofed Web sites and malicious hyperlinks, including how to identify the URL of the current web page.

Phishing Attacks

There is an increasing trend in phishing attacks where a malicious attack will set up a website with malicious hyperlinks (exploiting the IE URL bug) and lure people to the malicious website (commonly technique is via email from a trusted source) and trick you to reveal your personal information such as credit card number, PIN and password. A recent one is the Earthlink case (http://isc.sans.org/diary.html?date=2003-12-21).

There is a good website that archive some of the known phishing attacks:

Port 6129 Remains High

Since 20 Dec 03, we see a spike in port 6129 (http://isc.sans.org/diary.html?date=2003-12-21). The scan on port 6129 remains to be high. This could be due to the recent dameware exploit.


Proper Incident Response

During this festive seasons, it is common that hackers will take this opportunity to break into systems. Should your systems unfortunately be compromised, proper incident response should be followed.

The following links will provide useful tips on proper incident handling/response.







1. http://www.zapthedingbat.com/security/ex01/vun1.htm

2. http://support.microsoft.com/?id=833786

3. http://www.microsoft.com/security/incident/spoof.asp

4. http://www.antiphishing.org/phishing_archive.htm

5. http://xforce.iss.net/xforce/alerts/id/159

6. http://isc.sans.org/diary.html?date=2003-12-21

7. http://www.fedcirc.gov/incidentResponse/index.html

8. http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

9. http://www.sans.org/rr/catindex.php?cat_id=27

10. http://www.cert.org/tech_tips/

11. https://store.sans.org/store_item.php?item=62


Published: 2003-12-22

New MassMailing Virus - Sober.C; Limit Exposure During Breaks; Upcoming Repeat Virus Outbreaks

New Mass-Mailing Virus - Sober.C

A new variant of the mass-mailing virus, Sober, has started spreading on the Internet over the weekend. As it sends email in German and English based on domain name of the infected computer, this poses a bit smarter social engineering tactics that we may see in the future. The links below are references to the virus from the major Antivirus vendors. More details can be be gathered from these reports.











Limiting Exposure During Holiday Breaks

As a last minute recommendation, please consider turning off non-critical computers during the holiday break. This limits the amount of exposure you may have while network and security personnel are away from the office.

Those in Academia are especially prone for having intrusions during this time of year due to their traditionally open environments. But corporate environments should also consider this as a prime time for internal threats.

Consider working on an appropriate policy concerning office computers (and other non critical systems) during extended breaks when you return from the holidays.


Upcoming Repeat Virus Outbreaks

In the next week, many families will add a new computer to their households. These computers may be fairly up to date with patches from OEMs, or may be horribly outdated. In the next few weeks, expect more virus activity originating from broadband connections. In January, much of this virus activity will move into SOHO and corporate environments via mobile users. Academic environments will be close behind as students return to campus with their new computers as well. So expect that Welchia(Nachi), Blaster, Sobig, Mimail, and many of the virii from 2003 to return to the limelight in the next few weeks.

Computing staff in the academic world should spend the first few days after the holiday finding an appropriate plan to allow these computers access to the network securely. If you have a method of deploying patches to your users without violating EULA of the common products on your campus, then start preparing for the moment when the ResNet users return to school.

In the Microsoft Windows world, It is recommended that in addition to the major service patch release for the Operating System available from


that you push for the following patches be installed before allowing on the campus network.



This would also be a good opportunity for educational opportunities concerning strong passwords, anti-virus software, and automated patching.
--- Scott Fendley


Published: 2003-12-21

Homeland Security Level Raised to Orange, increase in DameWare (port 6129) scans and exploit, Microsoft Retires Products (Including Windows 98), And Earthlink Users Being Targeted by Scam Using IE bug

DHS raises security level

The Department of Homeland Security raised the alert level to Orange (High)
today[1]. No CyberSecurity threats were mentioned, but, it's worth mentioning on here as a heads-up.

Scans for DameWare exploit

There's been an increase in DameWare (port 6129)[6] scans due to semi-recent vulnerabilities discovered in DameWare Mini-RC[7]. There's also an exploit floating around that was released the 16th that could be a factor[8]. If you are running DameWare, be sure to get patched up to current.

MSFT retiring olders Software

Microsoft is retiring[2] (and removing support for) quite a few items:

- Office XP Developer

- Visio 2000

- BackOffice Server 2000

- Office 2000 Developer, Tools, Multilingual, Premium SR-1, and Service Pack 2

- Outlook 2000

- Project 2000

- SQL Server 7, and Service Pack 3

- Embedded Visual Tools 3.0

- Visual Studio 6 MSDE

- IE 5.5

- MapPoint 2002

- Visual Studio 6.0 SP3 and SP5

- Windows 98, 98 Y2K, 98 Resource Kit, 98 SP1 (all win98 except SE)

- Windows NT 4.0

- ISA Server 2000

- Visual Basic for (Alpha Systems)[3]

This came into affect Dec 15th, 2003. Windows 98 and Windows NT 4.0 were already retired from OEM shipping in June 2002[4]

Unluckily, according to a survey by eWeek, 80% of the companies they surveyed still were making use of Windows 98 and Windows 95[5]. Microsoft will be considering these products obsolete after January 16th, 2004 and no longer continue support for the entire Windows 98 line (including SE). Windows NT was already removed from support in 2002.

From a security standpoint, it's time to move away from the product versions listed above. Without support, these are a security threat that continues to increase over time - the longer they are on your network, the more exploits that
will be found for these products that will never have a Service Pack, Patch, Or Hot Fix to cure the vulnerabilities. Putting a firewall between your existing Windows 98 / NT 4.0 machine pool and the Internet is also not enough in many cases.

While as the Handler On Duty I will not make recommendation as to what products to upgrade to, I can recommend upgrading as soon as possible. Examine the existing alternatives (Windows 2000 Pro, XP Pro, Mac OSX, the various Linux desktop oriented distributions, *BSD's), and find which one best fits your security and end user requirements best.

Earthlink users targeted by phishing e-mail

In the last two days, two separate messages have been forwarded to the Handlers to look at. These show that there is a current scam running against Earthlink customers using the new %01 bug in Internet Explorer[9]. The message states that the user's credit card was unabled to be billed, and that new information needs to be entered. By using the %01 exploit, it looks fairly legitimate to Internet Explorer users.

Handler On Duty, Davis Ray Sickmon, Jr - Midnight Ryder Technologies (http://www.midnightryder.com)

[1] http://www.cnn.com/2003/US/12/21/threat.level/index.html

[2] http://msnbc.msn.com/id/3660516/

[3] Taken from: http://communities.microsoft.com/newsgroups/previewFrame.asp? -
ICP=msdn&;sLCID=us&;sgroupURL=microsoft.public.msdn.general&;s -
(Note: Link broken into parts. Sorry, word wrap messes up badly here!)

[4] http://h18001.www1.hp.com/partners/microsoft/98-n-nt-retire.html

[5] http://www.eweek.com/article2/0,4149,1410084,00.asp

[6] http://isc.sans.org/port_details.html?port=6129

[7] http://www.securiteam.com/windowsntfocus/6N00B1P95I.html

[8] http://seclists.org/lists/fulldisclosure/2003/Dec/0617.html

[9] http://www.secunia.com/advisories/10395/


Published: 2003-12-20

A possible first example of user interface exploits in Internet Explorer; Holiday gift-giving

An email recently sent to the handlers[at]sans[dot]org group has possibly described a first instance of where an attempt is made to overwrite the address bar in Internet Explorer with an image file that hides the true URL (or web page address) that an individual is visiting with a false URL.

The exact mechanism by which this happens is still under investigation.


As we are well into the biggest gift-giving season of the year, it is important to consider the effects of all those shiny, brand new computers that are soon to be unwrapped and connected to the Internet.

It is likely that many if not all of these computers will be running the Microsoft XP operating system, and that these will come out of the box with only minimal security and hardening enabled, at best.

If you know of someone who is about to receive a new computer, or if you have received one yourself, please, please read our new Windows XP survival guide,
"Windows XP: Surviving the First Day. (PDF)"

A link to this paper can be found at the bottom right of the Internet Storm Center home page (http://isc.sans.org) under the heading "ISC Analysis".

The specific link: http://isc.sans.org/presentations/xpsurvivalguide.pdf


Published: 2003-12-19

Non-Microsoft Patch available for IE bug

A patch was released at the OpenSoft website (security.openwares.org)
related to the recently discovered IE URL Spoofing Vulnerability bug [1].

This patch IS NOT an official patch released by Microsoft, and although it
may fix the URL bug, it may also add some additional flaws to Internet

According to a FD poster:


Openware.org IE fix introduces new flaws :
- The buffer to copy URL's is limited to 256 bytes

- Larger strings produce a buffer overflow, with possibility to
overwrite the stack.


This patch should be handled with extreme care to avoid future problems.

Please note that Microsoft has not yet released an official patch for this

Another patch for the IE vulnerability was released by Abracadabra Solutions [2], called UrlFilter.
No vulnerability this patch has been publically disclosed, users should be warned that this is not an official Microsoft patch.

Some info about this Microsoft IE vulnerability can be found at [3].


1- http://www.secunia.com/advisories/10395/

2- http://www.abracadabrasolutions.com/UrlFilter.htm

3- http://www.securityfocus.com/archive/1/346948

Handler on duty: Pedro Bueno (bueno@ieee.org)


Published: 2003-12-18

Bounced emails with viral attachments

Users have been reporting a rise in bounced email messages with virus attachments. This may indicate a rise in machines infected with a MiMail.* style worm.

I should stress the importance of properly configuring your Anti-Virus Gateway to strip attachments on bounced mail messages.

Your users should be informed (yet again :-) not to click on an attachment in a bounced email message, especially if they did not send it out to begin with.

A couple of messages that were reported matched the file names associated with Mimail.E. For more on Mimail, see the references below:


We have also noticed an upswing in both 53/UDP (possibly a gradual increase in Sinit/Calpso traffic) as well as 2234/TCP (Directplay). Are all the gamers fragging tonight, or is something else lurking?

Port 53/UDP traffic:

Port 2234/TCP traffic:

For more on Sinit/Calypso, see the recent Handlers diary: http://isc.sans.org/diary.html?date=2003-12-16


Handler on Duty: Mike Poor http://www.digitalguardian.net


Published: 2003-12-17

h00d IRC bot, localhost port 80 traffic

mirc based irc bot "h00d.exe"

A user reported an mirc based irc bot. McAfee identified the trojan as 'IRC/Flood.cd.dr'. The filename
of the listener was 'h00d.exe' and the trojan was found in C:\winnt\system32\have\h00d.exe .

A number of other files where found in the same directory.

As typical for this class of malware, the trojan connected to an IRC channel for remote control. The IRC server involved does no longer appear to be active.
'localhost' Port 80 Traffic

Brian Coyle suggested on our 'Intrusions' list, that the port 80 traffic from 'localhost' is a side effect of the Blaster worm and counter measures.

Some ISPs still resolve 'windowsupdate.com' to ''. Blaster infected systems will attempt to participate in the DDOS against this side. This DDOS uses spoofed packets. The host will send a spoofed packet to (=itself). This packet will generate a RST/ACK packet to the spoofed address.

The host whose address was spoofed will receive this packet if it is not dropped by egress/ingress filters.

It is recommended to remove the windowsupdate.com domain, and in addition, respective egress/ingress filters should be applied to avoid traffic from 'localhost' to leave or enter your network.


Published: 2003-12-16

Recent spike in port 53 activity

Although there has been a steady increase in activity on port 53 activity over the past several months, the ISC monitored an enormous spike in activity on 12/15/2003.



Earlier investigations into the source of strange port 53 traffic lead to a trojan known as W32/Calypso (AKA: BackDoor-BAM, BackDoor.Calypso, Backdoor.Sinit, Bck/Initsvc.B, BKDR_CALYPS.A, Trojan.Apolyps, Trojan.FakeSvc.A, Win-Trojan/Calypso.58880).

In controlled infections, the Calypso trojan has been seen to connect to seemingly random IP addresses using a UDP datagram sent to port 53. This activity is believed to be an attempt to connect in a peer-to-peer fashion with other Calypso trojans. The packet itself simply appears to contain a malformed DNS query. When the trojan randomly hits a real DNS server, the server may reply with an error message. When it contacts another infected host, however, an information exchange takes place, including a sharing of IP addresses of other infected hosts. This appears to be a network map synchronization to maintain complete awareness of the network amongst all hosts.

While the ISC data indicates a large spike in records submitted to DShield, there is not an equally large spike in sources or targets, indicating that the malware responsible for this scanning may have changed tactics. One possible explanation is that the p2p component of the Calypso trojan may be seeing increased usage.

See http://www.lurhq.com/sinit.html for an excellent analysis of the Calypso
trojan and p2p network.

Please monitor your networks for any outgoing port 53 packets that match the following BPF:

dst port 53 and (udp[8] = 1 and (udp[12:2] > 1000 or udp[14:2] > 1000 or udp[16:2] > 1000 or udp[18:2] > 1000 or udp[10:4] = 0))

and report any traffic that matches to the ISC Handlers immediately
( http://isc.sans.org/contact.html ). Also, be aware that if you find a compromised host on your network, the ISC recommends a complete "bare metal" re-install due to the fact that the trojan has a back-door component.

George Bakos of Dartmouth’s Institute for Security Technology Studies contributed a great deal of information to this diary. George has a page that details the study of Calypso traffic during the month of October:



Handler on Duty: Tom Liston LaBrea Technologies ( http://www.labreatechnologies.com )


Published: 2003-12-15

The Beast

A new version of "The Beast" a Remote Administration Tool (aka backdoor) is believed to be in use on the net.

According to the help document the author offers a "private" version of Beast 2.05. It is not released to public, but instead is compiled specifically for the person who pays the author 120 euro. It is different from public version and this private version should not be picked up by antivirus signature based software.

The default listen port is 6666 and the port for its outbound connections is 9999. The 'server' calls itself svchost.exe. It can be remotely controlled either in a listening mode or in a "reverse mode". In the reverse mode once installed it connects to a server. Many firewalls allow connections from the inside of the network outbound in such a network "The Beast" can by pass the firewall by opening the outbound connection to its server.
New functions: It can do dll injection of itself into Internet Explorer, Explorer or Notepad. This allows it to hide itself from a show process type

A good writeup on the new version can be viewed here


Published: 2003-12-14

Increase in udp/24585 Activity

Increase in udp/24585

In the past 24 hours we've seen increased activity on udp/24585 ( http://isc.sans.org/port_details.html?port=24585 ). This is under observation, more to follow if anything develops. If you are seeing this activity and can grab a full packet, please forward it to http://isc.sans.org/contact.html .
Handler on Duty: Marcus H. Sachs


Published: 2003-12-12

Port 10 traffic; 139 &1433 report; DCE RPC Vectors

Port 10 Traffic

We do see a steep increase in number of hosts probed on port 10. While only a few sources participate, the number of hosts probes is very large.

At this point, we do not know what these probes try to accomplish.

139 and 1433

ISS raised its AlertCON to '2' (from 1) due to reports of an increase in port 139 and 1433 scans. We do not see a significant global increase. In our opinion, a scan for weak MSSQL passwords with file sharing component could be a possible reason. (e.g. like 'SQLSnake' ).

DCE RPC Vectors

Core Security technologies published a paper, outlining various ways to exploit DCE RPC DCOM via different vectors. This paper is another reminder that just blocking port 135 is not enough to protect your systems. Patching is the only real solutions, and firewall rules should be applied to all unsolicited inbound traffic if possible.

Port 53 update

Earlier this week, Lurhq posted an analysis of a particular Trojan, which uses malformated 'DNS' queries to communicate:


Published: 2003-12-11

Port 20168, Windows Update Virus.

(our mail server was removed from spamcops blocklist as of this afternoon. Mail should be flowing again. Thanks for everyone's patience. If you have any issues, please notify noc_at_sans.org )

Port 20168 Traffic

Given a recent discussion on our Intrusions list, spikes in traffic to this port can be attributed to a worm which uses this port for tftp file transfers of the worm code. If you see excessive traffic on this port, you may have an infected system on your network.

Windows Update Virus

We received several reports about a new version of a Windows update virus. Like previous similar viruses, this one claims to come from Microsoft and includes a zip file users are asked to execute. In particular as many filters do not strip zip files, you may remind users that Microsoft will never distribute patches via e-mail.

Internet Explorer URL obfuscation

A somewhat more advanced version of URL obfuscation in Internet Explorer is actively used in 'phishing' e-mails. See yesterdays webcast slides for details.
http://www.sans.org/webcasts/show.php?webcastid=90481 . The vulnerability
uses non-printable characters to hide the real URL. Instead, the user will only see the username/password part, which may look like a valid URL. E.g.:

A sample can be found at http://www.zapthedingbat.com

While this exploit will not execute any code, it is easily used to aid in cognitive hacking. These prefixes can be used with secure sites as well
(e.g. like in
https://somefakebankingsite.com%01@store.sans.org/index.php )
Ports of Interest

* Small spike in 554 (RealServer). Looks like a small number of sources performing widespread scans for vulnerable Real Servers. We are seeing this ever since the release of a related exploit.

* Port 53 shows the onset of another widespread scanning cycle from multiple sources. This is expected to resemble the traffic from 2 weeks ago.

* Port 25 shows an increase in number of sources scanning for it. Maybe a trojaned botherd looking for open relays
Please use your contact form at http://isc.sans.org/contact.html for feedback.


Published: 2003-12-09

No Microsoft patches for December

Microsoft announced today, that there will be no security bulletins for December.

Microsoft announcement:


Microsoft policy announcement:



Published: 2003-12-07

Port 80 traffic: Sources Increase

The number of sources which scan for port 80 have been increasing. Please take
a look at your web logs to check for any unusual activity.


The number of sources scanning a specific port is usually a very sensitive indicator for new self propagating attacks. Given the significant background
noise from older worms (Code Red, Nimda, Nachia), it is not easy to spot a new


Published: 2003-12-04

PopAdStop.com Scanning Component

For over a week, we had been tracking an increase in port 1026-1031 UDP traffic. More detailed investigation revealed a component in this traffic with the following characteristics:
(*) The payload consisted of two zero bytes

(*) A large number of sources participated in these scans

(*) the scans came from valid IPs, and the source port did not appear

to be crafted.
This is different from most popup spam sent to this port. Most popup spam is sent by only a small number of sources. And usually uses a fixed source port.
While popup spam in itself is not any more dangerous then e-mail spam, and more of an annoyance, the large number of sources hinted to

the fact that it is likely sent from unsuspecting exploited systems ("Zombies")
The connection with popup spam was made later, by allowing a honeypot to respond to the two byte probe. The result was an ad sent by the probing host.
PACKET DUMP (IP Addresses are obfuscated)

11:57:11.361783 IP w.x.y.z.1974 &;;;;;;;;;;gt; a.b.c.d.1030: udp 2
0x0000 4500 001e c33d 0000 6a11 8094 wwxx yyzz E....=..j..
0x0010 aabb ccdd 07b6 0406 000a e720 0000 0000 ................
0x0020 0000 0000 0000 0000 0000 0000 0000 ..............
11:57:11.363913 IP &;;;;;;;;;;gt; w.x.y.z.1974: udp 84
0x0000 4500 0070 0169 0000 8011 2c17 aabb ccdd E..p.i....,.....
0x0010 wwxx yyzz 0406 07b6 005c aa23 0406 0000
0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 52f7 c93f 0000 0000 0000 0000 ....R..?........
0x0060 0000 0000 0000 0400 0000 0000 0800 001c ................
11:57:11.477413 IP w.x.y.z.1975 &;;;;;;;;;;gt; udp 519
0x0000 4500 0223 c350 0000 6a11 7e7c wwxx yyzz E..#.P..j.
0x0010 aabb ccdd 07b7 0402 020f 43b2 0400 0800 ..........C.....
0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
0x0040 4fb6 e6fc 82f5 b0ec e32c 41ec 173c 5a07 O........,A..Z
0x0050 dee7 8629 0000 0000 0100 0000 0000 0000 ...)............
0x0060 0000 ffff ffff b701 0000 0000 1400 0000 ................
0x0070 0000 0000 1400 0000 5757 572e 504f 5041 ........WWW.POPA
0x0080 4453 544f 502e 434f 4d00 0000 1400 0000 DSTOP.COM.......
0x0090 0000 0000 1400 0000 554e 5345 4355 5245 ........UNSECURE
0x00a0 4420 434f 4d50 5554 4552 0000 6b01 0000 D.COMPUTER..k...
0x00b0 0000 0000 6b01 0000 5055 424c 4943 2053 ....k...PUBLIC.S
0x00c0 4552 5649 4345 2041 4e4e 4f55 4e43 454d ERVICE.ANNOUNCEM
0x00d0 454e 543a 0d0a 0d0a 0d0a 594f 5552 2043 ENT:......YOUR.C
0x00e0 4f4d 5055 5445 5220 4953 204e 4f54 2053 OMPUTER.IS.NOT.S
0x00f0 4543 5552 4544 2041 4741 494e 5354 2050 ECURED.AGAINST.P
0x0100 4f50 2d55 5053 2121 210d 0a0d 0a0d 0a44 OP-UPS!!!......D
0x0110 4f4e 2754 2053 5045 4e44 2041 4e59 204d ON'T.SPEND.ANY.M
0x0120 4f4e 4559 2046 4f52 2041 4e59 2050 4f50 ONEY.FOR.ANY.POP
0x0130 2d55 5020 424c 4f43 4b45 5221 0d0a 0d0a -UP.BLOCKER!....
0x0140 4765 7420 6f75 7273 2066 6f72 2046 5245 Get.ours.for.FRE
0x0150 4521 2121 0d0a 0d0a 5965 7320 7468 6174 E!!!....Yes.that
0x0160 2773 2072 6967 6874 2c20 5354 4f50 2050 's.right,.STOP.P
0x0170 6f70 2d55 7020 6164 7320 666f 7220 4652 op-Up.ads.for.FR
0x0180 4545 2121 210d 0a0d 0a0d 0a0d 0a20 2020 EE!!!...........
0x0190 2020 2020 2020 2020 2020 2a20 2a20 2a20 ..........*.*.*.
0x01a0 2020 2020 444f 204e 4f54 2043 4c49 434b ....DO.NOT.CLICK
0x01b0 2022 4f4b 2220 4245 464f 5245 2047 4f49 .
0x01c0 4e47 2054 4f20 4f55 5220 5745 4253 4954 NG.TO.OUR.WEBSIT
0x01d0 4520 2020 2020 2a20 2a20 2a0d 0a0d 0a4f E.....*.*.*....O
0x01e0 6e20 796f 7572 2077 6562 2062 726f 7773 n.your.web.brows
0x01f0 6572 2773 2061 6464 7265 7373 2062 6172 er's.address.bar
0x0200 2c20 5459 5045 2049 4e3a 2020 2020 2077 ,.TYPE.IN:.....w
0x0210 7777 2e50 6f70 4164 5374 6f70 2e63 6f6d ww.PopAdStop.com
0x0220 0d0a 00 ...

The advertised site, "www.popadstop.com" does offer a program for

download, which promises to stop future popup spam.
We downloaded the application, and installed it in an isolated lab network. During install, the application checks for updates by

requesting: www.neweststuff.com/versinfo.dat

Recent version of the application do not show any further outbound

However, earlier version of the application did start to send the

typical two zero bytes and popup spam. We have been made available

the following trace from an infected system:
1. connection to popadstop.com, port 80 (http)

e.f.g.h 6 1485 80 88472 4249 17:27:21.5791
e.f.g.h 6 1486 80 15401 1203 17:27:27.9025
e.f.g.h 6 1489 80 4802 1159 17:28:16.9154
e.f.g.h 6 1490 80 1331056 25025 17:28:41.2205
e.f.g.h 6 1491 80 824 408 17:29:20.3522

2. connection to neweststuff.com, port 80 (http)

e.f.g.h 6 1492 80 746 410 17:29:20.4347

(snip one min)
3. scanning for port 1026-1030

e.f.g.h x.x.x.x 17 1528 1026 0 44 17:30:20.0967
e.f.g.h x.x.x.x 17 1529 1030 0 44 17:30:20.0979
e.f.g.h y.y.y.y 17 1528 1026 0 44 17:30:20.1787
e.f.g.h y.y.y.y 17 1529 1030 0 44 17:30:20.1790


An earlier version of the software distributed by
PopAdStuff did actively scan and send popup spam
from unsuspecting user's system.


Published: 2003-12-02

Port 1026-1031 update

This is an update for our prior diary ( http://isc.sans.org/diary.html?date=2003-11-25 ) .

We observed strong fluctuations in this traffic, indicating a central control mechanism. Based on feedback from sources of this traffic, we suspect that the
traffic may be related to a popup-spam blocking application. Several users reported seeing the udp traffic to port 1026-1031 after installing this software.

In our own testing, this software has not yet exhibited this behaviour.

This particular popup spam blocker is advertised via popup spam. So it would make sense for the application to use hosts on which it is installed to 'spread the message'.