Open Source and information security mailing list archives
Message-ID: <200306251339.46805.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: Re: Windows Messenger Popup Spam - advisory amended

On Monday 23 June 2003 05:19 pm, jh wrote:
> 1026 is ephemeral, it may not always be this port. 

I'd say it's dependent on the startup order of other listeners. Ephemeral
implies it is short-lived. If you don't install other services that use port
1026 it will probably continue to be bound to port 1026 indefinitely. I've
been told that some Windows 2000 server platforms may have messenger
listening on port 1027 due to other services starting first, but popup
spammers are typically targeting the home user running WinXP.

> Dunno if that all makes sense, readers may find the following paper
> helpful (it is more in-depth than the brief, condensed version above):
> http://www.giac.org/practical/GCIH/Jeremy_Hewlett_GCIH.pdf

This is an excellent paper; is it yours? Well researched and written. 
I have found however, a few points of difference between what the paper
describes of the protocol and what I've observed in practice. The paper
describes a much more elaborate exchange of packets than the spammers 
are actually using. The paper says that the conv_who_are_you packet
must be answered by the client before the popup will occur. This doesn't
seem to be necessary, as I have been able to merely replay the same
UDP packet payload again and again, on either port. The paper says that
these packets should be dropped as duplicates, but I have observed that
you only need to wait for a given timeout to occur before you can send the
packet and get a popup again; somewhere on the order of 10 minutes or
so. This is ok with the spammers, since they seem to cycle through the same
netblock only every hour or so.

So, the higher port is usually, but not guaranteed to be, port 1026. So 
far, the spammers have only been observed sending packets to port 135
and 1026, suggesting they have observed the same behavior. And only
one packet is necessary, no matter which port you send it to. I've been
successful at spoofing a bogus source IP address in the packets generating 
the popups as well.

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
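The observations in Joe's post (single UDP packets to 135 or 1026, occasionally 1027; roughly a 10-minute replay timeout; spoofable source addresses; spammers cycling through a netblock) translate directly into a detection rule for a perimeter log. The following is an added example, not code from the post or from LURHQ: it parses a constructed, hypothetical firewall log format (epoch, protocol, src:port -> dst:port), keeps only inbound UDP to the Messenger ports, and summarizes which internal hosts were hit and how many distinct targets each source /24 touched. Because the post notes the source IP can be spoofed, the per-source grouping is used only to spot a sweep, not to attribute it.

```python
"""Flag Messenger-popup spam candidates in perimeter firewall log lines.

Added example. The log format below is constructed for this example and is
not any real product's format.
"""
import re
from collections import defaultdict

# Ports the post reports spammers sending to (135, 1026), plus 1027, which
# the post says Messenger may bind on some Windows 2000 servers.
MESSENGER_PORTS = {135, 1026, 1027}

# The post observes a host can be popped again after roughly a 10 minute
# timeout; repeats closer together than this against one host are unusual.
REPLAY_WINDOW_SECONDS = 600

# Assumed (constructed) log line: "<epoch> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample input: a sweep from one /24 plus unrelated traffic.
LOG_LINES = [
    "1056500000 UDP 203.0.113.10:1337 -> 192.0.2.5:135",
    "1056500001 UDP 203.0.113.10:1337 -> 192.0.2.6:1026",
    "1056500002 UDP 203.0.113.11:4444 -> 192.0.2.7:1026",
    "1056500003 UDP 203.0.113.12:4444 -> 192.0.2.8:1027",
    "1056500100 UDP 203.0.113.12:4444 -> 192.0.2.8:1027",  # repeat inside window
    "1056500004 TCP 198.51.100.9:51000 -> 192.0.2.5:135",  # TCP 135, not Messenger UDP
    "1056500005 UDP 198.51.100.9:53000 -> 192.0.2.5:53",   # DNS, ignored
    "not a log line",                                      # malformed, skipped
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": int(m["ts"]), "proto": m["proto"].upper(),
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def netblock(ip):
    """/24 label; the post says spammers cycle through a netblock at a time."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def find_popup_events(lines):
    """Keep only inbound UDP datagrams aimed at a Messenger port."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] in MESSENGER_PORTS:
            events.append(rec)
    return events


def summarize(events):
    """Counts by destination port, targets per source /24, and fast repeats.

    Source addresses may be spoofed (see the post), so the per-/24 count is a
    sweep indicator, not evidence of who sent the packets.
    """
    by_port = defaultdict(int)
    targets_per_block = defaultdict(set)
    last_seen = {}
    fast_repeats = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_port[ev["dport"]] += 1
        targets_per_block[netblock(ev["src"])].add(ev["dst"])
        prev = last_seen.get(ev["dst"])
        if prev is not None and ev["ts"] - prev < REPLAY_WINDOW_SECONDS:
            fast_repeats.append(ev["dst"])
        last_seen[ev["dst"]] = ev["ts"]
    return {
        "by_port": dict(by_port),
        "targets_per_block": {b: len(t) for b, t in targets_per_block.items()},
        "fast_repeats": fast_repeats,
    }


def sweep_detected(events, min_targets=3):
    """True when one source /24 hit at least min_targets distinct hosts."""
    summary = summarize(events)
    return any(n >= min_targets for n in summary["targets_per_block"].values())


if __name__ == "__main__":
    evs = find_popup_events(LOG_LINES)
    print(summarize(evs))
    print("sweep:", sweep_detected(evs))
```

The rule is deliberately narrow: TCP 135 (RPC endpoint mapper) and ordinary UDP services are left alone, so the match is specifically the single-datagram behaviour the post describes. A fast repeat against one host is reported separately because, per the post, a second popup should not be possible within the timeout.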

