Open Source and information security mailing list archives
 
Message-ID: <20031202152117.3c0e8598.dokas@cs.umn.edu>
From: dokas at cs.umn.edu (Paul Dokas)
Subject: Increase probe on UDP port 1026

On Tue, 02 Dec 2003 10:16:23 +0100 Nicob <nicob@...ob.net> wrote:
> I captured some packets and it appears to be (only) a Windows Messenger
> "spam" for a "penis enlargement" product.

I caught one last night scanning 1026/UDP and 1030/UDP and doing popups
directing people to www.PopAdStop.com.  The 1026/UDP and related traffic
is *definitely* popup spam related.  At this point, I suspect that the
malware is getting onto computers via .HTA mime or ADODB.Stream vulnerabilities
in IE.  However, I have no proof of this yet.

BTW, I did `wget http://www.PopAdStop.com` a little bit ago.  Looks like
they could win an obfuscated JavaScript contest.


Paul
-- 
Paul Dokas                                            dokas@...umn.edu
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."

