Phishing & BotNets
Re: spyware issue Nov 02 2006 02:00PM
Nick Baronian (kvetch gmail com)
Thanks Eric. In examining some of the data it looks like one of my
mystery IPs is an IM Spam bot. Since it doesn't route within our
network it gets dropped, but I don't understand why someone would do
this. I figure you would want the biggest bang for your buck, so you
should utilize the system's IP and routing table.
Below is a snippet of a packet with its ASCII payload. The whois
shows both the src and dest ranges belong to a sandy.thehideout.net
which has some association with
http://www.smartmeasurement.com/en/home.asp and the payload shows a
link of http://fixpcreg.com. Not sure if the IP is a randomly used
spoofed IP or if they have some association to it whatsoever. Either
way thehideout.net does bring up a lot of squawking in a google
search.

01:43:12.249690 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF],
proto 17, length: 585) 204.16.208.80.32770 > 206.132.232.184.1026:
[udp sum ok] UDP, length 557
0x0000: 4500 0249 0000 4000 3511 f005 cc10 d050 E..I..@.5.....P
0x0010: ce84 e8b8 8002 0402 0235 6652 0400 2800 .........5fR..(.
0x0020: 1000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
0x0040: 4fb6 e6fc 5216 4f57 e614 f627 a125 4393 O...R.OW...'.%C.
0x0050: 9327 90f0 0000 0000 0100 0000 0000 0000 .'..............
0x0060: 0000 ffff ffff dd01 0000 0000 1000 0000 ................
0x0070: 0000 0000 1000 0000 5345 4355 5249 5459 ........SECURITY
0x0080: 0000 0000 0000 0000 1000 0000 0000 0000 ................
0x0090: 1000 0000 414c 4552 5400 0000 0000 0000 ....ALERT.......
0x00a0: 0000 0000 9901 0000 0000 0000 9901 0000 ................
0x00b0: 4d65 7373 6167 6520 6672 6f6d 2053 4543 Message.from.SEC
0x00c0: 5552 4954 595f 4d4f 4e49 544f 5220 746f URITY_MONITOR.to
0x00d0: 2055 5345 5220 6f6e 2031 302f 3233 2f32 .USER.on.10/23/2
0x00e0: 3030 3620 3135 3a35 333a 3335 0a54 6865 006.15:53:35.The
0x00f0: 7265 206d 6179 6265 2061 2043 5249 5449 re.maybe.a.CRITI
0x0100: 4341 4c20 5245 4749 5354 5259 2045 5252 CAL.REGISTRY.ERR
0x0110: 4f52 2e0a 0a54 6f20 7265 6d6f 7665 2074 OR...To.remove.t
0x0120: 6865 2043 5249 5449 4341 4c20 4552 524f he.CRITICAL.ERRO
0x0130: 5220 706c 6561 7365 2064 6f20 7468 6520 R.please.do.the.
0x0140: 666f 6c6c 6f77 696e 673a 0a31 2e20 436c following:.1..Cl
0x0150: 6963 6b20 7468 6520 7374 6172 7420 6275 ick.the.start.bu
0x0160: 7474 6f6e 0a32 2e20 436c 6963 6b20 5275 tton.2..Click.Ru
0x0170: 6e2e 0a33 2e20 5479 7065 2069 6e20 6874 n..3..Type.in.ht
0x0180: 7470 3a2f 2f66 6978 7063 7265 672e 636f tp://fixpcreg.co
0x0190: 6d0a 342e 2049 6e73 7461 6c6c 2052 6567 m.4..Install.Reg
0x01a0: 6973 7472 7920 5265 6d6f 7665 720a 352e istry.Remover.5.
0x01b0: 2052 756e 2052 6567 6973 7472 7920 5265 .Run.Registry.Re
0x01c0: 6d6f 7665 7220 446f 630a 362e 2052 6562 mover.Doc.6..Reb
0x01d0: 6f6f 7420 796f 7572 2063 6f6d 7075 7465 oot.your.compute
0x01e0: 720a 0a46 4149 4c55 5245 2054 4f20 4143 r..FAILURE.TO.AC
0x01f0: 5420 4e4f 5720 4d41 5920 4c45 4144 2054 T.NOW.MAY.LEAD.T
0x0200: 4f20 4441 5441 2043 4f52 5255 5054 494f O.DATA.CORRUPTIO
0x0210: 4e2c 2041 4e44 2053 5452 414e 4745 5253 N,.AND.STRANGERS
0x0220: 200a 4841 5649 4e47 2041 4343 4553 5320 ..HAVING.ACCESS.
0x0230: 544f 2059 4f55 5220 5045 5253 4f4e 414c TO.YOUR.PERSONAL
0x0240: 2046 494c 4553 210a 00 .FILES!..

-Nick Baronian

On 11/1/06, Eric F <eric.f.na (at) gmail (dot) com> wrote:
> I've heard of situations where legitimate, routable (and sometimes abandoned
> or unused) IP space is used by spammers - "address space hijacking".
>
> This may or may not be what you're seeing, but it's something to consider.
>
> Let me know if you are looking for more information.
>
> -Eric
>
> On 10/27/06, Nick Baronian <kvetch (at) gmail (dot) com> wrote:
> > I had a machine on my network that was infected with some viruses
> > and malware. The machine has been wiped and rebuilt but I noticed
> > going through my IDS logs for that day I saw a couple of IPs in my lan that
> > were not mine and they were routable. Do some forms of malware/bots
> > have static addresses? I have heard some bots have their own
> > network stack but I just wasn't clear if this was true or not because
> > I would just assume not, even though it would be harder to track down
> > the bot if they did have their own addresses but because of possible
> > routing issues I would think they would not go this way.
> >
> > Thanks,
> > Nick
> >
>
>

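The datagram above has the shape of Windows Messenger service pop-up spam: a single UDP packet to port 1026 carrying a DCE/RPC connectionless request whose interface UUID is the Messenger service (5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc), with the "SECURITY ALERT" text and a URL in the stub data. Because the whole thing is one unacknowledged UDP packet, nothing in it proves the source address is genuine, which is why the source range can look unrelated to the sender. The script below is an added example (not code from the thread or from SecurityFocus) that rebuilds the packet from a subset of the tcpdump -X lines quoted in the post, decodes the IP/UDP headers, checks the RPC interface UUID, and pulls out the printable text and URLs so they can be fed to a blocklist or IoC list. The hex lines embedded in it are copied from the post with intermediate lines dropped; the parser honours the offset column and zero-fills the gaps. The port range and the "ports Messenger spam commonly targeted" comment are assumptions based on how this spam was typically delivered, not on anything in the thread.

```python
import re
import struct
import uuid

# Constructed input: a subset of the tcpdump -X lines from the post above
# (IP/UDP headers, the DCE/RPC header, and the lines holding the message
# text and URL). Lines omitted here are zero-filled by parse_hexdump().
DUMP = """\
0x0000: 4500 0249 0000 4000 3511 f005 cc10 d050 E..I..@.5.....P
0x0010: ce84 e8b8 8002 0402 0235 6652 0400 2800 .........5fR..(.
0x0020: 1000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030: 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
0x0040: 4fb6 e6fc 5216 4f57 e614 f627 a125 4393 O...R.OW...'.%C.
0x00b0: 4d65 7373 6167 6520 6672 6f6d 2053 4543 Message.from.SEC
0x00c0: 5552 4954 595f 4d4f 4e49 544f 5220 746f URITY_MONITOR.to
0x0170: 6e2e 0a33 2e20 5479 7065 2069 6e20 6874 n..3..Type.in.ht
0x0180: 7470 3a2f 2f66 6978 7063 7265 672e 636f tp://fixpcreg.co
0x0190: 6d0a 342e 2049 6e73 7461 6c6c 2052 6567 m.4..Install.Reg
"""

# RPC interface UUID of the Windows Messenger service (msgsvc).
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
# Assumption: UDP ports Messenger spam commonly targeted.
MESSENGER_PORTS = range(1026, 1031)
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\x00]*)?")


def parse_hexdump(text):
    """Rebuild packet bytes from tcpdump -X lines, honouring the offset column.
    Offsets missing from the input are zero-filled so header offsets stay valid."""
    buf = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not (parts[0].startswith("0x") and parts[0].endswith(":")):
            continue
        off = int(parts[0][2:-1], 16)
        chunk = b""
        for tok in parts[1:9]:  # tcpdump prints at most 8 hex groups per line
            if len(tok) % 2 or not re.fullmatch(r"[0-9a-fA-F]{2,4}", tok):
                break
            chunk += bytes.fromhex(tok)
        if len(buf) < off:
            buf.extend(b"\0" * (off - len(buf)))
        buf[off:off + len(chunk)] = chunk
    return bytes(buf)


def parse_ip_udp(pkt):
    """Decode the IPv4 and UDP headers; payload is truncated to what was captured."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    sport, dport, ulen = struct.unpack_from("!HHH", pkt, ihl)
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport, "total_len": total_len,
        "payload": pkt[ihl + 8: ihl + ulen],
    }


def rpc_interface(payload):
    """Interface UUID from a DCE/RPC connectionless (CL) header: rpc_vers=4 at
    byte 0, object UUID at bytes 8..24, interface UUID at bytes 24..40 (LE fields)."""
    if len(payload) < 80 or payload[0] != 4:
        return None
    return uuid.UUID(bytes_le=bytes(payload[24:40]))


def printable_strings(payload, minlen=8):
    """Runs of printable ASCII (newlines allowed), like the `strings` tool."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e\n]{%d,}" % minlen, payload)]


def classify(dump_text):
    """Summarise one dumped packet and flag Messenger-service pop-up spam."""
    fields = parse_ip_udp(parse_hexdump(dump_text))
    iface = rpc_interface(fields["payload"])
    fields["interface"] = str(iface) if iface else None
    fields["messenger_spam"] = fields["dport"] in MESSENGER_PORTS and iface == MSGSVC_UUID
    fields["strings"] = printable_strings(fields["payload"])
    fields["urls"] = [u.decode() for u in URL_RE.findall(fields["payload"])]
    return fields


if __name__ == "__main__":
    result = classify(DUMP)
    for key in ("src", "sport", "dst", "dport", "interface", "messenger_spam", "urls"):
        print(f"{key:15} {result[key]}")
    for s in result["strings"]:
        print(repr(s))
```

Run against the full dump from the post, the same code yields the complete "Message from SECURITY_MONITOR to USER ..." text. The detection rule it encodes (UDP to the Messenger ports plus the msgsvc interface UUID at CL-header offset 24) is what an IDS signature for this spam keys on; matching on the URL alone is weaker, since the landing page changes while the RPC interface does not.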