On Monday 23 June 2003 05:19 pm, jh wrote:
> 1026 is ephemeral, it may not always be this port.

I'd say it's dependent on the startup order of other listeners. Ephemeral implies it is short-lived. If you don't install other services that use port 1026, it will probably continue to be bound to port 1026 indefinitely. I've been told that some Windows 2000 server platforms may have messenger listening on port 1027 due to other services starting first, but popup spammers are typically targeting the home user running WinXP.

> Dunno if that all makes sense, readers may find the following paper
> helpful (it is more in-depth than the brief, condensed version above):
> http://www.giac.org/practical/GCIH/Jeremy_Hewlett_GCIH.pdf

This is an excellent paper; is it yours? Well researched and written. I have found, however, a few points of difference between what the paper describes of the protocol and what I've observed in practice.

The paper describes a much more elaborate exchange of packets than the spammers are actually using. The paper says that the conv_who_are_you packet must be answered by the client before the popup will occur. This doesn't seem to be necessary, as I have been able to merely replay the same UDP packet payload again and again, on either port. The paper says that these packets should be dropped as duplicates, but I have observed that you only need to wait for a given timeout to occur before you can send the packet and get a popup again; somewhere on the order of 10 minutes or so. This is OK with the spammers, since they seem to cycle through the same netblock only every hour or so.

So, the higher port is usually, but not guaranteed to be, port 1026. So far, the spammers have only been observed sending packets to port 135 and 1026, suggesting they have observed the same behavior. And only one packet is necessary, no matter which port you send it to. I've been successful at spoofing a bogus source IP address in the packets generating the popups as well.

-Joe

--
Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
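A defender-side way to use the behaviour described in the post above, as an added example that is not part of the original message: the script flags inbound UDP to the Messenger ports the post names (135, 1026, and the 1027 alternate) and classifies repeats of the same payload against the roughly ten-minute window Joe observed. The log line format, the sample lines and the payload tags are constructed for the example; findings are keyed on destination and payload rather than source address because the post notes the source IP can be spoofed.

```python
import re
from datetime import datetime

# Ports the post reports popup spam arriving on (1027 is the Windows 2000 alternate).
MESSENGER_PORTS = {135, 1026, 1027}
# Approximate duplicate-suppression window the post observed before a replay pops again.
REPLAY_TIMEOUT_S = 10 * 60

# Constructed log format: "<date> <time> UDP <src>:<sport> -> <dst>:<dport> payload=<tag>"
# where <tag> stands in for a hash of the datagram body (constructed values below).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UDP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"payload=(?P<payload>\S+)$"
)

SAMPLE_LOG = [  # constructed sample lines
    "2003-06-23 17:19:00 UDP 198.51.100.7:1034 -> 192.0.2.10:1026 payload=a3f1",
    "2003-06-23 17:19:05 UDP 198.51.100.7:1034 -> 192.0.2.10:1026 payload=a3f1",  # 5 s later
    "2003-06-23 17:20:00 UDP 198.51.100.7:1034 -> 192.0.2.10:80 payload=ffff",    # not Messenger
    "2003-06-23 18:19:30 UDP 203.0.113.9:1034 -> 192.0.2.10:1026 payload=a3f1",  # an hour later
    "2003-06-23 18:20:00 UDP 203.0.113.9:1034 -> 192.0.2.10:135 payload=a3f1",   # same payload, port 135
]

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "payload": m["payload"]}

def analyze(lines):
    """Return (timestamp, verdict, key) for each UDP datagram aimed at a Messenger port.

    key = (dst, dport, payload): the source address is deliberately left out of the key
    because the post says it can be spoofed, so it is not a reliable identifier.
    """
    last_seen = {}
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dport"] not in MESSENGER_PORTS:
            continue
        key = (rec["dst"], rec["dport"], rec["payload"])
        prev = last_seen.get(key)
        if prev is None:
            verdict = "messenger-popup"
        elif (rec["ts"] - prev).total_seconds() >= REPLAY_TIMEOUT_S:
            verdict = "replay-after-timeout"   # host will pop again per the post
        else:
            verdict = "replay-within-timeout"  # host should drop it as a duplicate
        findings.append((rec["ts"], verdict, key))
        last_seen[key] = rec["ts"]
    return findings

if __name__ == "__main__":
    for ts, verdict, key in analyze(SAMPLE_LOG):
        print(ts, verdict, key)
```

Because the source address is untrustworthy, the practical mitigation the findings point to is filtering inbound UDP to these ports at the perimeter rather than blocking individual senders.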