Thanks everyone here on this list who helped track down this!
We just published a (hopefully more or less final) "Diary" on 
this topic at (see below for text).

As it turns out, at least one particular version of the software
distributed by did include a Trojan component sending
out popup spam.

  For over a week, we had been tracking an increase in port 1026-1031
UDP traffic. More detailed investigation revealed a component in this
traffic with the following characteristics:
(*) The payload consisted of two zero bytes
(*) A large number of sources participated in these scans
(*) the scans came from valid IPs, and the source port did not appear 
    to be crafted.
   This is different from most popup spam sent to this port. Most popup
spam is sent by only a small number of sources. And usually uses a fixed
source port.

   While popup spam in itself is not any more dangerous then e-mail
spam, and more of an annoyance, the large number of sources hinted to
the fact that it is likely sent from unsuspecting exploited systems

   The connection with popup spam was made later, by allowing a honeypot
to respond to the two byte probe. The result was an ad sent by the
probing host.

PACKET DUMP (IP Addresses are obfuscated)

11:57:11.361783 IP w.x.y.z.1974 > a.b.c.d.1030: udp 2
0x0000   4500 001e c33d 0000 6a11 8094 wwxx yyzz        [EMAIL PROTECTED]
0x0010   aabb ccdd 07b6 0406 000a e720 0000 0000        ................
0x0020   0000 0000 0000 0000 0000 0000 0000             ..............
11:57:11.363913 IP > w.x.y.z.1974: udp 84
0x0000   4500 0070 0169 0000 8011 2c17 aabb ccdd        E..p.i....,.....
0x0010   wwxx yyzz 0406 07b6 005c aa23 0406 0000        [EMAIL PROTECTED]
0x0020   1000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0050   0000 0000 52f7 c93f 0000 0000 0000 0000        ....R..?........
0x0060   0000 0000 0000 0400 0000 0000 0800 001c        ................
11:57:11.477413 IP w.x.y.z.1975 > udp 519
0x0000   4500 0223 c350 0000 6a11 7e7c wwxx yyzz        E..#.P..j.~|[EMAIL PROTECTED]
0x0010   aabb ccdd 07b7 0402 020f 43b2 0400 0800        ..........C.....
0x0020   1000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   0000 0000 f891 7b5a 00ff d011 a9b2 00c0        ......{Z........
0x0040   4fb6 e6fc 82f5 b0ec e32c 41ec 173c 5a07        O........,A..<Z.
0x0050   dee7 8629 0000 0000 0100 0000 0000 0000        ...)............
0x0060   0000 ffff ffff b701 0000 0000 1400 0000        ................
0x0070   0000 0000 1400 0000 5757 572e 504f 5041        ........WWW.POPA
0x0080   4453 544f 502e 434f 4d00 0000 1400 0000        DSTOP.COM.......
0x0090   0000 0000 1400 0000 554e 5345 4355 5245        ........UNSECURE
0x00a0   4420 434f 4d50 5554 4552 0000 6b01 0000        D.COMPUTER..k...
0x00b0   0000 0000 6b01 0000 5055 424c 4943 2053        ....k...PUBLIC.S
0x00c0   4552 5649 4345 2041 4e4e 4f55 4e43 454d        ERVICE.ANNOUNCEM
0x00d0   454e 543a 0d0a 0d0a 0d0a 594f 5552 2043        ENT:......YOUR.C
0x00e0   4f4d 5055 5445 5220 4953 204e 4f54 2053        OMPUTER.IS.NOT.S
0x00f0   4543 5552 4544 2041 4741 494e 5354 2050        ECURED.AGAINST.P
0x0100   4f50 2d55 5053 2121 210d 0a0d 0a0d 0a44        OP-UPS!!!......D
0x0110   4f4e 2754 2053 5045 4e44 2041 4e59 204d        ON'T.SPEND.ANY.M
0x0120   4f4e 4559 2046 4f52 2041 4e59 2050 4f50        ONEY.FOR.ANY.POP
0x0130   2d55 5020 424c 4f43 4b45 5221 0d0a 0d0a        -UP.BLOCKER!....
0x0140   4765 7420 6f75 7273 2066 6f72 2046 5245        Get.ours.for.FRE
0x0150   4521 2121 0d0a 0d0a 5965 7320 7468 6174        E!!!....Yes.that
0x0160   2773 2072 6967 6874 2c20 5354 4f50 2050        's.right,.STOP.P
0x0170   6f70 2d55 7020 6164 7320 666f 7220 4652
0x0180   4545 2121 210d 0a0d 0a0d 0a0d 0a20 2020        EE!!!...........
0x0190   2020 2020 2020 2020 2020 2a20 2a20 2a20        ..........*.*.*.
0x01a0   2020 2020 444f 204e 4f54 2043 4c49 434b        ....DO.NOT.CLICK
0x01b0   2022 4f4b 2220 4245 464f 5245 2047 4f49        ."OK".BEFORE.GOI
0x01c0   4e47 2054 4f20 4f55 5220 5745 4253 4954        NG.TO.OUR.WEBSIT
0x01d0   4520 2020 2020 2a20 2a20 2a0d 0a0d 0a4f        E.....*.*.*....O
0x01e0   6e20 796f 7572 2077 6562 2062 726f 7773        n.your.web.brows
0x01f0   6572 2773 2061 6464 7265 7373 2062 6172        er'
0x0200   2c20 5459 5045 2049 4e3a 2020 2020 2077        ,.TYPE.IN:.....w
0x0210   7777 2e50 6f70 4164 5374 6f70 2e63 6f6d
0x0220   0d0a 00                                        ...

The advertised site, "", does offer a program for
download, which promises to stop future popup spam.

We downloaded the application, and installed it in an isolated lab
network. During install, the application checks for updates by
requesting: .
Recent version of the application do not show any further outbound

However, earlier version of the application did start to send the
typical two zero bytes and popup spam. We have been made available
the following trace from an infected system:

1. connection to, port 80 (http)

e.f.g.h 6 1485 80 88472 4249 17:27:21.5791
e.f.g.h 6 1486 80 15401 1203 17:27:27.9025
e.f.g.h 6 1489 80 4802 1159 17:28:16.9154
e.f.g.h 6 1490 80 1331056 25025 17:28:41.2205 
e.f.g.h 6 1491 80 824 408 17:29:20.3522

2. connection to, port 80 (http)
e.f.g.h 6 1492 80 746 410 17:29:20.4347
(snip one min)

3. scanning for port 1026-1030

e.f.g.h x.x.x.x 17 1528 1026 0 44 17:30:20.0967
e.f.g.h x.x.x.x 17 1529 1030 0 44 17:30:20.0979 
e.f.g.h y.y.y.y 17 1528 1026 0 44 17:30:20.1787 
e.f.g.h y.y.y.y 17 1529 1030 0 44 17:30:20.1790 


An earlier version of the software distributed by
PopAdStuff did actively scan and send popup spam
from unsuspecting user's system.

CTO SANS Internet Storm Center     
phone: (617) 786 1563            
  fax: (617) 786 1550                          [EMAIL PROTECTED]

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to