After further investigation, it appears that the hosts sourcing this SPAM are running VMWARE. We've identified a commercial, Windows-based SPAM package which sends SPAM via popups (all for $699). I've confirmed that this particular package (which I can't name, yet..) sends popups via MS RPC. I suspect this package is running on these Linux systems under VMWARE emulated Windows sessions.

What is also interesting is that some users, despite running personal firewalls, are still reporting getting these popups. This probably explains the developer's choice to use MS RPC (udp/135) for delivery instead of a straight NetBIOS SMB call (tcp/139). MS RPC would be less overhead, but also has the potential to reach more people, as even those with firewalls are often giving 'svchost.exe' server privileges because they assume it's necessary:

http://www.dslreports.com/forum/remark,4718327~root=security,1~mode=flat

Lawrence Baldwin
myNetWatchman.com
Atlanta, GA

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 15:48:07 PDT