Re: smsx.exe?

From: eden.akhaviat_private
Date: Mon May 12 2003 - 07:56:28 PDT

Next message: Joe Stewart: "IIS/WebDav Exploit List"

Previous message: Michael Sierchio: "Re: Folllow-up to the Hotmail/MSN password reset problems"
Maybe in reply to: Steve Bromwich: "smsx.exe?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) In-Reply-To: <5.2.0.9.0.20030505174924.035bfa88at_private> >smsx.exe is not the Microsoft SMS product, it is probably this: >http://www.superbank.ru/sms/ > >If you look at the bottom of the features page of this product, it is >designed to send lots of SMS messages to hand help devices. >http://www.superbank.ru/sms/SMSexpress.htm > >Your would be attacker is trying to get your machine to download software >to send short messages to hand held devices. I have received a couple >pieces of spam on my cell phone lately, so I am sensitive to this. Your >would-be attacker's motives may be different. We had some complaints from our customers who complained about saturated connections. We tracked it down to being a trojan (smsx.exe) that was sitting in their system32 directory. I stripped some of the ASCII from the file: PUSH <target> <port> <secs> = A push flooder 錐t& NOTICE %s :TCP <target> <port> <secs> = A syn flooder 左 NOTICE %s :UDP <target> <port> <secs> = A udp flooder 左 NOTICE %s :MCON <target> <port> <num> <secs> <holdtime> = A connectbomb flooder 左詐' NOTICE %s :DUMP <target> <port> <num> <secs> <holdtime> = dumps the evilbufs to a port 錐ｴ& NOTICE %s :MCLONE <target> <port> <num> <secs> <holdtime> = connects to irc and dumps the evilbufs 瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞NOTICE %s :NICK <nick> = Changes the nick of the client 瑞瑞瑞瑞瑞瑞瑞瑞瑞瑞侵OTICE %s :DISABLE <pass> = Disables all packeting from this client The program connects to sd.ubersource.net (218.145.53.103) port 6667 (IRC) joins a channel called #REDARMY password :kalashnikov. And there it seems to wait for comments like PUSH TCP UDP as above. I am not sure of the delivery mechanism to get it onto the customers PC but it is certainly an issue. We have blocked access to sd.ubersource.net for now to see if the problems disappear. Regards Eden ---------------------------------------------------------------------------- DROP NETWORK ATTACKS BEFORE THEY BEGIN FREE WHITE PAPER: Learn about a uniqueintrusion prevention solution that identifies and drops malicious traffic before it hits the network. Download, "Intrusion Detection and Prevention" at: http://www.securityfocus.com/NetScreen-focus-ids ----------------------------------------------------------------------------

Next message: Joe Stewart: "IIS/WebDav Exploit List"
Previous message: Michael Sierchio: "Re: Folllow-up to the Hotmail/MSN password reset problems"
Maybe in reply to: Steve Bromwich: "smsx.exe?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon May 12 2003 - 20:52:41 PDT