North American Network Operators Group
Explanation on recently noticed increase of udp 1026-1031 traffic
The original notice about all this I received came through dshield announce. I followed up the information and thereafter came upon the message on the popadstop website, it's rather interesting how they claim they did not intend their software to send a "pop-ad" advertisement of that same software (to random other systems) that is supposedly supposed to block such ads. Of course this was all just a "test" before they start selling their anti-spam software (which would probably act like a mail worm in advertising itself)...

http://isc.sans.org/diary.html?date=2003-12-04

"Handlers Diary December 4th 2003
Updated December 5th 2003 06:39 EDT

PopAdStop.com Scanning Component

For over a week, we had been tracking an increase in port 1026-1031 UDP traffic. More detailed investigation revealed a component in this traffic with the following characteristics:

(*) The payload consisted of two zero bytes
(*) A large number of sources participated in these scans
(*) the scans came from valid IPs, and the source port did not appear to be crafted

This is different from most popup spam sent to this port. Most popup spam is sent by only a small number of sources. And usually uses a fixed source port.

While popup spam in itself is not any more dangerous than e-mail spam, and more of an annoyance, the large number of sources hinted to the fact that it is likely sent from unsuspecting exploited systems ("Zombies").

The connection with popup spam was made later, by allowing a honeypot to respond to the two byte probe. The result was an ad sent by the probing host.

...

The advertised site, "www.popadstop.com" does offer a program for download, which promises to stop future popup spam. We downloaded the application, and installed it in an isolated lab network. During install, the application checks for updates by requesting: www.neweststuff.com/versinfo.dat. Recent versions of the application do not show any further outbound traffic. However, earlier version of the application did start to send the typical two zero bytes and popup spam.

Summary

An earlier version of the software distributed by PopAdStuff did actively scan and send popup spam from unsuspecting user's system."

http://www.popadstop.com

"NewestStuff.com LLC Official Statement

PopAdStop has been discontinued...

PopAdStop was a free product, and better than some similar products that others have sold for up to $40 in the past. The offering included a Messenger popup blocker, as well as a separately downloadable free web popup blocker. Free products or services are apparently not always appreciated...

Bug report: Multiple independent reports indicate that the first few versions *MAY* have been affected by a modular advertisement component that had been accidentally inserted into the first version, apparently. This may possibly have caused PopAdStop to advertise itself from a few systems (providing a new form of Internet 'word of mouth' advertising, providing much greater distribution of PopAdStop in a much shorter time than we intended, and *MUCH* greater cost to *US*, because so many people downloaded PopAdStop from our website!!!), but was not part of the design. This possible bug was fixed ON ALL AFFECTED SYSTEMS with an automatic update, and no longer occurs. Very embarrassing indeed. Please accept our apologies if you experienced anything like this, but please do not slander us for it!!!

The resulting public backlash and slander caused by this suspected bug seriously reduced our ability to use PopAdStop as a marketing tool for our SpamBurner product, and turned PopAdStop into nothing more than a huge waste of our time...

Valuable lesson from the PopAdStop project: Do not let the same programmer develop two different pieces of software at the same time, and probably giving stuff away for free is a bad idea too..."
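
The two traffic patterns the quoted ISC diary entry distinguishes (a two-zero-byte probe from many sources with varying source ports, versus popup spam from few sources with a fixed source port), as an added detection sketch that is not part of the original post or of the diary. The flow records, addresses, payload text and thresholds are constructed assumptions.

```python
from collections import defaultdict

PORTS = range(1026, 1032)   # UDP 1026-1031, the range named in the diary
PROBE = b"\x00\x00"         # the two-zero-byte payload it describes

# Constructed sample records: (src_ip, src_port, dst_port, udp_payload).
SAMPLE = [
    ("192.0.2.10", 3021, 1026, PROBE),
    ("192.0.2.77", 4410, 1027, PROBE),
    ("198.51.100.5", 1893, 1026, PROBE),
    ("198.51.100.9", 2750, 1031, PROBE),
    ("203.0.113.4", 666, 1026, b"(constructed popup text)"),
    ("203.0.113.4", 666, 1027, b"(constructed popup text)"),
    ("203.0.113.4", 666, 1028, b"(constructed popup text)"),
    ("192.0.2.10", 3021, 53, PROBE),   # outside the port range, ignored
]

def classify(records, min_sources=3, min_msgs=3):
    """Split UDP traffic to PORTS into the diary's two patterns.

    min_sources and min_msgs are illustrative thresholds (assumptions).
    """
    probe_srcs, probe_sports = set(), set()
    senders = defaultdict(list)   # src_ip -> source ports of non-probe payloads
    for src, sport, dport, payload in records:
        if dport not in PORTS:
            continue
        if payload == PROBE:
            probe_srcs.add(src)
            probe_sports.add(sport)
        elif payload:
            senders[src].append(sport)
    fixed = sorted(ip for ip, sports in senders.items()
                   if len(sports) >= min_msgs and len(set(sports)) == 1)
    return {
        "probe_sources": len(probe_srcs),
        # Many sources and varied source ports: the scanning component.
        "distributed_probe": len(probe_srcs) >= min_sources
                             and len(probe_sports) > 1,
        # One source reusing one source port: conventional popup spam.
        "fixed_port_senders": fixed,
    }

if __name__ == "__main__":
    print(classify(SAMPLE))
```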