Explanation on recently noticed increase of udp 1026-1031 traffic
william at elan.net
Sun Dec 7 16:32:56 UTC 2003
The original notice about all this I received came through dshield announce.
I followed up on the information and then came upon the message on the
popadstop website. It's rather interesting how they claim they did not
intend their software to send a "pop-ad" advertisement of that same software
(to random other systems) that is supposedly meant to block such ads.
Of course this was all just a "test" before they start selling their anti-spam
software (which would probably act like a mail worm in advertising itself)...
http://isc.sans.org/diary.html?date=2003-12-04
"Handlers Diary December 4th 2003
Updated December 5th 2003 06:39 EDT
PopAdStop.com Scanning Component
For over a week, we had been tracking an increase in port 1026-1031 UDP
traffic. More detailed investigation revealed a component in this traffic
with the following characteristics:
(*) The payload consisted of two zero bytes
(*) A large number of sources participated in these scans
(*) The scans came from valid IPs, and the source port did not appear to
be crafted
This is different from most popup spam sent to this port. Most popup spam
is sent by only a small number of sources. And usually uses a fixed
source port. While popup spam in itself is not any more dangerous than
e-mail spam, and more of an annoyance, the large number of sources hinted
at the fact that it is likely sent from unsuspecting exploited systems
("Zombies"). The connection with popup spam was made later, by allowing a
honeypot to respond to the two byte probe. The result was an ad sent by
the probing host.
...
The advertised site, "www.popadstop.com" does offer a program for download,
which promises to stop future popup spam. We downloaded the application,
and installed it in an isolated lab network. During install, the application
checks for updates by requesting: www.neweststuff.com/versinfo.dat.
Recent versions of the application do not show any further outbound
traffic. However, earlier versions of the application did start to send
the typical two zero bytes and popup spam.
Summary
An earlier version of the software distributed by PopAdStop did actively
scan and send popup spam from unsuspecting users' systems."
http://www.popadstop.com
"NewestStuff.com LLC
Official Statement
PopAdStop has been discontinued...
PopAdStop was a free product, and better than some similar products that
others have sold for up to $40 in the past. The offering included a Messenger
popup blocker, as well as a separately downloadable free web popup blocker.
Free products or services are apparently not always appreciated...
Bug report: Multiple independent reports indicate that the first few versions
*MAY* have been affected by a modular advertisement component that had
been accidentally inserted into the first version, apparently. This may
possibly have caused PopAdStop to advertise itself from a few systems
(providing a new form of Internet 'word of mouth' advertising, providing
much greater distribution of PopAdStop in a much shorter time than we
intended, and *MUCH* greater cost to *US*, because so many people
downloaded PopAdStop from our website!!!), but was not part of the
design. This possible bug was fixed ON ALL AFFECTED SYSTEMS with an
automatic update, and no longer occurs. Very embarrassing indeed. Please
accept our apologies if you experienced anything like this, but please
do not slander us for it!!!
The resulting public backlash and slander caused by this suspected bug
seriously reduced our ability to use PopAdStop as a marketing tool for
our SpamBurner product, and turned PopAdStop into nothing more than a
huge waste of our time...
Valuable lesson from the PopAdStop project: Do not let the same programmer
develop two different pieces of software at the same time, and probably
giving stuff away for free is a bad idea too..."
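The ISC diary quoted above separates the traffic on UDP 1026-1031 into two components by three observable traits: payload (two zero bytes vs. a full popup datagram), number of distinct sources (many vs. few) and whether the source port varies or is fixed. The script below is an added example, not code from the diary, from NANOG or from PopAdStop/NewestStuff.com, that applies exactly those traits to a small constructed packet log (the addresses, ports and the filler payload of the "spam" rows are made up for illustration; the CSV layout `src_ip,src_port,dst_port,payload_hex` is my own, not a tcpdump or DShield format). The thresholds `min_sources` and `max_sources` are assumptions for the sample, not values from the diary.

```python
"""Split UDP 1026-1031 traffic into the 'two zero byte probe' component and the
classic popup-spam component, then profile each by source diversity.

Example code, not part of the original post. Log lines below are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Ports the ISC diary tracked (Windows Messenger service popups land here).
WATCHED_PORTS = range(1026, 1032)
# The probe payload the diary describes: exactly two zero bytes.
PROBE_PAYLOAD = b"\x00\x00"

# Constructed sample log (NOT a real capture). Columns: src_ip,src_port,dst_port,payload_hex
# Rows 1-8: probe pattern, many sources, ephemeral-looking source ports.
# Rows 9-13: popup-spam pattern, two sources, one fixed source port, filler payload.
# Row 14: same two bytes but to port 80, so outside the watched range.
SAMPLE_LOG = """\
198.51.100.11,3421,1026,0000
198.51.100.12,1093,1027,0000
198.51.100.13,4099,1026,0000
198.51.100.14,2250,1028,0000
198.51.100.15,3840,1026,0000
198.51.100.16,1501,1029,0000
198.51.100.17,2777,1026,0000
198.51.100.18,4420,1030,0000
203.0.113.7,4001,1026,abababababababababababababababab
203.0.113.7,4001,1026,abababababababababababababababab
203.0.113.7,4001,1027,abababababababababababababababab
203.0.113.8,4001,1026,abababababababababababababababab
203.0.113.8,4001,1028,abababababababababababababababab
192.0.2.50,5555,80,0000
"""


@dataclass(frozen=True)
class UdpRecord:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def parse_records(text):
    """Parse the constructed CSV layout into UdpRecord objects."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].startswith("#"):
            continue
        src_ip, src_port, dst_port, payload_hex = row
        records.append(UdpRecord(src_ip, int(src_port), int(dst_port), bytes.fromhex(payload_hex)))
    return records


def split_components(records):
    """Return (probes, spam): watched-port datagrams with the two-zero-byte payload
    versus everything else on the watched ports. Other ports are ignored."""
    probes, spam = [], []
    for rec in records:
        if rec.dst_port not in WATCHED_PORTS:
            continue
        (probes if rec.payload == PROBE_PAYLOAD else spam).append(rec)
    return probes, spam


def source_profile(records):
    """Count packets, distinct source IPs and distinct source ports."""
    return {
        "packets": len(records),
        "sources": len({r.src_ip for r in records}),
        "source_ports": len({r.src_port for r in records}),
    }


def likely_distributed(profile, min_sources=5):
    """Diary pattern for the probe component: many sources, and source ports that
    vary at least as much as the senders do (i.e. not one crafted, fixed port).
    min_sources is an assumed threshold sized for the sample."""
    return profile["sources"] >= min_sources and profile["source_ports"] >= profile["sources"]


def likely_fixed_source_spam(profile, max_sources=3):
    """Diary pattern for ordinary popup spam: a handful of sources, one fixed source port.
    max_sources is an assumed threshold sized for the sample."""
    return 0 < profile["sources"] <= max_sources and profile["source_ports"] == 1


if __name__ == "__main__":
    probes, spam = split_components(parse_records(SAMPLE_LOG))
    for name, recs in (("probe", probes), ("spam", spam)):
        prof = source_profile(recs)
        print(name, prof, "distributed:", likely_distributed(prof),
              "fixed-source spam:", likely_fixed_source_spam(prof))
```

On the sample, the eight two-byte datagrams come from eight sources on eight different source ports and are flagged as the distributed component, while the five filler datagrams from two hosts on port 4001 match the fixed-source spam profile; the port-80 row is dropped before either check. On real data you would feed the same three counters from a flow or packet export and tune the thresholds to the volume you see.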
More information about the NANOG
mailing list