Re: smsx.exe?
eden.akhavi_at_ltt.com
Date: 05/12/03
- Previous message: Michael Sierchio: "Re: Folllow-up to the Hotmail/MSN password reset problems"
- Maybe in reply to: Steve Bromwich: "smsx.exe?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 12 May 2003 14:56:28 -0000 To: incidents@securityfocus.com('binary' encoding is not supported, stored as-is) In-Reply-To: <5.2.0.9.0.20030505174924.035bfa88@mail.webcoach.com>
>smsx.exe is not the Microsoft SMS product, it is probably this:
>http://www.superbank.ru/sms/
>
>If you look at the bottom of the features page of this product, it is
>designed to send lots of SMS messages to hand help devices.
>http://www.superbank.ru/sms/SMSexpress.htm
>
>Your would be attacker is trying to get your machine to download software
>to send short messages to hand held devices. I have received a couple
>pieces of spam on my cell phone lately, so I am sensitive to this. Your
>would-be attacker's motives may be different.
We had some complaints from our customers who complained about saturated
connections. We tracked it down to being a trojan (smsx.exe) that was
sitting in their system32 directory.
I stripped some of the ASCII from the file:
PUSH <target> <port> <secs> = A push flooder
t& NOTICE %s :TCP <target> <port> <secs> = A syn flooder
Ά NOTICE %s :UDP <target> <port> <secs> = A udp flooder
Ά NOTICE %s :MCON <target> <port> <num> <secs> <holdtime> = A
connectbomb flooder
Ά Ό' NOTICE %s :DUMP <target> <port> <num> <secs> <holdtime> =
dumps the evilbufs to a port
΄& NOTICE %s :MCLONE <target> <port> <num> <secs> <holdtime> =
connects to irc and dumps the evilbufs
NOTICE %s :NICK <nick> =
Changes the nick of the client
NOTICE %s :DISABLE <pass> = Disables
all packeting from this client
The program connects to sd.ubersource.net (218.145.53.103) port 6667 (IRC)
joins a channel called #REDARMY password :kalashnikov. And there it seems
to wait for comments like PUSH TCP UDP as above.
I am not sure of the delivery mechanism to get it onto the customers PC
but it is certainly an issue. We have blocked access to sd.ubersource.net
for now to see if the problems disappear.
Regards
Eden
----------------------------------------------------------------------------
DROP NETWORK ATTACKS BEFORE THEY BEGIN FREE WHITE PAPER: Learn about a uniqueintrusion prevention solution that identifies and drops malicious
traffic before it hits the network. Download, "Intrusion Detection and
Prevention" at:
http://www.securityfocus.com/NetScreen-focus-ids
----------------------------------------------------------------------------
- Previous message: Michael Sierchio: "Re: Folllow-up to the Hotmail/MSN password reset problems"
- Maybe in reply to: Steve Bromwich: "smsx.exe?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
