Thanks everyone here on this list who helped track this down! We just published a (hopefully more or less final) "Diary" on this topic at http://isc.sans.org/diary.html (see below for text). As it turns out, at least one particular version of the software distributed by PopAdStop.com did include a Trojan component sending out popup spam.

-------------

For over a week, we had been tracking an increase in port 1026-1031 UDP traffic. More detailed investigation revealed a component in this traffic with the following characteristics:

(*) The payload consisted of two zero bytes
(*) A large number of sources participated in these scans
(*) The scans came from valid IPs, and the source port did not appear to be crafted.

This is different from most popup spam sent to this port. Most popup spam is sent by only a small number of sources, and usually uses a fixed source port. While popup spam in itself is not any more dangerous than e-mail spam, and more of an annoyance, the large number of sources hinted at the fact that it is likely sent from unsuspecting exploited systems ("Zombies").

The connection with popup spam was made later, by allowing a honeypot to respond to the two-byte probe. The result was an ad sent by the probing host.

PACKET DUMP (IP addresses are obfuscated)

11:57:11.361783 IP w.x.y.z.1974 > a.b.c.d.1030: udp 2
0x0000 4500 001e c33d 0000 6a11 8094 wwxx yyzz E....=..j...R#@3
0x0010 aabb ccdd 07b6 0406 000a e720 0000 0000 ................
0x0020 0000 0000 0000 0000 0000 0000 0000      ..............

11:57:11.363913 IP 129.170.248.252.1030 > w.x.y.z.1974: udp 84
0x0000 4500 0070 0169 0000 8011 2c17 aabb ccdd E..p.i....,.....
0x0010 wwxx yyzz 0406 07b6 005c aa23 0406 0000 R#@3.....\.#....
0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050 0000 0000 52f7 c93f 0000 0000 0000 0000 ....R..?........
0x0060 0000 0000 0000 0400 0000 0000 0800 001c ................

11:57:11.477413 IP w.x.y.z.1975 > 129.170.248.252.1026: udp 519
0x0000 4500 0223 c350 0000 6a11 7e7c wwxx yyzz E..#.P..j.~|R#@3
0x0010 aabb ccdd 07b7 0402 020f 43b2 0400 0800 ..........C.....
0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
0x0030 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
0x0040 4fb6 e6fc 82f5 b0ec e32c 41ec 173c 5a07 O........,A..<Z.
0x0050 dee7 8629 0000 0000 0100 0000 0000 0000 ...)............
0x0060 0000 ffff ffff b701 0000 0000 1400 0000 ................
0x0070 0000 0000 1400 0000 5757 572e 504f 5041 ........WWW.POPA
0x0080 4453 544f 502e 434f 4d00 0000 1400 0000 DSTOP.COM.......
0x0090 0000 0000 1400 0000 554e 5345 4355 5245 ........UNSECURE
0x00a0 4420 434f 4d50 5554 4552 0000 6b01 0000 D.COMPUTER..k...
0x00b0 0000 0000 6b01 0000 5055 424c 4943 2053 ....k...PUBLIC.S
0x00c0 4552 5649 4345 2041 4e4e 4f55 4e43 454d ERVICE.ANNOUNCEM
0x00d0 454e 543a 0d0a 0d0a 0d0a 594f 5552 2043 ENT:......YOUR.C
0x00e0 4f4d 5055 5445 5220 4953 204e 4f54 2053 OMPUTER.IS.NOT.S
0x00f0 4543 5552 4544 2041 4741 494e 5354 2050 ECURED.AGAINST.P
0x0100 4f50 2d55 5053 2121 210d 0a0d 0a0d 0a44 OP-UPS!!!......D
0x0110 4f4e 2754 2053 5045 4e44 2041 4e59 204d ON'T.SPEND.ANY.M
0x0120 4f4e 4559 2046 4f52 2041 4e59 2050 4f50 ONEY.FOR.ANY.POP
0x0130 2d55 5020 424c 4f43 4b45 5221 0d0a 0d0a -UP.BLOCKER!....
0x0140 4765 7420 6f75 7273 2066 6f72 2046 5245 Get.ours.for.FRE
0x0150 4521 2121 0d0a 0d0a 5965 7320 7468 6174 E!!!....Yes.that
0x0160 2773 2072 6967 6874 2c20 5354 4f50 2050 's.right,.STOP.P
0x0170 6f70 2d55 7020 6164 7320 666f 7220 4652 op-Up.ads.for.FR
0x0180 4545 2121 210d 0a0d 0a0d 0a0d 0a20 2020 EE!!!...........
0x0190 2020 2020 2020 2020 2020 2a20 2a20 2a20 ..........*.*.*.
0x01a0 2020 2020 444f 204e 4f54 2043 4c49 434b ....DO.NOT.CLICK
0x01b0 2022 4f4b 2220 4245 464f 5245 2047 4f49 ."OK".BEFORE.GOI
0x01c0 4e47 2054 4f20 4f55 5220 5745 4253 4954 NG.TO.OUR.WEBSIT
0x01d0 4520 2020 2020 2a20 2a20 2a0d 0a0d 0a4f E.....*.*.*....O
0x01e0 6e20 796f 7572 2077 6562 2062 726f 7773 n.your.web.brows
0x01f0 6572 2773 2061 6464 7265 7373 2062 6172 er's.address.bar
0x0200 2c20 5459 5045 2049 4e3a 2020 2020 2077 ,.TYPE.IN:.....w
0x0210 7777 2e50 6f70 4164 5374 6f70 2e63 6f6d ww.PopAdStop.com
0x0220 0d0a 00                                  ...

The advertised site, "www.popadstop.com", does offer a program for download, which promises to stop future popup spam. We downloaded the application and installed it in an isolated lab network. During install, the application checks for updates by requesting: http://www.neweststuff.com/versinfo.dat . Recent versions of the application do not show any further outbound traffic. However, earlier versions of the application did start to send the typical two zero bytes and popup spam. We were provided the following trace from an infected system:

1. connection to popadstop.com, port 80 (http)
e.f.g.h 066.225.219.162 6 1485 80 88472 4249 17:27:21.5791
e.f.g.h 066.225.219.162 6 1486 80 15401 1203 17:27:27.9025
e.f.g.h 066.225.219.162 6 1489 80 4802 1159 17:28:16.9154
e.f.g.h 066.225.219.162 6 1490 80 1331056 25025 17:28:41.2205
e.f.g.h 066.225.219.162 6 1491 80 824 408 17:29:20.3522

2. connection to neweststuff.com, port 80 (http)
e.f.g.h 216.058.174.211 6 1492 80 746 410 17:29:20.4347

(snip one min)

3. scanning for port 1026-1030
e.f.g.h x.x.x.x 17 1528 1026 0 44 17:30:20.0967
e.f.g.h x.x.x.x 17 1529 1030 0 44 17:30:20.0979
e.f.g.h y.y.y.y 17 1528 1026 0 44 17:30:20.1787
e.f.g.h y.y.y.y 17 1529 1030 0 44 17:30:20.1790

Summary
-------

An earlier version of the software distributed by PopAdStop did actively scan and send popup spam from unsuspecting users' systems.

--
CTO SANS Internet Storm Center
http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550
jullrich@sans.org
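As an added example (not code from the diary above or from the ISC), the following Python reassembles tcpdump-style hex dump lines like the ones in the diary into raw bytes, decodes the IPv4/UDP headers, and labels a datagram to ports 1026-1031 either as the two-zero-byte probe or as a Messenger popup whose embedded ASCII strings it pulls out. The ports and the two-zero-byte signature come from the diary; the sample packets, the 10.1.2.3 / 10.4.5.6 addresses and the build_udp helper are constructed for this example.

```python
import re
import struct
# UDP ports the diary saw probed (the Windows Messenger service listened here).
MESSENGER_PORTS = range(1026, 1032)

def hexdump_to_bytes(dump):
    """Reassemble tcpdump -x/-X lines (offset, <=8 hex groups, ascii column) into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        for tok in (tokens[1:9] if tokens and tokens[0].startswith("0x") else []):
            if not re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                break  # reached the ascii column
            out += bytes.fromhex(tok)
    return bytes(out)

def parse_ipv4_udp(pkt):
    """Return (src, sport, dst, dport, payload) for an IPv4/UDP datagram, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (12, 16))
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return src, sport, dst, dport, pkt[ihl + 8:min(total, ihl + ulen)]

def classify(pkt):
    """Label a datagram the way the diary does: 'probe', 'popup' or 'other'."""
    parsed = parse_ipv4_udp(pkt)
    if parsed is None or parsed[3] not in MESSENGER_PORTS:
        return "other", []
    payload = parsed[4]
    if payload == b"\x00\x00":
        return "probe", []
    # Messenger popups carry sender, recipient and message text as runs of ASCII.
    text = [t.decode() for t in re.findall(rb"[\x20-\x7e]{4,}", payload)]
    return ("popup", text) if text else ("other", [])
def build_udp(src, sport, dst, dport, payload):
    """Constructed IPv4/UDP datagram (checksums zeroed) for offline testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 128, 17, 0,
                     bytes(src), bytes(dst))
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
# Constructed probe in the diary's dump layout: 10.1.2.3:1974 -> 10.4.5.6:1030, payload 0000.
PROBE_DUMP = """\
0x0000 4500 001e c33d 0000 6a11 0000 0a01 0203 E....=..j.......
0x0010 0a04 0506 07b6 0406 000a 0000 0000 ..............
"""
# Constructed popup: RPC-style header bytes, then the strings the diary's dump shows.
POPUP_BODY = (b"\x04\x00\x08\x00\x10" + b"\x00" * 27 + b"WWW.POPADSTOP.COM\x00\x00\x00"
              + b"UNSECURED COMPUTER\x00\x00" + b"PUBLIC SERVICE ANNOUNCEMENT:\r\n")
POPUP_PKT = build_udp((10, 1, 2, 3), 1975, (10, 4, 5, 6), 1026, POPUP_BODY)
```

Feeding the diary's own dump through hexdump_to_bytes works the same way once the obfuscated address groups are replaced with real hex.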