Messenger service “net send” spam is still around
Even though the technique is more than four years old and everyone should have some sort of firewall in place or the windows messenger service disabled automatically during the Windows XP SP2 installation the “net send” spam seems to be still around. Some examples of these spam popups can be found on this site. If you have issues with this kind of spam you should really consider updating your system, installing some kind of (personal) firewall or follow these instructions.
I was wondering about UDP packets to port 1026 and 1027 on my firewall so I started to log them with tcpdump – that way I discovered that these were still spam messages. Inspecting the dumps there were quite a few reoccuring IP addresses that tried to deliver their “net send” popup spam crap (see below).
Note: DO NOT VISIT THESE URLS – you might infect your system!
Source IP: 204.16.210.10 (Hosted by: FAST COLOCATION SERVICES)
net send sender: SECURITY
net send recipient: ALERT
net send message:
Registry Cleaner Recommended\n\nPlease do the following:\n1. Go to http://www.regwinclean.com\n2. Download Registry Cleaner\n3. Scan Computer\n4. Remove any errors immediately.\n5. Reboot\nFAILURE TO ACT NOW MAY LEAD TO DATA CORRUPTION!
Source IP: 204.16.208.69 (Hosted by: FAST COLOCATION SERVICES)
net send sender: SECURITY
net send recipient: ALERT
net send message (truncated):
Message from SECURITY_MONITOR to USER on 11/27/2006 10:28:24\nThere maybe a CRITICAL REGISTRY ERROR.\n\nImmediate registry scan recommended:\n1. Click the start button\n2. Click Run.\n3. Type in http://fixregs.com\n4.
Source IP: 201.25.43.70 [201-25-43-70.pltce7006.dsl.brasiltelecom.net.br] (Brasil Telecom S/A)
net send sender: SYSTEM
net send recipient: ALERT
net send message (truncated):
STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.\n\nWindows has found CRITICAL SYSTEM ERRORS.\n\nTo fix the errors please do the following:\n1. Download Registry Admin from: http://www.win32fix.com\n2. Install Registry Admi
Source IP: 204.16.210.50 (Hosted by: FAST COLOCATION SERVICES)
net send sender: SECURITY
net send recipient: ALERT
net send message (truncated):
STOP! \nRegistry Cleaner Recommended\n\nTo fix the errors please do the following:\n1. Download Registry Repair from: http://www.regwinclean.com\n2. Install Registry Repair\n3. Run Registry Repair\n4. Reboot your compu
Source IP: 204.16.210.30 (Hosted by: FAST COLOCATION SERVICES)
net send sender: SECURITY
net send recipient: ALERT
net send message (truncated):
STOP! \n\nRegistry Cleaner Recommended!\n\nTo fix the errors please do the following:\n1. Download Registry Repair from: http://www.regwinclean.com\n2. Install Registry Repair\n3. Run Registry Repair\n4. Reboot your co
Source IP: 212.173.252.89 (Marine Park JMI School & Nursery)
net send sender: SYSTEM
net send recipient: ALERT
net send message:
STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.\n\n Windows has found CRITICAL SYSTEM ERRORS.\n\n Run Registry Repair from: http://fixwin32.com\n\nFAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION!\n\n
Either “FAST COLOCATION SERVICES” is a nice host for spammers (spammer friendly) or the source IPs of some of the packets above have been spoofed – which is trivial, since UDP is a stateless protocol.
Anyway, interesting that this kind of spam is still around given that there should be hardly any vulnerable hosts.
Where are the advertised sites being hosted?
www.regwinclean.com – 216.52.184.240 – Internap Network Services / eNom – Registrar: ENOM, INC.
www.fixwin32.com – 89.248.163.138 – Ecatel LTD – Registrar: GO DADDY SOFTWARE, INC.
www.fixregs.com – 69.46.230.90 – Zipa, LLC – Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM