[lug] using tcpdump to emulate effects of packet dump

George Sexton gsexton at mhsoftware.com
Thu Jul 17 19:27:14 MDT 2003


net stop messenger

and set the service to manual start.

-----Original Message-----
From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us] On Behalf Of D. Stimits
Sent: Thursday, July 17, 2003 5:59 PM
To: BLUG
Subject: [lug] using tcpdump to emulate effects of packet dump


I'm slowly gathering more information to destroy what I consider to be 
an illegal exploit of a MS vulnerability (they are not using a web 
service or email service port, but directly entering the machine using a 
known *vulnerability* of windows, and threatening to not stop causing 
crashes of applications that can't handle this, unless I pay them 
money...the rest is argument up for debate), the dreaded message service 
popup spam (not the messenger service of ICQ or intended communications, 
but instead the popups used to run system management warnings, e.g., the 
non-web popup you might expect to see when an UPS goes to battery power 
and is telling you that system failure is occurring). To that end, I have 
snort logs, tcp packet dumps, and firewall logs. At the moment, they 
(www.byebyeads.com) switched from their Broomfield, CO. IP address, and 
are now using one registered in China, 210.5.22.20.

I am interested in taking my packet dumps, and sending them to one of my 
machines when booted to windows, in order to test a few ideas (I'd like 
to see www.byebyeads.com out of business by publishing a cure for 
free...I might even brush off my VC C++ compiler just for this 
occasion). To aid understanding for reverse engineering ways to defeat 
them, how would I take a full tcpdump and send it to one of my windows 
machines? Here is a sample, with my IP removed:

03:15:35.050646 210.5.22.20.32771 > x.x.x.x.1026:  [udp sum ok] udp 663 
(ttl 238, id 34612, len 691)
0x0000	 4500 02b3 8734 0000 ee11 04c1 d205 1614	E....4..........
0x0010	 XXXX XXXX 8003 0402 029f 96a1 0400 2800	..I...........(.
0x0020	 1000 0000 0000 0000 0000 0000 0000 0000	................
0x0030	 0000 0000 f891 7b5a 00ff d011 a9b2 00c0	......{Z........
0x0040	 4fb6 e6fc e80e 4ea9 a9a9 31f2 ea31 9a4a	O.....N...1..1.J
0x0050	 616b 0140 0000 0000 0100 0000 0000 0000	ak.@............
0x0060	 0000 ffff ffff 4702 0000 0000 0f00 0000	......G.........
0x0070	 0000 0000 0f00 0000 436f 6d70 7574 6572	........Computer
0x0080	 2041 6c65 7274 0000 0e00 0000 0000 0000	.Alert..........
0x0090	 0e00 0000 436f 6d70 7574 6572 2055 7365	....Computer.Use
0x00a0	 7200 0000 0302 0000 0000 0000 0302 0000	r...............
0x00b0	 2020 2020 2020 5354 4f50 2054 4845 5345	......STOP.THESE
0x00c0	 204d 4553 5345 4e47 4552 2050 4f50 5550	.MESSENGER.POPUP
0x00d0	 2041 4453 2054 4f44 4159 210a 0a23 2323	.ADS.TODAY!..###
0x00e0	 2323 2323 2323 2323 2323 2323 2323 2323	################
0x00f0	 2323 2323 2323 2323 2323 2323 2323 2323	################
0x0100	 2323 2323 2323 2323 2323 2323 2323 2323	################
0x0110	 2323 2323 2323 2323 230a 0a47 6f20 746f	#########..Go.to
0x0120	 2077 7777 2e45 4e44 4144 532e 636f 6d20	.www.ENDADS.com.
0x0130	 6e6f 7720 746f 2073 746f 7020 6164 7665	now.to.stop.adve
0x0140	 7274 6973 656d 656e 7473 2069 6e20 6d69	rtisements.in.mi
0x0150	 6e75 7465 732e 0a0a 7777 772e 454e 4441	nutes...www.ENDA
0x0160	 4453 2e63 6f6d 2068 6173 2068 6967 686c	DS.com.has.highl
0x0170	 7920 6566 6665 6374 6976 6520 6d65 7373	y.effective.mess
0x0180	 656e 6765 7220 706f 7075 7020 626c 6f63	enger.popup.bloc
0x0190	 6b69 6e67 0a73 6f66 7477 6172 6520 7468	king.software.th
0x01a0	 6174 2077 696c 6c20 656c 696d 696e 6174	at.will.eliminat
0x01b0	 6520 7468 6573 6520 7479 7065 7320 6f66	e.these.types.of
0x01c0	 2061 6473 2066 6f72 6576 6572 2e0a 0a4e	.ads.forever...N
0x01d0	 6576 6572 2062 6520 626f 7468 6572 6564	ever.be.bothered
0x01e0	 2062 7920 6d65 7373 656e 6765 7220 706f	.by.messenger.po
0x01f0	 7075 7020 6164 7320 7768 696c 6520 796f	pup.ads.while.yo
0x0200	 7572 2077 6f72 6b69 6e67 210a 5669 7369	ur.working!.Visi
0x0210	 7420 7777 772e 454e 4441 4453 2e63 6f6d	t.www.ENDADS.com
0x0220	 2074 6f20 7374 6f70 2074 6865 7365 2070	.to.stop.these.p
0x0230	 6f70 7570 7320 696d 6d65 6469 6174 656c	opups.immediatel
0x0240	 792e 0a0a 5072 6573 7369 6e67 204f 4b20	y...Pressing.OK.
0x0250	 7769 6c6c 206e 6f74 2074 616b 6520 796f	will.not.take.yo
0x0260	 7520 746f 2077 7777 2e45 4e44 4144 532e	u.to.www.ENDADS.
0x0270	 636f 6d20 736f 200a 7772 6974 6520 646f	com.so..write.do
0x0280	 776e 2074 6865 2077 6562 7369 7465 2062	wn.the.website.b
0x0290	 6566 6f72 6520 7072 6573 7369 6e67 204f	efore.pressing.O
0x02a0	 4b2e 0a0a 7777 772e 454e 4441 4453 2e63	K...www.ENDADS.c
0x02b0	 6f6d 00                                	om.

What I'd like to do is first create a simple app that will generate 
these spams on my local network, and then write a windows app to defeat 
it (lots of learning curve there, I'm a linux guy!). Any recommendations?

D. Stimits, stimits AT comcast DOT net

_______________________________________________
Web Page:  http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
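As an added example (not code from the thread or from either poster), the following Python rebuilds the quoted packet from the tcpdump hex column only, since the list archive mangled the ASCII column, decodes the IPv4/UDP headers and the connectionless DCE RPC header, and pulls the popup strings out of the RPC stub data. The embedded dump is a constructed excerpt of the lines above; the destination address the poster redacted as XXXX is kept as zero bytes and reported rather than guessed, and the interface UUID that comes out is the Messenger service's RPC interface id.

```python
import re
import struct
import uuid

# Constructed excerpt of the tcpdump -X dump quoted in the post; the poster
# redacted the destination address as XXXX (kept here as zeros and reported).
HEXDUMP = """\
0x0000	 4500 02b3 8734 0000 ee11 04c1 d205 1614	E....4..........
0x0010	 XXXX XXXX 8003 0402 029f 96a1 0400 2800	..I...........(.
0x0030	 0000 0000 f891 7b5a 00ff d011 a9b2 00c0	......{Z........
0x0040	 4fb6 e6fc e80e 4ea9 a9a9 31f2 ea31 9a4a	O.....N...1..1.J
0x0070	 0000 0000 0f00 0000 436f 6d70 7574 6572	........Computer
0x0080	 2041 6c65 7274 0000 0e00 0000 0000 0000	.Alert..........
0x00b0	 2020 2020 2020 5354 4f50 2054 4845 5345	......STOP.THESE
0x00c0	 204d 4553 5345 4e47 4552 2050 4f50 5550	.MESSENGER.POPUP
0x00d0	 2041 4453 2054 4f44 4159 210a 0a23 2323	.ADS.TODAY!..###
"""
HEXLINE = re.compile(r"^0x([0-9a-fA-F]+)\s+((?:[0-9a-fA-FxX]{2,4}\s)+)")

def parse_hexdump(text):
    """Rebuild packet bytes from the hex column only (the archive mangled the
    ASCII column, e.g. '@' became ' at '). Returns (bytes, redacted_offsets)."""
    buf, redacted = bytearray(), []
    for line in text.splitlines():
        m = HEXLINE.match(line)
        if not m:
            continue
        buf.extend(b"\0" * (int(m.group(1), 16) - len(buf)))  # zero-fill excerpt gaps
        for word in m.group(2).split():
            if "X" in word.upper():  # redacted bytes stay zero but are flagged
                redacted.extend(range(len(buf), len(buf) + len(word) // 2))
                buf.extend(b"\0" * (len(word) // 2))
            else:
                buf.extend(bytes.fromhex(word))
    return bytes(buf), redacted

def decode_packet(buf):
    """Decode IPv4/UDP headers plus the connectionless DCE RPC header and the
    printable stub strings (the popup title, sender and body)."""
    vihl, _, total, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", buf[ihl:ihl + 8])
    rpc = buf[ihl + 8:]  # UDP payload: 80-byte CL RPC header, then stub data
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ip_len": total, "id": ident, "ttl": ttl, "proto": proto,
            "sport": sport, "dport": dport, "udp_payload": ulen - 8,
            "rpc_vers": rpc[0], "rpc_ptype": rpc[1],
            "if_id": str(uuid.UUID(bytes_le=rpc[24:40])),
            "strings": [s.decode().strip()
                        for s in re.findall(rb"[\x20-\x7e\n]{4,}", rpc[80:])]}
```

The decoded fields match tcpdump's summary line (ttl 238, id 34612, len 691, udp 663, ports 32771 > 1026), which is a quick sanity check that the dump was transcribed intact.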