[lug] using tcpdump to emulate effects of packet dump
Hugh Brown
hugh at math.byu.edu
Thu Jul 17 18:55:08 MDT 2003
Extortion (which I believe is still mostly illegal) comes to mind as you
describe what is happening. You might consider contacting the state
attorney general or law enforcement.
Hugh
On Thu, 2003-07-17 at 19:58, D. Stimits wrote:
> I'm slowly gathering more information to destroy what I consider to be
> an illegal exploit of a MS vulnerability (they are not using a web
> service or email service port, but directly entering the machine using a
> known *vulnerability* of windows, and threatening to not stop causing
> crashes of applications that can't handle this, unless I pay them
> money...the rest is argument up for debate), the dreaded message service
> popup spam (not the messenger service of ICQ or intended communications,
> but instead the popups used to run system management warnings, e.g., the
> non-web popup you might expect to see when an UPS goes to battery power
> and is telling you that system failure is occurring). To that end, I have
> snort logs, tcp packet dumps, and firewall logs. At the moment, they
> (www.byebyeads.com) switched from their Broomfield, CO. IP address, and
> are now using one registered in China, 210.5.22.20.
>
> I am interested in taking my packet dumps, and sending them to one of my
> machines when booted to windows, in order to test a few ideas (I'd like
> to see www.byebyeads.com out of business by publishing a cure for
> free...I might even brush off my VC C++ compiler just for this
> occasion). To aid understanding for reverse engineering ways to defeat
> them, how would I take a full tcpdump and send it to one of my windows
> machines? Here is a sample, with my IP removed:
>
> 03:15:35.050646 210.5.22.20.32771 > x.x.x.x.1026: [udp sum ok] udp 663
> (ttl 238, id 34612, len 691)
> 0x0000 4500 02b3 8734 0000 ee11 04c1 d205 1614 E....4..........
> 0x0010 XXXX XXXX 8003 0402 029f 96a1 0400 2800 ..I...........(.
> 0x0020 1000 0000 0000 0000 0000 0000 0000 0000 ................
> 0x0030 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........
> 0x0040 4fb6 e6fc e80e 4ea9 a9a9 31f2 ea31 9a4a O.....N...1..1.J
> 0x0050 616b 0140 0000 0000 0100 0000 0000 0000 ak.@............
> 0x0060 0000 ffff ffff 4702 0000 0000 0f00 0000 ......G.........
> 0x0070 0000 0000 0f00 0000 436f 6d70 7574 6572 ........Computer
> 0x0080 2041 6c65 7274 0000 0e00 0000 0000 0000 .Alert..........
> 0x0090 0e00 0000 436f 6d70 7574 6572 2055 7365 ....Computer.Use
> 0x00a0 7200 0000 0302 0000 0000 0000 0302 0000 r...............
> 0x00b0 2020 2020 2020 5354 4f50 2054 4845 5345 ......STOP.THESE
> 0x00c0 204d 4553 5345 4e47 4552 2050 4f50 5550 .MESSENGER.POPUP
> 0x00d0 2041 4453 2054 4f44 4159 210a 0a23 2323 .ADS.TODAY!..###
> 0x00e0 2323 2323 2323 2323 2323 2323 2323 2323 ################
> 0x00f0 2323 2323 2323 2323 2323 2323 2323 2323 ################
> 0x0100 2323 2323 2323 2323 2323 2323 2323 2323 ################
> 0x0110 2323 2323 2323 2323 230a 0a47 6f20 746f #########..Go.to
> 0x0120 2077 7777 2e45 4e44 4144 532e 636f 6d20 .www.ENDADS.com.
> 0x0130 6e6f 7720 746f 2073 746f 7020 6164 7665 now.to.stop.adve
> 0x0140 7274 6973 656d 656e 7473 2069 6e20 6d69 rtisements.in.mi
> 0x0150 6e75 7465 732e 0a0a 7777 772e 454e 4441 nutes...www.ENDA
> 0x0160 4453 2e63 6f6d 2068 6173 2068 6967 686c DS.com.has.highl
> 0x0170 7920 6566 6665 6374 6976 6520 6d65 7373 y.effective.mess
> 0x0180 656e 6765 7220 706f 7075 7020 626c 6f63 enger.popup.bloc
> 0x0190 6b69 6e67 0a73 6f66 7477 6172 6520 7468 king.software.th
> 0x01a0 6174 2077 696c 6c20 656c 696d 696e 6174 at.will.eliminat
> 0x01b0 6520 7468 6573 6520 7479 7065 7320 6f66 e.these.types.of
> 0x01c0 2061 6473 2066 6f72 6576 6572 2e0a 0a4e .ads.forever...N
> 0x01d0 6576 6572 2062 6520 626f 7468 6572 6564 ever.be.bothered
> 0x01e0 2062 7920 6d65 7373 656e 6765 7220 706f .by.messenger.po
> 0x01f0 7075 7020 6164 7320 7768 696c 6520 796f pup.ads.while.yo
> 0x0200 7572 2077 6f72 6b69 6e67 210a 5669 7369 ur.working!.Visi
> 0x0210 7420 7777 772e 454e 4441 4453 2e63 6f6d t.www.ENDADS.com
> 0x0220 2074 6f20 7374 6f70 2074 6865 7365 2070 .to.stop.these.p
> 0x0230 6f70 7570 7320 696d 6d65 6469 6174 656c opups.immediatel
> 0x0240 792e 0a0a 5072 6573 7369 6e67 204f 4b20 y...Pressing.OK.
> 0x0250 7769 6c6c 206e 6f74 2074 616b 6520 796f will.not.take.yo
> 0x0260 7520 746f 2077 7777 2e45 4e44 4144 532e u.to.www.ENDADS.
> 0x0270 636f 6d20 736f 200a 7772 6974 6520 646f com.so..write.do
> 0x0280 776e 2074 6865 2077 6562 7369 7465 2062 wn.the.website.b
> 0x0290 6566 6f72 6520 7072 6573 7369 6e67 204f efore.pressing.O
> 0x02a0 4b2e 0a0a 7777 772e 454e 4441 4453 2e63 K...www.ENDADS.c
> 0x02b0 6f6d 00 om.
>
> What I'd like to do is first create a simple app that will generate
> these spams on my local network, and then write a windows app to defeat
> it (lots of learning curve there, I'm a linux guy!). Any recommendations?
>
> D. Stimits, stimits AT comcast DOT net
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
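A decoder for the packet format the quoted dump shows, added here as an example and not code from the post or the list. It checks that a UDP datagram is a DCE RPC connectionless request to the Messenger service interface (NetrSendMessage, opnum 0) and pulls out the from/to/text strings, which is the check a blocker or an IDS rule would make before dropping or alerting. The sample bytes are transcribed from the dump above; the redacted destination address is an assumption (192.168.1.5).

```python
import struct
import uuid
# Interface UUID of the Windows Messenger service (msgsvc); its opnum 0 is NetrSendMessage.
MSGSVC_IFACE = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")
def ndr_string(buf, off):
    """Read one NDR conformant varying char array: max_count, offset, actual_count, chars, pad to 4."""
    max_count, start, actual = struct.unpack_from("<III", buf, off)
    raw = buf[off + 12:off + 12 + actual]
    if start != 0 or actual > max_count or len(raw) != actual:
        raise ValueError("malformed or truncated NDR string")
    nxt = off + 12 + actual
    return raw.split(b"\0", 1)[0].decode("latin-1"), nxt + (-nxt) % 4

def parse_messenger_popup(pkt):
    """Return src/dport/from/to/text of an IPv4/UDP msgsvc popup request, or None if pkt is not one."""
    try:
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[0] >> 4 != 4 or pkt[9] != 17 or struct.unpack_from("!H", pkt, 2)[0] != len(pkt):
            return None                            # not IPv4/UDP, or IP length != captured bytes
        _, dport, ulen = struct.unpack_from("!HHH", pkt, ihl)
        rpc = pkt[ihl + 8:ihl + ulen]              # DCE RPC connectionless PDU: 80-byte header + stub
        if len(rpc) < 80 or rpc[0] != 4 or rpc[1] != 0 or not rpc[4] & 0x10:
            return None                            # need CL v4, ptype 0 (request), little-endian drep
        opnum, _, _, body_len = struct.unpack_from("<HHHH", rpc, 68)
        if uuid.UUID(bytes_le=rpc[24:40]) != MSGSVC_IFACE or opnum != 0 or body_len != len(rpc) - 80:
            return None
        sender, off = ndr_string(rpc, 80)          # NetrSendMessage(from, to, text) stub data
        recipient, off = ndr_string(rpc, off)
        text, _ = ndr_string(rpc, off)
    except (struct.error, ValueError, IndexError):
        return None
    return {"src": ".".join(map(str, pkt[12:16])), "dport": dport, "from": sender, "to": recipient, "text": text}

# The quoted tcpdump sample as bytes; the redacted destination (XXXX XXXX) is filled with the
# constructed address 192.168.1.5, so the IP checksum is not expected to verify.
SAMPLE = bytes.fromhex("""450002b387340000ee1104c1d2051614 c0a8010580030402029f96a104002800 10000000000000000000000000000000
00000000f8917b5a00ffd011a9b200c0 4fb6e6fce80e4ea9a9a931f2ea319a4a 616b0140000000000100000000000000
0000ffffffff4702000000000f000000 000000000f000000436f6d7075746572 20416c65727400000e00000000000000
0e000000436f6d707574657220557365 72000000030200000000000003020000 20202020202053544f50205448455345
204d455353454e47455220504f505550 2041445320544f444159210a0a232323 23232323232323232323232323232323
23232323232323232323232323232323 23232323232323232323232323232323 2323232323232323230a0a476f20746f
207777772e454e444144532e636f6d20 6e6f7720746f2073746f702061647665 72746973656d656e747320696e206d69
6e757465732e0a0a7777772e454e4441 44532e636f6d2068617320686967686c 7920656666656374697665206d657373
656e67657220706f70757020626c6f63 6b696e670a736f667477617265207468 61742077696c6c20656c696d696e6174
65207468657365207479706573206f66 2061647320666f72657665722e0a0a4e 6576657220626520626f746865726564
206279206d657373656e67657220706f 70757020616473207768696c6520796f 757220776f726b696e67210a56697369
74207777772e454e444144532e636f6d 20746f2073746f702074686573652070 6f7075707320696d6d6564696174656c
792e0a0a5072657373696e67204f4b20 77696c6c206e6f742074616b6520796f 7520746f207777772e454e444144532e
636f6d20736f200a777269746520646f 776e2074686520776562736974652062 65666f7265207072657373696e67204f
4b2e0a0a7777772e454e444144532e63 6f6d00""")
```

Running parse_messenger_popup(SAMPLE) yields source 210.5.22.20, port 1026, from "Computer Alert" to "Computer User", and the full advertisement text; a truncated capture or a request with a different opnum returns None instead of a partial decode.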