[lug] using tcpdump to emulate effects of packet dump

D. Stimits stimits at comcast.net
Thu Jul 17 19:21:58 MDT 2003


Hugh Brown wrote:

> Extortion (which I believe is still mostly illegal) comes to mind as you
> describe what is happening.  You might consider contacting the state
> attorney general or law enforcement.


Well, this is on my mind, and I am gathering nails for the coffin. In 
the past I already asked one Senator about something similar to this, 
and he was definitely on the same mind track about this sort of thing. 
I'm thinking about presenting this particular company to the Senator.

What makes this especially nice is that the IP address belongs to Level 
3 Communications in Broomfield, CO, and every imaginable law there is 
applies to these people. (63.215.251.5, the spammer that wants money to 
stop causing system crashes based on popup spam and windows bugs, is a 
local company).

However, I hope to guarantee their demise by writing free software to 
kill their spam business. Writing network code on win32 is not my area, 
but I can probably interest others in helping on such a project.

D. Stimits, stimits AT comcast DOT net

>
> Hugh
>
>
> On Thu, 2003-07-17 at 19:58, D. Stimits wrote:
>
> >I'm slowly gathering more information to destroy what I consider to be
> >an illegal exploit of a MS vulnerability (they are not using a web
> >service or email service port, but directly entering the machine using a
> >known *vulnerability* of windows, and threatening to not stop causing
> >crashes of applications that can't handle this, unless I pay them
> >money...the rest is argument up for debate), the dreaded message service
> >popup spam (not the messenger service of ICQ or intended communications,
> >but instead the popups used to run system management warnings, e.g., the
> >non-web popup you might expect to see when a UPS goes to battery power
> >and is telling you that system failure is occurring). To that end, I have
> >snort logs, tcp packet dumps, and firewall logs. At the moment, they
> >(www.byebyeads.com) switched from their Broomfield, CO. IP address, and
> >are now using one registered in China, 210.5.22.20.
> >
> >I am interested in taking my packet dumps, and sending them to one of my
> >machines when booted to windows, in order to test a few ideas (I'd like
> >to see www.byebyeads.com out of business by publishing a cure for
> >free...I might even brush off my VC C++ compiler just for this
> >occasion). To aid understanding for reverse engineering ways to defeat
> >them, how would I take a full tcpdump and send it to one of my windows
> >machines? Here is a sample, with my IP removed:
> >
> >03:15:35.050646 210.5.22.20.32771 > x.x.x.x.1026:  [udp sum ok] udp 663
> >(ttl 238, id 34612, len 691)
> >0x0000	 4500 02b3 8734 0000 ee11 04c1 d205 1614	E....4..........
> >0x0010	 XXXX XXXX 8003 0402 029f 96a1 0400 2800	..I...........(.
> >0x0020	 1000 0000 0000 0000 0000 0000 0000 0000	................
> >0x0030	 0000 0000 f891 7b5a 00ff d011 a9b2 00c0	......{Z........
> >0x0040	 4fb6 e6fc e80e 4ea9 a9a9 31f2 ea31 9a4a	O.....N...1..1.J
> >0x0050	 616b 0140 0000 0000 0100 0000 0000 0000	ak. at ............
> >0x0060	 0000 ffff ffff 4702 0000 0000 0f00 0000	......G.........
> >0x0070	 0000 0000 0f00 0000 436f 6d70 7574 6572	........Computer
> >0x0080	 2041 6c65 7274 0000 0e00 0000 0000 0000	.Alert..........
> >0x0090	 0e00 0000 436f 6d70 7574 6572 2055 7365	....Computer.Use
> >0x00a0	 7200 0000 0302 0000 0000 0000 0302 0000	r...............
> >0x00b0	 2020 2020 2020 5354 4f50 2054 4845 5345	......STOP.THESE
> >0x00c0	 204d 4553 5345 4e47 4552 2050 4f50 5550	.MESSENGER.POPUP
> >0x00d0	 2041 4453 2054 4f44 4159 210a 0a23 2323	.ADS.TODAY!..###
> >0x00e0	 2323 2323 2323 2323 2323 2323 2323 2323	################
> >0x00f0	 2323 2323 2323 2323 2323 2323 2323 2323	################
> >0x0100	 2323 2323 2323 2323 2323 2323 2323 2323	################
> >0x0110	 2323 2323 2323 2323 230a 0a47 6f20 746f	#########..Go.to
> >0x0120	 2077 7777 2e45 4e44 4144 532e 636f 6d20	.www.ENDADS.com.
> >0x0130	 6e6f 7720 746f 2073 746f 7020 6164 7665	now.to.stop.adve
> >0x0140	 7274 6973 656d 656e 7473 2069 6e20 6d69	rtisements.in.mi
> >0x0150	 6e75 7465 732e 0a0a 7777 772e 454e 4441	nutes...www.ENDA
> >0x0160	 4453 2e63 6f6d 2068 6173 2068 6967 686c	DS.com.has.highl
> >0x0170	 7920 6566 6665 6374 6976 6520 6d65 7373	y.effective.mess
> >0x0180	 656e 6765 7220 706f 7075 7020 626c 6f63	enger.popup.bloc
> >0x0190	 6b69 6e67 0a73 6f66 7477 6172 6520 7468	king.software.th
> >0x01a0	 6174 2077 696c 6c20 656c 696d 696e 6174	at.will.eliminat
> >0x01b0	 6520 7468 6573 6520 7479 7065 7320 6f66	e.these.types.of
> >0x01c0	 2061 6473 2066 6f72 6576 6572 2e0a 0a4e	.ads.forever...N
> >0x01d0	 6576 6572 2062 6520 626f 7468 6572 6564	ever.be.bothered
> >0x01e0	 2062 7920 6d65 7373 656e 6765 7220 706f	.by.messenger.po
> >0x01f0	 7075 7020 6164 7320 7768 696c 6520 796f	pup.ads.while.yo
> >0x0200	 7572 2077 6f72 6b69 6e67 210a 5669 7369	ur.working!.Visi
> >0x0210	 7420 7777 772e 454e 4441 4453 2e63 6f6d	t.www.ENDADS.com
> >0x0220	 2074 6f20 7374 6f70 2074 6865 7365 2070	.to.stop.these.p
> >0x0230	 6f70 7570 7320 696d 6d65 6469 6174 656c	opups.immediatel
> >0x0240	 792e 0a0a 5072 6573 7369 6e67 204f 4b20	y...Pressing.OK.
> >0x0250	 7769 6c6c 206e 6f74 2074 616b 6520 796f	will.not.take.yo
> >0x0260	 7520 746f 2077 7777 2e45 4e44 4144 532e	u.to.www.ENDADS.
> >0x0270	 636f 6d20 736f 200a 7772 6974 6520 646f	com.so..write.do
> >0x0280	 776e 2074 6865 2077 6562 7369 7465 2062	wn.the.website.b
> >0x0290	 6566 6f72 6520 7072 6573 7369 6e67 204f	efore.pressing.O
> >0x02a0	 4b2e 0a0a 7777 772e 454e 4441 4453 2e63	K...www.ENDADS.c
> >0x02b0	 6f6d 00                                	om.
> >
> >What I'd like to do is first create a simple app that will generate
> >these spams on my local network, and then write a windows app to defeat
> >it (lots of learning curve there, I'm a linux guy!). Any recommendations?
> >
> >D. Stimits, stimits AT comcast DOT net
> >
> >_______________________________________________
> >Web Page:  http://lug.boulder.co.us
> >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
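An added example, not code from the thread, showing the reading half of what the post asks for from a defender's side: it reassembles the quoted tcpdump hex dump into bytes and decodes the IP/UDP headers and the DCE RPC Messenger-service request inside, so the source address, destination port, interface UUID and the three message strings can be logged or matched by a filter. The embedded sample is the first twelve lines of the quoted dump, so the message text comes out cut off; the layout assumed is the standard 80-byte connectionless DCE RPC header followed by NDR character arrays, and the masked XXXX destination is treated as zero bytes.

```python
import re, struct, uuid
# Constructed sample: the first twelve lines of the dump quoted in the thread (dst masked as XXXX).
SAMPLE_DUMP = """\
0x0000   4500 02b3 8734 0000 ee11 04c1 d205 1614   E....4..........
0x0010   XXXX XXXX 8003 0402 029f 96a1 0400 2800   ..I...........(.
0x0020   1000 0000 0000 0000 0000 0000 0000 0000   ................
0x0030   0000 0000 f891 7b5a 00ff d011 a9b2 00c0   ......{Z........
0x0040   4fb6 e6fc e80e 4ea9 a9a9 31f2 ea31 9a4a   O.....N...1..1.J
0x0050   616b 0140 0000 0000 0100 0000 0000 0000   ak. at ............
0x0060   0000 ffff ffff 4702 0000 0000 0f00 0000   ......G.........
0x0070   0000 0000 0f00 0000 436f 6d70 7574 6572   ........Computer
0x0080   2041 6c65 7274 0000 0e00 0000 0000 0000   .Alert..........
0x0090   0e00 0000 436f 6d70 7574 6572 2055 7365   ....Computer.Use
0x00a0   7200 0000 0302 0000 0000 0000 0302 0000   r...............
0x00b0   2020 2020 2020 5354 4f50 2054 4845 5345   ......STOP.THESE
"""
MSGSVC_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")  # Messenger send interface (offset 0x34)

def dump_to_bytes(dump):
    """Reassemble tcpdump -X style lines; masked XXXX groups become zero bytes."""
    out = bytearray()
    for line in dump.splitlines():
        for word in line.split()[1:9]:          # offset, up to 8 hex words, ASCII column
            if re.fullmatch(r"[0-9a-fA-FX]{2,4}", word):
                out += bytes.fromhex(word.replace("X", "0"))
    return bytes(out)

def ndr_strings(stub, n=3):
    """Read n NDR char arrays (max count, offset, actual count, data), each 4-byte aligned."""
    pos, out = 0, []
    while len(out) < n and pos + 12 <= len(stub):
        _, _, count = struct.unpack_from("<III", stub, pos)
        data = stub[pos + 12:pos + 12 + count]  # a cut-off last string is kept as far as it goes
        out.append(data.split(b"\0", 1)[0].decode("latin-1"))
        pos += 12 + count + (-(12 + count) % 4)
    return out

def parse_messenger_popup(raw):
    """Return sender, recipient and text of a Messenger popup in an IPv4/UDP RPC request, else None."""
    ver_ihl, _, total_len, _, _, _, proto = struct.unpack("!BBHHHBB", raw[:10])
    ihl = (ver_ihl & 0xF) * 4
    pdu = raw[ihl + 8:]                         # DCE RPC connectionless PDU after the UDP header
    if ver_ihl >> 4 != 4 or proto != 17 or len(pdu) < 80 or pdu[:2] != b"\x04\x00":
        return None                             # not IPv4/UDP, or not a CL v4 request PDU
    if uuid.UUID(bytes_le=pdu[24:40]) != MSGSVC_UUID:
        return None                             # some other RPC interface
    sender, recipient, text = (ndr_strings(pdu[80:]) + [""] * 3)[:3]
    return {"src": ".".join(map(str, raw[12:16])), "dport": struct.unpack_from("!H", raw, ihl + 2)[0],
            "opnum": struct.unpack_from("<H", pdu, 68)[0], "sender": sender,
            "recipient": recipient, "message": text, "truncated": len(raw) < total_len}
```

On the full dump the third string is the complete 515-byte advertisement; a filter that drops UDP to port 1026 from outside the network, or that matches on this interface UUID in a request PDU, stops the popup before the Messenger service ever sees it.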