« Why torch your neighbor's car? | Main | Nathalie's day off »
November 04, 2005
GUIs for spammers
A couple of my accounts got spam today from somebody trying to spoof eBay.com, saying that the account is locked, I cannot use eBay until I click the link, etc.
The link they wanted me to connect to is port 680 on the host with IP address 218.236.22.164.
$ host 218.236.22.164
Host 164.22.236.218.in-addr.arpa not found: 3(NXDOMAIN)
$ nmap 218.236.22.164
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-04 21:45 CET
Interesting ports on 218.236.22.164:
(The 1650 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
135/tcp filtered msrpc
139/tcp open netbios-ssn
445/tcp filtered microsoft-ds
680/tcp open unknown
780/tcp open wpgs
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1029/tcp open ms-lsa
1433/tcp open ms-sql-s
3128/tcp filtered squid-http
3389/tcp open ms-term-serv
4444/tcp filtered krb524
17300/tcp filtered kuang2
Nmap finished: 1 IP address (1 host up) scanned in 101.956 seconds
$
So other than them seemingly running Windows, what's up? I found a page that says a virus called RTB 666 uses that port. Looks like these folks can set up trojans running on other people's machines, then get the account info back through those trojans.
RTB 666 seems to have a GUI client in Polish. Here's the half-size thumbnail:
Click the image to see the MegaSecurity.org screenshots.
Posted by Mark at November 4, 2005 09:53 PM
Trackback Pings
TrackBack URL for this entry:
http://mcraig.org/movabletype/mt-tb.cgi/986
Comments
there's a load of uk banking phishing scams utilising port 680 or 780 at the moment. they stated sometime in nov with barclays scams but have now changed to lloyds and halifax ones. often scams exist on both the above ports on the same compromised machines. quite possibly someones using somesort of root kit that autoconfigures apache servers to present these scams.
Posted by: anti phishing at December 3, 2005 02:30 AM