August 18th, 2004, 02:59 AM
attacked by hotmail??
Hello: Today I started MSN Messenger and a few seconds later I got an attack detected by Norton Internet Security. Here are some details from my log files:
Details: Rule "Default Block Bla Trojan horse" stealthed (e450.voice.microsoft.com(184.108.40.206),1042)
Inbound UDP packet
Local address,service is (jagermeister(192.168.1.8),1042)
Remote address,service is (e450.voice.microsoft.com(220.127.116.11),7001)
Process name is "C:\Program Files\MSN Messenger\msnmsgr.exe"
Results from whois 18.104.22.168:
OrgName: MS Hotmail
Address: One Microsoft Way
NetRange: 22.214.171.124 - 126.96.36.199
NetType: Direct Assignment
# ARIN WHOIS database, last updated 2004-07-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
What could this be?? My guesses:
1. Regular traffic between MSN Messenger and Hotmail, and my firewall picked it up as an attack.
2. A real attack from someone spoofing Hotmail's IP.
What is the supposed trojan that is being used to attack me? Any guesses if this was just a port scan or something more dangerous? What can be exploited in UDP port 1042?
I know I am asking too many questions but I am very curious to know what this is about.
August 18th, 2004, 03:08 AM
My guess is either option two or someone is using an MSN trojan horse application on you and it just shows up as Microsoft. Disallow that connection and see what happens, although chances are MSN Messenger will shut down. Also, download and run swatit from SwatIt.org and work from there.
August 18th, 2004, 03:17 AM
It could be MSN Messenger sending a packet via UDP on the same port the trojan horse uses thus alarming you.
But Google showed the MSN Messenger application uses the following ports via UDP; however, your log is showing it as port 7001 UDP... were you doing file transfers, voice?
Incoming voice (computer to computer): 6901
Voice (computer to phone): 6801, 6901, 2001-2120
File transfer (receiving a file): 6891-6900
August 18th, 2004, 01:19 PM
Hi, I haven't had any subsequent attacks of this type. That's good. It was probably just a script kiddie.
FYI: I have googled for UDP port 1042. Turns out that port is used by the BLA trojan.
Spyder: I will run swatit and see if it finds anything.
August 18th, 2004, 02:04 PM
Johnny: You also have to be aware that Intrusion Detection Systems are prone to false positives. The rule that appeared to have been contravened may look like this:-
alert udp $EXTERNAL_NET 7001 -> $HOME_NET any (msg:"Default Block Bla Trojan horse"; flow: to_server, established; content: "1234567890"; etc........)
Yes, I know, that's a Snort rule.....
But if the rule doesn't specify such things as offsets within the packet then something as silly as MSN giving you a session ID of 1234567890 would trigger the rule at some point in the conversation.
The fact that it happened only once would reinforce the potential for a false positive.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
August 18th, 2004, 05:26 PM
I have heard of swatit and I was thinking of downloading it. Is swatit compatible with other software like spybot, adaware, avast! AV, etc?
Reading Norton's website on that Bla trojan I read this:
Causes system instability: Blue warning screens are displayed every time the computer is restarted
Does this happen to you? If not then it probably is a false positive IMHO.
August 20th, 2004, 06:53 PM
TS: I reckon you are right. This attack has not happened again, and when it did it was when MSN started, so probably it was just regular traffic picked up by my IDS.
Thanks everybody for your input,