Thread: attacked by hotmail??

  1. #1
    Senior Member
    Join Date
    Apr 2002

    attacked by hotmail??

    Hello: Today I started MSN Messenger and a few seconds later I got an attack detected by Norton Internet Security. Here are some details from my log files:
    Details: Rule "Default Block Bla Trojan horse" stealthed (e450.voice.microsoft.com(,1042)
    Inbound UDP packet
    Local address,service is (jagermeister(,1042)
    Remote address,service is (e450.voice.microsoft.com(,7001)
    Process name is "C:\Program Files\MSN Messenger\msnmsgr.exe"

    Results from whois
    OrgName: MS Hotmail
    Address: One Microsoft Way
    City: Redmond
    StateProv: WA
    PostalCode: 98052
    Country: US

    NetRange: -
    NetName: HOTMAIL
    NetHandle: NET-64-4-0-0-1
    Parent: NET-64-0-0-0-0
    NetType: Direct Assignment
    NameServer: NS1.HOTMAIL.COM
    NameServer: NS3.HOTMAIL.COM
    NameServer: NS2.HOTMAIL.COM
    NameServer: NS4.HOTMAIL.COM
    RegDate: 1999-11-24
    Updated: 2003-06-27

    TechHandle: MSFTP-ARIN
    TechName: MSFT-POC
    TechPhone: +1-425-882-8080
    TechEmail: iprrms@microsoft.com

    OrgAbuseHandle: ABUSE231-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-425-882-8080
    OrgAbuseEmail: abuse@microsoft.com

    OrgTechHandle: MSFTP-ARIN
    OrgTechName: MSFT-POC
    OrgTechPhone: +1-425-882-8080
    OrgTechEmail: iprrms@microsoft.com

    # ARIN WHOIS database, last updated 2004-07-30 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    What could this be?? My guesses:

    1. Regular traffic between msn messenger and hotmail and my firewall picked it up as an attack.

    2. Real attack from someone spoofing hotmail's IP.

    What is the supposed trojan that is being used to attack me? Any guesses if this was just a port scan or something more dangerous? What can be exploited in UDP port 1042?
    I know I am asking too many questions but I am very curious to know what this is about.


  2. #2
    Senior Member
    Join Date
    Oct 2002
    My guess is either option two or someone is using an MSN trojan horse application on you and it just shows up on Microsoft. Disallow that connection and see what happens, although chances are MSN Messenger will shut down. Also, download and run swatit from SwatIt.org and work from there.
    Space For Rent.. =]

  3. #3
    It could be MSN Messenger sending a packet via UDP on the same port the trojan horse uses thus alarming you.

    But Google showed MSN Messenger Application uses


    Incoming voice (computer to computer) 6901 6901
    Voice (computer to phone) 6801, 6901, 2001-2120
    File transfer (receiving a file) 6891-6900
    via UDP, however, it is showing it as port 7001 UDP... were you doing file transfers, voice?


  4. #4
    Senior Member
    Join Date
    Apr 2002
    Hi, I haven't had any subsequent attacks of this type. That's good. It was probably just a Script Kiddie.
    FYI: I have googled for udp port 1042:


    Turns out that port is used by the BLA trojan:


    Spyder: I will run swatit and see if it finds anything.



  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Johnny: You also have to be aware that Intrusion Detection Systems are prone to false positives. The rule that appeared to have been contravened may look like this:-

    alert udp EXTERNAL_NET 7001 -> HOME_NET any (msg:"Default Block Bla Trojan horse"; flow: to_server, established; content: "1234567890"; etc........)

    Yes, I know, that's a Snort rule.....

    But if the rule doesn't specify such things as offsets within the packet then something as silly as MSN giving you a session ID of 1234567890 would trigger the rule at some point in the conversation.

    The fact that it happened only once would reinforce the potential for a false positive.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
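
The false-positive mechanism described in post #5, as an added example that is not part of the original thread: a small Python model of Snort-style `content` matching with and without `offset`/`depth`, run over constructed payloads. The ports 7001 and 1042 come from the log in post #1; the marker bytes, the payloads, and the port-only rule (an assumption about how the firewall rule was keyed) are illustrative.

```python
# Added example: minimal model of Snort-style `content` matching with and
# without `offset`/`depth`. Marker bytes and payloads are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    msg: str
    src_port: Optional[int]      # None means "any"
    dst_port: Optional[int]
    content: Optional[bytes] = None
    offset: int = 0              # where in the payload the search starts
    depth: Optional[int] = None  # how many bytes from offset are searched

    def matches(self, src_port: int, dst_port: int, payload: bytes) -> bool:
        if self.src_port is not None and src_port != self.src_port:
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        if self.content is None:
            return True          # port-only rule: any payload fires it
        end = len(payload) if self.depth is None else self.offset + self.depth
        return self.content in payload[self.offset:end]


SIG = b"1234567890"  # illustrative marker from post #5, not a real signature

RULES = [
    Rule("port only", None, 1042),                     # assumed firewall-style rule
    Rule("content anywhere", 7001, None, SIG),         # no offset/depth
    Rule("content anchored", 7001, None, SIG, offset=0, depth=len(SIG)),
]

# Constructed payloads: a benign message that happens to carry the marker as a
# session ID, and a datagram that begins with the marker.
BENIGN = b"VOICE session-id=1234567890 codec=7\r\n"
SIG_AT_START = SIG + b"\x00\x01cmd"


def fired(src_port: int, dst_port: int, payload: bytes) -> list:
    """Return the msg of every rule that matches this UDP datagram."""
    return [r.msg for r in RULES if r.matches(src_port, dst_port, payload)]


if __name__ == "__main__":
    print("benign      :", fired(7001, 1042, BENIGN))
    print("sig at start:", fired(7001, 1042, SIG_AT_START))
```

On the benign payload the port-only and unanchored rules both fire while the anchored rule stays silent, which is the single-alert pattern the thread ends up attributing to ordinary Messenger traffic.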

  6. #6
    Join Date
    Apr 2004
    I have heard of swatit and I was thinking of downloading it. Is swatit compatible with other software like spybot, adaware, avast! AV, etc?

    Reading the Norton's website on that bla trojan I read this:

    Causes system instability: Blue warning screens are displayed every time the computer is restarted
    Does this happen to you? If not then it probably is a false positive IMHO.
    I am the uber duck!!1
    Proxy Tools

  7. #7
    Senior Member
    Join Date
    Apr 2002
    TS: I reckon you are right. This attack has not happened again and when it did it was when MSN started, so probably it was just regular traffic picked up by my IDS.

    thnx everybody for your input,

