
黑暗執行緒 (Darkthread)

黑暗執行緒 has moved to a new home!! http://www.darkthread.net

7/12/2006

KB - Decoding a suspicious Windows Live Messenger connection


I happened to notice that Windows Live Messenger had opened several HTTP connections to a host on a Seednet dial-up IP address.
[Screenshot: MSNWeirdHttp]
In theory, Live Messenger should be talking to servers that serve users worldwide, so why was it connecting to a machine on Seednet's dial-up network?
I tried telnetting to the machine on ports 80, 21 and 25. In every case the screen went completely blank and the connection was dropped as soon as I typed any character, which suggested that only a client speaking some special protocol could talk to it.

These clues made me wonder: could I have picked up a trojan? Could this machine be the gateway a backdoor uses to communicate? At that thought my nerves went taut!
Watching it establish connections in Ethereal while capturing no packets at all made me break into a cold sweat. Did this trojan have some special stealth capability, hooking APIs to hide its own traffic?
I found another free tool, VisualSniffer, and restarted Live Messenger (perhaps Ethereal had missed the traffic simply because Messenger had not been restarted), and finally saw the requests being sent: a series of menu_*.xml files. But the host kept returning HTTP 304 Not Modified, so the XML content remained invisible. After clearing the IE cache and trying again, the contents of menu*.xml finally appeared.
[Screenshot: MSNHttpContent]
Following the image files referenced in the XML, it turned out to be the option data for the download catalogue of the so-called animated Winks.
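The 304 behaviour described above, as an added example that is not part of the original post: a simulated origin that honours conditional GET, showing that a request carrying the browser's cache validators yields only a 304 with an empty body (all a sniffer can then see), while the same request with those headers stripped yields the full XML, which is what clearing the cache achieved. The resource content, host name and captured request are constructed assumptions.

```python
# Added example, not code from the original post: why a sniffer only saw "304 Not Modified"
# for menu_*.xml until the cache was cleared. Resource and request below are constructed.
from email.utils import parsedate_to_datetime

RESOURCE = {  # hypothetical menu_*.xml as the origin would serve it
    "body": b'<menu><item id="1" img="/images/10003.gif"/></menu>',
    "last_modified": "Wed, 05 Jul 2006 10:00:00 GMT",
    "etag": '"menu-v1"',
}

# Constructed request as a browser with a warm cache sends it (a conditional GET).
CACHED_REQUEST = (
    "GET /menu_1.xml HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "If-Modified-Since: Wed, 05 Jul 2006 10:00:00 GMT\r\n"
    'If-None-Match: "menu-v1"\r\n'
    "\r\n"
)

def parse_request(raw: str) -> dict:
    """Split a minimal HTTP/1.1 request into its request line and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"line": lines[0], "headers": headers}

def strip_conditional(req: dict) -> dict:
    """Drop the cache validators; an unconditional request is what an empty cache produces."""
    keep = {k: v for k, v in req["headers"].items()
            if k not in ("if-modified-since", "if-none-match")}
    return {"line": req["line"], "headers": keep}

def origin(req: dict) -> tuple:
    """Simulate a conditional-GET-aware origin. Returns (status, body)."""
    h = req["headers"]
    if h.get("if-none-match") == RESOURCE["etag"]:
        return 304, b""  # validator matches: no body is sent at all
    ims = h.get("if-modified-since")
    if ims and parsedate_to_datetime(ims) >= parsedate_to_datetime(RESOURCE["last_modified"]):
        return 304, b""  # client's copy is at least as new as ours
    return 200, RESOURCE["body"]

if __name__ == "__main__":
    req = parse_request(CACHED_REQUEST)
    print(origin(req)[0])                  # 304: nothing for a sniffer to read
    print(origin(strip_conditional(req)))  # 200 plus the XML body
```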


In the end it proved to be a false alarm. Still, why a Messenger-related service would be served from a machine on Seednet's dial-up network is a mystery I cannot explain.
 

2 Comments:

  • I think the mysterious Seednet servers are Akamai servers serving static content. Akamai's edge computing service allows users worldwide to get the content from a server that's closest to them. Edge computing addresses the latency users experience between MSN and a web server while downloading content over the internet. By having web servers located in geographically distributed locations, this network latency can be reduced significantly.

    I wrote a simple brute-force script to find out all the static images hosted on these Akamai servers.

    #!/bin/bash
    # Probe sequential image IDs on the CDN host and print the ones that exist.

    LIMIT=20000

    for ((a=1; a <= LIMIT; a++))   # Double parentheses, and "LIMIT" with no "$".
    do
        # -I sends a HEAD request, -s silences progress output; grep -q exits 0 on a match.
        if curl -I -s "http://akamai.meegos.com/images/$a.gif" | grep -q "200 OK"
        then
            echo "$a"
        fi
    done

    echo; echo

    and found a few other images related to MSN


    By Anonymous Anonymous, at 7/14/2006 9:37 pm  

  • Awesome! Thanks for your information; I just wrote another post about Akamai.
    Your script is cool and reminds me of the power of shell scripts.

    By Blogger Darkthread, at 7/16/2006 7:50 am  

