Winmx Software making calls to Port 25

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Winmx Software making calls to Port 25
From: Retro Granny <retrogranny@xxxxxxxxxxxx>
Date: 6 Aug 2004 04:42:49 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


I have been involved as a chatroom admin within the Winmx program for quite 
awhile now and have been the one to make whatever security updates were needed 
to keep the room a pleasant place for folks who visit.  A couple of months ago, 
I installed Zone Alarm.  While running a temp room, ZA popped up and asked if I 
would allow the Winmx program to send information on Port 25.  This particular 
version of ZA allows you to specify on a program by program basis, which are 
allowed to send email.  Denying Winmx access to Port 25 resulted in the room 
dropping, although, Winmx itself continued to run.

At first I thought it was the work of a trojan that had found it's way into my 
system.  But, after running a variety of system scanners available on the 
internet as well as spyware scanners, my system still came up clean and bug 
free.  A relief there, but still not an answer to the Port 25 call.

I installed a clean multi-boot partition and downloaded the Winmx program 
(v.3.53) directly from Winmx.com. I then installed the 30 day trial version of 
the Iris Packet Sniffer software and of course Zone Alarm.  I ran ZA with "ask 
permission" set on port 25 and it once again it popped up a request.  I then 
defined a filter in Iris to capture activity on 25 (SMTP), 43 (WHOIS), 69 
(TFTP), 80 (HTTP), 110 (POP3), 119 (NNTP), 143 (IMAP) and 7940 which is a port 
I am told is used by the Winmx program for communicating with their servers.

Test 1 - Zone Alarm, Iris and Winmx using a primary connection and hosting a 
testroom.  Packets were captured on port 25.  The packets captured using port 
25 were destined for a valid ip address in Japan.  I am told Winmx does not 
have servers in Japan, and the activity I have captured from them tends to 
verify that statement.

Test 2 - No applications running except Zone Alarm and Iris.  No packets 
captured.

Test 3 - Zone Alarm, Iris and Winmx running a secondary connection.  The only 
packets captured were on Port 80 showing the setup and Keep Alive calls to 
Winmx.com

I did email Winmx on this issue, but have not received a response from them.  I 
know of other systems that have this issue, but as they received their setups 
from me, they aren't far enough at arms length to act as verifiers.  Today, I 
received verification that I was not alone with this problem when another user 
posted it to one of the support websites.  I have asked this user to confirm my 
findings to the best of his ability.

This activity clearly raises an alarm of a possible backdoor to the Winmx 
program.  I would appreciate any information on how to proceed from here.

RetroGranny

Follow-Ups:
- Re: Winmx Software making calls to Port 25
  - From: Radoslav Dejanović

Prev by Date: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Next by Date: Re: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability
Previous by thread: xss in moodle (post.php)
Next by thread: Re: Winmx Software making calls to Port 25
Index(es):
- Date
- Thread