Dialers – Under a Magnifying err… Prism

Posted on by

Last weekend I err.. prismed a small collection of dialer samples to test if I can automatically extract RAS dialup connection properties from this old school malware. The results were not mind blowing, but dropping it here in case someone finds it useful.

What I found interesting was that the passwords often seemed to be supertrivial and countries I have identified using prefixes listed on wikipedia appear to include quite a few exotic places:

  • +239 – São_Tomé_and_Príncipe
  • +246 – British Indian Ocean Territory
  • +31 – The Netherlands
  • +372 – Estonia
  • +423 – Liechtenstein
  • +453 – Denmark
  • +56 – Chile
  • +675 – Papua New Guinea
  • +677 – Solomon Islands
  • +678 – Vanuatu
  • +681 – Wallis and Futuna
  • +682 – Cook Islands
  • +683 – Niue
  • +850 – North Korea

Two prefixes seem to be country-independent:

  • +881-9 – Globalstar
  • +882-13 – Telespazio

and a few numbers which I can’t attribute – they seem to be either mobile phones, or some country-specific premium lines… I guess the best way to check is to just… dial them 😉

List of Unique Passwords used in RAS dialup connections:

  • p033052172
  • premium
  • password
  • 7309
  • SE899
  • sh095z3ma
  • oxt145uks2ma
  • fpdz5s1ma
  • import
  • welcomein
  • color
  • ah12M
  • 4592
  • x
  • radius
  • pass
  • guest
  • nocard
  • tronyx
  • tyra
  • smart
  • 1234
  • xxx
  • newDialer
  • all4world
  • ConnInt1

List of Unique Phone Numbers used in RAS dialup connections:

  • 0,00881939110003
  • 0,00881939110004
  • 0,00881939110005
  • 0,899015708
  • 0,899015716
  • 00239203533
  • 002463535445
  • 002467323
  • 0031620101356
  • 0037254111251
  • 0037254111455
  • 003727032150
  • 00423663098495
  • 004535293061
  • 0056111488
  • 0056113680
  • 0056113681
  • 005688800000
  • 006753039093
  • 0067746160
  • 0067867861
  • 00681507747
  • 00681729173
  • 0068246802
  • 006831423
  • 0085099721002
  • 00881939100020
  • 00881939100038
  • 00881939100039
  • 00881939110003
  • 00881939110004
  • 00881939110005
  • 0088213881692
  • 01367867861
  • 019008496713
  • 08718731247
  • 09062001830
  • 09062658623
  • 09065170091
  • 09065170092
  • 09090272201
  • 09090272203
  • 09099629050
  • 10330016646641055
  • 1661 43309
  • 1782072027
  • 1782072028
  • 1782072030
  • 1782072035
  • 1782072039
  • 199317770
  • 199317771
  • 199317772
  • 199317773
  • 7090101101
  • 7090101121
  • 7090101603
  • 89230362
  • 899001594
  • 899015339
  • 899015708
  • 899015716
  • 899020117
  • 899020120
  • 899020335
  • 899111301
  • 899111302
  • 899151401
  • 899151602,,02014812497309
  • 899151602,,02014860614592
  • 899161006,,,0881171482733
  • 899191028
  • 899191420
  • 899550532
  • 899550533
  • 899554573
  • 899999583
  • 899999594
  • 976702233
  • 976702236
  • T0031620101409
  • T087847249
  • T899161336

List of Unique Connection Names used in RAS dialup connections:

  • amstercam italia
  • AXIS
  • Best Porn Network
  • connection
  • connessione Predefinita
  • Csex1
  • default
  • desktop-celebrita
  • desktop01
  • DIDI
  • dMi_77_Connection
  • ENTER
  • gsa1002_Connection
  • gsa_01746_Connection
  • Help and Internet
  • Internet Connectio
  • Internet Connection
  • Internet…
  • karaokex31_Connection
  • karaokex_4_Connection
  • Launch DerBiz.com
  • nd02191_Connection
  • nocard210
  • nocard2101
  • nocard21012
  • nocard210123
  • nocard260
  • nocard2601
  • nocard26012
  • nocard260123
  • Porn Access Connection
  • SIXA
  • test
  • tyra210
  • tyra2101
  • tyra21012
  • tyra210123
  • UnNet
  • Video
  • westat1x_Connection
  • wladesk74x_Connection
  • wmdtips24x_Connection
  • www_bau