{"id":1962,"date":"2013-06-17T11:08:46","date_gmt":"2013-06-17T11:08:46","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1962"},"modified":"2013-06-17T11:08:46","modified_gmt":"2013-06-17T11:08:46","slug":"dialers-under-a-magnifying-err-prism","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/06\/17\/dialers-under-a-magnifying-err-prism\/","title":{"rendered":"Dialers &#8211; Under a Magnifying err&#8230; Prism"},"content":{"rendered":"<p>Last weekend I err.. prismed a small collection of dialer samples to test if I can automatically extract RAS dialup connection properties from this old-school malware. The results were not mind-blowing, but dropping it here in case someone finds it useful.<\/p>\n<p>What I found interesting was that the passwords often seemed to be supertrivial and countries I have identified using prefixes listed on <a href=\"https:\/\/en.wikipedia.org\/wiki\/Country_calling_code\">Wikipedia<\/a> appear to include quite a few exotic places:<\/p>\n<ul>\n<li>+239 &#8211; S\u00e3o Tom\u00e9 and Pr\u00edncipe<\/li>\n<li>+246 &#8211; British Indian Ocean Territory<\/li>\n<li>+31 &#8211; The Netherlands<\/li>\n<li>+372 &#8211; Estonia<\/li>\n<li>+423 &#8211; Liechtenstein<\/li>\n<li>+453 &#8211; Denmark<\/li>\n<li>+56 &#8211; Chile<\/li>\n<li>+675 &#8211; Papua New Guinea<\/li>\n<li>+677 &#8211; Solomon Islands<\/li>\n<li>+678 &#8211; Vanuatu<\/li>\n<li>+681 &#8211; Wallis and Futuna<\/li>\n<li>+682 &#8211; Cook Islands<\/li>\n<li>+683 &#8211; Niue<\/li>\n<li>+850 &#8211; North Korea<\/li>\n<\/ul>\n<p>Two prefixes seem to be country-independent:<\/p>\n<ul>\n<li>+881-9 &#8211; Globalstar<\/li>\n<li>+882-13 &#8211; Telespazio<\/li>\n<\/ul>\n<p>and a few numbers which I can&#8217;t attribute &#8211; they seem to be either mobile phones, or some country-specific premium lines&#8230; I guess the best way to check is to just&#8230; dial them \ud83d\ude09<\/p>\n<p><strong>List of Unique Passwords used in RAS dialup 
connections:<\/strong><\/p>\n<ul>\n<li>p033052172<\/li>\n<li>premium<\/li>\n<li>password<\/li>\n<li>7309<\/li>\n<li>SE899<\/li>\n<li>sh095z3ma<\/li>\n<li>oxt145uks2ma<\/li>\n<li>fpdz5s1ma<\/li>\n<li>import<\/li>\n<li>welcomein<\/li>\n<li>color<\/li>\n<li>ah12M<\/li>\n<li>4592<\/li>\n<li>x<\/li>\n<li>radius<\/li>\n<li>pass<\/li>\n<li>guest<\/li>\n<li>nocard<\/li>\n<li>tronyx<\/li>\n<li>tyra<\/li>\n<li>smart<\/li>\n<li>1234<\/li>\n<li>xxx<\/li>\n<li>newDialer<\/li>\n<li>all4world<\/li>\n<li>ConnInt1<\/li>\n<\/ul>\n<p><strong>List of Unique Phone Numbers used in RAS dialup connections:<\/strong><\/p>\n<p><strong>List of Unique Connection Names used in RAS dialup connections:<\/strong><\/p>\n<ul>\n<li>amstercam italia<\/li>\n<li>AXIS<\/li>\n<li>Best Porn Network<\/li>\n<li>connection<\/li>\n<li>connessione Predefinita<\/li>\n<li>Csex1<\/li>\n<li>default<\/li>\n<li>desktop-celebrita<\/li>\n<li>desktop01<\/li>\n<li>DIDI<\/li>\n<li>dMi_77_Connection<\/li>\n<li>ENTER<\/li>\n<li>gsa1002_Connection<\/li>\n<li>gsa_01746_Connection<\/li>\n<li>Help and Internet<\/li>\n<li>Internet Connectio<\/li>\n<li>Internet Connection<\/li>\n<li>Internet&#8230;<\/li>\n<li>karaokex31_Connection<\/li>\n<li>karaokex_4_Connection<\/li>\n<li>Launch DerBiz.com<\/li>\n<li>nd02191_Connection<\/li>\n<li>nocard210<\/li>\n<li>nocard2101<\/li>\n<li>nocard21012<\/li>\n<li>nocard210123<\/li>\n<li>nocard260<\/li>\n<li>nocard2601<\/li>\n<li>nocard26012<\/li>\n<li>nocard260123<\/li>\n<li>Porn Access 
Connection<\/li>\n<li>SIXA<\/li>\n<li>test<\/li>\n<li>tyra210<\/li>\n<li>tyra2101<\/li>\n<li>tyra21012<\/li>\n<li>tyra210123<\/li>\n<li>UnNet<\/li>\n<li>Video<\/li>\n<li>westat1x_Connection<\/li>\n<li>wladesk74x_Connection<\/li>\n<li>wmdtips24x_Connection<\/li>\n<li>www_bau<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Last weekend I err.. prismed a small collection of dialer samples to test if I can automatically extract RAS dialup connection properties from this old school malware. The results were not mind blowing, but dropping it here in case someone &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/06\/17\/dialers-under-a-magnifying-err-prism\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1962"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1962"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1962\/revisions"}],"predecessor-version":[{"id":1966,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1962\/revisions\/1966"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1962"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1962"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1962"
}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}