Forums » Up and Running » Security » Security » I can't explain this.
poiwv

join:2002-06-07
Belington, WV

reply to quickstang22$
Re: I can't explain this.

I think this is just the tip of the iceberg, part of another ill-conceived Microsoft "everything on, by default" disaster waiting to happen...

It seems that quite often MS pulls these things out as such "great ideas" because of some "future" program or piece of hardware that might utilize them, but the scum of the internet usually find it first and then everyone plays catch-up to get the stupid things locked down, only to have an update re-initialize them (like the "task scheduler"...it seems that half the updates will turn that stupid thing back on.....).

Not everyone wants or needs the messenger service right out of the box. So why is it so difficult for it to be off by default and then when something you install (like the baseline security app) that uses it give you the option of starting it up?

I know that there are many XP machines out there that the people running them have no clue as to what the OS can actually do, and having something like this "on by default" is just asking for trouble.
**end of rant**


Blocking the ports...probably a good idea.

Turning off this and any other un-necessary services...great idea.
--
Advertising may be described as the science of arresting the human intelligence long enough to get money from it.


ZeCanard
The Cosmic Duck

join:2002-09-26
Irving, TX
·AT&T Southwest
·RoadRunner Cable

Windows Messenger and the Messenger service are very different things. Windows Messenger is the new name for MSN Messenger. As far as Messenger being on by default, it's used in corporations to broadcast a message to all the stations (or send to a few in particular) quickly, and typically those networks are local/private. I would assume that's why it's on by default. Then more and more people use Win2k or XP, with unprotected, always on connections. My guess is that sort of spam might become rather large in the future.


PapaDos
Cum Grano Salis
Premium,MVM
join:2001-02-08
Lasalle, QC
reply to quickstang22$
When is the popup appearing ?
While browsing ?
Reading emails ?
This could be a simple script opening a text box...
--
Nunc est bibendum...


poiwv

join:2002-06-07
Belington, WV

reply to quickstang22$
No, they are real...Messenger Service is a networking service that is on by default in 2k and XP. IPs can easily be scanned for and then one can just use the net send command to dump this spam on the machines found to be running this service. Heck, I suppose someone who didn't really care about delivery percentages could just net send to an entire block of IPs and those with the service running would just get the crap.
--
Advertising may be described as the science of arresting the human intelligence long enough to get money from it.


scottkeen

join:2001-06-05
Kailua Kona, HI
reply to quickstang22$
from command prompt:

NET STOP messenger

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

reply to poiwv
said by poiwv:
It seems that quite often MS pulls these things out as such "great ideas" because of some "future" program or piece of hardware that might utilize them, but the scum of the internet usually find it first and then everyone plays catch-up to get the stupid things locked down,
Well, the Messenger service has been on NT and enabled since 1993, so it's hardly a new thing. It's used by the print spooler, among other things, so I suppose quite a few people use it.

As far as I can tell, Messenger is just another Netbios app -- so you want to block TCP/139 from outside access. I'm not sure what the deal with port 1900 might be, I haven't seen that on my system.


KAD Imaging
Just Shoot It
Premium
join:2002-09-21
Hialeah, FL
·AT&T Southeast

Disabling/blocking NetBIOS won't stop it. All it will do is prevent them from messaging to your computername. IP will work perfectly.

In networks where NetBIOS wasn't installed I have sent admin messages to clients using the "hosts" file in combination with a batch script and it worked flawlessly.
--
-The Cobra
"Heh, your broadband style is good grasshopper....but not good enough. Watch my Earthlink style..."
1222K download 218K upload (EL 1.5M/256K)


HUMINT

join:2001-03-17
Sterling, VA

reply to quickstang22$
IF the messenger, and I don't know if it does, service is listening on NETBIOS ports, then it will stop the messages by blocking these ports, whether one uses the computername or IP address.
[text was edited by author 2002-10-11 20:32:56]


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to quickstang22$
Do the following NBTstat command from DOS:

G:\>nbtstat -A 172.16.1.169
(substitute with YOUR IP address above)

Local Area Connection:
Node IpAddress: [172.16.1.169] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
MYNETWATCHMAN <00> UNIQUE Registered
MYNETWATCHMAN <03> UNIQUE Registered
XXXXX <00> GROUP Registered
XXXXX <1E> GROUP Registered
MYNETWATCHMAN <20> UNIQUE Registered

MAC Address = 00-01-02-48-52-18

G:\>

If you have a name that responds with a number <03> ..that means you have the Microsoft Messenger service running and can receive popups....blocking all Netbios ports at your firewall should protect you (you ARE running a firewall, right?).
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch
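The <03> check NetWatchMan describes, turned into a script: this is an added example, not code from NetWatchMan or myNetWatchman. It parses an `nbtstat -A` listing (the one quoted above, embedded here as a constructed sample) and reports any name registered with the Messenger suffix <03>; the suffix meanings are the standard Microsoft NetBIOS suffix table, and a listing with no name table at all (nbtstat's `Host not found.` case) simply yields no names.

```python
"""Added example: detect a reachable Messenger service from `nbtstat -A` output.
Rule (from the post above): a UNIQUE name registered with suffix <03> means the
Messenger service is running on that host and it can receive popups."""
import re
from typing import List, NamedTuple

# Constructed sample: the listing quoted in the post above, not live data.
SAMPLE_NBTSTAT = """\
Local Area Connection:
Node IpAddress: [172.16.1.169] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MYNETWATCHMAN  <00>  UNIQUE      Registered
    MYNETWATCHMAN  <03>  UNIQUE      Registered
    XXXXX          <00>  GROUP       Registered
    XXXXX          <1E>  GROUP       Registered
    MYNETWATCHMAN  <20>  UNIQUE      Registered

    MAC Address = 00-01-02-48-52-18
"""


class NbtName(NamedTuple):
    name: str
    suffix: int   # the 16th byte of the NetBIOS name, shown as <xx>
    kind: str     # UNIQUE or GROUP
    status: str


# One table row: name, <hex suffix>, UNIQUE|GROUP, status
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.M)

# Standard Microsoft NetBIOS suffix meanings for the rows seen above
SUFFIX_MEANING = {
    (0x00, "UNIQUE"): "Workstation service",
    (0x03, "UNIQUE"): "Messenger service (popup recipient)",
    (0x20, "UNIQUE"): "Server service",
    (0x00, "GROUP"): "Domain or workgroup name",
    (0x1E, "GROUP"): "Browser service elections",
}


def parse_nbtstat(text: str) -> List[NbtName]:
    """Turn the name table into records; header/footer lines do not match."""
    return [
        NbtName(m.group(1), int(m.group(2), 16), m.group(3), m.group(4))
        for m in ROW_RE.finditer(text)
    ]


def describe(text: str) -> List[str]:
    """Human-readable line per registered name, with the suffix meaning."""
    return [
        f"{n.name} <{n.suffix:02X}> {n.kind}: "
        f"{SUFFIX_MEANING.get((n.suffix, n.kind), 'unknown suffix')}"
        for n in parse_nbtstat(text)
    ]


def messenger_names(text: str) -> List[str]:
    """Names registered with suffix <03>, i.e. Messenger will accept popups."""
    return [n.name for n in parse_nbtstat(text)
            if n.suffix == 0x03 and n.kind == "UNIQUE"]


def host_exposed_to_popups(text: str) -> bool:
    return bool(messenger_names(text))


if __name__ == "__main__":
    for line in describe(SAMPLE_NBTSTAT):
        print(line)
    print("Messenger reachable:", host_exposed_to_popups(SAMPLE_NBTSTAT))
```

Run it against the output of `nbtstat -A <your public IP>` taken from a machine outside your network; if the <03> row is there, the host is answering NetBIOS name queries from the Internet and the firewall advice in the post applies. Note that the second listing later in this thread lost its `<xx>` column when it was pasted, so it would parse as empty here.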


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to quickstang22$
Guys this is NOT Microsoft *MSN* messenger (ala Port 1900) ...rather this is Microsoft Messenger which is accessible via Netbios (udp/135) if you are dumb enough to leave that hanging out on the Internet.

G:\>nbtstat -A 216.127.74.158

Local Area Connection:
Node IpAddress: [172.16.1.169] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
WEBPOPUP UNIQUE Registered
WEBPOPUP UNIQUE Registered
WORKGROUP GROUP Registered
WORKGROUP GROUP Registered
WEBPOPUP UNIQUE Registered

MAC Address = 00-50-56-52-8E-2D

G:\>net send 216.127.74.158 "Eat Sh*t and Die...SPAMMER!!!!"
The message was successfully sent to 216.127.74.158.

Retaliation!!!
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA


reply to quickstang22$
All of the sources of these udp/135 probes appear to be on ev1.net's network:

Let's see if we can put a stop to this nonsense:

From: Lawrence Baldwin [mailto:baldwinL@mynetwatchman.com]
Sent: Saturday, October 12, 2002 01:15
To: abuse@ev1.net
Subject: Net Send SPAM

Looks like you have been a major target of someone who has decided to generate Windows Pop-up SPAM:

»www.mynetwatchman.com/myNetWatch···5857

Interested in discussing this ... feel free to call me .

Regards,

Lawrence Baldwin
myNetWatchman.com
+1.678.624.0924

Check out the Netbios machine names of the above IPs:

'WINPOPUP'
'WINPOPUP07'
etc...

Come on guys...you thought you could get away with this cr*p.
--
Lawrence Baldwin

myNetWatchman

The Internet Neighborhood Watch

[text was edited by author 2002-10-12 10:37:29]


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to quickstang22$
And we'll hit Ev1's upstream provider TOO:

From: Lawrence Baldwin [mailto:baldwinL@mynetwatchman.com]
Sent: Saturday, October 12, 2002 01:54
To: abuse@verio.net
Subject: Net Send Popup SPAM

FYI:

I'm sure you're already aware of this but your customer (ev1.net) appears to be the primary source of SPAM being sent using Microsoft Windows Pop-up messages targeted at udp/135.

Feel free to contact me if you have any questions.
Regards,

Lawrence Baldwin
myNetWatchman.com
+1.678.624.0924
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


quickstang22$

join:2001-10-18
Loveland, CO
reply to quickstang22$
Good work NetWatchMan! I could see this form of spam getting bad until people learn about it.
--
"He who establishes his argument by noise and command shows that his reason is weak."


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to quickstang22$
I called the above number...it asks you to leave a phone number for them to call you back.

May I suggest that we all call and leave a message leaving bogus phone numbers associated with other scams that charge you $200/minute.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to quickstang22$
said by quickstang22$:
Good work NetWatchMan! I could see this form of spam getting bad until people learn about it.

Thanks...I was very psyched that I was able to identify the source IPs that were generating this activity using mNW data.

You did notice that the Netbios machine names (e.g. WEBPOPUP) match the banner of popup graphic at the start of this thread, right?
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to quickstang22$
I spoke to tech support at ev1...this is getting VERY interesting...these are Redhat boxes...not Windows...here's my email to the web hosting supervisor:

From: Lawrence Baldwin [mailto:baldwinL@mynetwatchman.com]
Sent: Saturday, October 12, 2002 11:21
To: greg@rackshack.net
Subject: Alert: Possible source Netbios Popup SPAM identified - likely
compromised hosts

Greg,

I run the myNetWatchman dIDS system (your abuse department probably gets a ton of alerts from us each month).

Recently, some joker has decided to leverage the fact that many PCs on the Internet expose the Microsoft Messaging service (accessible via udp/135) ... thus creating an opportunity to transmit SPAM via Netbios Windows popup messages (e.g. net send target_IP "message" ).

Here is an example of the popup:

»I can't explain this.

Using myNetWatchman data I believe I have traced the source of these popups to 5 IP addresses within your network:

»www.mynetwatchman.com/myNetWatch···ID=65857

All of these IPs respond to Nbtstat requests and indicate that their machine names are 'WEBPOPUPxx' ... this matches the machine name which appears on the example popup above.

For example:
D:\>nbtstat -A 216.127.74.158

Local Area Connection:
Node IpAddress: [172.16.1.169] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
WEBPOPUP UNIQUE Registered
WEBPOPUP UNIQUE Registered
WORKGROUP GROUP Registered
WORKGROUP GROUP Registered
WEBPOPUP UNIQUE Registered

MAC Address = 00-50-56-52-8E-2D

I spoke to Omar this morning and he indicated these 5 IPs appear to be owned by unrelated customers...thus I suspect these machines have been compromised by a common attacker and have been repurposed for popup SPAM.

I was quite surprised when Omar told me that these are all Redhat Linux boxes and not Windows boxes....thus they must have some kind of Netbios emulator running on them (in order to respond to the Nbtstat)...you'll probably find this app listening on udp/137 on said systems.

Also, if you run a netstat -an on these boxes I'm sure you'll see a *ton* of outbound udp/135 traffic...these are the popups being transmitted.

I'm very interested in doing a detailed forensic analysis of one or more of these systems...feel free to pass my contact information to your customers if any of them are willing to do a bit of analysis before they blow these boxes away.

Regards,

Lawrence Baldwin
myNetWatchman.com
Atlanta, GA
+1.678.624.0924
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

reply to NetWatchMan
said by NetWatchMan:
Guys this is NOT Microsoft *MSN* messenger (ala Port 1900) ...rather this is Microsoft Messenger which is accessible via Netbios (udp/135) if you are dumb enough to leave that hanging out on the Internet.
Is this a typo?

NETBIOS Name Service is UDP/137 or TCP/137.
NETBIOS Datagram Service is UDP/138.
NETBIOS Session Service is TCP/139.

I don't think UDP/135 has any direct involvement with NETBIOS - it's the RPC endpoint mapper, right? That being so, I am confused about its relationship to the Messenger service.

Ordinarily, Messenger runs over NETBIOS (hence uses name service for name resolution, and one of the other two, I'm not sure which, could be either) for actually sending the message.

Is anyone claiming that Messenger sometimes uses a non-NETBIOS method of communicating?

(Thanks for the excellent posts, btw)

dawillie_99

join:2001-11-25
Vancouver, BC

reply to quickstang22$
In my opinion when a reputable antivirus suddenly offers a firewall service, some of the quality of both products is lost.

Let AVs do what they are supposed to do and let firewalls do what they are supposed to.

this would have been blocked by Kerio or Zone Alarm.

luckily THEY are not offering an antivirus as a sideline.
--
David Williams


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to dave
See this AWESOME document:

»www.hsc.fr/ressources/breves/min···.en.html

It shows this example Win2K box:

C:\WINNT>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:1029 *:*

He explains that in this case Messenger is running on udp/1029 and is registered as an RPC. Attacker makes RPC call to udp/135 to identify the dynamic port that Messenger is running on...then popup sent to udp/1029!

Very cool.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch

dave
Premium,MVM
join:2000-05-04
not in ohio
reply to quickstang22$
OK, I'll take a look. Anyone who understands the difference between a TDI endpoint and a TCP port is suitably well-informed.
Monday, 23-Nov 12:28:42 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.