
NetWatchMan
Premium
join:2001-03-13
Alpharetta, GA

Source of Win PopUP SPAM - prevention steps

I believe I have figured out the hosts that were used to send the recent
rash of PopUP SPAM...I also found a great article that shows how to disable
RPC services:

»www.mynetwatchman.com/kb/securit···pupspam/

enjoy.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


NetWatchMan
Premium
join:2001-03-13
Alpharetta, GA
Does no one care about this??

..thought this was pretty important stuff.

How many people actually received the 'Diploma' popups?
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


winsyrstrife
River City Bounce
Premium
join:2002-04-30
Brooklyn, NY
I just stumbled across NetWatchMan earlier today. I appreciate this link, although I've never experienced a WinPopUp spam message yet.

Tuulilapsi
Kenosis

join:2002-07-29
Finland
reply to NetWatchMan
I never saw any of those, unsurprisingly, as I'm all firewalled up.

With that said, it's great that someone is actually looking into it. Good job.
--
Mors Principium Est.


ChrisJT
Premium
join:2001-12-20
Torrance, CA
reply to NetWatchMan
My wife has been getting that diploma popup on her computer.

I'm reading the article now...

I'm not too network savvy, so maybe someone could write up a How-To post on disabling this annoying popup. Maybe it's as easy as adding the url to the HOSTS file?
--
You get what you pay for.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

reply to NetWatchMan
Totally disable Messenger. You find it in control panel >
services > Messenger.
If you are on a windows 2000 network, remove NWLink from all computers' network properties.

Make sure you have a good firewall.
»www.techtv.com/screensavers/answ···,00.html

»www.microsoft.com/windows2000/te···wcug.htm
[text was edited by author 2002-10-14 15:51:45]


guycad$
In Search Of Free Speech
Premium
join:2002-05-02
Pompton Lakes, NJ

reply to NetWatchMan
said by NetWatchMan:
Does no one care about this??

..thought this was pretty important stuff.

How many people actually received the 'Diploma' popups?

ROFLMAOASTC! Yes Lawrence. It is pretty important stuff. But, anyone who's switched to anything other than IE or has killed Messenger hasn't had the problem. I suspect most of the people who post here have done one or the other.

It's like the "How to" I just posted last night in All Things Unix. It's the instructions on how to initialize iptables for the first time on a Gentoo GNU/Linux system. And nary a peep from anyone.

I even included a nice little iptables script showing how to set up for a ppp connection!



EDIT - made a small boo-boo.

--
My Pictures.
People who describe M$ software as 'mediocre' don't know the half of it.
WinDoze Free 2003

[text was edited by author 2002-10-14 17:22:36]


CalamityJane
Premium,MVM
join:2002-08-27
Eustis, FL
kudos:8
reply to NetWatchMan
I'll bet the people in the SPAM forum might be more interested in this

But I'm impressed with your work, Lawrence
--
It takes a disaster to make a woman out of a female


KAD Imaging
Just Shoot It
Premium
join:2002-09-21
Hialeah, FL
reply to NetWatchMan
I don't know if either of you guys work in the industry, but typically IT is a "thankless" existence! That's why we have to be "there" for each other support wise. And to that I say.....

GOOD JOB!!

NICE WORK!!


WAY TO GO!!

lol!
--
-The Cobra
"Heh, your broadband style is good grasshopper....but not good enough. Watch my Earthlink style..."
1222K download 218K upload (EL 1.5M/256K)


ChrisJT
Premium
join:2001-12-20
Torrance, CA
reply to Name Game
Thanks for the simple How-To!
--
You get what you pay for.


Hutch3
Premium
join:2000-10-14
australia
reply to NetWatchMan
Thanks for the information MyNetWatchMan. I have not encountered this problem yet. I think ASP has been blocking these pop-ups for me. But I have taken your information on board. Just in case.
--
Regards JD


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy
reply to NetWatchMan
Sure I'm interested in what you found, Lawrence. I haven't been one of those plagued with the problem, but I have followed the issue here and on other forums. While it doesn't affect me personally, the work you have put into finding what you have is of value to many, even if they haven't found it yet or knew it already. Many things seem to be ignored. They're really not. You are most appreciated.
--
JKK
Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!


dja
The 'd' is silent ... unlike the member.
Premium
join:2002-03-25
Niagara
reply to NetWatchMan

Re: MS 'YapWare'

I won't use .NET/MSN/XP or
any other Microsoft 'yapware'
until I am absolutely forced to.
--
the "d" is silent ... unlike the member


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy
In a word, agreed, but a huge number of folks do, so finding these things and knowing what to do with them is great. There are too many folks who have no idea what is going on and Lawrence really laid it all out for them.
--
JKK
Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!


CalamityJane
Premium,MVM
join:2002-08-27
Eustis, FL
kudos:8
Jaykaykay...agreed. Like really "above and beyond".

Way to go Lawrence I always enjoy reading your investigations here. We appreciate your Watching (and informing) the Hood.
--
It takes a disaster to make a woman out of a female


JRBlood
Premium
join:1999-12-28
Syracuse, NY
Reviews:
·Verizon FiOS
reply to NetWatchMan

Re: Source of Win PopUP SPAM - prevention steps

I got one attempt today from ev1.net: »www.mynetwatchman.com/LID.asp?IID=9858771

It's rather interesting that it didn't hit any of the other agents I have on my subnet (see below). Makes me wonder if they're generating a "random" IP address list and then sending the packet.

Another interesting one: »www.mynetwatchman.com/LID.asp?IID=10156208

Of the 7 I have in this list, 5 of them are not pingable, but the other two are and as a result got sent the 135 packet.


culpc
Desert Rat

join:2002-04-02
Farmington, NM
reply to NetWatchMan
Thanks for the link!! Those bastards hit me this AM at work; irritates me more than just a little bit!


NetWatchMan
Premium
join:2001-03-13
Alpharetta, GA
reply to NetWatchMan
In a further update on this...I did an IEEE OUI lookup on the MAC addresses...they come back as 'VMWARE'...that makes more sense now...these appear to be Linux boxes running VMWARE (Windows Emulation software).

Also, make sure you check the link I included in my write up:

»www.hsc.fr/ressources/breves/min···.en.html

This is one of the best, step-by-step guides I've seen to shutdown all the nonsense ports that MS opens by default.

If you're actually getting these popups, that means you're exposing services that you shouldn't be...and where is your firewall?

Thanks for all the responses...

I'm curious on people's opinion as to if this kind of SPAM could be considered a violation of the law?

Does leaving Messenger enabled and dangling on the Internet give someone the right to jam a popup at it?

Please don't just rant about this (we all hate SPAM), state your case and provide precedent.

I have to give them credit, I was thinking about using this technique to notify owners of hacked hosts....
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


guycad$
In Search Of Free Speech
Premium
join:2002-05-02
Pompton Lakes, NJ

1 recommendation

I don't think there is anything illegal about this form of spam yet. It's not a fax or email. It doesn't take up space on your harddrive (unlike email) and some argument can be made that if this is spam, then popup ads in general are spam.

What this really is, is another Micro$tinker Security Blunder. ie: Lets add another feature! How secure is it? Well, it'll work every time!
--
My Pictures.
People who describe M$ software as 'mediocre' don't know the half of it.
WinDoze Free 2003


jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy

1 recommendation

reply to NetWatchMan
said by NetWatchMan:

I'm curious on people's opinion as to if this kind of SPAM could be considered a violation of the law?

Does leaving Messenger enabled and dangling on the Internet give someone the right to jam a popup at it?

Please don't just rant about this (we all hate SPAM), state your case and provide precedent.

I have to give them credit, I was thinking about using this technique to notify owners of hacked hosts....

What's your description of Spam? Mine is, as copied from »spam.abuse.net/overview/whatisspam.shtml :

Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it.

Using this technique is no different to me than any other method of delivering something to my system without my OK. If they had said that that was what was going to happen by having this tool available and allowed me to decide if I wanted to use it on my system, fine. Since they didn't, it isn't any different than anything else that someone chooses to drop on me without my knowledge.

However, if you were to use a tool of this sort to notify owners of hacked sites and did so with their knowledge and permission, then you are not Spamming. You are using a tool for the good of both of you. Big difference.

Plain and simple, if there is such a thing, it is most definitely Spam and by my definition, illegal. I suppose the legal beagles can tear my feelings in shreds on the legal description, but as I am not an attorney, I will not go into the technicalities and will let someone else do so.
--
JKK
Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!


Lurkers inc
Don't Call Me Doink

join:2001-10-13
Seattle, WA

1 recommendation

reply to NetWatchMan
Note to self, check all settings after a re-install.

Paul,


Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3


1 recommendation

reply to NetWatchMan

Just a word of caution. I personally don't think disabling the messenger service is the way to go. Messenger service in NT based systems is not just used for Net send commands. There are other implications. For example any application that uses the feature could be crippled. One example would be your virus scanners. They would still most likely work but you may never get the pop up alert when it detects a virus.

I know for a fact that on my W2K server, if the messenger service is disabled, McAfee no longer alerts you when it finds a virus. This can affect a number of applications.

The right way to go about this IMHO is having a firewall. Your well configured firewall easily protects you from those pop ups.

I can bet that those of you with a firewall who still get those pop ups must have allowed SVCHOST (Generic Host process for W32 services) to go out and accept calls.
--
You can catch the Devil, but you can't hold him long.


[text was edited by author 2002-10-15 01:57:46]
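One way to implement the approach Wildcatboy describes (keep the Messenger service for local alerts, but stop outside hosts from reaching it) on a current Windows firewall. This is an added example, not code from this thread or from any poster: it assumes an elevated PowerShell on Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist, it scopes RPC port 135 (the port JRBlood saw the packets arrive on) to the local subnet only, and the rule name is my own.

```powershell
# Added example (not from the thread): keep the Messenger service running for
# local alerts, but let only the local subnet reach the RPC endpoint mapper
# (TCP/UDP 135) that remote "net send" popups arrive on. Requires an elevated
# PowerShell with the NetSecurity module (Windows 8 / Server 2012 and later);
# the rule name below is my own choice.

$ruleName = 'RPC 135 - local subnet only (example)'

# 1. Report the Messenger service state without changing it. On versions of
#    Windows that no longer ship the service, Get-Service simply finds nothing.
$msg = Get-Service -Name Messenger -ErrorAction SilentlyContinue
if ($msg) {
    "Messenger service: $($msg.Status), start type $($msg.StartType)"
} else {
    'Messenger service not present on this host'
}

# 2. The scoping below relies on each profile's default inbound action being
#    Block; anything not explicitly allowed from LocalSubnet is then dropped.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.DefaultInboundAction -ne 'Block') {
        Write-Warning "Profile $($_.Name) default inbound action is $($_.DefaultInboundAction); setting it to Block"
        Set-NetFirewallProfile -Name $_.Name -DefaultInboundAction Block
    }
}

# 3. Remove any earlier copy of the example rules, then allow 135 from the
#    local subnet only. With the default inbound action at Block, packets from
#    any other address never reach svchost, which is the effect the ZoneAlarm
#    "deny server access" setting discussed above has.
Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol $proto -LocalPort 135 -RemoteAddress LocalSubnet `
        -Program "$env:SystemRoot\System32\svchost.exe" | Out-Null
}

# 4. Show the resulting rules and their address scope for a final check.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    '{0,-4} port {1}: remote {2}' -f $port.Protocol, $port.LocalPort, $addr.RemoteAddress
}
```

Net send from machines on the same subnet still works and local AV alerts are untouched; a popup sourced from the Internet is dropped by the profile default before it reaches svchost. If your "network" spans more than one subnet, replace LocalSubnet with the address ranges you actually trust.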


Lurkers inc
Don't Call Me Doink

join:2001-10-13
Seattle, WA

said by Wildcatboy:

I can bet that those of you with a firewall who still get those pop ups must have allowed SVCHOST (Generic Host process for W32 services) to go out and accept calls.


Thanks for the tip, what I did in my rush to get win 2K with ZAP 2.6 up and running quickly is did not pay attention when I allowed server rights for "generic host process" and that allows net send messages to come through. Changing it to ask and stopping and restarting ZAP appears to give you a prompt when a net send message tries to come through and I set it to dis-allow so as not to be bothered by the prompts. Am I correct to assume that "generic host services" does not require server rights for anything? As far as I can tell no harm is done by leaving "generic host process" as ok to connect or ask.

Note: Win 9x users do not need to worry about net send as I do not think it is available to them.

(blushes) Wait-Wait-Wait, that's what you just said, I think I will crawl back to lurk mode again.

Paul,

[text was edited by author 2002-10-15 04:03:58]


Wildcatboy
Invisible
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:3

1 recommendation


That's how it should be. Allowing SVCHOST to go out will assure that you will be able to send out Net send commands within your Network or even to the outside world. It will also assure that programs such as AV products that use the pop up function of the messenger service can still function and send alerts to you and other users on your Network.

Disallowing SVCHOST to accept connections (In ZA terms denying it server access) will assure that Net Send commands from outside your Network will never get to you.

To me that's far better than disabling the service all together.
--
You can catch the Devil, but you can't hold him long.


KhaineBOT

@uu.net
reply to NetWatchMan
This is only really an issue if you or your admin has not configured the services properly, or the firewall. In either case you can use IPSec to block it from external addresses, although I would fix up the firewall settings also; it's always good to add extra layers of protection.


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to NetWatchMan

"I know for a fact that on my W2K server,if the messenger service is disabled, McAfee no longer alerts you when it finds a virus. This can affect a number of applications."

_______
I have never heard of that but will take you word for it..do you know why they are using this feature of the OS?
Do you know of any other programs in the security area that do?

Thanks

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Wildcatboy
Well, all I can say to this is (1) thank God I don't have XP as I would never stand for Messenger on my system period and (2) thank God I don't have McAfee. I don't use a firewall and won't be bullied into using one. Guess I better hope my W98SE computer lasts a long time. The more crap I hear about XP, the happier I am that I cannot upgrade this computer to that junk.


NetWatchMan
Premium
join:2001-03-13
Alpharetta, GA


2 recommendations

reply to Wildcatboy
said by Wildcatboy:

Just a word of caution. I personally don't think disabling the messenger service is the way to go.

Good point. There may also be other alerting systems that use Messenger (e.g. SQL server can be setup to send job failure alerts as popups).

I was hoping that the technique described in that document would enable Messenger to be bound to localhost (127.0.0.1) ONLY instead of 0.0.0.0 (all IPs):

-------------
The value to add is:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpc\Linkage
Value: Bind
Type: REG_MULTISZ
Content: "0"

Before Windows XP, only regedt32 allows creation of value of type REG_MULTISZ.

After a reboot, listening of TCP ports immediately higher than 1023 will be
restricted to IP address 127.0.0.1.

Precision:

This technique applies only to RPC services that do not pass the
RPC_C_BIND_TO_ALL_NICS value to the RpcServerUseProtseqEx() function. These
services can not be restricted and will always listen on all interfaces.
----------

I tried this on Win2K and it restarted Messenger...still listening on all IPs...I haven't tried a full reboot, but looks like Messenger must use the RPC_C_BIND_TO_ALL_NICS parameter as described above and can't be limited.

Thanks again Microsoft!
--
Lawrence Baldwin

myNetWatchman

The Internet Neighborhood Watch

[text was edited by author 2002-10-15 09:33:33]
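A script that applies the registry value quoted above and then audits which TCP listeners above port 1023 are still bound to all interfaces, which is the check Lawrence did by hand. This is an added example, not code from this thread or from the hsc.fr guide: the key, value name, type and content come from the quoted text, the audit (parsing `netstat -ano`, which works back to Windows XP) is my own, and it assumes an elevated PowerShell.

```powershell
# Added example (not from the thread or from hsc.fr): write the Bind value
# quoted above, then list TCP listeners above 1023 that still sit on 0.0.0.0.
# Run elevated; the guide says the restriction only takes effect after a reboot.

$linkage = 'HKLM:\SYSTEM\CurrentControlSet\Services\Rpc\Linkage'

function Set-RpcLoopbackBind {
    # Creates the Linkage key if needed and writes Bind = "0" as REG_MULTI_SZ,
    # which the quoted guide says restricts RPC dynamic ports to 127.0.0.1.
    if (-not (Test-Path $linkage)) { New-Item -Path $linkage -Force | Out-Null }
    New-ItemProperty -Path $linkage -Name Bind -PropertyType MultiString `
        -Value @('0') -Force | Out-Null
    (Get-ItemProperty -Path $linkage -Name Bind).Bind
}

function Get-WideOpenListeners {
    # Parses `netstat -ano -p TCP` and returns LISTENING sockets above 1023
    # whose local address is 0.0.0.0, i.e. services that ignored the Bind
    # restriction (the thread reports Messenger is one of them).
    netstat -ano -p TCP |
        Where-Object { $_ -match 'LISTENING' } |
        ForEach-Object {
            # Columns: Proto, Local Address, Foreign Address, State, PID
            $f = $_.Trim() -split '\s+'
            $ownerPid = [int]$f[4]
            # Split "0.0.0.0:135" (or "[::]:135") on the last colon only
            $addr, $port = $f[1] -split ':(?=\d+$)'
            if ($addr -eq '0.0.0.0' -and [int]$port -gt 1023) {
                $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Port    = [int]$port
                    PID     = $ownerPid
                    Process = if ($proc) { $proc.ProcessName } else { '?' }
                }
            }
        }
}

'Bind is now: ' + (Set-RpcLoopbackBind)
'Reboot, then rerun Get-WideOpenListeners; anything listed is still on all interfaces:'
Get-WideOpenListeners | Sort-Object Port | Format-Table -AutoSize
```

On a 2000/XP host you would expect the Messenger host process (svchost) to remain in the list after the reboot, matching the RPC_C_BIND_TO_ALL_NICS caveat in the quoted text; anything that drops off the list has honoured the loopback restriction. The listener audit is useful on its own, without the registry change, whenever you want to know what a box exposes before the firewall is involved.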

rakerman

join:2002-09-28
Ottawa, ON
reply to NetWatchMan
Nice work!

I have put up some information as well on my ports pages

Dangerous Ports - NET SEND

»www.akerman.ca/trojan-port-table···#netsend

and

Windows TCP/IP Ports
»www.akerman.ca/port-table.html#A···-Windows

A friend also mentioned this interesting information about DCOM which I will be investigating further.

»www.uksecurityonline.com/husdg/w···e135.htm


poiwv

join:2002-06-07
Belington, WV

1 recommendation

reply to NetWatchMan
I still think the main problem lies in the fact that Microsoft has the attitude that every conceivable service/protocol/possible feature needs to be turned on by default.

Why are anti-virus programs using this as the method of generating the warning pop-ups?

Because it is easy...a ready made way of doing it that they know is on by default....

Really, would it be that difficult to have the AV app check to see if it is on and if not ask for it to be turned on? or to have everything off by default and then as something is needed (really how many people need NetBIOS turned on?) turn on only the items absolutely needed to perform what the software you are installing needs on?

This type of spamming is now a problem because, for the first time, a "home" version of the operating system now has the capability, not just the "corporate" version, which often does have some sort of protection from messages originating outside the network (a firewall). Most home users happily lived without it for years, because the 9x versions did not have the capability.

KhaineBot said:

This is only really an issue if you or your admin has not configured the services properly, or the firewall. In either case you can use IPSec to block it from external addresses, although I would fix up the firewall settings also; it's always good to add extra layers of protection.
I disagree, mainly because most of the systems most likely to be affected are those of JoeAverage user, who has no idea that this is on or even how to configure a firewall, or even why one that can be configured is even needed, because XP includes one, doesn't it?

I don't think spam will be the only exploit to use this method, but as of now it seems to be the only one (other than the annoying stuff office workers do to each other when they figure out how to use it on a system properly isolated from the outside).
--
Advertising may be described as the science of arresting the human intelligence long enough to get money from it.