Re: [Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026

From: Johannes Ullrich (jullrich_at_euclidian.com)
Date: 06/21/03

  • Next message: Barry Dorrans: "[Full-Disclosure] RE: Windows Messenger Popup Spam on UDP Port 1026"
    To: "General DShield Discussion List" <list@dshield.org>
    Date: 21 Jun 2003 13:14:25 -0400
    
    

    Well, blocking port 1026 is probably not such a great idea. But
    why would a non-windows user suffer if ports 135-139 & 445 are blocked?

    On Sat, 2003-06-21 at 00:40, morning_wood wrote:
    > so all users should suffer an ISP blocking ports just because some
    > people run windows???? excuse me? Better would be to just disable
    > windows messaging service. or issue a patch for it, as opposed to
    > blocking port traffic.
    >
    > wood
    >
    > ----- Original Message -----
    > From: "Joe Stewart" <jstewart@lurhq.com>
    > To: <list@dshield.org>
    > Cc: <full-disclosure@lists.netsys.com>; <intrusions@incidents.org>;
    > <isc@sans.org>
    > Sent: Friday, June 20, 2003 7:37 PM
    > Subject: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port
    > 1026
    >
    >
    > > Windows Messenger Popup Spam on UDP Port 1026
    > >
    > > URL: http://www.lurhq.com/popup_spam.html
    > > Release Date: June 20, 2003
    > > Author: Joe Stewart
    > >
    > > LURHQ Corporation has observed traffic to large blocks of IP addresses
    > > on UDP port 1026. This traffic started around June 18, 2003 and has
    > > been constant since that time. LURHQ analysts have determined that the
    > > source of the traffic is spammers who have discovered that the Windows
    > > Messenger service listens for connections on port 1026 as well as the
    > > more widely-known port 135. Windows Messenger has been a target for
    > > spammers since late last year, because it allows anonymous pop-up
    > > messages to be displayed on any Windows system running the messenger
    > > service. Due to widespread abuse, many ISPs have moved to block
    > > inbound traffic on UDP port 135. It appears the spammers have adapted,
    > > so ISPs are urged to block UDP port 1026 inbound as well.
    > >
    > > It is possible to disable the messenger service on some platforms
    > > following the instructions below. However, the fact that you can
    > > receive these messages points to the fact that your computer is
    > > unsecured and vulnerable to other possible attacks in the future.
    > > Disabling the messenger service will stop the pop-up spam, but will
    > > not protect you in any other way. Home users are encouraged to install
    > > personal firewall software to block unauthorized connections to their
    > > computers. Users are discouraged from purchasing specialized Windows
    > > Messenger popup blocking software as it is often sold by the same
    > > company that is sending the popups.
    > >
    > > To disable the Messenger Service, follow the instructions for your
    > > Windows version:
    > >
    > > Windows XP Home
    > > * Click Start, then click Control Panel.
    > > * Double-click Performance and Maintenance.
    > > * Double-click Administrative Tools.
    > > * Double-click Services.
    > > * Scroll down, highlight and right-click on Messenger and choose
    > > Properties
    > > * In the "Startup type" list, choose Disabled.
    > > * Click Stop, and then click OK.
    > >
    > > Windows XP Professional
    > > * Click Start, then click Control Panel.
    > > * Double-click Administrative Tools
    > > * Double-click Services
    > > * Scroll down, highlight and right-click on Messenger and choose
    > > Properties
    > > * In the "Startup type" list, choose Disabled.
    > > * Click Stop, and then click OK.
    > >
    > > Windows 2000/NT
    > > * Click Start, go to Settings, then click Control Panel.
    > > * Double-click Administrative Tools.
    > > * Double-click Service.
    > > * Double-click Messenger.
    > > * In the "Startup type" list, choose Disabled.
    > > * Click Stop, and then click OK.
    > >
    > > Windows 98/ME
    > > The Windows Messenger Service cannot be disabled
    > >
    > > --
    > >
    > > About LURHQ Corporation
    > > LURHQ Corporation is the trusted provider of Managed Security
    > > Services. Founded in 1996, LURHQ has built a strong business
    > > protecting the critical information assets of more than 400 customers
    > > by offering managed intrusion prevention and protection services.
    > > LURHQ's 24X7 Incident Handling capabilities enable customers to
    > > enhance their security posture while reducing the costs of managing
    > > their security environments. LURHQ's OPEN Service Delivery(TM)
    > > methodology facilitates a true partnership with customers by providing
    > > a real time view of the organization's security status via the
    > > Sherlock Enterprise Security Portal. For more information visit
    > > http://www.lurhq.com/
    > >
    > > Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted for
    > > the redistribution of this document electronically. It is not to be
    > > altered or edited in any way without the express written consent of
    > > LURHQ Corporation. If you wish to reprint the whole or any part of
    > > this document in any other medium excluding electronic media, please
    > > e-mail advisories@lurhq.com for permission.
    > >
    > > Disclaimer
    > > The information within this paper may change without notice. Use of
    > > this information constitutes acceptance for use in an AS IS condition.
    > > There are NO warranties implied or otherwise with regard to this
    > > information. In no event shall the author be liable for any damages
    > > whatsoever arising out of or in connection with the use or spread of
    > > this information.
    > >
    > > Feedback
    > > Updates and/or comments to:
    > > LURHQ Corporation
    > > http://www.lurhq.com/
    > > advisories@lurhq.com
    > >
    > > _______________________________________________
    > > Full-Disclosure - We believe in it.
    > > Charter: http://lists.netsys.com/full-disclosure-charter.html
    > >
    >
    > _______________________________________________
    > list mailing list
    > list@dshield.org
    > To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
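
The quoted advisory describes traffic to large blocks of addresses on UDP port 1026, alongside the better-known port 135. The following is an added example, not part of the original thread or of LURHQ's or DShield's tooling: it scans firewall log lines for sources that hit many distinct destinations on those UDP ports. The log layout (iptables-style `KEY=value` fields), the sample lines, and the `min_targets` threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# UDP ports the advisory associates with Messenger popup delivery.
MESSENGER_UDP_PORTS = {135, 1026}

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jun 20 19:01:02 fw IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=4321 DPT=1026
Jun 20 19:01:02 fw IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=4321 DPT=1026
Jun 20 19:01:03 fw IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=UDP SPT=4321 DPT=1026
Jun 20 19:01:03 fw IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=UDP SPT=4321 DPT=1026
Jun 20 19:02:10 fw IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=2200 DPT=135
Jun 20 19:02:11 fw IN=eth0 SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=2201 DPT=1026
Jun 20 19:03:00 fw IN=eth0 SRC=192.0.2.53 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=1026
Jun 20 19:03:05 fw IN=eth0 truncated entry SRC=198.51.100.7
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (src, dst, proto, dport), or None if a required field is missing."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return (fields["SRC"], fields["DST"],
                fields["PROTO"].upper(), int(fields["DPT"]))
    except (KeyError, ValueError):
        return None  # malformed or truncated entry: skip rather than guess


def find_sweeps(log_text, min_targets=3):
    """Map (source, port) -> sorted destinations for sources that reached at
    least min_targets distinct hosts on a Messenger-related UDP port."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        src, dst, proto, dport = record
        # TCP to the same port numbers is a different service; ignore it.
        if proto == "UDP" and dport in MESSENGER_UDP_PORTS:
            targets[(src, dport)].add(dst)
    return {key: sorted(dsts) for key, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for (src, port), dsts in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(dsts)} hosts on UDP/{port}: {', '.join(dsts)}")
```

Counting distinct destinations per source separates a sweep from a lone packet that merely lands on port 1026, such as the single constructed entry with source port 53.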

