Re: Source of Windows PopUp SPAM

From: Gary Flynn (flynngn@jmu.edu)
Date: 10/17/02


Date: Thu, 17 Oct 2002 13:49:26 -0400
From: Gary Flynn <flynngn@jmu.edu>
To: H C <keydet89@yahoo.com>

H C wrote:
>
> Many of the posts to this list have clearly shown that
> this "messenger spam" is not, in fact, coming in over
> TCP port 139 (as works w/ 'net send'

Carv and all,

A 'net send' sent a message in my tests using UDP-135.
I suspect it varies with what protocols are bound by
the applications in question and the machines in use.
The test systems I used did not have netbios/tcp
bound (139). The message was sent from an XP professional
machine to an XP home machine.

RPC can use many different underlying protocols as
transport. The applications decide which protocols
to use as endpoints. Details are here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/selecting_a_protocol_sequence.asp
(may wrap)

I don't know what the Messenger service and net send use
but it seems from what everybody has said that they at
least support both tcp/netbios(139) and dynamic ports provided
by the UDP-135 mapper. I suspect they also support netbeui
but don't have any evidence of that.

Tools that may provide more information can be found on the
Bindview site below. I haven't made the time yet to sort out
all the classids to figure out what is actually happening:

http://razor.bindview.com/tools/desc/rpctools1.0-readme.html

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E. http://www.jmu.edu/computing/runsafe

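The thread turns on which transports the Messenger service actually rides on: the RPC endpoint mapper on UDP 135 (where the 'net send' above was observed) and the NetBIOS session service on TCP 139. From a network defender's side, the practical question is spotting outside hosts that sweep the internal range on exactly those ports. The script below is an added example, not part of this post or of the list archive; the log line format, the addresses and the `min_targets` threshold are all constructed for the example and would need adapting to a real firewall's syslog output.

```python
"""Flag external sources that sweep internal hosts on the Messenger-service
transports named in the thread (UDP 135 endpoint mapper, TCP 139 NetBIOS).

Added example for this archived post; the log format and sample lines are
constructed, not taken from any real firewall."""
import re
from collections import defaultdict

# Transport labels for the two ports discussed in the thread.
MESSENGER_PORTS = {
    ("UDP", 135): "rpc-endpoint-mapper",
    ("TCP", 139): "netbios-session",
}

# Constructed line format: "<date> <time> <ACTION> <PROTO> src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do
    not match the constructed format (so junk in the log is skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Return the Messenger transport label for a record, or None if the
    destination protocol/port pair is not one of the two in the thread."""
    return MESSENGER_PORTS.get((rec["proto"], rec["dport"]))


def summarize(lines, min_targets=3):
    """Group Messenger-port hits by source address and keep only sources
    that touched at least `min_targets` distinct internal hosts, i.e. the
    sweeping behaviour rather than a single stray packet."""
    hits = defaultdict(lambda: {"transports": set(), "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is None:
            continue
        hits[rec["src"]]["transports"].add(label)
        hits[rec["src"]]["targets"].add(rec["dst"])
    return {src: v for src, v in hits.items() if len(v["targets"]) >= min_targets}


# Constructed sample log: one sweeping source, one ordinary web client, one
# single-packet source below the threshold, and one malformed line.
SAMPLE_LOG = [
    "2002-10-17 13:49:26 DENY UDP 203.0.113.5:1034 -> 192.0.2.10:135",
    "2002-10-17 13:49:26 DENY UDP 203.0.113.5:1034 -> 192.0.2.11:135",
    "2002-10-17 13:49:27 DENY UDP 203.0.113.5:1034 -> 192.0.2.12:135",
    "2002-10-17 13:49:27 DENY TCP 203.0.113.5:2211 -> 192.0.2.13:139",
    "2002-10-17 13:49:28 ACCEPT TCP 198.51.100.7:3345 -> 192.0.2.20:80",
    "2002-10-17 13:49:29 DENY UDP 203.0.113.9:1099 -> 192.0.2.30:135",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, sorted(info["transports"]), len(info["targets"]), "hosts")
```

With the sample log, only 203.0.113.5 is reported, on both transports, across four internal hosts; 203.0.113.9 shows up only if `min_targets` is lowered to 1. Keying the report on distinct destinations rather than packet count is the point: a single accidental probe on UDP 135 is noise, while one source touching many hosts on the endpoint mapper is the pattern the thread is describing.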
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com