Answering my own question [was Re: NetBIOS Messenger spam - how did it get in?]

From: Damon McMahon (inst_karma@hotmail.com)
Date: 10/28/02


Date: 28 Oct 2002 22:54:54 -0000
From: Damon McMahon <inst_karma@hotmail.com>
To: security-basics@securityfocus.com


In-Reply-To: <20021025093609.29660.qmail@mail.securityfocus.com>

Thank you to those who took the time to provide some
advice. On some further research I have discovered an
answer to my question which I believe many on this list
may find of interest [below].

>
>The gateway host of my small workgroup has just become
>a 'victim' of the recent spate of SPAM using the
>NetBIOS Messenger Service. However, I'm seeking advice
>on how it managed to get through what I thought was a
>reasonably secure gateway.
>

[snip]

>
>I have ZoneAlarm Pro installed on the gateway, which
>allows NetBIOS traffic over the 192.168.0.0/24 subnet
>but rejects NetBIOS traffic from any other IP. This
>rule is explicitly defined in the ZA Pro configuration,
>and appears to be working as the ZA Pro logs are full
>of rejected packets from internet IPs attempting to
>access NetBIOS ports on the host.
>

As it turns out, the SPAM was not using NetBIOS at all
but rather coming through a RPC endpoint on udp/135
which is mapped by the Windows 2000 Services and
Controller app (SERVICES.EXE). A detailed comparison of
the two methods used by the Messenger Service is given
at
http://mynetwatchman.com/kb/security/articles/popupspam/netsend.htm
.

So as it turns out, this was a misconfiguration of ZA
Pro on my behalf, and in a way I'm happy this has
happened as it has alerted me to the fact that I had
some services installed on my gateway which were wide
open to accepting traffic from the internet. Given that
I'm sure I'm not the only one in this boat, I will
repeat the advice given at the above resource:

"Users with personal firewalls need to exercise extreme
care when granting permissions to RPC-related
executables (e.g. svchost.exe or services.exe). If you
mistakenly give these applications full 'server'
rights, then you may be susceptible to Messenger SPAM."
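The distinction the post draws (NetBIOS on udp/137-139 versus the RPC endpoint mapper on udp/135) is exactly the kind of hole a port-based audit of firewall logs will expose. The script below is an added example, not code from the original post or from mynetwatchman; it parses a constructed, simplified log format (an assumption, not ZoneAlarm's real log layout), treats 192.168.0.0/24 as the trusted subnet as in the post, and reports any ALLOWed traffic from outside that subnet to a NetBIOS or RPC endpoint-mapper port. The sample log lines are constructed to mirror the situation described: NetBIOS ports blocked as intended, udp/135 let through.

```python
import ipaddress
import re
from collections import Counter

# Ports behind the two Messenger delivery paths named in the post:
# NetBIOS (137/138/139) and the RPC endpoint mapper on udp/135,
# which on Windows 2000 is owned by services.exe.
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}
RPC_EPMAP_PORT = 135

# Constructed, simplified log format (an assumption; not ZoneAlarm's own):
# "<date> <time> <ALLOW|BLOCK> <TCP|UDP> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

LAN = ipaddress.ip_network("192.168.0.0/24")  # trusted subnet from the post

# Constructed sample log: NetBIOS probes from the internet are rejected,
# but an internet host reaches udp/135 and is ALLOWed.
SAMPLE_LOG = """\
2002-10-28 22:10:01 BLOCK UDP 198.51.100.7:1029 -> 192.168.0.1:137
2002-10-28 22:10:02 BLOCK UDP 198.51.100.7:1029 -> 192.168.0.1:138
2002-10-28 22:10:03 BLOCK TCP 198.51.100.7:2044 -> 192.168.0.1:139
2002-10-28 22:11:17 ALLOW UDP 203.0.113.44:1031 -> 192.168.0.1:135
2002-10-28 22:11:18 ALLOW UDP 203.0.113.44:1031 -> 192.168.0.1:1026
2002-10-28 22:12:00 ALLOW UDP 192.168.0.7:138 -> 192.168.0.1:138
2002-10-28 22:12:30 ALLOW UDP 192.168.0.9:1040 -> 192.168.0.1:135
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def path_for_port(port):
    """Name the Messenger delivery path a destination port belongs to, if any."""
    if port == RPC_EPMAP_PORT:
        return "rpc-epmap"
    return NETBIOS_PORTS.get(port)


def audit(log_text, lan=LAN):
    """Return (timestamp, src, dport, path) for every ALLOWed packet from
    outside the LAN to a NetBIOS or RPC endpoint-mapper port.

    Note: this is port-based, so traffic to dynamic RPC ports (like the
    udp/1026 line in the sample) is not flagged; the exposed udp/135 is."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        path = path_for_port(rec["dport"])
        if path is None or ipaddress.ip_address(rec["src"]) in lan:
            continue
        findings.append((rec["ts"], rec["src"], rec["dport"], path))
    return findings


def summarize(log_text, lan=LAN):
    """Count external hits per (path, action) to show where the rule has a hole:
    NetBIOS blocked across the board, RPC endpoint mapper allowed."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = path_for_port(rec["dport"])
        if path is None or ipaddress.ip_address(rec["src"]) in lan:
            continue
        counts[(path, rec["action"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, src, port, path in audit(SAMPLE_LOG):
        print(f"{ts} external {src} reached {port}/{path} (ALLOWED)")
    for (path, action), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{path:12s} {action:5s} {n}")
```

The summary makes the misconfiguration visible at a glance: a "NetBIOS" rule that only covers 137-139 leaves every RPC-based service reachable through udp/135, which is why blocking the NetBIOS ports alone did not stop the pop-ups.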


