Re: Windows Messenger Pop-up spam

From: Kevin Davis (kevin.davis_at_mindless.com)
Date: 12/03/04

    To: <security-basics@securityfocus.com>
    Date: Fri, 3 Dec 2004 06:06:24 -0500
    
    

    > We were talking about messenger spam only, and therefore it's pretty
    > much sufficient to disable the messenger service. No other action
    > needed, especially not blocking any ports. Period.

    The fact that Messenger traffic was getting through exposes the fact that
    there is a problem. More than the Messenger service uses that port.

    >
    > But let's assume we're talking not only about messenger spam but malware
    > in general. Why would I rather block specific ports instead of disabling
    > unneeded services? In the latter case I won't *have* anything that needs
    > to be protected at all¹. Plus Personal Firewalls proved themselves to
    > be much less reliable than one would like to think. Do I have to remind
    > you of the Witty worm?

    Disabling unneeded services is not an adequate protection from malware.
    There is tons of malware - in fact probably the majority - that sets up its
    own "server" once it infects the target system. That's where personal
    firewalls help. A new, unknown process is trying to get out to the net -
    the firewall will catch this and alert the user. I would agree that one
    should not put 100% confidence in personal firewalls. All software has bugs
    and many will have vulnerabilities from time to time. This fact in itself
    does not justify permanently discounting it. The first time you find out
    that your router has a bug in its firmware do you throw it in the trash?

    The best solution is a multi-layered approach (defense in depth):

    1. Patch your systems.
    2. Get your systems behind a firewall (a personal firewall if a home user).
    3. Get your system behind a router.
    4. Harden the system by turning off unneeded services.
    5. Employ the use of virus and spyware scanners/blockers.
    6. Educate the user about security.
    7. Whatever else makes sense.

    >
    > Sure, you can argue that maybe the host acts as a router for some local
    > network (ICS or something). However, I would still have to ask: why does
    > he need to provide any services at all? A router is not supposed to
    > provide services. Period. If one needs Internet connectivity for a local
    > network and needs all computers as workstations, then bite the damn
    > bullet and buy a router. They're not *that* expensive. And of course one
    > would block *everything* except for the desired traffic on the network
    > *perimeter*, not only deny the undesired traffic on the host itself.

    The small, inexpensive SOHO routers only block inbound traffic. If a user
    gets some malware on their system, this helps them not.

    > If
    > there's no LAN but just a single host with Internet connection, then why
    > does the box need to provide any services at all? IMnsHO.

    You can't make a blanket statement like this for all cases. In some cases
    this would be true, in others not.

    Let's take the Messenger service, for instance. Some people should *not*
    turn off the Messenger service. Why? Maybe they are running one of the
    several virus scanning products that use the Messenger service to alert the
    user of a virus problem. Turn that service off and it is degrading the
    ability of the virus scanner to do its job properly. I'm sure that there
    are other examples. In this particular case, I think that the virus
    scanners that depend on this service are poorly designed. One could argue
    that this dependency, from one respect, is weakening the security of the
    system.
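
The message's point that malware starting its own "server" is not covered by disabling stock services can be checked on a host by diffing current listeners against an approved baseline. The following is an added example, not part of the original post; the `netstat -ano` sample, the PID map, the image name `updmgr32.exe` and the baseline are all constructed.

```python
# Constructed `netstat -ano` sample (not captured from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2288
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     1500
  UDP    0.0.0.0:135            *:*                                    912
  UDP    0.0.0.0:4444           *:*                                    2288
"""
# Constructed PID -> image map, as `tasklist` would supply it.
IMAGES = {4: "System", 912: "svchost.exe", 1500: "iexplore.exe",
          2288: "updmgr32.exe"}
# Approved listeners for this host: (lower-cased image, protocol, port).
BASELINE = {("system", "TCP", 445), ("svchost.exe", "TCP", 135),
            ("svchost.exe", "UDP", 135)}


def parse_listeners(text):
    """Return (proto, port, pid) for every listening TCP / bound UDP socket."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local, pid = fields[0], fields[1], fields[-1]
        # TCP rows carry a State column; only LISTENING rows are servers.
        if proto == "TCP" and (len(fields) != 5 or fields[3] != "LISTENING"):
            continue
        # UDP rows have no State column, so every bound UDP socket counts.
        if proto == "UDP" and len(fields) != 4:
            continue
        port = int(local.rsplit(":", 1)[1])  # rsplit also handles [::]:135
        listeners.append((proto, port, int(pid)))
    return listeners


def unexpected_listeners(text, images, baseline):
    """Listeners whose (image, proto, port) is not in the approved baseline."""
    found = set()
    for proto, port, pid in parse_listeners(text):
        image = images.get(pid, "<unknown pid %d>" % pid)
        if (image.lower(), proto, port) not in baseline:
            found.add((image, proto, port))
    return sorted(found)


if __name__ == "__main__":
    for image, proto, port in unexpected_listeners(NETSTAT, IMAGES, BASELINE):
        print(f"unexpected listener: {image} on {proto}/{port}")
```
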

