Re: WIN2000NT False prophets(!).
From: Bruce Chambers (bchambers_at_cable0ne.n3t)
Date: 11/19/05
- Next message: David H. Lipman: "Re: WIN2000NT False prophets(!)."
- Previous message: Robert Moir: "Re: WIN2000NT False prophets(!)."
- In reply to: Martin Spencer-Ford: "Re: WIN2000NT False prophets(!)."
- Next in thread: Martin Spencer-Ford: "Re: WIN2000NT False prophets(!)."
- Reply: Martin Spencer-Ford: "Re: WIN2000NT False prophets(!)."
Date: Sat, 19 Nov 2005 11:47:59 -0700
Martin Spencer-Ford wrote:
>
>
> Sorry, I didn't know that Blaster or Sasser were more threatening to a
> system where the messenger service has been disabled.
>
The only thing turning off the messenger services does, beyond freeing
an insignificantly minuscule amount of system resources, is disable a
crude sort of security warning that your firewall has failed. All
disabling the messenger service actually accomplishes is stop the
messenger service (obviously) and the display of the messenger spams.
Doing so doesn't close the IP ports by which those messages arrived from
the Internet. Those ports used by the messenger service are also used
by the "black hats" to broadcast malware, such as Blaster, Welchia, and
Sasser.
>
>
> Agreed, maybe I have the wrong impression here, but does not disabling
> a service make it dead, what your statement suggests here is that ok the
> warning signs are gone, but the underlying problem of the service is
> still there as it's not really disabled?
>
The *messenger* service may be "dead," but that doesn't close the IP
ports exploited by other malware. The "warning" provided by the
messenger service is that those ports are wide-open and exploitable.
>
>
> The OP in *my* opinion was just asking how to stop the damned adverts,
> not how to install and maintain a firewall, Mike stated that he had run
> software that is normally good at stopping most scum ware, so I didn't
> feel the need to go into the needs of a security policy, as he is
> obviously to me, on the right approach to the runway. Your linking to a
> medical condition, is amusing in comparison, but I wouldn't have needed
> the doc to tell me "well don't do that" I would have figured that
> myself, which is like I say - I assumed that Mike's approach was.
>
But would you have accepted such medical advice as the sole solution to
your problem? ;-} Wouldn't you, at some point in the future, want to
be able to reach that top shelf again? And, if you don't like the
medical analogy, how about this one: pulling the battery out of a noisy
smoke detector, rather than looking for - and eliminating - the source
of the smoke that set it off?
>
>>
> Agreed, but still suggests that disabling the service still leaves it
> active ?
No, but it still leaves the true vulnerability in place. The problem
is that turning off the Messenger Service does *not* block the wide open
TCP and UDP ports that the spammers used to deliver the spam to the
Messenger Service for display. With the Messenger Service disabled,
those spam deliveries to the PC are still continuing, but they're simply
not being displayed.
The danger of this "treat the symptoms" approach has been more than
aptly demonstrated by the advent of the W32.Blaster.Worm, the
W32.Welchia.Worm, the W32.Sasser.Worm, and their variants. These worms
attack PCs via some of the very same open ports that the Messenger
Service uses. Need I mention how many hundreds of thousands of PCs have
been infected by these worms since August of 2003? To date, according
to my records, I have personally responded to over 1000 Usenet posts
concerning Blaster/Welchia/Sasser infections since then, and I can't
possibly have seen and replied to every one that's been posted in
this period.
Now, how many of those infected with Blaster/Welchia had turned off
the Messenger Service to hide spam? I can't say, and I don't think
anyone can. What I can say with absolute certainty is that if they'd
all had a properly configured firewall in place, they would have blocked
the annoying spam _and_ been safe from a great many other dangers,
particularly Blaster/Welchia/Sasser.
Of course, like the Messenger Service Buffer Overrun threat, there
is also a patch available to fix a PC's vulnerability to
Blaster/Welchia, which was available to the general public a full
month before the first instances of Blaster/Welchia "in the wild." If
people learned to stay aware of computer security issues and updated
their systems as needed, a whole lot of grief could have been avoided.
The problem with relying upon patches, however, is that they're
sometimes not available until _after_ the exploit has become
wide-spread. Antivirus software suffers from this same weakness; it's
simply not always possible to provide protection from threats that
have not yet been developed and/or discovered. Both approaches, while
important, are re-active in nature.
> I noted the tools that Mike was using, and yes I noticed there
> was not a mention of a firewall, ok maybe I should have asked if there
> was one installed, but for all I know, that may well have been his next
> plan of action, and like I said in the other reply to Steve, Mike might
> be doing things in the *wrong* order, but he is showing signs of going in
> the right direction.
>
> I don't claim to be an "expert" and as much as I like to be corrected if
> the information I have provided is wrong, and I certainly don't wish to
> get involved in a shaming flame war as seen on other groups, but the
> advice I have given in this case to *me* is accurate. The fact that I
> offered the quick solution for someone who appeared to be desperate to
> stop the ads, as valid as your point is about revealing underlying
> problems, I felt no need to flood the poor chap with what he should and
> should not do, which is another reason why I liked your post, you did
> not show any bias with any tools for securing up his remaining issues
>
Your subsequent posts in this thread (the ones I should have read
before I "scolded" you - for which I apologize) do indicate that you do
indeed know better and meant well. Your intent and reasoning is noted.
I tend to be over-sensitive on this issue of offering a "quick
solution", primarily because I've had to spend more hours than I care to
think about cleaning up behind others who used this and other "quick
solutions" to make problems seem to go away. I prefer to fix things
completely the first time. As my grandfather once told me, "If you can
find the time to do it over, you had time to do it right in the first
place."
Now, as for the Messenger Service itself, it generally doesn't
hurt anything to turn it off, although I never recommend doing so.
Granted, the service is of little or no use to most home PC users
(although I've had uses for it on my home LAN), and turning off
unnecessary services is part of any standard computer security
protocol. However, I feel that the potential benefits of leaving the
Messenger Service enabled out-weigh any as-yet-theoretical risks that
it presents. It will indirectly let the computer user know that
his/her firewall has failed by displaying the Messenger Service spam.
Think of it as the canary that miners used to take down into the
mine shafts with them. There are others, of course, who disagree with
me on this point and advise turning off the service because it isn't
needed; you'll have to make up your own mind here.
--
Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having both at once. - RAH
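Added example, not part of the original post: a small audit that compares the Messenger service state with the sockets still reachable from the network, which is the gap the message above describes. The port numbers (RPC endpoint mapper 135, NetBIOS 137-139, SMB 445) and both sample command outputs are assumptions constructed for illustration; the post names no ports.

```python
import re

# Ports assumed for this example (not named in the post): RPC endpoint
# mapper, NetBIOS name/datagram/session, and SMB over TCP.
WATCHED = {("TCP", 135), ("UDP", 135), ("UDP", 137),
           ("UDP", 138), ("TCP", 139), ("TCP", 445)}

# Constructed sample of `netstat -an` output on a host with no firewall.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

# Constructed sample of `sc query messenger` after the service was disabled.
SAMPLE_SC = """\
SERVICE_NAME: messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def exposed_ports(netstat_text):
    """Return sorted (proto, port) pairs from WATCHED that other hosts can reach."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or outbound connection, not a listener
        if addr.startswith("127."):
            continue  # loopback-only socket, unreachable from the network
        if (proto, int(port)) in WATCHED:
            found.add((proto, int(port)))
    return sorted(found)

def service_stopped(sc_text):
    """True when the STATE line of `sc query` output reads STOPPED."""
    m = re.search(r"STATE\s*:\s*\d+\s+(\w+)", sc_text)
    return bool(m) and m.group(1) == "STOPPED"

def symptom_only_fix(netstat_text, sc_text):
    """Service is off, yet the watched ports still accept traffic."""
    return service_stopped(sc_text) and bool(exposed_ports(netstat_text))
```

On the constructed samples the service reports STOPPED while all six watched sockets remain reachable, so `symptom_only_fix` returns `True`; with a firewall filtering those ports the same check would have to be run from outside the host, since `netstat` only shows local bindings.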