[Dshield] Windows Messenger Popup Spam on UDP Port 1026

KJS_Public kjs_public at sbcglobal.net
Sat Jun 21 14:55:12 GMT 2003


Am I the only one that feels that this message in itself is spam?

----- Original Message ----- 
From: "Joe Stewart" <jstewart at lurhq.com>
To: <list at dshield.org>
Cc: <isc at sans.org>; <intrusions at incidents.org>;
<full-disclosure at lists.netsys.com>
Sent: Friday, June 20, 2003 9:37 PM
Subject: [Dshield] Windows Messenger Popup Spam on UDP Port 1026


> Windows Messenger Popup Spam on UDP Port 1026
>
> URL: http://www.lurhq.com/popup_spam.html
> Release Date: June 20, 2003
> Author: Joe Stewart
>
> LURHQ Corporation has observed traffic to large blocks of IP addresses
> on UDP port 1026. This traffic started around June 18, 2003 and has
> been constant since that time. LURHQ analysts have determined that the
> source of the traffic is spammers who have discovered that the Windows
> Messenger service listens for connections on port 1026 as well as the
> more widely-known port 135. Windows Messenger has been a target for
> spammers since late last year, because it allows anonymous pop-up
> messages to be displayed on any Windows system running the messenger
> service. Due to widespread abuse, many ISPs have moved to block
> inbound traffic on UDP port 135. It appears the spammers have adapted,
> so ISPs are urged to block UDP port 1026 inbound as well.
>
> It is possible to disable the messenger service on some platforms
> following the instructions below. However, the fact that you can
> receive these messages points to the fact that your computer is
> unsecured and vulnerable to other possible attacks in the future.
> Disabling the messenger service will stop the pop-up spam, but will
> not protect you in any other way. Home users are encouraged to install
> personal firewall software to block unauthorized connections to their
> computers. Users are discouraged from purchasing specialized Windows
> Messenger popup blocking software as it is often sold by the same
> company that is sending the popups.
>
> To disable the Messenger Service, follow the instructions for your
> Windows version:
>
> Windows XP Home
>   * Click Start, then click Control Panel.
>   * Double-click Performance and Maintenance.
>   * Double-click Administrative Tools.
>   * Double-click Services.
>   * Scroll down, highlight and right-click on Messenger and choose
>     Properties
>   * In the "Startup type" list, choose Disabled.
>   * Click Stop, and then click OK.
>
> Windows XP Professional
>   * Click Start, then click Control Panel.
>   * Double-click Administrative Tools
>   * Double-click Services
>   * Scroll down, highlight and right-click on Messenger and choose
>     Properties
>   * In the "Startup type" list, choose Disabled.
>   * Click Stop, and then click OK.
>
> Windows 2000/NT
>   * Click Start, go to Settings, then click Control Panel.
>   * Double-click Administrative Tools.
>   * Double-click Service.
>   * Double-click Messenger.
>   * In the "Startup type" list, choose Disabled.
>   * Click Stop, and then click OK.
>
> Windows 98/ME
> The Windows Messenger Service cannot be disabled
>
> --
>
> About LURHQ Corporation
> LURHQ Corporation is the trusted provider of Managed Security
> Services. Founded in 1996, LURHQ has built a strong business
> protecting the critical information assets of more than 400 customers
> by offering managed intrusion prevention and protection services.
> LURHQ's 24X7 Incident Handling capabilities enable customers to
> enhance their security posture while reducing the costs of managing
> their security environments. LURHQ's OPEN Service Delivery(TM)
> methodology facilitates a true partnership with customers by providing
> a real time view of the organization's security status via the
> Sherlock Enterprise Security Portal. For more information visit
> http://www.lurhq.com/
>
> Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted for
> the redistribution of this document electronically. It is not to be
> altered or edited in any way without the express written consent of
> LURHQ Corporation. If you wish to reprint the whole or any part of
> this document in any other medium excluding electronic media, please
> e-mail advisories at lurhq.com for permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are NO warranties implied or otherwise with regard to this
> information. In no event shall the author be liable for any damages
> whatsoever arising out of or in connection with the use or spread of
> this information.
>
> Feedback
> Updates and/or comments to:
> LURHQ Corporation
> http://www.lurhq.com/
> advisories at lurhq.com
>

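An added example, not part of the original message or the quoted LURHQ advisory: one way to spot the traffic the advisory describes (a single source sending UDP to port 1026 or 135 across many addresses) in perimeter firewall logs. The log format, the sample lines, the `find_sweeps` name and the `min_targets` threshold are all assumptions made for this illustration.

```python
import re
from collections import defaultdict

# UDP ports the advisory ties to Messenger popup delivery.
MESSENGER_UDP_PORTS = {135, 1026}

# Assumed log format (constructed, not any product's real format):
# <date> <time> <action> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
2003-06-20 21:37:01 ACCEPT UDP 203.0.113.7:4312 -> 192.0.2.10:1026
2003-06-20 21:37:01 ACCEPT UDP 203.0.113.7:4312 -> 192.0.2.11:1026
2003-06-20 21:37:02 ACCEPT UDP 203.0.113.7:4312 -> 192.0.2.12:1026
2003-06-20 21:37:02 DROP UDP 203.0.113.7:4313 -> 192.0.2.12:135
2003-06-20 21:37:05 ACCEPT UDP 198.51.100.9:53 -> 192.0.2.10:1026
2003-06-20 21:37:06 ACCEPT TCP 198.51.100.20:3350 -> 192.0.2.10:1026
malformed line that should be skipped
"""

def find_sweeps(log_text, min_targets=3):
    """Return {src: summary} for sources hitting the Messenger UDP ports
    on at least min_targets distinct destination addresses."""
    targets = defaultdict(set)   # src -> distinct destination IPs
    ports = defaultdict(set)     # src -> Messenger ports probed
    accepted = defaultdict(int)  # src -> packets the firewall let through
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"].upper() != "UDP":
            continue
        dport = int(m["dport"])
        if dport not in MESSENGER_UDP_PORTS:
            continue
        src = m["src"]
        targets[src].add(m["dst"])
        ports[src].add(dport)
        if m["action"].upper() == "ACCEPT":
            accepted[src] += 1
    # 1026 is also an ordinary ephemeral port, so one packet to one host
    # (e.g. a DNS reply) is not evidence; a spread across hosts is.
    return {
        src: {"targets": len(dsts), "ports": sorted(ports[src]),
              "accepted": accepted[src]}
        for src, dsts in targets.items() if len(dsts) >= min_targets
    }

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(src, info)
```

A non-zero `accepted` count for a flagged source means the inbound UDP 1026 block the advisory recommends is not yet in place on that path.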