[Dshield] Re: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026

Johannes Ullrich jullrich at euclidian.com
Sat Jun 21 17:14:45 GMT 2003


Well, blocking port 1026 is probably not such a great idea. But
why would a non-Windows user suffer if ports 135-139 & 445 are blocked?



On Sat, 2003-06-21 at 00:40, morning_wood wrote:
> so all users should suffer an ISP blocking ports just because some
> people run windows???? excuse me? Better would be to just disable
> windows messaging service. or issue a patch for it, as opposed to
> blocking port traffic.
> 
> wood
> 
> ----- Original Message ----- 
> From: "Joe Stewart" <jstewart at lurhq.com>
> To: <list at dshield.org>
> Cc: <full-disclosure at lists.netsys.com>; <intrusions at incidents.org>;
> <isc at sans.org>
> Sent: Friday, June 20, 2003 7:37 PM
> Subject: [Full-Disclosure] Windows Messenger Popup Spam on UDP Port 1026
> 
> 
> > Windows Messenger Popup Spam on UDP Port 1026
> >
> > URL: http://www.lurhq.com/popup_spam.html
> > Release Date: June 20, 2003
> > Author: Joe Stewart
> >
> > LURHQ Corporation has observed traffic to large blocks of IP addresses
> > on UDP port 1026. This traffic started around June 18, 2003 and has
> > been constant since that time. LURHQ analysts have determined that the
> > source of the traffic is spammers who have discovered that the Windows
> > Messenger service listens for connections on port 1026 as well as the
> > more widely-known port 135. Windows Messenger has been a target for
> > spammers since late last year, because it allows anonymous pop-up
> > messages to be displayed on any Windows system running the messenger
> > service. Due to widespread abuse, many ISPs have moved to block
> > inbound traffic on UDP port 135. It appears the spammers have adapted,
> > so ISPs are urged to block UDP port 1026 inbound as well.
> >
> > It is possible to disable the messenger service on some platforms
> > following the instructions below. However, the fact that you can
> > receive these messages points to the fact that your computer is
> > unsecured and vulnerable to other possible attacks in the future.
> > Disabling the messenger service will stop the pop-up spam, but will
> > not protect you in any other way. Home users are encouraged to install
> > personal firewall software to block unauthorized connections to their
> > computers. Users are discouraged from purchasing specialized Windows
> > Messenger popup blocking software as it is often sold by the same
> > company that is sending the popups.
> >
> > To disable the Messenger Service, follow the instructions for your
> > Windows version:
> >
> > Windows XP Home
> >   * Click Start, then click Control Panel.
> >   * Double-click Performance and Maintenance.
> >   * Double-click Administrative Tools.
> >   * Double-click Services.
> >   * Scroll down, highlight and right-click on Messenger and choose
> >     Properties
> >   * In the "Startup type" list, choose Disabled.
> >   * Click Stop, and then click OK.
> >
> > Windows XP Professional
> >   * Click Start, then click Control Panel.
> >   * Double-click Administrative Tools
> >   * Double-click Services
> >   * Scroll down, highlight and right-click on Messenger and choose
> >     Properties
> >   * In the "Startup type" list, choose Disabled.
> >   * Click Stop, and then click OK.
> >
> > Windows 2000/NT
> >   * Click Start, go to Settings, then click Control Panel.
> >   * Double-click Administrative Tools.
> >   * Double-click Service.
> >   * Double-click Messenger.
> >   * In the "Startup type" list, choose Disabled.
> >   * Click Stop, and then click OK.
> >
> > Windows 98/ME
> > The Windows Messenger Service cannot be disabled
> >
> > --
> >
> > About LURHQ Corporation
> > LURHQ Corporation is the trusted provider of Managed Security
> > Services. Founded in 1996, LURHQ has built a strong business
> > protecting the critical information assets of more than 400 customers
> > by offering managed intrusion prevention and protection services.
> > LURHQ's 24X7 Incident Handling capabilities enable customers to
> > enhance their security posture while reducing the costs of managing
> > their security environments. LURHQ's OPEN Service Delivery(TM)
> > methodology facilitates a true partnership with customers by providing
> > a real time view of the organization's security status via the
> > Sherlock Enterprise Security Portal. For more information visit
> > http://www.lurhq.com/
> >
> > Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted for
> > the redistribution of this document electronically. It is not to be
> > altered or edited in any way without the express written consent of
> > LURHQ Corporation. If you wish to reprint the whole or any part of
> > this document in any other medium excluding electronic media, please
> > e-mail advisories at lurhq.com for permission.
> >
> > Disclaimer
> > The information within this paper may change without notice. Use of
> > this information constitutes acceptance for use in an AS IS condition.
> > There are NO warranties implied or otherwise with regard to this
> > information. In no event shall the author be liable for any damages
> > whatsoever arising out of or in connection with the use or spread of
> > this information.
> >
> > Feedback
> > Updates and/or comments to:
> > LURHQ Corporation
> > http://www.lurhq.com/
> > advisories at lurhq.com
> >
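
The traffic pattern the quoted advisory describes, one source sending UDP to ports 135 and 1026 across large blocks of addresses, can be looked for in firewall logs. This is an added example, not part of the original thread; the log format, the addresses, and the `find_sweeps` name are constructed for illustration.

```python
import re
from collections import defaultdict

# UDP ports the advisory names as reaching the Windows Messenger service.
MESSENGER_UDP_PORTS = {135, 1026}

# Constructed log format (assumption, not a real product's):
#   <timestamp> <ALLOW|DROP> <proto> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
2003-06-20T19:01:02Z ALLOW UDP 198.51.100.7:4011 -> 192.0.2.10:1026
2003-06-20T19:01:02Z DROP UDP 198.51.100.7:4011 -> 192.0.2.11:1026
2003-06-20T19:01:03Z ALLOW UDP 198.51.100.7:4011 -> 192.0.2.12:1026
2003-06-20T19:01:03Z DROP UDP 198.51.100.7:4012 -> 192.0.2.13:135
2003-06-20T19:01:04Z ALLOW UDP 203.0.113.5:53 -> 192.0.2.10:53
2003-06-20T19:01:05Z DROP UDP 203.0.113.9:3000 -> 192.0.2.11:1026
2003-06-20T19:01:06Z ALLOW TCP 198.51.100.7:4013 -> 192.0.2.10:1026
truncated or malformed line
"""

def find_sweeps(log_text, min_targets=3):
    """Report sources that sent UDP to Messenger ports on at least
    min_targets distinct destinations, and which destinations the
    firewall let the traffic reach (hosts still exposed)."""
    seen = defaultdict(lambda: {"ports": set(), "targets": set(), "reached": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"].upper() != "UDP":
            continue  # skip malformed lines and non-UDP traffic
        dport = int(m["dport"])
        if dport not in MESSENGER_UDP_PORTS:
            continue
        rec = seen[m["src"]]
        rec["ports"].add(dport)
        rec["targets"].add(m["dst"])
        if m["action"].upper() == "ALLOW":
            rec["reached"].add(m["dst"])
    return {src: {k: sorted(v) for k, v in rec.items()}
            for src, rec in seen.items() if len(rec["targets"]) >= min_targets}

if __name__ == "__main__":
    for src, rec in find_sweeps(SAMPLE_LOG).items():
        print(src, rec)
```

Destinations listed under `reached` are the ones where the traffic was not blocked, so those are the hosts to firewall or to check for a running Messenger service.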



