[Dshield] Re: Windows Messenger Popup Spam - advisory amended
jh at dok.org
Mon Jun 23 21:19:59 GMT 2003
On Mon, Jun 23, Joe Stewart wrote:
> This doesn't seem to be the case. The messenger spam on port 135 is a
> single packet. The same packet payload sent to port 1026 has the same
> result. It doesn't appear to be RPC, but instead a case of the same process
> listening to both ports, and deciding what to do with any packet received
> on either port based on content. If it is supposed to be RPC, it seems broken.
> If anyone can demonstrate the spam being able to utilize any other ports,
> please let me know.
1026 is ephemeral, it may not always be this port. When the messenger
service starts, it will register with the MS RPC mapper. Much like
UNIX RPC, each service has a specific identifier. When a request comes
in for this identifier, it will be handled by the Mapper and passed to
the appropriate service (ie Messenger). This is done over port 135.
Subsequent requests will use the same session ID (yet another ID), and
thus the client will remember what port the Messenger service is bound
and skip port 135 entirely (going directly to port 1026). This is why
one can send this spam by either 1026 or 135, it all goes to the same
Duno if that all makes sense, readers may find the following paper
helpful (it is more indepth than the brief, condensed version above):
It's long, you may want to skip the first 1/3 (it's primer).
More information about the list