[Dshield] Re: Windows Messenger Popup Spam - advisory amended

Joe Stewart jstewart at lurhq.com
Wed Jun 25 17:39:46 GMT 2003

On Monday 23 June 2003 05:19 pm, jh wrote:
> 1026 is ephemeral, it may not always be this port. 

I'd say it's dependent on the the startup order of other listeners. Ephemeral
implies it is short-lived. If you don't install other services that use port
1026 it will probably continue to be bound to port 1026 indefinately. I've
been told that some Windows 2000 server platforms may have messenger
listening on port 1027 due to other services starting first, but popup
spammers are typically targeting the home user running WinXP.

> Duno if that all makes sense, readers may find the following paper
> helpful (it is more indepth than the brief, condensed version above):
> http://www.giac.org/practical/GCIH/Jeremy_Hewlett_GCIH.pdf

This is an excellent paper; is it yours? Well researched and written. 
I have found however, a few points of difference between what the paper
describes of the protocol and what I've observed in practice. The paper
describes a much more elaborate exchange of packets than the spammers 
are actually using. The paper says that the conv_who_are_you packet
must be answered by the client before the popup will occur. This doesn't
seem to be necessary, as I have been able to merely replay the same
UDP packet payload again and again, on either port. The paper says that
these packets should be dropped as duplicates, but I have observed that
you only need to wait for a given timeout to occur before you can send the
packet  and get a popup again;  somewhere on the order of 10 minutes or 
so. This is ok with the spammers, since they seem to cycle through the same
netblock only every hour or so.

So, the higher port is usually, but not guaranteed to be, port 1026. So 
far, the spammers have only been observed sending packets to port 135
and 1026, suggesting they have observed the same behavior. And only
one packet is necessary, no matter which port you send it to. I've been
successful at spoofing a bogus source IP address in the packets generating 
the popups as well.


Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation

More information about the list mailing list