[unisog] windows networking and udp 1026

Gary Flynn flynngn at jmu.edu
Wed Dec 3 21:58:00 GMT 2003


Peter Moody wrote:

>>The traffic seems to have been related to a malware species that sends 
>>pop-up spam inviting folks to download a free pop-up spam blocker. The 
>>blocker is likely a Trojan horse that causes the victim's computer to begin 
>>sending pop-up spam.
>>    
>>
>
>I'm aware of what *this* popup scam did, but what I'm wondering about is
>future attacks.  Is udp/1026 another vector for Blaster-like viruses? 
>Is this another proto/port pair that needs to be blocked like tcp/135 or
>tcp/445?
>
I'd hazard a guess it would be more similar to Slammer than Blaster. And
blocking won't be fun without a stateful firewall. Consider if the source
port is 53. An inline IDP would be nice to have right now...or a population
of completely patched Windows machines. As I understand it, Messenger may be
listening on any of a number of high ports. Statistically, 1026 may be the
most common but I don't think it's universal. ISS has a tool on their web
site that checks for the patch (MS03-043) and pops up a configurable message
to the user on vulnerable machines.
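
The stateless-versus-stateful filtering problem raised in the reply above, as an added illustration that is not part of the original message. It reads the source-port-53 remark as referring to DNS replies arriving at a client's ephemeral port 1026 (an assumption); all packets, addresses and rule functions are constructed.

```python
# Added illustration; packets, addresses and rule sets are constructed.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")  # UDP datagrams only
INSIDE = "10.0.0.5"                             # constructed internal host

def stateless_block_1026(pkt):
    """Stateless inbound rule: drop everything addressed to udp/1026."""
    return pkt.dport != 1026

def stateless_dns_exception(pkt):
    """Same rule with an exception for 'DNS replies' (source port 53)."""
    return pkt.sport == 53 or pkt.dport != 1026

class StatefulFilter:
    """Admit inbound UDP only when it reverses a flow opened from inside."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def evaluate():
    """Return (dns_reply_passes, unsolicited_passes) for each filter."""
    query = Pkt(INSIDE, 1026, "192.0.2.53", 53)        # client used port 1026
    reply = Pkt("192.0.2.53", 53, INSIDE, 1026)        # legitimate DNS answer
    unsolicited = Pkt("198.51.100.9", 53, INSIDE, 1026)  # never requested
    fw = StatefulFilter()
    fw.outbound(query)
    return {
        "stateless_block": (stateless_block_1026(reply),
                            stateless_block_1026(unsolicited)),
        "stateless_dns_exception": (stateless_dns_exception(reply),
                                    stateless_dns_exception(unsolicited)),
        "stateful": (fw.inbound(reply), fw.inbound(unsolicited)),
    }

if __name__ == "__main__":
    for name, (r, u) in evaluate().items():
        print(f"{name:24} dns_reply_passes={r} unsolicited_passes={u}")
```

Only the stateful filter both delivers the DNS reply and drops the unsolicited datagram; each stateless rule gets one of the two wrong.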
