[unisog] windows networking and udp 1026

Brian Eckman eckman at umn.edu
Wed Dec 3 22:06:56 GMT 2003

Peter Moody wrote:
>>The traffic seems to have been related to a malware species that sends 
>>pop-up spam inviting folks to download a free pop-up spam blocker. The 
>>blocker is likely a Trojan horse that causes the victim's computer to begin 
>>sending pop-up spam.
> I'm aware of what *this* popup scam did, but what I'm wondering about is
> future attacks.  Is udp/1026 another vector for blaster like viruses? 
> Is this another proto/port pair that needs to be blocked like tcp/135 or
> tcp/445?
> -Peter

 From what I understand, yes, it is. I *think* that it is possible for a 
worm to be crafted that sends itself over UDP like SQL Slammer. If not, 
it certainly is possible for something to spread itself via this 
vulnerability in a fashion similar to Blaster, where other components 
such as tftp are used to help spread it.

If you don't want to take my word for it, Microsoft themselves have 
called it "wormable" (Google: microsoft wormable messenger). If such a 
worm made it in to the wild and were to try a range of UDP ports such as 
1026-1050, we will probably all notice, even if none of our hosts are 
vulnerable or if all UDP Ports selected are firewalled.

Even if a worm is never made, we still have to worry about the kiddies 
using already publicly accessible exploit code, or even more advanced 
attacks from those who have (possibly created their own) exploit code.


Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."

More information about the unisog mailing list