myNetWatchman Alert - Windows PopUP SPAM
Release Date: 2002-10-13
Updated: 2003-09-11
What is it?
Windows PopUP Spam (aka Messenger Spam or Broadcast Spam) is a spamming technique that delivers
simple text messages via the Windows Messenger service. It is unrelated to the MSN
Instant Messenger application.
Windows Messenger is meant to provide a mechanism for system administrators to broadcast
simple messages to one or more users on a local area network (LAN). For example, "main server is being
shut down in 10 minutes, please save your files and logout ASAP.". Unfortunately (like many other
Microsoft services), although the Messenger service is intended to be used only on the local LAN,
if you connect a system to the Internet without any firewall protection, anyone on the Internet
can transmit a Messenger popup to your system.
2003-09-11: Instantly test if your PC is vulnerable using our WinPopUP Tester *NEW* Now tests udp/135 AND udp/1026-1029
2003-01-01(?): - Spammers discover technique to send WinPopUPs using forged addresses
The initial products which deliver Messenger Spam weren't very smart. Some used the equivalent of
'net send', which utilized a TCP connection. Others were RPC based, but their RPC calls, although
transported over connectionless UDP, still required an RPC-level acknowledgement
before the message was actually displayed to the user.
In either case, two-way communication was required, making address spoofing nearly impossible.
Sometime in Q1 of 2003, Messenger Spam products began enabling the 'broadcast' and 'Idempotent' flags
in their RPC calls (the myNetWatchman PopUP tester utilized this approach from day one). Setting
these flags enables delivery of Messenger Spam with a single, uni-directional packet.
This is significant because this enables the spammer to send a message without needing to receive
any communication from the target making for much faster delivery, and more importantly, enabling
message delivery using a forged source address!
I often leave my network analyzer running so that I can capture the source address of the Messenger
spam that is sent to my test systems. I have seen several cases where the source IP address is my own
IP address...an obvious case of spoofing.
In September 2003, I captured a source IP that was apparently sending over 1500 messages/second
(over 4.5Mbps of traffic) from what appeared to be a dialup IP of a major US provider. After speaking
with a security contact at the ISP, he confirmed that he was receiving about 400 complaints a month
regarding that IP, but had verified that the IP definitely was not actually sending such traffic...yet another
case of spoofed SPAM.
So what we have here is spammers' nirvana: a spam technique which requires almost no startup costs and
no mailing lists, reaches millions of eyeballs, and (if sent correctly) is virtually untraceable.
I used to receive 3-4 Messenger Spams per week; now I get 10-12 per day. I'm sorry to say I only see
it getting worse as more and more people learn about this approach.
2003-09-11: WinPopup Spammers employ new strategies to defeat MSBlaster/Nachi worm filters
With last month's release of the MSBlast worm which propagates via Microsoft's Remote Procedure
Call (RPC) service using port tcp/135, many ISP's have added network filters to block all port 135
traffic. At least temporarily, this has also helped block the increasingly annoying Messenger
spam which is usually delivered via RPC on udp/135.
WinPopUP spammers apparently noticed this, so in the last few weeks they have begun sending
PopUPs directly to the Messenger service rather than indirectly through the standard RPC
port (135). The problem is that the direct port the Messenger service uses can vary: it binds
to the first available ephemeral port (i.e. a port above 1025), so it is usually assigned
port 1026, 1027, 1028, or 1029. For example, here's a case where it's running on udp/1026:
D:\Research>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
400 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
8 System -> 445 TCP
572 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe
8 System -> 1027 TCP
1100 FTP -> 4488 TCP C:\WINNT\system32\FTP.EXE
400 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 137 UDP
8 System -> 138 UDP
8 System -> 445 UDP
236 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
224 services -> 1026 UDP C:\WINNT\system32\services.exe <---***Messenger Service***
496 spoolsv -> 1028 UDP C:\WINNT\system32\spoolsv.exe
224 services -> 4402 UDP C:\WINNT\system32\services.exe
456 IEXPLORE -> 4425 UDP C:\Program Files\Internet Explorer\IEXPLORE.EXE
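Added example (not part of the original alert): a small parser for fport listings like the one above that picks out the UDP ports a firewall must block to stop PopUP delivery, i.e. udp/135 plus whichever ephemeral UDP port the Messenger host process holds. It assumes, as in the capture above, that services.exe hosts Messenger; the sample is an excerpt of that capture.

```python
import re

# Excerpt of the fport output shown above (Windows 2000 host).
FPORT_OUTPUT = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
400   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
8     System         ->  1027  TCP
400   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  137   UDP
224   services       ->  1026  UDP   C:\WINNT\system32\services.exe
496   spoolsv        ->  1028  UDP   C:\WINNT\system32\spoolsv.exe
224   services       ->  4402  UDP   C:\WINNT\system32\services.exe
456   IEXPLORE       ->  4425  UDP   C:\Program Files\Internet Explorer\IEXPLORE.EXE
"""

# One fport listing line: pid, process, "->", port, proto, optional path.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text):
    """Return a list of (pid, process, port, proto, path) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append((int(pid), proc, int(port), proto, path.strip()))
    return rows


def messenger_ports(rows, host_process="services", ephemeral=range(1026, 1030)):
    """UDP ports on which Messenger PopUPs can arrive: the RPC endpoint on
    udp/135 plus any ephemeral port (1026-1029) bound by the process that
    hosts the Messenger service (assumed: services.exe, as in the capture)."""
    ports = set()
    for _pid, proc, port, proto, _path in rows:
        if proto != "UDP":
            continue
        if port == 135 or (proc.lower() == host_process and port in ephemeral):
            ports.add(port)
    return sorted(ports)
```

The ephemeral port found this way is only valid until the next reboot, so a firewall rule should cover the whole 1026-1029 range rather than the single port reported.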
2002-09-15
On or about September 15, 2002, Windows users around the world began reporting Windows
popup messages appearing on their computers, for example:

See Also:
Wired: Spam Masquerades as Admin Alerts
CNN Article/Photo
Using data collected from myNetWatchman sensors, we were able to identify the hosts that appear to have sent this SPAM:
| Incident Id | Source IP | Resp. Party | Min EventDate | Max EventDate | Target Count | Total Event Count | Incident Score |
|---|---|---|---|---|---|---|---|
| 8360619 | 216.127.74.158 | ev1.net | 16-Sep-02 18:17:15 | 11-Oct-02 0:38:30 | 67 | 3692 | 2557 |
| 9860599 | 207.44.137.241 | ev1.net | 09-Oct-02 21:25:32 | 12-Oct-02 7:30:33 | 53 | 3236 | 2234 |
| 9851091 | 207.44.130.229 | ev1.net | 09-Oct-02 19:25:34 | 12-Oct-02 14:54:05 | 39 | 2870 | 1117 |
| 9850604 | 207.44.136.243 | ev1.net | 09-Oct-02 21:11:26 | 11-Oct-02 18:46:04 | 28 | 2541 | 1055 |
| 9852230 | 207.44.137.8 | ev1.net | 09-Oct-02 21:34:08 | 11-Oct-02 7:16:05 | 28 | 2109 | 1022 |
By querying the above IP addresses with nbtstat, we can see that their NetBIOS machine names ('WEBPOPUPxx') match the machine name format on the popup messages:
D:\>nbtstat -A 216.127.74.158
Local Area Connection:
Node IpAddress: [172.16.1.169] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
WEBPOPUP <00> UNIQUE Registered
WEBPOPUP <20> UNIQUE Registered
WORKGROUP <00> GROUP Registered
WORKGROUP <1E> GROUP Registered
WEBPOPUP <03> UNIQUE Registered
MAC Address = 00-50-56-52-8E-2D
D:\>nbtstat -A 207.44.137.241
Local Area Connection:
Node IpAddress: [172.16.1.169] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
WEBPOPUP05 <00> UNIQUE Registered
WEBPOPUP05 <20> UNIQUE Registered
WORKGROUP <00> GROUP Registered
WORKGROUP <1E> GROUP Registered
WEBPOPUP05 <03> UNIQUE Registered
WEBPOPUP05 <01> UNIQUE Registered
MAC Address = 00-50-56-62-21-32
D:\>nbtstat -A 207.44.130.229
Local Area Connection:
Node IpAddress: [172.16.1.169] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
WEBPOPUP02 <00> UNIQUE Registered
WEBPOPUP02 <20> UNIQUE Registered
WORKGROUP <00> GROUP Registered
WORKGROUP <1E> GROUP Registered
WEBPOPUP02 <03> UNIQUE Registered
ADMINISTRATOR <03> UNIQUE Registered
WEBPOPUP02 <01> UNIQUE Registered
WORKGROUP <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
MAC Address = 00-50-56-60-9F-B2
D:\>nbtstat -A 207.44.136.243
Local Area Connection:
Node IpAddress: [172.16.1.169] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
WEBPOPUP04 <00> UNIQUE Registered
WEBPOPUP04 <20> UNIQUE Registered
WORKGROUP <00> GROUP Registered
WORKGROUP <1E> GROUP Registered
WEBPOPUP04 <03> UNIQUE Registered
MAC Address = 00-50-56-62-11-32
D:\>nbtstat -A 207.44.137.8
Local Area Connection:
Node IpAddress: [172.16.1.169] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
WEBPOPUP07 <00> UNIQUE Registered
WEBPOPUP07 <20> UNIQUE Registered
WORKGROUP <00> GROUP Registered
WORKGROUP <1E> GROUP Registered
WEBPOPUP07 <03> UNIQUE Registered
MAC Address = 00-50-56-62-21-72
Representatives from EV1.net indicate that the above hosts are Redhat Linux systems and
are operated by independent customers.
Update 2002-10-21:
We now believe these PopUp messages were generated using a new commercially available
product called DirectAdvertiser.
Update 2002-11-15:
Additional Messenger SPAM products released:
WonderPopUp
It's interesting that the developer provides instructions to prevent "NetBIOS" PopUP messages
(as would be delivered by the 'NET SEND' command). Our analysis shows that this product
doesn't even use NetBIOS, but rather uses Microsoft RPC (Remote Procedure Call). A detailed
comparison of these two techniques is available here.
I tracked down and contacted one user who admitted using the product. He indicated that
he had two PCs running the application on a T1 and was able to make about 100,000 message
send attempts/hour.
First let me say that there are several companies selling tools for up to $25 which claim to block
WinPopUP ads. Please don't waste your money on these tools...all they do is disable the Messenger service,
which is NOT the best way to address the issue...anyone can disable Messenger for free anyhow.
Step 1: Install a personal firewall
If you received one of these messages, that means your system is likely connected to the Internet with no
firewall protection. Many people use anti-virus products and believe that is all the protection they need...understand
that anti-virus tools primarily protect you against infection via email and provide little to no protection
against attacks launched through other services, e.g. Messenger, Microsoft Networking, etc.
There are several companies that offer FREE basic personal firewalls...the free versions are often more
than adequate for most users. One popular one is Zone Alarm.
If you have several computers that you want to share a single Internet connection (e.g. cable/DSL), then consider
purchasing a router that includes firewalling capabilities. Linksys is one
of the more popular ones, which are often available for less than $50 USD.
Step 2: Disable Microsoft Messenger Service
If you install a firewall, that will prevent remote users from sending you WinPopUPs.
However, the main rule of security is "if you don't need it, disable it", so you should still disable the service.
If you decide NOT to install a firewall, then you can prevent WinPopUPs by disabling the Messenger service; however,
this may leave you exposed to other security issues, so this approach by itself is not recommended.
Note: Some applications (anti-virus, SQL Job Scheduler, UPS systems, etc.) use Messenger alerts to
notify you of critical system events. If you use such products, then you should leave Messenger enabled and
use a firewall/router to block the PopUPs.
Here are the procedures for disabling the Messenger service on Windows 2000 and XP systems:
Windows 2000:
- Click: Start/Settings/Control Panel
- Open: Administrative Tools
- Open: Services
- Open: 'Messenger' Service
- Click: Stop button
- Change 'Startup Type' to DISABLE
- Click OK to close everything
Windows XP:
- Right-click: 'My Computer' icon and select 'Manage'
- Open: Services and Applications
- Open: Services
- Open: 'Messenger' Service
- Click: Stop button
- Change 'Startup Type' to DISABLE
- Click OK to close everything
Advanced Issues
Here is an excellent article which describes how to disable
many unneeded Microsoft services: Minimization
of network services on Windows systems. (See: 'RPC services'
section for a discussion of disabling Windows Messenger.)
Detecting and Reporting PopUP SPAMMERS
DirectAdvertiser makes the following claim on their website:
"These messages are completely anonymous and virtually untraceable.
Bulk email will cause you trouble with your ISP if you are
not using special software to hide your IP address. With this
program your IP address never shows up anywhere".
Their statement is partially true: unlike e-mail SPAM, PopUP
SPAM does not contain any information (e.g. mail headers)
that allows you to identify the source of the SPAM, thus making
it impossible to complain to the appropriate ISP.
However, as PopUP SPAMMERS attempt to deliver messages to
users who are running a firewall, the firewall logs the attempt
and captures the source IP address of the SPAMMER.
myNetWatchman is an Internet "Neighborhood Watch" system
which uses collaborative security (sharing of firewall logs
on a global basis) to detect systems on the Internet that
have been compromised or that are generating hostile activity,
and automatically notifies the responsible party (ISP abuse
department or system administrator).
Though myNetWatchman was not designed with PopUP SPAM detection
in mind, it already detects and reports this activity just
like any other hostile activity...something SPAMMERS should
think about before plunking down the $699.99 for DirectAdvertiser.
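Added example (not from the original alert or from myNetWatchman's own code): detection logic run over constructed firewall log lines that picks out inbound UDP datagrams aimed at the Messenger delivery ports (udp/135 and udp/1026-1029), groups them per claimed source IP with the same fields as the incident table earlier on this page, and flags a source that equals one of our own addresses, the spoofing tell described above. The log line format and the DNS-reply heuristic are assumptions.

```python
import re

# Constructed sample firewall log lines (not from the page); the line format
# "date time action proto src:port -> dst:port" is an assumption.
SAMPLE_LOG = """
2003-09-11 08:12:01 DROP UDP 198.51.100.23:1234 -> 203.0.113.10:135
2003-09-11 08:12:01 DROP UDP 198.51.100.23:1234 -> 203.0.113.11:135
2003-09-11 08:12:02 DROP UDP 198.51.100.23:1234 -> 203.0.113.10:1026
2003-09-11 08:12:02 DROP UDP 198.51.100.23:1234 -> 203.0.113.10:1027
2003-09-11 08:13:40 DROP UDP 203.0.113.10:2034 -> 203.0.113.10:1026
2003-09-11 08:14:05 DROP TCP 192.0.2.77:4001 -> 203.0.113.10:80
2003-09-11 08:15:09 DROP UDP 192.0.2.9:53 -> 203.0.113.10:1029
"""

LOG_RE = re.compile(
    r"^(\S+ \S+) (\w+) (TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# RPC endpoint on udp/135 plus the ephemeral ports Messenger usually binds.
MESSENGER_PORTS = {135, 1026, 1027, 1028, 1029}


def popup_incidents(log_text, my_ips):
    """Group inbound UDP datagrams aimed at Messenger delivery ports by source IP.
    Each entry mirrors the incident table's columns (distinct targets, total
    events, first/last seen) and adds a 'spoofed' flag when the claimed source
    is one of our own addresses, which can only be a forged packet."""
    incidents = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, _action, proto, src, sport, dst, dport = m.groups()
        if proto != "UDP" or int(dport) not in MESSENGER_PORTS:
            continue
        # Assumed heuristic: a datagram from udp/53 to an ephemeral port is a
        # DNS reply to our own query, not a PopUP delivery attempt.
        if int(sport) == 53 and int(dport) != 135:
            continue
        inc = incidents.setdefault(src, {"targets": set(), "events": 0, "first": ts,
                                         "last": ts, "spoofed": src in my_ips})
        inc["targets"].add(dst)
        inc["events"] += 1
        inc["last"] = ts
    return incidents
```

A source marked spoofed should not be reported to its ISP, since, as the September 2003 case above shows, the address owner is not the sender.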
So, if you want to protect against PopUP SPAM and to report
the SPAMMER to their ISP, install a firewall and set up your
system to relay your firewall logs to myNetWatchman. For more
information on this process see mNW Vision.
Larger Issues
Though PopUP SPAM is more of an annoyance than anything
else, if your machine receives and displays them, that is
a sign that your system is not secure and thus is likely vulnerable
to more serious attacks.
To test whether your system may be exposed to more serious
issues, run the Shields Up test at the popular GRC security web site.