Home page logo

basics logo Security Basics mailing list archives

Re: Windows Messenger Pop-up spam
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sat, 4 Dec 2004 05:08:21 +0100

On 2004-12-03 Kevin Davis wrote:
But let's assume we're talking not only about messenger spam but
malware in general. Why would I rather block specific ports instead
of disabling unneeded services? In the latter case I won't *have*
anything that needs to be protected at allĀ¹. Plus Personal Firewalls
proved theirselves to be much less reliable than one would like to
think. Do I have to remind you of the Witty worm?

Disabling unneeded services is not an adequate protection from

It is an adequate protection from malware that tries to attack services.

There are tons of malware - in fact probably the majority that set up
their own "server" once it infects the target system.

If malware is already running on the system, the box is 0wned and
schould be rebuilt.

That's where personal firewalls help.


A new, unknown process is trying to get out to the net - the firewall
will catch this and alert the user.

The firewall may possibly catch this and alert the user. Or the malware
may simply sneak around the firewall. Or disable it. You can't rely on
PFWs to control outbound traffic.

I would agree that one should not put 100% confidence in personal
firewalls.  All software has bugs and many will have vulnerabilities
from time to time.

Bugs are an issue with inbound traffic, but not with outbound traffic.

This fact in itself does not justify permanently discounting it.  The
first time you find out that your router has a bug in it's firmware do
you throw it in the trash?

Of course not. However, if its firmware continues being buggy, I would
reconsider that decision.

The best solution is a multi layered approach (defense in depth).

Defense in depth is a good thing. *If* it gains you security.

1. Patch your systems,

Of course.

2. Get your systems behind a firewall (a personal firewall if a home

Firewall on a router: very well. Personal Firewall: most likely not.
Yes, there are some exceptions, but their number is few.

3.  Get your system behind a router.

Local networks of any kind: of course. A single home computer: maybe,
but not a must.

4.  Harden system by turning off uneeded services.

That would be my second step. No services -> nothing to exploit. I would
consider using a Personal Firewall *only* if for some reason a service
can't be disabled or bound to a specific interface.

5.  Employ the use of virus and spyware scanners\blockers

Virus scanners may be useful. However, one should be aware of their
limitations, since each virus scanner is just as good or bad as its
virus definitions. As for spyware scanners/blockers: I usually prefer to
not install spyware in the first place. Avoiding IE/OE helps. Much.

Sure, you can argue that maybe the host acts as a router for some
local network (ICS or something). However, I would still have to ask:
why does he need to provide any services at all? A router is not
supposed to provide services. Period. If one needs Internet
connectivity for a local network and needs all computers as
workstations, then bite the damn bullet and buy a router. They're not
*that* expensive. And of course one would block *everything* except
for the desired traffic on the network *perimeter*, not only deny the
undesired traffic on the host itself.

The small, inexpensive SOHO routers only block inbound traffic. If a
user gets some malware on their system, this helps them not.

Neither does a PFW. Once malware is running on your system, you're
toast. Period. Even Microsoft finally did understand that [1].

If there's no LAN but just a single host with Internet connection,
then why does the box need to provide any services at all? IMnsHO.

You can't make a blanket statement like this for all cases.  In some
cases this would be true, in others not.

Lets take the Messenger service, for instance.  Some people should
*not* turn off the Messenger service.  Why?  Maybe they are running
one of the several virus scanning products that use the Messenger
service to alert the user of a virus problem.

Any AV software that uses the messenger service for notifying the
(local) user should be trashed *immediately*, because of major
incompetence of the vendor.

Turn that service off and it is degrading the ability of the virus
scanner to do it's job properly.  I'm sure that there are other
examples.  In this particular case, I think that the virus scanners
that depend on this service are poorly designed.  One could argue that
this dependency is from one respect is weakening the security of the

I still fail to see *any* good reason why a single computer (no LAN)
should *not* have all services disabled.

[1] http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Ansgar Wiechers
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]