Home page logo

basics logo Security Basics mailing list archives

RE: Windows Messenger Pop-up spam
From: Steven Trewick <STrewick () joplings co uk>
Date: Mon, 6 Dec 2004 11:50:11 -0000

-----Original Message-----
From: H Carvey [mailto:keydet89 () yahoo com]
Sent: 03 December 2004 12:10
To: security-basics () securityfocus com
Subject: Re: Windows Messenger Pop-up spam

In-Reply-To: <20041202173019.B10318 () planetcobalt net>

Which will merely have lulled them into a false sense of security,
since the traffic is still making it to their IP stack. For windows
boxen, this is almost as good as "game over"

You may want to give at least one reason for this opinion.

I, too, would like to see something to support this statement.  

"Game over", how?  Sure, the traffic still makes it to the IP 
stack, I agree...but how does this result in "game over" with 
respect to Messenger spam?  Turn the Messenger service off 
and there's nothing there to handle the input...end of story. 
 *That's* "game over".  

Harlan, as you well know, there are *many* other things listening
to/on the subset of ports used by messenger spam, turning
off the messenger service in no way blinds/deafens the *rest* of 
the RPC subsystem, where $DEITY knows how many vulns have been
(and remain to be) discovered.

Simply turning off the service in no way increases the security 
of the machine, because those ports and the multiplicity of 
services that use them will still be exposed, quite obviously.

Anyone sufficently addled as to run a machine exposed in this 
way is also extremely unlikely to be patched up the eyeballs, 
thus we have exposed *and* vulnerable services.  Thus it will 
be game over when the first worm reaches the machine.

As a rough guide, the last time I saw someone connect a box so 
configured to the internet, it took less than five minutes
to succumb to some variety of lsass exploit, which will
have arrived via those exact same ports (135/9, 445, et al)

The information contained in this e-mail is confidential and may be privileged, it is intended for the addressee only. 
If you have received this e-mail in error please delete it from your system. The statements and opinions expressed in 
this message are those of the author and do not necessarily reflect those of the company. Whilst Joplings Group 
operates an e-mail anti-virus program it does not accept responsibility for any damage whatsoever that is caused by 
viruses being passed.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]