Home page logo

basics logo Security Basics mailing list archives

Re: Windows Messenger Pop-up spam
From: "'Ansgar -59cobalt- Wiechers'" <bugtraq () planetcobalt net>
Date: Fri, 3 Dec 2004 18:41:00 +0100

On 2004-12-03 David Gillett wrote:
On 2004-12-02 Ansgar -59cobalt- Wiechers wrote:
But let's assume we're talking not only about messenger spam but
malware in general. Why would I rather block specific ports instead
of disabling unneeded services? In the latter case I won't *have*
anything that needs to be protected at allĀ¹. Plus Personal Firewalls
proved theirselves to be much less reliable than one would like to
think. Do I have to remind you of the Witty worm?

Sure, you can argue that maybe the host acts as a router for some
local network (ICS or something). However, I would still have to ask:
why does he need to provide any services at all? A router is not
supposed to provide services. Period. If one needs Internet
connectivity for a local network and needs all computers as
workstations, then bite the damn bullet and buy a router. They're not
*that* expensive. And of course one would block *everything* except
for the desired traffic on the network *perimeter*, not only deny the
undesired traffic on the host itself. If there's no LAN but just a
single host with Internet connection, then why does the box need to
provide any services at all? IMnsHO.

  Messenger is a tiny tiny TINY component of Windows File Sharing /
NetBIOS.  IF an attacker can get a Messenger window to pop up on your
screen, then you have a HUGE area of vulnerable services exposed to
the internet.  Services which you may very often REQUIRE to use LAN
resources, but never need to use either TO or FROM the Internet.

  Turning off those services entirely is rarely an option.  Turning
off only the Messenger component still leaves you exposed.

Turning off the services entirely is very well an option if you have
just one host with a dialup connection, cable modem or whatever. Why
must that host provide any services - especially NetBIOS - at all? In
any case where there are more than one box you are better off using a
packet filtering router anyway. But of course in that case you would not
only block specific ports (i.e. NetBIOS), but *allow* only specific
ports and block everything else.

  Blocking those ports at the perimeter allows you to still use the
services you need to connect to local resources -- that might include
local use of the Messenger service, by the way! -- but protects you
from Internet abusers of that whole family of services. Including, but
not just limited to, the Messenger service.

I may be wrong, but isn't that *exactly* what I wrote in the mail you
just replied to?

  I agree that most home users don't need the Messenger service, and
can free up some resources by turning it off.  But anyone who is
adequately protected from the much larger range of threats won't see
it abused, and anyone who sees it abused needs to understand that that
means they're vulnerable to that much larger range, most of which they
will STILL be vulnerable to if they turn off the Messenger service.

True. That's why I suggested to disable *all* services they don't need.
Joe Average's computer usually does not need to provide any services to
the outside world, therefore he should disable them (a script to do that
for him can be found under the URL I posted in my last mail).

  "Turn off services you don't need" is usually a good rule.  But in
this particular case, the REAL "service" is the whole NetBIOS/CIFS
family, not just the Messenger component, and turning it off at that
level tends to break all sorts of things.  So you have to fall back on
the alternative: "Harden/protect the services you DO need".

I have to disagree here. It *can* be done for single computers (the
description and a script can be found under the URL contained in my last
mail). It cannot be done for computers on a LAN, which need file and
printer sharing or something. However, in the latter case one would of
course use a packet filtering router to block everything except for the
desired traffic on the network perimeter, not host-based packet filters
to block only undesired traffic.

Ansgar Wiechers
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]