RE: Source of Windows PopUp SPAM

[H C <keydet89 () yahoo com>]

Of the articles to be published so far, this one is
perhaps the most misleading one I've read so far.  

It would seem Mr. Rose didn't even bother to read some
of the messages that were posted w/ regards to this
messenger spam...or he's simply focusing on a single
aspect of it.

Many of the posts to this list have clearly shown that
this "messenger spam" is not, in fact, coming in over
TCP port 139 (as works w/ 'net send' and the use of
the NetMessageBufferSend() API)...rather, it's coming
in over DCOM/RPC, and is initiated w/ a UDP query to
port 135, the portmapper.

By focusing on TCP port 139 in this instance, Mr.
Rose's readers will certainly prevent the traditional,
'net send' methods of spamming from working...however,
blocking that port will do nothing to protect the
readers from tools such as is available from
DirectAdvertiser.com.

Carv

--- Rob Keown <Keown () MACDIRECT COM> wrote:
> Here is another article:
http://www.techtv.com/screensavers/answerstips/story/0,24330,3374542,00.html
> -----Original Message-----
> From: Ron Trenka [mailto:ron () zowiedigital com]
> Sent: Wednesday, October 16, 2002 10:40 AM
> To: incidents () securityfocus com
> Subject: Re: Source of Windows PopUp SPAM
>
>
> on 10/15/02 12:29 PM, Lawrence Baldwin at
> baldwinL () mynetwatchman com wrote:
>
> > We've identified a commercial, Windows-based SPAM
> package which sends SPAM
> > via popups (all for $699).
> > I've confirmed that this particular package (which
> I can't name, yet..)
> > sends popups via MS RPC.
> > I suspect this package is running on these Linux
> systems under VMWARE
> > emulated Windows sessions.
> >
> > What is also interesting is that some users,
> despite running personal
> > firewalls, are still reporting getting these
> popups.  This probably
> explains
> > the developers choice to use MS RPC (udp/135) for
> delivery instead of a
> > straight Netbios SMB call (tcp/139).  MS RPC would
> be less overhead, but
> > also has the potential to reach more people as
> even those with firewalls
> are
> > often giving 'svchost.exe' server priviledges
> because they assume it's
> > necessary:
http://www.dslreports.com/forum/remark,4718327~root=security,1~mode=flat
> Anyone have a way to disable this on W2K and NT 4.0
> servers?
***********************************************************
> * Ron Trenka              | "You do not need a
> parachute  *
> * Zowie Digital Media     | to skydive.  You only
> need a  *
> * www.zowiedigital.com    | parachute to skydive
> twice."  *
> * ron () zowiedigital com    |         
> www.DarwinAwards.com *
> * (212) 627-4991 x22      |                         
>      *
***********************************************************
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management 
> and tracking system please see:
> http://aris.securityfocus.com


__________________________________________________
Do you Yahoo!?
Faith Hill - Exclusive Performances, Videos & More
http://faith.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com