Slashdot Mirror


Windows/NetBIOS pop-up Spam:

bofus writes "This article from Wired News presents a new way to deliver unsolicited advertising content - the MS Windows Messenger service. It appears that the client software hasn't been widely distributed yet, but it's probably only a matter of time before a free clone is circulating. This method could become the delivery method of choice for all kinds of unsolicited junk, given the number of unsecured PCs out there. On the flip side, if you run a relatively secured machine and have some sort of firewall, this probably shouldn't concern you."


  1. is there an echo in the room by jon787 · · Score: 4, Informative
    --
    X(7): A program for managing terminal windows. See also screen(1).
  2. what client ?!?1 by Archfeld · · Score: 5, Informative

    try "net send IPADDR"

    It is a CLI and batchable. This can be supremely irritating, as the only info given with the popup is the WINS name, which is useless unless you are in the same domain/OU.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:what client ?!?1 by erpbridge · · Score: 3, Informative

      yes. Make a recursive batch file called a.bat:

      -----------------------
      net send 127.0.0.1 ILoveYou! Kindly read the attached popup from me to you.

      a.bat
      ----------------------

      It'll just run itself over and over again. Doing it from home (384k DSL) to here (typical college maxed out T1) got about 3 per second... your results may vary.

    2. Re:what client ?!?1 by zdzichu · · Score: 4, Informative

      I'd prefer "nmblookup -A ip.of.vic.tim" and "smbclient -M" in some short shell script looping over some big DSL subnets :)

      --
      :wq
    3. Re:what client ?!?1 by Edgewize · · Score: 2, Informative

      They don't do tail recursion - they do replacement. Running a second batch file will never return control to the first, even if there are more commands left. You have to explicitly say "call xyz.bat" if you want it to return, in which case it uses a stack which runs out *very* quickly.

  3. It's called a firewall... by Anonymous Coward · · Score: 2, Informative

    Everyone should be running one. A good software one for Windows is Kerio Personal Firewall (formerly Tiny).

    It'll block everything you don't want if you set it up correctly.

  4. The Solution by KingAdrock · · Score: 3, Informative

    Is to go into the services panel, and turn off the Windows Messenger service.

    Or we could just bitch about it on /.

    1. Re:The Solution by spongman · · Score: 4, Informative
      Alternatively, just unbind 'File and Printer sharing' and 'Client for Microsoft Networks' on the dial-up networking item that connects you to the internet. There are still a few legitimate uses of the messenger service that you might still want enabled across your internal network.

      Of course, if you're one of those poor souls running some bastard custom dialer (eg, SBC/EnterNet) then you're SOL.

  5. The Register... by sczimme · · Score: 2, Informative

    ran a story on this yesterday morning:

    El Reg

    --
    I want to drag this out as long as possible. Bring me my protractor.
  6. How to do it by cr@ckwhore · · Score: 3, Informative

    Real easy to do this stuff... find a win2k or XP box connected directly to the 'net with port 139 open ...

    c:\> net send \\ip_address "message"

    --
    Skiers and Riders -- http://www.snowjournal.com
  7. Do yourself a favor - kill this service anyways. by Ian+Wolf · · Score: 5, Informative

    While you're at it disable Remote Registry while you are at it. It truly amazes what services Microsoft deems the average user needs running. I find the whole concept of Remote Registry particularly disturbing.

    "Cool this service allows people to modify my registry remotely, sweet!"

    While I know there are some legitimate and possibly useful reasons to have these services enabled, why on earth are they enabled by default?

    --
    "The words of the prophets are written on the Slashdot walls."
  8. It's already happening... by mrhandstand · · Score: 2, Informative

    I'm an admin for one of the larger universities in the south, XXXXXXXXXX.edu (name changed to protect the clueless) that doesn't have a firewall. This is due to the fact it's part of a teaching hospital, and has a historical policy of openness. Last week we received a windows popup message across most of the campus containing preformatted SPAM text. I don't know how the formatting was done...but someone else has already started this crap.

    --
    Always value the individual over the system. --Bruce Lee "I don't need a Sig - I have a custom 191" - me
  9. its almost as if... by diesel_jackass · · Score: 5, Informative

    ...we just talked about this :-)

    There were many helpful suggestions in those posts.

  10. Simple fix... by _bug_ · · Score: 4, Informative

    C:\> net stop messenger
    The Messenger service is stopping.
    The Messenger service was stopped successfully.


    Then when you're up for it, just disable the service entirely from the services administration tool. It won't break any workstation functionality.

    So what's next? Spam on my HP Printer?

    1. Re:Simple fix... by Nintendork · · Score: 3, Informative

      If it's not set to manual or disabled, it'll start on the next reboot. On my workstations, I just set it to manual in case I decide to start it momentarily for the purpose of spamming...err, sending cute messages to co-workers.

  11. Re:MSN Messanger Alternative by Dr+Caleb · · Score: 5, Informative
    It has nothing to do with MSN Messenger, but the "Messenger" service in Win2k and XP. As in from a cli "Net send..."

    Much worse in my opinion. MSN Messenger could be uninstalled.

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
  12. Least of your problems. by XorNand · · Score: 4, Informative


    If your NETBIOS ports are open, getting spam should be the least of your worries. You'll be too busy dodging winnuke attacks and fileshare scans/cracking. Close off ports 137 and 138 on any WAN connections. Of course, any competent windows network admin already knows this.

    --
    Entrepreneur : (noun), French for "unemployed"
    1. Re:Least of your problems. by nuxx · · Score: 5, Informative

      Actually, if you really want to keep people out of your file & printer sharing stuff on a home network, using NetBEUI is a good idea. It's lightweight, fast, and it works just fine. Use IP for your internet stuff, NetBEUI for file & printer sharing.

      Works like a charm and doesn't require any extra software. Hell, you could have the cable modem company's favorite version of multiple machines on a cable modem (modem with multiple IP service plus the client machines all plugged into one hub) using this and you'll still be safe.

  13. *NOT* MSN Messenger by Anonymous Coward · · Score: 3, Informative

    This is talking about Windows Messaging Service, which is part of Win NT/2K/XP, not the MSN Messenger program.

    Honest mistake though. Oh yeah, and if you're in windows trillian does seem better overall.

  14. Re:MSN Messanger Alternative by Anonymous Coward · · Score: 2, Informative

    MSN Messenger and Windows Messaging are two separate things.

  15. How to disable it in windows 2000 by Jucius+Maximus · · Score: 5, Informative
    Here are my homebrew instructions on how to turn off the Messaging service that's used to receive the spam on Windows 2000. (Of course you will miss legit messages from your admin if your corporate IT people use that feature.)

    1. Log on as administrator or at least with an account that has admin access.

    2. Enter control panel

    3. Enter "Administrative Tools"

    4. Enter "Services"

    5. Scroll down and find "Messenger"

    6. Right click > properties > startup type > Disabled.

    Scroll through the list and see if there's anything else you might want to disable. (You know, like remote registry editing and all that stuff that Microsoft enabled so you wouldn't have to be troubled to do it yourself :-)

    1. Re:How to disable it in windows 2000 by NexusTw1n · · Score: 5, Informative

      Go here for a full list of what is good and bad to disable in the windows services screen.

      --
      It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
    2. Re:How to disable it in windows 2000 by murat · · Score: 5, Informative

      You can start and stop services from the command line fast.

      open a cmd window [ Win+R, type cmd, press Enter ]

      Type "net stop messenger" without the quotes.

      You can start it back by typing "net start messenger".

      Say, you need to send a message to someone in your LAN, you open it, then close it back.

  16. Re:MSN Messanger Alternative by Anonymous Coward · · Score: 1, Informative

    Disable the Messenger service in services.msc, or just "net stop Messenger".

  17. If you READ the article by brunes69 · · Score: 4, Informative

    ... you'll see that the messenger service uses port 135, not 137 or 139.

  18. To stop this on WindowsXP: by M-2 · · Score: 4, Informative

    Start -> Administrative Tools -> Computer Management

    When that comes up, expand 'Services and Applications', and click on Services.

    Scroll down to find "Messenger". Right-click and go to Properties. Set 'Startup Type' to 'Disabled'. Hit 'Stop' to stop the service. Click OK. Close Computer Management.

    Done. You're now clear.

    (Many people won't need this. But I'm sure at least one person will.)

    1. Re:To stop this on WindowsXP: by Dwedit · · Score: 4, Informative

      you can also set it to Manual, you don't have to disable it completely.

  19. Even if you have a firewall... by jeffasselin · · Score: 2, Informative
    It doesn't solve the problem for large organisations, or for a university campus, where various people may have access to different computers with little logging done, and anyone from the inside could do the job.

    A local university here is having some serious issues with that. Of course, people using Macs or Linux are once again quite exuberant about the fact that they aren't affected.

    And closing the port or disabling the service on individual systems may not be possible, because different applications need to use the service for other uses. Printer servers for example use it for notification of print job status.

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
  20. TechTv Article: Spam Takes New Form by ProtoStar · · Score: 1, Informative
    Spam Takes New Form

    This new form of spam is called messenger spam. Messenger (not to be confused with MSN messenger) is a service that is loaded by default upon the startup of Windows XP/2000/NT. Microsoft has used the messenger service for a number of years to send messages between its servers and clients. Here is Microsoft's official description of the messenger service....

    The article was posted in March.

  21. Re:How not to be bothered by this problem by lamp77 · · Score: 2, Informative

    Gong!

    read the post big guy.
    'the messenger service, not to be confused with microsofts instant messaging product'

  22. Re:Do yourself a favor - kill this service anyways by afidel · · Score: 5, Informative

    Sorry but I use remote registry service daily. If you want to do performance monitoring on a remote pc you need remote registry right because the perfdata is a section of the registry. It's also nice when you have a busted uninstaller and need to cleanup the registry before a reboot for a remote client, it's saved me a couple days worth of travel time this year alone! Whether it should have the default permissions that MS sets is another matter, but that is true for just about any MS default.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  23. Nothing by exhilaration · · Score: 3, Informative
    It doesn't provide -any- service or do anything besides displaying a message on your screen that your network admin wanted to broadcast.

    Frankly, the only time I've seen it used is when I annoy the hell out of my co-workers by sending them anonymous popups using this lovely piece of Windows software.

  24. We've been getting a lot of these... by Jouster · · Score: 4, Informative

    I tried quite a few nbtstat tricks before I gave up reverse-mapping by NetBIOS name and determined they were external and not from a zombie host inside the firewall.

    The tricky part is that they use UDP, since many firewalls "forget" to filter it unless you remind them with a CLI, sledgehammer, and repeated threats to use an etherkiller.

    There's no reason to let UDP ports below 1024 in from outside your network, except for the specific services you're running, to the specific servers you're running them on.

    Jouster

  25. Not difficult to do... by larien · · Score: 4, Informative
    I was thinking about this earlier, and it's nothing I couldn't do with Samba (smbclient) and a short perl script (heck, even ksh could do it).

    As for people saying "turn off the messenger service", there are actually valid uses for winpopups. At my last work, I set up a few perl scripts that would use smbclient to warn Samba users when they were over quota. Before that, users would go over quota and wouldn't know about it until things broke after the grace period.

    Obviously, you should filter NetBIOS ports at the firewall unless you have a damn good reason to have internet access to them. If someone in your network is using this program to spam, then LART them appropriately.

  26. XWindows? by Vic · · Score: 5, Informative

    I am glad that I don't have to worry about it here, XWindows baby.

    If anything, a poorly configured X server would be even MORE annoying. If you let anyone attach to your X session remotely, they could display pretty much anything on your screen, not just annoying pop-up messages.

    I love X, but you have to be careful with it too.

    Cheers,
    Vic

  27. Here it is again... by Da+VinMan · · Score: 5, Informative

    This is from my previous post at http://slashdot.org/comments.pl?sid=42016&cid=4432394

    Note, I'm not karma whoring, I could care less.

    --

    (You will have to graduate from newbie status in order to take advantage of my advice. This means that you will have to climb the learning curve and actually go read some stuff. You can spend a chunk of cash on products to avoid doing just that, but that's much less fun.)

    If you're doing things like turning on file sharing or sharing printers, it's (supposedly) very easy to hack you. I say supposedly only because I haven't actually tried this. It's such an infamous hole though that I do believe it. To turn this off, unbind the NetBIOS protocol from the modem/network card that connects you to the Internet. In Windows 2000, that means you go to the Properties for your network connection (in the Control Panel) and uncheck the 'File and Printer Sharing for Microsoft Networks' option. (It's very easy to fix this in Win9x too using roughly the same technique.) You may have to reboot, I don't recall. That problem will then be solved.

    Now to protect yourself from other intrusions and threats.

    If you're just running a dial-up connection and don't leave your machine on the network for extended periods of time, then a product like ZoneAlarm (www.zonelabs.com - look for the free version) will serve you well. Actually, it serves you well in two ways: 1) it protects your machine from the outside world coming into your machine in an unauthorized fashion and 2) it protects adware on your machine from phoning home without your permission (actually it prevents everything from using the Internet until you grant permission, not just adware). This is sufficient for dialup.

    For broadband users and users who want to leave their machine on the Internet for extended periods of time (more than a couple hours at a time), I recommend using an honest to goodness separate firewall. There is a lot that can be said about this, far more than I know really, but I will give you a couple pointers.

    First of all, one of your options is to use a second PC as the firewall. It will need to have 2 network cards, you will need a router or hub for your home LAN, and you will have to get the cable modem (or DSL for that matter; with which I have no experience - shouldn't be too hard) working with that extra PC (via Windows would be easiest to start with). Once that's setup, go grab a Linux distribution like IPCop (or SmoothWall - they're very similar, in fact they were the same product at one time), and install it on that PC. It will require that you reformat the hard drive, so don't plan on storing any files on it. A small hard drive is sufficient. There are FAQs and forums on the IPCop and SmoothWall sites that will help get you setup.

    Your second option in the category of 'real protection' (for home users anyway) is to just go buy a hardware firewall. So instead of a second PC, you just go buy a device that does essentially the same thing. I won't go into detail on these as I have no experience with them. I just thought you should know about them.

    Two last points:
    -PLEASE keep a current anti-virus product actively running on your machine and keep it up to date. If you need a free one, go to http://www.grisoft.com to get the free personal version of the AVG anti-virus product. This one has saved my butt several times from several infections. It may or may not be the best product out there, but it works for me.

    -To protect yourself from browser window popups and other shenanigans, go grab WebWasher at http://www.webwasher.com/en/products/wwash/download_license.htm. You will occasionally find that it interferes with pages that make heavy use of Javascript, but you can turn it off when needed. The added protection from annoying web sites is worth the small inconvenience it may sometimes cause.

    As always, this advice is just a starting point. Today's perfect security solution may be an open door tomorrow. It's up to you to keep yourself informed and to take action when problems arise.

    Good luck and have fun!

    --
    Please mod this post only if you think others should/n't read this. I have enough ego^H^H^Hkarma. Thanks!
  28. Re:Do yourself a favor - kill this service anyways by spectecjr · · Score: 2, Informative

    While you're at it disable Remote Registry while you are at it. It truly amazes what services Microsoft deems the average user needs running. I find the whole concept of Remote Registry particularly disturbing.

    "Cool this service allows people to modify my registry remotely, sweet!"


    You do realize that you have to provide authentication (ie. username/pwd) for this to work, don't you? You can't just wander around networks checking out others' systems.

    Simon

    --
    Coming soon - pyrogyra
  29. Does anyone here actually understand TCP/IP? by Nintendork · · Score: 5, Informative
    You can't just close off a port. You have to close off the correct port number for the correct protocol.

    A lot of "Paper MCSEs" understand this because the networking exam covers the OSI model. The same thing goes for those "Paper CCNAs".

    Here's how it works. When I do a net send "Message", the following occurs. Once the data portion of the net send information is formatted by the appropriate layers, it's handed down to the protocol layer and wrapped in a UDP header with a port number. UDP is the protocol responsible for maintaining a communication session between hosts. The port number is like an apartment number in a street address. A lot of services have to talk using the UDP protocol, so it's divided into port numbers (As an FYI, the same is done for TCP). This in turn is handed down to the network layer where it will get a source and destination address stamp (The IP addresses). That in turn is handed down to the data link layer which stamps on the source and destination MAC addresses (Your computer and the default gateway). From there, it hits the physical layer and is on the wire. Along the way, the data link layer changes every hop that is made because the MAC addresses involved change at each router hop. Once it gets to the destination IP address, the recipient strips off the layers to reveal the data. It knows to hand that data up to the NetBIOS services because they're the ones listening on UDP port 138. Finally, you get a little window trying to sell pr0n. Here's a picture that shows the different layers of a TCP packet and their function.

    Here's a rundown on NetBIOS port usage.

    UDP port 137 is used for NetBIOS name resolution.

    UDP port 138 is used for browsing, domain authentication, and datagrams (This is what the messenger service uses).

    TCP port 139 is used for the actual session. This is what you transfer files through.

    TCP port 135 is the RPC service. Some people often confuse it with the NetBIOS ports. I don't know why.

    So, technically, you'll want to block UDP ports 137 and 138 and TCP port 139. Unfortunately, a lot of home equipment is geared towards the novice and they don't separate the UDP and TCP protocols. You are forced to block both TCP and UDP for any given port number. Because of this, you end up blocking more than is required.

    For those interested in this brief tutorial, I highly encourage you to get a CCNA study guide even if you're not going to get the certification. Lots of valuable networking info.

    Lucas
    MCSE, CCNA, Ex-Microsoft NT Networking and Security Support Rep

    1. Re:Does anyone here actually understand TCP/IP? by Nintendork · · Score: 3, Informative
      You are talking of a related, but different technology. Dynamic Access Filtering or Stateful Packet Inspection (SPI) can be used to block all ports while opening up tiny holes to allow sessions you initiate to go through. This way, you can get out, but nobody can try and establish a session to you. If you're running a service like http, ftp, gnutella, IRC, AIM file transfer, etc., you have to create permanent holes in the service ports to allow incoming connections. Some devices allow you to specify the protocol, others do not.

      From a security standpoint, you're right. At home, I use SPI. Sometimes though, I turn it off and just block the commonly attacked NetBIOS ports since most scanning activity is for NetBIOS and SQL (I don't run SQL at home). From a control freak standpoint, it's just plain ridiculous to specify a port without specifying a protocol. I guess it's just a pet peeve of mine.

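The UDP/138 path that comment 29 walks through (a NetBIOS datagram carrying the Messenger pop-up) can be decoded on the wire, which is how a defender tells a spam sweep from an admin notice. The following is an added example, not code from any poster in this thread: it parses the RFC 1002 datagram header and first-level-encoded names, flags datagrams aimed at the \MAILSLOT\MESSNGR mailslot, and counts how many distinct hosts each source IP hits; the sample packets are constructed by build_sample, whose SMB body is only as realistic as the classifier needs.

```python
"""Decoder for NetBIOS-over-TCP/IP datagrams (UDP/138, RFC 1002 sec. 4.4.1) that
flags Messenger-service pop-ups, i.e. SMB mailslot writes to \\MAILSLOT\\MESSNGR.
Added example, not code from the thread; the sample packets are constructed here."""
import struct
from collections import defaultdict
from dataclasses import dataclass

MAILSLOT_MESSNGR = b"\\MAILSLOT\\MESSNGR\x00"
DGM_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST"}
MESSENGER_SUFFIX = 0x03  # NetBIOS name suffix <03> registered by the Messenger service

def encode_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars, append the suffix byte, then write each
    nibble as a letter A..P (length byte 0x20, 32 letters, zero terminator)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + enc + b"\x00"

def decode_name(buf, off):
    """Decode the encoded name at buf[off:]; return (name, suffix, offset after it)."""
    length = buf[off]
    enc = buf[off + 1:off + 1 + length]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1 + length + 1

@dataclass
class Datagram:
    msg_type: str
    dgm_id: int
    source_ip: str
    source_port: int
    source_name: str
    dest_name: str
    dest_suffix: int
    user_data: bytes

def parse_datagram(pkt):
    """Parse the 14-byte header, both encoded names and the user data."""
    if len(pkt) < 14:
        raise ValueError("short NetBIOS datagram")
    mtype, _flags, dgm_id, sip, sport, dlen, _poff = struct.unpack("!BBH4sHHH", pkt[:14])
    if mtype not in DGM_TYPES:
        raise ValueError("not a NetBIOS data datagram: type 0x%02x" % mtype)
    off = 14
    src, _, off = decode_name(pkt, off)
    dst, dst_suffix, off = decode_name(pkt, off)
    user_data = pkt[off:14 + dlen]  # DGM_LENGTH covers both names plus user data
    return Datagram(DGM_TYPES[mtype], dgm_id, ".".join(str(b) for b in sip),
                    sport, src, dst, dst_suffix, user_data)

def is_messenger_popup(dg):
    """A pop-up is an SMB transaction whose target is the MESSNGR mailslot."""
    return dg.user_data[:4] == b"\xffSMB" and MAILSLOT_MESSNGR in dg.user_data.upper()

def popup_sources(packets, min_targets=3):
    """Count distinct destination names per source IP for Messenger pop-ups; a
    source hitting min_targets or more hosts looks like a sweep, not an admin notice."""
    seen = defaultdict(set)
    for pkt in packets:
        try:
            dg = parse_datagram(pkt)
        except (ValueError, IndexError):  # truncated or not a datagram: skip it
            continue
        if is_messenger_popup(dg):
            seen[dg.source_ip].add(dg.dest_name)
    return {ip: len(names) for ip, names in seen.items() if len(names) >= min_targets}

def build_sample(src_ip, src_name, dst_name, text):
    """Constructed DIRECT_UNIQUE datagram whose user data mimics an SMB mailslot
    write; only the fields the classifier inspects are realistic."""
    names = encode_name(src_name) + encode_name(dst_name, MESSENGER_SUFFIX)
    user = b"\xffSMB\x25" + b"\x00" * 27 + MAILSLOT_MESSNGR + text.encode("ascii") + b"\x00"
    hdr = struct.pack("!BBH4sHHH", 0x10, 0x02, 0x1234,
                      bytes(int(o) for o in src_ip.split(".")), 138, len(names) + len(user), 0)
    return hdr + names + user

if __name__ == "__main__":
    sweep = [build_sample("203.0.113.5", "SPAMMER", "WS%d" % i, "cheap diplomas") for i in range(1, 5)]
    print(popup_sources(sweep))  # {'203.0.113.5': 4}
```

Pointing popup_sources at datagrams captured on a border router shows at a glance whether pop-ups come from one outside address spraying the campus, which is what comment 8 describes, or from a single internal host.
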
  30. Mod Parent Up, Please! by billstewart · · Score: 3, Informative

    In a business intranet, there may be uses for this service. But for a machine connected to the public internet (i.e. a spam target), there's simply no excuse for letting packets in unless they're running on a protocol you know you want to support across the net. For most couch potatoes at home, that means responses to outgoing queries, plus incoming packets on any Instant Messenger, Games, and P2P File Sharing type application you are running. If you're also running a web server, then there's that too. For couch potatoes at work, there may be all sorts of stuff, but there's no reason the business firewall should be letting them in from unknown sources.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  31. Re:Instructions for Windows NT/2000/XP Users by cscx · · Score: 4, Informative

    What I did when I first became aware of the problem (yes I'm on a college LAN but we have a class A) is configured Tiny Personal Firewall to only allow UDP/TCP traffic on 137-139 and UDP on 135 (messenger service) to the samba servers and campus netblocks that I might use to access my computer (e.g., resnet, labs, etc), then add a filter rule to deny all other traffic on those ports - works like a charm =)

  32. another way to stop this spam by Jeriki · · Score: 5, Informative

    open up the advanced tab of your TCP/IP settings and go to the WINS tab and click 'disable NetBIOS over TCP/IP' and then 'OK'.

    --
    -witty .sig
  33. This company made an icq spam engine by Mdog · · Score: 3, Informative

    If you read the wired article and follow the link to the "dispute," AOL sued this company over their icq spam engine. It's important to notice, however, that they sued them over the *trademark* icq (which they infringed upon,) not the underlying spam problem.

  34. Re:Instructions for Windows NT/2000/XP Users by blakestah · · Score: 4, Informative

    I think this may be more useful for most users (verified for 2000 and XP).

    Right Click the icon for This Computer on the desktop. Click on manage.

    Doubleclick Sessions and Services.

    Doubleclick Services.

    Scroll down to Messenger, doubleclick it.

    Click on Stop. Change pull-down menu from Automatic to Manual.

    Click on Apply.

    You are done.

  35. Happened to me already... by CZroe · · Score: 3, Informative

    The same spam I get in my Hotmail hit me last week through Windows messenger:
    "U N I V E R S I T Y D I P L O M A S"
    Notice the spacing designed to avoid word filtering? It looks like these guys are thinking ahead!

  36. Re:Instructions for Windows NT/2000/XP Users by Permission+Denied · · Score: 4, Informative
    Correct me if I'm wrong:

    Port 135 is not messenger. Messenger is an RPC service and port 135 is the RPC port locator on Windows (like portmap on unix). Messenger can use any port at all - blocking port 135 works because client machines connect to port 135 to locate the port that the messenger rpc service is running on. Blocking port 135 may stop a bunch of other things from working, but net stop messenger stops just messenger.

    Not that I really care - I would just cut off the port and then worry about only if someone complains.

  37. Re:The Solution (mod this up please) by sambo99 · · Score: 4, Informative

    Moderators, don't mod +5 unless you know it works

    The method described above does not disable netbios over tcp/ip - so it has no chance of stopping the popups.

    If you firewall off or disable the netbios traffic you should be fine according to microsoft.

    I just tested this at home and was unable to disable the popup messages on my win2k box. However, firewalling the messenger port or disabling messenger is a guaranteed method of stopping this nonsense.

    --
    - Sam