Slashdot Mirror


Windows/NetBIOS pop-up Spam:

bofus writes "This article from Wired News presents a new way to deliver unsolicited advertising content - the MS Windows Messenger service. It appears that the client software hasn't been widely distributed yet, but it's probably only a matter of time before a free clone is circulating. This method could become the delivery method of choice for all kinds of unsolicited junk, given the number of unsecured PCs out there. On the flip side, if you run a relatively secured machine and have some sort of firewall, this probably shouldn't concern you."

11 of 411 comments

  1. already out there by htmlboy · · Score: 5, Interesting

    two weeks ago, we had a big hullabaloo here at uiuc.edu because of this. all the win2k/xp machines on all of campus still running the messenger service got a popup describing how great our lives would be if only we had a diploma from a non-accredited university. most of the "administrative" users assumed it was a virus and panicked. then three more of the same came in this morning.

    i just wish windows would log things like the origin of said messages so the abuse could be addressed at its source.

  2. This is old hat... by Mysticalfruit · · Score: 5, Interesting

    If you've got a machine out on the internet and you've windows networking turned on, you've probably got bigger problems.

    A couple years ago, a co-worker of mine and I were at his house when he turned on windows networking and set his domain to "WORKGROUP", did the obligatory reboot shuffle and started surfing all the shares in the area. It was hilarious, people had their entire C:\ drives shared, etc. Needless to say, after we got him set up with a firewall (linux/maq box) sure enough the logs just rolled with people trying to connect to ports 137/138/139. In one regard many ISPs block the netbios ports on their ingress and egress gateways.

    --
    Yes Francis, the world has gone crazy.
  3. Slap em! :P by Palos · · Score: 3, Interesting

    Saw this a while ago, looks like it could be fun:
    Slap: If you're like me you run firewall software that tells you when someone tries to access your system. Sometimes I respond with a few packets of my own just to let them know that I am paying attention. I wrote Slap to make responding to these access attempts easier and more entertaining. Just enter the IP address of the person you wish to slap and click on the Slap button. The program will attempt to access all the ports in the list and send them a packet with a personal message. (The default message is 'Leave Me Alone!') Slap integrates with Black Ice and Zone Alarm and can use information received from these software firewalls to "Auto Slap" intruders and add their attacks to your list of responses. --Here is a cool Wav file to use with this.

  4. Why would anyone pay for this? by daveman_1 · · Score: 4, Interesting

    $700? You've got to be kidding me. I'm not going to waste the time, but it wouldn't be too difficult to make a perl script that increments an IP address range and calls smbclient -M... In fact, it would be really easy for someone to do this one time and send a link to the tune of "Tired of annoying messages like this? Go to www.xxx.net to find out how to eliminate messages like this forever." And that would be the end of this problem. Unfortunately, if you did this as a regular citizen, you'd have the FBI crashing through your window in no time for "hacking"...

    Sad really.

    --
    Russian Russian Russian RussianDollSig DollSig DollSig DollSig
  5. Re:Instructions for Windows NT/2000/XP Users by afidel · · Score: 4, Interesting

    not everyone needs it but it sure can be useful. Our netapps have the ability to send a message before they are taken offline for maintenance (like we did recently when moving from a couple single filers to a f880 cluster). We also use it with our Samba server to notify the users when their print jobs have cleared the queue (great for plotters or very high traffic lasers).

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  6. better, just drop em -- Re:Slap em! :P by zrodney · · Score: 4, Interesting

    that's cute, but often the ip you have is not the origin, but a hapless victim
    which is being used to launch the attack and/or hide the tracks of the real blackhat

    by sending data back to that ip, you may be unwittingly being used to help the intruder hide
    and you may appear to be the intruder in the logs of the machine which the blackhat is using as a stepping stone

    that's probably not what you are trying to do
    and that's why I just add those ips to a droplist instead of sending data back
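
The drop-list approach from the comment above, sketched as an added example (not code from any poster in this thread): it counts inbound probes to the NetBIOS ports named earlier (137/138/139) per source and lists sources to drop silently. The Linux netfilter LOG line format, the sample lines, the `min_hits` threshold and the allow-list are assumptions made for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Ports named in the thread: NetBIOS name, datagram and session services.
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample lines in the Linux netfilter LOG format; all addresses
# come from the documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
Oct 18 03:12:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=1027 DPT=137
Oct 18 03:12:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3310 DPT=139
Oct 18 03:12:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=1027 DPT=138
Oct 18 03:15:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=4402 DPT=139
Oct 18 03:16:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=4410 DPT=80
Oct 18 03:17:00 gw kernel: IN=eth1 OUT= SRC=192.0.2.53 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Oct 18 03:17:30 gw kernel: IN=eth1 OUT= SRC=192.0.2.53 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Oct 18 03:18:00 gw kernel: device eth0 entered promiscuous mode
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def netbios_probes(log_text):
    """Count logged packets aimed at the NetBIOS ports, per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ip_address(fields["SRC"])
            port = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # not a packet log line, or a malformed one
        if fields.get("PROTO") in ("TCP", "UDP") and port in NETBIOS_PORTS:
            hits[src] += 1
    return hits

def build_droplist(log_text, min_hits=2, allow=()):
    """Sources with at least min_hits probes, excluding allow-listed hosts."""
    allowed = {ip_address(a) for a in allow}
    counts = netbios_probes(log_text)
    return sorted((ip for ip, n in counts.items()
                   if n >= min_hits and ip not in allowed), key=int)

if __name__ == "__main__":
    for ip in build_droplist(SAMPLE_LOG, allow=["192.0.2.53"]):
        print(ip)
```

Nothing is sent back to the logged address, which, as the comment notes, may be a relay rather than the origin; the allow-list keeps internal hosts that legitimately speak NetBIOS off the list.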

  7. Re:How to do it by ep32g79 · · Score: 3, Interesting

    I discovered the joys of "net send" back in the eighth grade. I thought it was fun to be able to message my friends at school while they were logged on, admins had disabled the Novell send client.

    I soon began to use a batch file to repeatedly spam them with messages, a little while later I built a Visual C++ program to allow a user to input the user they wished to spam along with their message and how many times to spam them. It was amazing to watch how fast the program I made spread through the junior high.

    After about a week and a half I was called into the office and suspended for 3 days because roughly 56 people in my class used my program to harass their classmates.

  8. We did this to a couple script kiddies by naarok · · Score: 3, Interesting

    At the last place I worked, we had a number of IPs assigned. This made it painfully obvious in the logs when some script kiddie was port scanning us. On a couple occasions we found that the machine scanning us had netsend active and available, so we net sended them telling them to stop port scanning or we would take action. We could just picture the 13 year-old kid at the other end freakin out at this message popping up on their monitor.

  9. Let me tell you an idea I had.... by mark-t · · Score: 3, Interesting

    Presumably, the messenger service exists because it is perceived as useful. So simply stopping the service may not be seen as particularly constructive.

    What about altering the service so that instead of just popping up a window that you can do nothing with but close, there would exist an additional button [REPLY] on the pop up message window, which would then allow you to respond to the alert message as you see fit? (Sending a message back to the source via the same net send facility that they used to send data to you).

    Now I presume, of course, that an authorized administrator would have a large say in what services are going to be running on the computers in his domain, so if he wasn't interested in fielding replies to his authorized alert messages, he could simply have the requirement that the normal "one-way" messenger is the one that gets installed on the domain machines. Meanwhile, unauthorized sends would find themselves the target of maybe hundreds or thousands of replies, potentially causing a D.O.S. for them, even if they weren't actually running the messenger service themselves.

    Of course, the new messenger service would also log the time, date, and originating IP of the sender, so that it can be confirmed later -- even if the sender does not happen to be running the messenger service himself.

    Now I realize that this doesn't do a thing for handling people who fake their IP address, but I'd bet it would go some distance to making this virtually unusable by most of the people who would just use such tools to spam.

  10. I just got spammed by one of these the other day.. by MontyP · · Score: 3, Interesting

    I come home one night to find one of these on my desktops... I thought it was funny and just happened to have taken a screen shot

    Messenger_Service_Spam.gif

    --
    There is no .sig
  11. Misuse aside.... by AtariDatacenter · · Score: 4, Interesting

    I'm glad to see this feature. When I was managing a very large multiuser application, from time to time, I would have to close some sessions that were causing problems. Or I would see a problem going on, and would like to know more about what they see on their end. But armed with only an IP address and a vague hostname, I could only track them reliably as far as what building they were in. "If only I could hit their walld", I said.

    BTW, at the same time, UNIX users are in for a treat if their syslogd can accept outside messages. (Default behavior on many OSs, but has been changing.)

    Think "kernel.crit".