Re: Windows Messenger Pop-up spam

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2004-12-03 Kevin Davis wrote:
> > But let's assume we're talking not only about messenger spam but
> > malware in general. Why would I rather block specific ports instead
> > of disabling unneeded services? In the latter case I won't *have*
> > anything that needs to be protected at all¹. Plus Personal Firewalls
> > proved theirselves to be much less reliable than one would like to
> > think. Do I have to remind you of the Witty worm?
>
> Disabling unneeded services is not an adequate protection from
> malware. 

It is an adequate protection from malware that tries to attack services.

> There are tons of malware - in fact probably the majority that set up
> their own "server" once it infects the target system.

If malware is already running on the system, the box is 0wned and
schould be rebuilt.

> That's where personal firewalls help.

No.

> A new, unknown process is trying to get out to the net - the firewall
> will catch this and alert the user.

The firewall may possibly catch this and alert the user. Or the malware
may simply sneak around the firewall. Or disable it. You can't rely on
PFWs to control outbound traffic.

> I would agree that one should not put 100% confidence in personal
> firewalls.  All software has bugs and many will have vulnerabilities
> from time to time.

Bugs are an issue with inbound traffic, but not with outbound traffic.

> This fact in itself does not justify permanently discounting it.  The
> first time you find out that your router has a bug in it's firmware do
> you throw it in the trash?

Of course not. However, if its firmware continues being buggy, I would
reconsider that decision.

> The best solution is a multi layered approach (defense in depth).

Defense in depth is a good thing. *If* it gains you security.

> 1. Patch your systems,

Of course.

> 2. Get your systems behind a firewall (a personal firewall if a home
> user).

Firewall on a router: very well. Personal Firewall: most likely not.
Yes, there are some exceptions, but their number is few.

> 3.  Get your system behind a router.

Local networks of any kind: of course. A single home computer: maybe,
but not a must.

> 4.  Harden system by turning off uneeded services.

That would be my second step. No services -> nothing to exploit. I would
consider using a Personal Firewall *only* if for some reason a service
can't be disabled or bound to a specific interface.

> 5.  Employ the use of virus and spyware scanners\blockers

Virus scanners may be useful. However, one should be aware of their
limitations, since each virus scanner is just as good or bad as its
virus definitions. As for spyware scanners/blockers: I usually prefer to
not install spyware in the first place. Avoiding IE/OE helps. Much.

[...]
> > Sure, you can argue that maybe the host acts as a router for some
> > local network (ICS or something). However, I would still have to ask:
> > why does he need to provide any services at all? A router is not
> > supposed to provide services. Period. If one needs Internet
> > connectivity for a local network and needs all computers as
> > workstations, then bite the damn bullet and buy a router. They're not
> > *that* expensive. And of course one would block *everything* except
> > for the desired traffic on the network *perimeter*, not only deny the
> > undesired traffic on the host itself.
>
> The small, inexpensive SOHO routers only block inbound traffic. If a
> user gets some malware on their system, this helps them not.

Neither does a PFW. Once malware is running on your system, you're
toast. Period. Even Microsoft finally did understand that [1].

> > If there's no LAN but just a single host with Internet connection,
> > then why does the box need to provide any services at all? IMnsHO.
>
> You can't make a blanket statement like this for all cases.  In some
> cases this would be true, in others not.
>
> Lets take the Messenger service, for instance.  Some people should
> *not* turn off the Messenger service.  Why?  Maybe they are running
> one of the several virus scanning products that use the Messenger
> service to alert the user of a virus problem.

Any AV software that uses the messenger service for notifying the
(local) user should be trashed *immediately*, because of major
incompetence of the vendor.

> Turn that service off and it is degrading the ability of the virus
> scanner to do it's job properly.  I'm sure that there are other
> examples.  In this particular case, I think that the virus scanners
> that depend on this service are poorly designed.  One could argue that
> this dependency is from one respect is weakening the security of the
> system.

I still fail to see *any* good reason why a single computer (no LAN)
should *not* have all services disabled.

[1] http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin