RE: Windows Messenger Pop-up spam

["David Gillett" <gillettdavid () fhda edu>]

  Messenger is a tiny tiny TINY component of Windows File Sharing /
NetBIOS.  IF an attacker can get a Messenger window to pop up on your
screen, then you have a HUGE area of vulnerable services exposed to
the internet.  Services which you may very often REQUIRE to use LAN
resources, but never need to use either TO or FROM the Internet.

  Turning off those services entirely is rarely an option.  Turning off
only the Messenger component still leaves you exposed.

  Blocking those ports at the perimeter allows you to still use the services
you need to connect to local resources -- that might include local use of
the Messenger service, by the way! -- but protects you from Internet abusers
of that whole family of services.  Including, but not just limited to, the
Messenger service.

  I agree that most home users don't need the Messenger service, and can
free up some resources by turning it off.  But anyone who is adequately
protected from the much larger range of threats won't see it abused, and
anyone who sees it abused needs to understand that that means they're
vulnerable to that much larger range, most of which they will STILL be
vulnerable to if they turn off the Messenger service.

  "Turn off services you don't need" is usually a good rule.  But in this
particular case, the REAL "service" is the whole NetBIOS/CIFS family, not
just the Messenger component, and turning it off at that level tends to
break all sorts of things.  So you have to fall back on the alternative:
"Harden/protect the services you DO need".

David Gillett


> -----Original Message-----
> From: 'Ansgar -59cobalt- Wiechers' [mailto:bugtraq () planetcobalt net]
> Sent: Thursday, December 02, 2004 9:08 AM
> To: security-basics () securityfocus com
> Subject: Re: Windows Messenger Pop-up spam
>
>
> David,
>
> On 2004-12-01 David Gillett wrote:
> > From: Ansgar -59cobalt- Wiechers [mailto:bugtraq () planetcobalt net]
> > > On 2004-11-30 Beauford, Jason wrote:
> > > > Block those Ports!
> > >
> > > Why? Simply disable the stupid messenger service (because obviously
> > > it's not needed anyway). There's no need to block any port
> because of
> > > messenger spam.
> >
> > That would be true, if all that ever used those ports was Messenger.
> > But it's NOT!  The same ports are used for a bunch of stuff that you
> > *really* do not want to be exchanging with the wild wild net.
> >
> > Block those ports, and no longer seeing Messenger spam is the
> > *smallest* (if most visible) way in which your system will become
> > safer.
>
> I thought at least you would get my point. However, maybe I have to be
> more verbose.
>
> We were talking about messenger spam only, and therefore it's pretty
> much sufficient to disable the messenger service. No other action
> needed, especially not blocking any ports. Period.
>
> But let's assume we're talking not only about messenger spam
> but malware
> in general. Why would I rather block specific ports instead
> of disabling
> unneeded services? In the latter case I won't *have* anything
> that needs
> to be protected at all¹. Plus Personal Firewalls proved theirselves to
> be much less reliable than one would like to think. Do I have
> to remind
> you of the Witty worm?
>
> Sure, you can argue that maybe the host acts as a router for
> some local
> network (ICS or something). However, I would still have to
> ask: why does
> he need to provide any services at all? A router is not supposed to
> provide services. Period. If one needs Internet connectivity
> for a local
> network and needs all computers as workstations, then bite the damn
> bullet and buy a router. They're not *that* expensive. And of
> course one
> would block *everything* except for the desired traffic on the network
> *perimeter*, not only deny the undesired traffic on the host
> itself. If
> there's no LAN but just a single host with Internet
> connection, then why
> does the box need to provide any services at all? IMnsHO.
>
> Regards
> Ansgar Wiechers
>
> ¹ BTDT²
> ² http://www.ntsvcfg.de/
> --
> "Those who would give up liberty for a little temporary safety
> deserve neither liberty nor safety, and will lose both."
> --Benjamin Franklin