Full Disclosure mailing list archives
Re: Windows Messenger Popup Spam - advisory amended (followup for those interested)
From: jh <jh () dok org>
Date: Mon, 30 Jun 2003 22:37:24 -0400
On Wed, Jun 25, Joe Stewart wrote:
I have found however, a few points of difference between what the paper describes of the protocol and what I've observed in practice. The paper describes a much more elaborate exchange of packets than the spammers are actually using. The paper says that the conv_who_are_you packet must be answered by the client before the popup will occur. This doesn't seem to be necessary, as I have been able to merely replay the same UDP packet payload again and again, on either port.
Note: I tested this only on w2k. This *does* seem to be dependent on the tools used to send the SPAM. The dump you sent me had one difference from what I've observed: The first flags field on the initial packet is set to 0x28 (Idempotent and NoFack). The commercial tools that I looked at have set this field to 0x08 (NoFack). When the Idempotent flag is set, the remote host won't elicit the conv_who_are_you - no effort is made to get any information about the client and the request is executed. More information on this can be found at http://www.opengroup.org/onlinepubs/9629399/apdxp.htm. I looked at some of the commercial tools again: Direct Advertiser: No demo available (website under construction) Broadcast Advertiser: New demo wouldn't do anything useful SlySender: Still sends DCE requests with 0x08 So, it would seem that there are some new (?) tools floating around.
The paper says that these packets should be dropped as duplicates, but I have observed that you only need to wait for a given timeout to occur before you can send the packet and get a popup again; somewhere on the order of 10 minutes or so.
Yeah. That timeout you speak of is the dupe prevention. You could hex edit the sequence number in your packet dump, try again, and it will work.
And only one packet is necessary, no matter which port you send it to. I've been successful at spoofing a bogus source IP address in the packets generating the popups as well.
Right on. Flipping that Idempotent bit is spiffy, you get a spoofed RPC packet that Windows will happily execute. Whee! Thanks again for the packet dump, very enlightening! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Windows Messenger Popup Spam - advisory amended (followup for those interested) jh (Jun 30)