Full Disclosure mailing list archives

Re: Odd Behavior - Windows Messenger Service


From: jklemenc () fnal gov
Date: Wed, 16 Jul 2003 16:37:58 -0500


This is because, by default, the Messenger service is started. It is one of
the many services that hide behind the catch-all MS Networking ports
(tcp/139 & tcp/445). In an MS world using NET SEND, one must be able both to
resolve your NetBios name and to route to your IP address, and
they cannot hide their identity. However, using smbclient on Unix
platforms, they can mask themselves pretty easily. Either your machine name
is the same as your DNS name -OR- the spammer made an anonymous IPC$
connection to your machine, asked for the NetBios name, then sent you a
message using:

    smbclient -M <your NetBios machine name> -U <the From user, spoofed> -I <your IP address>

This is one of the many reasons to NOT have the MS Networking ports exposed
to the Internet. Even though you disabled the shares and such, the Server
and Client services were probably still running. MS does not disable these
by default since they are the core of MS Networking. I would rather MS take
the UNIX approach, or at least the RPC style, and have each listening
service be on their own port instead of via named-pipes over a common port.
But this is all a leftover from the old WFW NetBios days...

Why is the message on your uninitialized desktop? Well, a Message can
either be sent to a specific logged-in user -OR- to an entire machine.
Using the smbclient example above, it is sent to a machine, where it sits
on a 'console' until someone finally logs in. This is the same as having a
Windows server where after you log in, you have some PopUps about
applications that failed to start or items that exceeded the Perf Monitor
values, etc. Nothing different there except this message came from an
outside source. If you want to know more, search the various
Security Focus list archives for the 'University Diploma' popup spam.
Basically, I reiterated the same above as I did originally on those lists.




morning_wood <se_cur_ity () hotmail com>
Sent by: full-disclosure-admin@lists.netsys.com
07/16/2003 03:11 PM

To:       Martin <nakal () web de>, full-disclosure () lists netsys com
cc:
Subject:  Re: [Full-disclosure] Odd Behavior - Windows Messenger Service




I can confirm this behavior. This service is enabled on Windows 2000
and XP by default.
I noticed it on my sister's PC after she clicked away 3 advertisement
pop-ups and growling at the PC. I think that the average user does
not know how to disable it.
(And btw: NO, the average MS-Windows user is NOT USING any firewalls.)



more to the point... THERE WAS NO LOGIN PERIOD
this was a fresh install.. waiting at the login prompt.. the pop up was
there before any user ( admin ) settings initialized or login took place.
once again.. this is out of the box install following all prompts, no
sharing etc. ( only setting computer name and workgroup ) reboot.. sit at
login prompt.. login.. pop up was waiting on an uninitialized desktop..
this is my question / issue...   NOT my personal security or lack of
knowledge about basic networking / security.
disabling the service is easy, I'm reporting on default out of the box
behavior, not how to get rid of it or protect myself.
please all.. re-read my scenario...

donnie


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html





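As an added illustration of the point made above about not exposing the MS Networking ports to the Internet (example code, not part of any post in this thread): a small Python check that reads a firewall connection log in W3C extended format (the layout Windows Firewall's pfirewall.log uses) and reports accepted inbound TCP connections to 139/445 that came from outside the local address ranges. The log lines, addresses and times are constructed, and the internal ranges are an assumption to adjust for your own network.

```python
import ipaddress
from typing import Dict, List

# The "catch-all MS Networking ports" named in the post.
MS_NETWORKING_TCP_PORTS = {139, 445}

# Assumed local ranges (RFC 1918 plus loopback and link-local); adjust for your network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log in W3C extended format; hosts, addresses and times are made up.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-07-16 15:09:41 OPEN TCP 192.168.1.55 192.168.1.20 1042 445 - - - - - - - -
2003-07-16 15:10:03 OPEN TCP 198.51.100.23 192.168.1.20 3456 139 - - - - - - - -
2003-07-16 15:10:05 OPEN TCP 198.51.100.23 192.168.1.20 3457 445 - - - - - - - -
2003-07-16 15:10:30 DROP TCP 203.0.113.9 192.168.1.20 4010 139 48 S 123456 0 8192 - - -
2003-07-16 15:11:12 OPEN TCP 192.168.1.20 198.51.100.50 1100 80 - - - - - - - -
"""


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per entry, keyed by the #Fields names."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # column names come from the log itself
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) >= len(fields):   # skip malformed rows
                entries.append(dict(zip(fields, values)))
    return entries


def is_external(ip: str) -> bool:
    """True when the address lies outside every assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                             # unparsable field: do not flag
    return not any(addr in net for net in INTERNAL_NETS)


def exposed_ms_networking(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Accepted (OPEN) inbound TCP connections to 139/445 from outside the local ranges."""
    return [e for e in entries
            if e.get("action") == "OPEN" and e.get("protocol") == "TCP"
            and e.get("dst-port", "").isdigit()
            and int(e["dst-port"]) in MS_NETWORKING_TCP_PORTS
            and is_external(e.get("src-ip", ""))]
```

Any hit means an outside host completed a connection to the ports behind which the Messenger, Server and other named-pipe services sit, which is exactly the exposure the post warns about.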