Full Disclosure mailing list archives

Re: Windows Messenger Popup Spam - advisory amended


From: jh <jh () dok org>
Date: Wed, 25 Jun 2003 22:31:23 -0500

On Wed, Jun 25, Joe Stewart wrote:
> On Monday 23 June 2003 05:19 pm, jh wrote:
> > 1026 is ephemeral, it may not always be this port.
>
> I'd say it's dependent on the startup order of other listeners. Ephemeral
> implies it is short-lived. If you don't install other services that use port
> 1026 it will probably continue to be bound to port 1026 indefinitely. I've
> been told that some Windows 2000 server platforms may have messenger
> listening on port 1027 due to other services starting first, but popup
> spammers are typically targeting the home user running WinXP.

Yah, you are correct. Ephemeral probably wasn't the best choice of
wording, but you understood what I meant anyway. 

> This is an excellent paper; is it yours?

Yes it is, thanks.

> I have found however, a few points of difference between what the paper
> describes of the protocol and what I've observed in practice. The paper
> describes a much more elaborate exchange of packets than the spammers
> are actually using.

This may be entirely dependent on the handful of the commercial
"advertising tools" that I selected to look at - and clearly several
of them appeared to be ripoffs of each other. Though to be fair, I
have observed this exchange of packets in real life (i.e., not caused by
my own testing, just allowing spammers access to my machines).

> The paper says that the conv_who_are_you packet
> must be answered by the client before the popup will occur.

Your observations are very interesting. I could never get a popup
to display without this transpiring. I noticed other people have had
the same results
(http://www.mynetwatchman.com/kb/security/articles/popupspam/netsend.htm,
as an example). 

> This doesn't seem to be necessary, as I have been able to merely
> replay the same UDP packet payload again and again, on either port.

Is that UDP packet you are replaying the first packet of the
conversation? I'd be interested in looking at it (and what else you
are doing). If you could send that to me off list, I'd appreciate it.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html