Security Incidents mailing list archives

RE: Source of Windows PopUp SPAM

From: Rob Keown <Keown () MACDIRECT COM>
Date: Wed, 16 Oct 2002 19:00:10 -0400

Here is another article:
http://www.techtv.com/screensavers/answerstips/story/0,24330,3374542,00.html

-----Original Message-----
From: Ron Trenka [mailto:ron () zowiedigital com]
Sent: Wednesday, October 16, 2002 10:40 AM
To: incidents () securityfocus com
Subject: Re: Source of Windows PopUp SPAM


on 10/15/02 12:29 PM, Lawrence Baldwin at baldwinL () mynetwatchman com wrote:

We've identified a commercial, Windows-based SPAM package which sends SPAM
via popups (all for $699).
I've confirmed that this particular package (which I can't name, yet..)
sends popups via MS RPC.
I suspect this package is running on these Linux systems under VMWARE
emulated Windows sessions.

What is also interesting is that some users, despite running personal
firewalls, are still reporting getting these popups.  This probably

explains

the developers choice to use MS RPC (udp/135) for delivery instead of a
straight Netbios SMB call (tcp/139).  MS RPC would be less overhead, but
also has the potential to reach more people as even those with firewalls

are

often giving 'svchost.exe' server priviledges because they assume it's
necessary:

http://www.dslreports.com/forum/remark,4718327~root=security,1~mode=flat


Anyone have a way to disable this on W2K and NT 4.0 servers?

***********************************************************
* Ron Trenka              | "You do not need a parachute  *
* Zowie Digital Media     | to skydive.  You only need a  *
* www.zowiedigital.com    | parachute to skydive twice."  *
* ron () zowiedigital com    |          www.DarwinAwards.com *
* (212) 627-4991 x22      |                               *
***********************************************************




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Source of Windows PopUp SPAM Lawrence Baldwin (Oct 14)
- RE: Source of Windows PopUp SPAM Brenna Primrose (Oct 16)
- <Possible follow-ups>
- RE: Source of Windows PopUp SPAM Lawrence Baldwin (Oct 15)
  - Re: Source of Windows PopUp SPAM Ron Trenka (Oct 16)
    - Re: Source of Windows PopUp SPAM Michael Katz (Oct 16)
    - Re: Source of Windows PopUp SPAM Nick FitzGerald (Oct 17)
- RE: Source of Windows PopUp SPAM H C (Oct 16)
- RE: Source of Windows PopUp SPAM Rob Keown (Oct 16)
  - RE: Source of Windows PopUp SPAM H C (Oct 17)
    - Re: Source of Windows PopUp SPAM Gary Flynn (Oct 17)
- Re: Source of Windows PopUp SPAM Richard Akerman (Oct 18)
- Re: Source of Windows PopUp SPAM David Kennedy CISSP (Oct 20)