Security Basics mailing list archives

Re: Windows Messenger Pop-up spam


From: "'Ansgar -59cobalt- Wiechers'" <bugtraq () planetcobalt net>
Date: Fri, 3 Dec 2004 18:41:00 +0100

On 2004-12-03 David Gillett wrote:
On 2004-12-02 Ansgar -59cobalt- Wiechers wrote:
But let's assume we're talking not only about messenger spam but
malware in general. Why would I rather block specific ports instead
of disabling unneeded services? In the latter case I won't *have*
anything that needs to be protected at all¹. Plus Personal Firewalls
proved themselves to be much less reliable than one would like to
think. Do I have to remind you of the Witty worm?

Sure, you can argue that maybe the host acts as a router for some
local network (ICS or something). However, I would still have to ask:
why does he need to provide any services at all? A router is not
supposed to provide services. Period. If one needs Internet
connectivity for a local network and needs all computers as
workstations, then bite the damn bullet and buy a router. They're not
*that* expensive. And of course one would block *everything* except
for the desired traffic on the network *perimeter*, not only deny the
undesired traffic on the host itself. If there's no LAN but just a
single host with Internet connection, then why does the box need to
provide any services at all? IMnsHO.

  Messenger is a tiny tiny TINY component of Windows File Sharing /
NetBIOS.  IF an attacker can get a Messenger window to pop up on your
screen, then you have a HUGE area of vulnerable services exposed to
the internet.  Services which you may very often REQUIRE to use LAN
resources, but never need to use either TO or FROM the Internet.

  Turning off those services entirely is rarely an option.  Turning
off only the Messenger component still leaves you exposed.

Turning off the services entirely is very well an option if you have
just one host with a dialup connection, cable modem or whatever. Why
must that host provide any services - especially NetBIOS - at all? In
any case where there is more than one box you are better off using a
packet filtering router anyway. But of course in that case you would not
only block specific ports (i.e. NetBIOS), but *allow* only specific
ports and block everything else.

  Blocking those ports at the perimeter allows you to still use the
services you need to connect to local resources -- that might include
local use of the Messenger service, by the way! -- but protects you
from Internet abusers of that whole family of services. Including, but
not just limited to, the Messenger service.

I may be wrong, but isn't that *exactly* what I wrote in the mail you
just replied to?

  I agree that most home users don't need the Messenger service, and
can free up some resources by turning it off.  But anyone who is
adequately protected from the much larger range of threats won't see
it abused, and anyone who sees it abused needs to understand that that
means they're vulnerable to that much larger range, most of which they
will STILL be vulnerable to if they turn off the Messenger service.

True. That's why I suggested disabling *all* services they don't need.
Joe Average's computer usually does not need to provide any services to
the outside world, therefore he should disable them (a script to do that
for him can be found under the URL I posted in my last mail).

  "Turn off services you don't need" is usually a good rule.  But in
this particular case, the REAL "service" is the whole NetBIOS/CIFS
family, not just the Messenger component, and turning it off at that
level tends to break all sorts of things.  So you have to fall back on
the alternative: "Harden/protect the services you DO need".

I have to disagree here. It *can* be done for single computers (the
description and a script can be found under the URL contained in my last
mail). It cannot be done for computers on a LAN, which need file and
printer sharing or something. However, in the latter case one would of
course use a packet filtering router to block everything except for the
desired traffic on the network perimeter, not host-based packet filters
to block only undesired traffic.

Regards
Ansgar Wiechers
-- 
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
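As an added illustration that is not part of this thread (constructed, not code from either poster), the following is a small first-match packet-filter model contrasting the "block the bad ports" perimeter policy with the "allow only the desired traffic, drop everything else" policy argued for above; the host inventory, the listening ports assigned to it and the policy rules are assumptions made for the example.

```python
# Added example: a minimal first-match packet-filter model comparing a
# deny-list perimeter policy with a default-deny allow-list policy.
# Host inventory and rules are constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                             # "allow" or "deny"
    proto: str                              # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]] = None  # inclusive dst-port range


@dataclass(frozen=True)
class Policy:
    rules: List[Rule]
    default: str  # verdict when no rule matches unsolicited inbound traffic


def evaluate(policy: Policy, proto: str, dport: int) -> str:
    """First matching rule wins; otherwise the policy default applies."""
    for r in policy.rules:
        proto_ok = r.proto in ("any", proto)
        port_ok = r.ports is None or r.ports[0] <= dport <= r.ports[1]
        if proto_ok and port_ok:
            return r.action
    return policy.default


# Constructed inventory: what an unhardened workstation of that era might
# listen on (service -> (proto, port)). Not taken from the thread.
LISTENING: Dict[str, Tuple[str, int]] = {
    "RPC endpoint mapper": ("tcp", 135),
    "NetBIOS name":        ("udp", 137),
    "NetBIOS datagram":    ("udp", 138),
    "NetBIOS session":     ("tcp", 139),
    "SMB over TCP":        ("tcp", 445),
    "UPnP/SSDP":           ("tcp", 5000),
}

# Deny-list: block the known NetBIOS/SMB ports, let everything else in.
DENY_LIST = Policy([Rule("deny", "any", (135, 139)),
                    Rule("deny", "tcp", (445, 445))], default="allow")
# Allow-list: no unsolicited inbound traffic at all (replies are stateful).
ALLOW_LIST = Policy([], default="deny")


def exposed(policy: Policy, listening=LISTENING) -> List[str]:
    """Services on the host that unsolicited Internet traffic still reaches."""
    return sorted(name for name, (proto, port) in listening.items()
                  if evaluate(policy, proto, port) == "allow")


def hardened_host(listening=LISTENING, keep=()) -> Dict[str, Tuple[str, int]]:
    """The single-host alternative: stop the services so nothing listens."""
    return {n: v for n, v in listening.items() if n in keep}
```

Running `exposed(DENY_LIST)` shows the unlisted UPnP port still reachable, while `exposed(ALLOW_LIST)` and `exposed(DENY_LIST, hardened_host())` both come back empty.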

