Security Basics mailing list archives
Re: Windows Messenger Pop-up spam
From: "'Ansgar -59cobalt- Wiechers'" <bugtraq () planetcobalt net>
Date: Fri, 3 Dec 2004 18:41:00 +0100
On 2004-12-03 David Gillett wrote:
> On 2004-12-02 Ansgar -59cobalt- Wiechers wrote:
>> But let's assume we're talking not only about messenger spam but
>> malware in general. Why would I rather block specific ports instead
>> of disabling unneeded services? In the latter case I won't *have*
>> anything that needs to be protected at all¹. Plus Personal Firewalls
>> proved themselves to be much less reliable than one would like to
>> think. Do I have to remind you of the Witty worm?
>>
>> Sure, you can argue that maybe the host acts as a router for some
>> local network (ICS or something). However, I would still have to ask:
>> why does he need to provide any services at all? A router is not
>> supposed to provide services. Period. If one needs Internet
>> connectivity for a local network and needs all computers as
>> workstations, then bite the damn bullet and buy a router. They're not
>> *that* expensive. And of course one would block *everything* except
>> for the desired traffic on the network *perimeter*, not only deny the
>> undesired traffic on the host itself.
>>
>> If there's no LAN but just a single host with Internet connection,
>> then why does the box need to provide any services at all?
>>
>> IMnsHO.
>
> Messenger is a tiny tiny TINY component of Windows File Sharing /
> NetBIOS. IF an attacker can get a Messenger window to pop up on your
> screen, then you have a HUGE area of vulnerable services exposed to
> the internet. Services which you may very often REQUIRE to use LAN
> resources, but never need to use either TO or FROM the Internet.
> Turning off those services entirely is rarely an option. Turning off
> only the Messenger component still leaves you exposed.

Turning off the services entirely is very well an option if you have just one host with a dialup connection, cable modem or whatever. Why must that host provide any services - especially NetBIOS - at all? In any case where there is more than one box you are better off using a packet filtering router anyway. But of course in that case you would not only block specific ports (i.e. NetBIOS), but *allow* only specific ports and block everything else.

> Blocking those ports at the perimeter allows you to still use the
> services you need to connect to local resources -- that might include
> local use of the Messenger service, by the way! -- but protects you
> from Internet abusers of that whole family of services. Including,
> but not just limited to, the Messenger service.

I may be wrong, but isn't that *exactly* what I wrote in the mail you just replied to?

> I agree that most home users don't need the Messenger service, and
> can free up some resources by turning it off. But anyone who is
> adequately protected from the much larger range of threats won't see
> it abused, and anyone who sees it abused needs to understand that
> that means they're vulnerable to that much larger range, most of
> which they will STILL be vulnerable to if they turn off the Messenger
> service.

True. That's why I suggested to disable *all* services they don't need. Joe Average's computer usually does not need to provide any services to the outside world, therefore he should disable them (a script to do that for him can be found under the URL I posted in my last mail).

> "Turn off services you don't need" is usually a good rule. But in
> this particular case, the REAL "service" is the whole NetBIOS/CIFS
> family, not just the Messenger component, and turning it off at that
> level tends to break all sorts of things. So you have to fall back on
> the alternative: "Harden/protect the services you DO need".

I have to disagree here. It *can* be done for single computers (the description and a script can be found under the URL contained in my last mail). It cannot be done for computers on a LAN, which need file and printer sharing or something. However, in the latter case one would of course use a packet filtering router to block everything except for the desired traffic on the network perimeter, not host-based packet filters to block only undesired traffic.

Regards
Ansgar Wiechers
--
"Those who would give up liberty for a little temporary safety
deserve neither liberty nor safety, and will lose both."
--Benjamin Franklin
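
Added example, not part of the original mail: a small Python model of the two perimeter policies the thread contrasts, blocking only the NetBIOS/CIFS ports versus allowing only desired traffic and dropping the rest. The packet list, the `established` flag and all function names are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    dport: int
    established: bool  # True = reply to a connection opened from inside

# Well-known ports of the NetBIOS/CIFS family (what a "block specific
# ports" rule set would name).
NETBIOS_FAMILY = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

def denylist_filter(pkt):
    """Block only the named ports; everything else passes."""
    return (pkt.proto, pkt.dport) not in NETBIOS_FAMILY

def default_deny_filter(pkt, allowed=frozenset()):
    """Pass replies to inside-initiated connections and explicitly
    allowed inbound ports; drop everything else."""
    return pkt.established or (pkt.proto, pkt.dport) in allowed

def exposed(filter_fn, packets):
    """Unsolicited inbound packets that the filter lets through."""
    return [p for p in packets if not p.established and filter_fn(p)]

# Constructed inbound traffic seen on the Internet-facing interface.
SAMPLE = [
    Packet("udp", 137, False),    # NetBIOS name service
    Packet("tcp", 445, False),    # SMB over TCP
    Packet("tcp", 135, False),    # RPC endpoint mapper, not on the denylist
    Packet("udp", 1026, False),   # constructed: some other listening service
    Packet("tcp", 51000, True),   # reply to an outbound connection
]

if __name__ == "__main__":
    for name, fn in (("denylist", denylist_filter),
                     ("default-deny", default_deny_filter)):
        print(name, "lets through:", exposed(fn, SAMPLE))
```

The denylist stops the four named ports but still passes the unsolicited packets to TCP 135 and UDP 1026; the default-deny filter passes only the reply to the inside-initiated connection.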