Re: Windows Messenger Popup Spam on UDP Port 1026

["morning_wood" <se_cur_ity () hotmail com>]

so all users should suffer an ISP blocking ports just because some
people run windows???? excuse me? Better would be to just disable
windows mesaging service. or issue a patch for it, as opposed to
blocking port traffic.

wood

----- Original Message ----- 
From: "Joe Stewart" <jstewart () lurhq com>
To: <list () dshield org>
Cc: <full-disclosure () lists netsys com>; <intrusions () incidents org>;
<isc () sans org>
Sent: Friday, June 20, 2003 7:37 PM
Subject: [Full-disclosure] Windows Messenger Popup Spam on UDP Port
1026


> Windows Messenger Popup Spam on UDP Port 1026
>
> URL: http://www.lurhq.com/popup_spam.html
> Release Date: June 20, 2003
> Author: Joe Stewart
>
> LURHQ Corporation has observed traffic to large blocks of IP
addresses
> on UDP port 1026. This traffic started around June 18, 2003 and has
> been constant since that time. LURHQ analysts have determined that
the
> source of the traffic is spammers who have discovered that the
Windows
> Messenger service listens for connections on port 1026 as well as
the
> more widely-known port 135. Windows Messenger has been a target for
> spammers since late last year, because it allows anonymous pop-up
> messages to be displayed on any Windows system running the messenger
> service. Due to widespread abuse, many ISPs have moved to block
> inbound traffic on UDP port 135. It appears the spammers have
adapted,
> so ISPs are urged to block UDP port 1026 inbound as well.
>
> It is possible to disable the messenger service on some platforms
> following the instructions below. However, the fact that you can
> receive these messages points to the fact that your computer is
> unsecured and vulnerable to other possible attacks in the future.
> Disabling the messenger service will stop the pop-up spam, but will
> not protect you in any other way. Home users are encouraged to
install
> personal firewall software to block unauthorized connections to
their
> computers. Users are discourged from purchasing specialized Windows
> Messenger popup blocking software as it is often sold by the same
> company that is sending the popups.
>
> To disable the Messenger Service, follow the instructions for your
> Windows version:
>
> Windows XP Home
>   * Click Start, then click Control Panel.
>   * Double-click Performance and Maintenance.
>   * Double-click Administrative Tools.
>   * Double-click Services.
>   * Scroll down, highlight and right-click on Messenger and choose
>     Properties
>   * In the "Startup type" list, choose Disabled.
>   * Click Stop, and then click OK.
>
> Windows XP Professional
>   * Click Start, then click Control Panel.
>   * Double-click Administrative Tools
>   * Double-click Services
>   * Scroll down, highlight and right-click on Messenger and choose
>     Properties
>   * In the "Startup type" list, choose Disabled.
>   * Click Stop, and then click OK.
>
> Windows 2000/NT
>   * Click Start, go to Settings, then click Control Panel.
>   * Double-click Administrative Tools.
>   * Double-click Service.
>   * Double-click Messenger.
>   * In the "Startup type" list, choose Disabled.
>   * Click Stop, and then click OK.
>
> Windows 98/ME
> The Windows Messenger Service cannot be disabled
>
> --
>
> About LURHQ Corporation
> LURHQ Corporation is the trusted provider of Managed Security
> Services. Founded in 1996, LURHQ has built a strong business
> protecting the critical information assets of more than 400
customers
> by offering managed intrusion prevention and protection services.
> LURHQ's 24X7 Incident Handling capabilities enable customers to
> enhance their security posture while reducing the costs of managing
> their security environments. LURHQ's OPEN Service Delivery(TM)
> methodology facilitates a true partnership with customers by
providing
> a real time view of the organization's security status via the
> Sherlock Enterprise Security Portal. For more information visit
> http://www.lurhq.com/
>
> Copyright (c) 2003 LURHQ Corporation. Permission is hereby granted
for
> the redistribution of this document electronically. It is not to be
> altered or edited in any way without the express written consent of
> LURHQ Corporation. If you wish to reprint the whole or any part of
> this document in any other medium excluding electronic media, please
> e-mail advisories () lurhq com for permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS
condition.
> There are NO warranties implied or otherwise with regard to this
> information. In no event shall the author be liable for any damages
> whatsoever arising out of or in connection with the use or spread of
> this information.
>
> Feedback
> Updates and/or comments to:
> LURHQ Corporation
> http://www.lurhq.com/
> advisories () lurhq com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html