Security Incidents mailing list archives

...continuing saga of Windows Messenger SPAM, was re: (blank)


From: Gary Flynn <flynngn () jmu edu>
Date: Tue, 15 Oct 2002 20:57:58 -0400

A couple of follow-up notes that may be of interest.

1) From the DirectAdvertisor test page, the first packet is sent to 
   UDP-135 whether or not other ports are open. I took out the 
   router filters blocking 137-139,445 and the initial packet was 
   still sent to UDP-135. There was speculation on my part that the 
   way the messages were sent depended on what ports were available. 
   I haven't tested the demo version to see if it's the same.

2) After the initial packet to UDP-135, which looks as though it contains
   the message data, there is a back and forth exchange on high UDP
   ports that Ethereal labels an RPC "who are you" conversation.

3) Using the information in "Using DCOM with Firewalls", I added the
   following registry entry:

   HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\Internet\PortsInternetAvailable
  
   and set its value to "N" (without the quotes). After doing so, 
   the DirectAdvertisor demo page was not able to send me a message.

   This may be an alternative to shutting down the Messenger service
   altogether if that causes local problems. I've seen some people say 
   it might be used for things like spooler messages. 

   Of course, if the Messenger service functionality is desired from 
   remote systems, access will have to be controlled via an external 
   device like a firewall or they'll have to live with abuse. Perhaps 
   Microsoft will offer a patch that will allow the service to be 
   configured with the list of allowed IP addresses that can use the 
   service. And perhaps set the default so that only addresses on the 
   local network (as defined by the computer's IP address and subnet
   mask) can access the Messenger service. Or disable the Messenger
   service network access altogether by default.

4) I tried removing the following registry entries and rebooting the 
   computer, but the message was still received. I was hoping removing 
   the UDP-affiliated one would prevent the problem without having
   to stop the Messenger service:

   HKEY_LOCAL_MACHINE\Software\Microsoft\RPC\ClientProtocols\

     ncadg_ip_udp
     ncacn_ip_tcp
     ncacn_http
     ncacn_np

5) I'm monitoring both UDP and TCP network traffic now to see if there
   are any other uses for UDP-135. I had thought previously everything
   used 135-TCP. If so, maybe UDP-135 can be blocked without affecting
   other services. However, if Messenger can also be contacted on
   the TCP port....

6) Does anyone have any resources indicating what applications may
   break if the Messenger service is shut down? If it isn't accessible
   via IP?

All tests performed on XP Home.

Useful RPC References:

Microsoft RPC
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/overviews.asp

Using DCOM with Firewalls
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/msdn_dcomfirewall.asp

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
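The initial UDP-135 datagram described in notes 1 and 2 above is a connectionless DCE/RPC request to the Messenger service. The following is an added example, not part of Gary's post or of any Microsoft code, showing how one would recognise such a datagram offline, e.g. when reviewing a capture to decide whether UDP-135 can be filtered (note 5). It assumes the 80-byte DCE 1.1 connectionless PDU header layout, the Messenger service interface UUID 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc with opnum 0 = NetrSendMessage(from, to, text), and NDR conformant-varying string encoding of the three stub parameters; the sample datagrams are constructed, not captured, and the Endpoint Mapper UUID is used only as a "not Messenger" counter-example.

```python
"""Offline detector for Messenger-service (NetrSendMessage) requests carried
in connectionless DCE/RPC over UDP/135.  Added example; the header layout,
interface UUID, opnum and NDR string encoding below are assumptions not
stated in the original post."""
import struct
import uuid

# DCE/RPC connectionless (CL) PDU header: fixed 80 bytes; integer byte
# order is taken from the high nibble of drep[0] (1 = little-endian).
CL_HDR_FMT = "BBBB3sB16s16s16sIIIHHHHHBB"
CL_HDR_LEN = 80

MSGSVC_IF_UUID = uuid.UUID("5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc")  # assumption: Messenger (msgsvc)
EPM_IF_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")     # assumption: Endpoint Mapper
PTYPE_REQUEST = 0
OPNUM_NETR_SEND_MESSAGE = 0


def parse_cl_header(datagram: bytes) -> dict:
    """Parse the 80-byte CL header; raises ValueError if it is not one."""
    if len(datagram) < CL_HDR_LEN:
        raise ValueError("datagram shorter than a CL header")
    little = (datagram[4] & 0xF0) == 0x10
    endian = "<" if little else ">"
    (rpc_vers, ptype, _flags1, _flags2, _drep, _serial_hi, _obj, if_id, act_id,
     _boot, if_vers, seqnum, opnum, _ihint, _ahint, body_len, fragnum,
     _auth, _serial_lo) = struct.unpack(endian + CL_HDR_FMT, datagram[:CL_HDR_LEN])
    if rpc_vers != 4:
        raise ValueError("not a connectionless DCE/RPC PDU (rpc_vers=%d)" % rpc_vers)
    # UUID fields follow the same byte order as the integers (drep)
    to_uuid = (lambda b: uuid.UUID(bytes_le=b)) if little else (lambda b: uuid.UUID(bytes=b))
    return {"ptype": ptype, "little_endian": little, "if_id": to_uuid(if_id),
            "act_id": to_uuid(act_id), "if_vers": if_vers, "seqnum": seqnum,
            "opnum": opnum, "body_len": body_len, "fragnum": fragnum}


def _read_ndr_string(stub: bytes, pos: int, endian: str):
    """NDR conformant-varying char array: max_count, offset, actual_count,
    then actual_count chars (NUL included), next element aligned to 4."""
    _max_count, _offset, actual = struct.unpack_from(endian + "III", stub, pos)
    pos += 12
    raw = stub[pos:pos + actual]
    pos += actual
    pos += (-pos) % 4
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace"), pos


def decode_netr_send_message(datagram: bytes):
    """Return (from, to, text) for a Messenger NetrSendMessage request, else None."""
    try:
        hdr = parse_cl_header(datagram)
    except ValueError:
        return None
    if (hdr["ptype"] != PTYPE_REQUEST or hdr["if_id"] != MSGSVC_IF_UUID
            or hdr["opnum"] != OPNUM_NETR_SEND_MESSAGE):
        return None
    endian = "<" if hdr["little_endian"] else ">"
    stub = datagram[CL_HDR_LEN:CL_HDR_LEN + hdr["body_len"]]
    pos, parts = 0, []
    try:
        for _ in range(3):
            s, pos = _read_ndr_string(stub, pos, endian)
            parts.append(s)
    except struct.error:        # truncated stub: not a well-formed request
        return None
    return tuple(parts)


def flag_messenger_datagrams(datagrams):
    """Run the detector over a list of UDP/135 payloads; return hits as (index, (from, to, text))."""
    hits = []
    for i, d in enumerate(datagrams):
        msg = decode_netr_send_message(d)
        if msg is not None:
            hits.append((i, msg))
    return hits


# --- constructed test vectors (same layout the detector expects) -------------
def _build_cl_request(if_id: uuid.UUID, opnum: int, stub: bytes, seqnum: int = 1) -> bytes:
    """Little-endian CL request header (flags1 0x28 = idempotent|nofack) + stub."""
    hdr = struct.pack("<" + CL_HDR_FMT,
                      4, PTYPE_REQUEST, 0x28, 0, b"\x10\x00\x00", 0,
                      b"\x00" * 16, if_id.bytes_le, uuid.uuid4().bytes_le,
                      0, 1, seqnum, opnum, 0xFFFF, 0xFFFF, len(stub), 0, 0, 0)
    return hdr + stub


def build_netr_send_message(sender: str, recipient: str, text: str) -> bytes:
    """Constructed sample Messenger request: three NDR strings in the stub."""
    def ndr_string(s: str) -> bytes:
        raw = s.encode("ascii") + b"\x00"
        body = struct.pack("<III", len(raw), 0, len(raw)) + raw
        return body + b"\x00" * ((-len(body)) % 4)
    stub = ndr_string(sender) + ndr_string(recipient) + ndr_string(text)
    return _build_cl_request(MSGSVC_IF_UUID, OPNUM_NETR_SEND_MESSAGE, stub)


SAMPLE_DATAGRAMS = [                              # constructed, not captured
    build_netr_send_message("LAB", "HOST", "hello"),
    _build_cl_request(EPM_IF_UUID, 3, b"\x00" * 24),   # some other UDP/135 traffic
]

if __name__ == "__main__":
    for idx, (src, dst, body) in flag_messenger_datagrams(SAMPLE_DATAGRAMS):
        print("datagram %d: Messenger popup from %r to %r: %r" % (idx, src, dst, body))
```

Matching on the interface UUID and opnum rather than on the port is the useful part: it separates Messenger popups from any other connectionless RPC that may legitimately use UDP-135, which is exactly the distinction note 5 is trying to make before deciding whether the port can be blocked outright.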
