Information Security News mailing list archives

Re: Spam Masquerades as Admin Alerts


From: InfoSec News <isn () c4i org>
Date: Fri, 18 Oct 2002 00:48:52 -0500 (CDT)

Forwarded from: H C <keydet89 () yahoo com>
Cc: gizmo () surfthe net

> I think there is a bit of confusion in this article.
>
> This practice, from what I have discovered, seems to be specific to
> the Windows Messaging service, not Windows Messenger (aka Microsoft
> Messenger or MSN Messenger).

I don't see where you found the "confusion"...McWilliams specifically
referred to the service and even provided a link to an MS KB article.

> A good firewall, with a proper protection policy enabled, would
> prevent these pop-ups.

Some of the folks on the public lists have "good firewalls"...but they
still get hit w/ this stuff.  The reason is b/c some of them have to
allow DCOM/RPC portmapper (UDP 135) through for a specific purpose.

> Most personal firewalls will do this.  In fact, protecting your
> NetBIOS ports is a baseline best practice for Windows and other SMB
> enabled systems.

NetBIOS ports aren't used by the DirectAdvertiser application.  They
are used by the "net send" command, and the NetMessageBufferSend() API
(which 'net send' uses)...however the popups most folks are seeing are
coming in over DCOM/RPC.

Again...I'm not all that clear on where you found "confusion" in the
article.  To be quite honest, it was relatively clear.  The only folks
who might be confused by it are those who chose not to read it
completely.
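
Added example (not part of the original post, and not code from any product named in it): a small audit of an inbound rule list against the two Messenger delivery paths the thread distinguishes, showing why a policy that only blocks NetBIOS still leaves the UDP 135 path open. The rule format, first-match semantics, both rule sets and the "internal" source scope are assumptions constructed for illustration; 137-139 are the standard NetBIOS port numbers.

```python
from dataclasses import dataclass

# Inbound paths to the Messenger service named in the thread.
# UDP 135 comes from the post; 137-139 are the standard NetBIOS ports.
PATHS = {
    "DCOM/RPC endpoint mapper": [("udp", 135)],
    "NetBIOS (net send)": [("udp", 137), ("udp", 138), ("tcp", 139)],
}

@dataclass(frozen=True)
class Rule:                      # hypothetical rule shape, not a real product's
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    ports: range                 # destination ports covered
    source: str                  # "any" or "internal"

def decide(rules, proto, port, source="external", default="deny"):
    """Return the action of the first rule matching an inbound packet."""
    for r in rules:
        proto_ok = r.proto in (proto, "any")
        source_ok = r.source in ("any", source)
        if proto_ok and source_ok and port in r.ports:
            return r.action
    return default

def exposed_paths(rules, default="deny"):
    """Map each delivery path to the endpoints reachable from outside."""
    result = {}
    for name, endpoints in PATHS.items():
        reachable = [(p, n) for p, n in endpoints
                     if decide(rules, p, n, default=default) == "allow"]
        if reachable:
            result[name] = reachable
    return result

# Constructed policy: NetBIOS blocked, UDP 135 allowed "for a specific purpose".
NETBIOS_ONLY = [
    Rule("deny", "any", range(137, 140), "any"),
    Rule("allow", "udp", range(135, 136), "any"),
]
# Constructed policy: the same allowance limited to internal sources.
SCOPED = [
    Rule("deny", "any", range(137, 140), "any"),
    Rule("allow", "udp", range(135, 136), "internal"),
]

if __name__ == "__main__":
    for label, rules in (("netbios-only", NETBIOS_ONLY), ("scoped", SCOPED)):
        print(label, exposed_paths(rules) or "no Messenger path reachable")
```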


