Date:      Wed, 16 Oct 2002 11:35:45 -0600 (MDT)
From:      Ralph Forsythe <rf-list@centerone.com>
To:        freebsd-isp@freebsd.org
Subject:   [ISN] Spam Masquerades as Admin Alerts (fwd)
Message-ID:  <Pine.LNX.4.44.0210161133180.16808-100000@blue.centerone.com>

Generally I don't forward stuff, but this is something a few people might
want to read through.  I block all netbios in and out of my networks by
default just from a security standpoint (including 135 - use a VPN if you
need it!), but I suspect most people don't.

Pop-up ads on web sites are bad enough, but this...  <shudder>

-rf

---------- Forwarded message ----------
Date: Wed, 16 Oct 2002 02:24:08 -0500 (CDT)
From: InfoSec News <isn@c4i.org>
To: isn@attrition.org
Subject: [ISN] Spam Masquerades as Admin Alerts

http://www.wired.com/news/technology/0,1282,55795,00.html

By Brian McWilliams
Oct. 15, 2002 PDT

A new breed of pop-up ads is appearing mysteriously on Microsoft
Windows users' computers. The so-called "Messenger spams" have
security experts and system administrators scratching their heads --
and recipients fuming.

Some of the ads, which hit Windows systems through backdoor networking
ports and not by e-mail or Web browsing, appear to have been generated
by Direct Advertiser, a $700 software program developed by
Florida-based DirectAdvertiser.com.

By tapping into Messenger, a Windows service originally designed to
enable system administrators to send messages to users on a network,
Direct Advertiser can deliver "completely anonymous and virtually
untraceable" ads "straight to the screen of your client," according to
the company's website.

"Now somebody on the other side of the world can sit there and pop up
messages on your screen," said Gary Flynn, a security engineer at
James Madison University, where users have recently reported receiving
pop-up spam selling university diplomas.

The Messenger service, not to be confused with Microsoft's MSN
Messenger chat client, is enabled by default on Windows 2000, NT and
XP systems, according to Lawrence Baldwin, operator of the
myNetWatchman computer intrusion reporting service. Baldwin said
potentially millions of systems may be vulnerable to the pop-ups, also
known as "NetBIOS Spam."

According to DirectAdvertiser.com's lead developer Lenard Iszak, the
program can generate about 5,000 pop-up messages per hour, hitting
more than one recipient per second. A demonstration of the Direct
Advertiser software enables users to target a range of Internet
addresses, such as those assigned to a specific ISP or a particular
country.

Zoltan Kovacs, founder of DirectAdvertiser.com, said the company has
sold about 200 copies of the program since launching two months ago.
According to Kovacs, the software is ideal for advertising 900-number
and other telephone services.

"I have customers who call me back and tell me they love it and it
generates hundreds of calls right away," said Kovacs, who noted that
Direct Advertiser is a good alternative to bulk e-mail because its
messages are not regulated by spam laws.

According to Flynn, many network administrators are puzzled over how
the ads have weaseled through firewalls onto users' computers. While
Windows Messenger traditionally uses commonly protected ports 137 and
139, Flynn said the recent pop-ups appear to use port 135, which is
often left unprotected by a firewall because it's a vital conduit for
communicating with a Microsoft service called RPC.

Since mid-September, numerous myNetWatchman participants have received
repeated probes on port 135 from a handful of Internet protocol
addresses assigned to Everyones Internet (EV1.net), an Internet
service provider in Houston, according to Baldwin. The numeric
addresses translate into "NetBIOS machine names" that begin with
WEBPOPUP and that have appeared in several recent ads, he said.

EV1.net officials, who did not respond to interview requests, are
investigating the issue, according to Baldwin.

Now that spammers have pioneered the Windows Messenger technology,
worm writers may be next to target the service, according to Harlan
Carvey, a security engineer with a financial services firm.

"I'm sure we're going to see spyware or malware that makes use of
this," Carvey said.

Carvey and other security experts said users can protect themselves
from unwanted pop-ups by disabling the Windows Messenger service
and/or properly configuring their firewalls.

According to Kovacs, he hasn't promoted Direct Advertiser aside from
touting it in a link from the control panel of StealthMail Master, a
program he also markets that promises to hide bulk e-mailers' IP
addresses.

In December 2001, DirectAdvertiser.com's Iszak lost a dispute with
America Online over the domain ICQmultipager.com. According to an
archive of the site, ICQ MultiPager enabled users to broadcast ads to
users of AOL's ICQ chat service.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
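The article says the pop-ups arrive over UDP/TCP port 135 (and traditionally 137/139), that myNetWatchman spotted them as repeated probes from a handful of source addresses, and that the tool targets whole address ranges. The following is an added example, not code from the thread, the article, or any product it names: a small Python script that parses constructed ipfw-style "Deny" log lines (the addresses and the exact log format are assumptions, chosen from documentation ranges) and reports sources that repeatedly probe NetBIOS/RPC ports or sweep many hosts on them. Port 138 (NetBIOS datagram) is added to the block list as an assumption; it is not mentioned in the article.

```python
import re
from collections import defaultdict

# Ports named in the article: 135 (RPC endpoint mapper, used by the recent
# pop-ups) and 137/139 (the traditional NetBIOS ports). 138 is the NetBIOS
# datagram port; it is not in the article and is included as an assumption
# about what a "block all netbios" firewall policy normally covers.
NETBIOS_PORTS = {135, 137, 138, 139}

# Constructed sample log lines in an ipfw-like "Deny" format. The addresses
# are documentation ranges, not the ones discussed in the article.
SAMPLE_LOG = """\
ipfw: 100 Deny UDP 203.0.113.7:1032 192.0.2.10:135 in via fxp0
ipfw: 100 Deny UDP 203.0.113.7:1032 192.0.2.11:135 in via fxp0
ipfw: 100 Deny UDP 203.0.113.7:1032 192.0.2.12:135 in via fxp0
ipfw: 100 Deny TCP 198.51.100.9:4455 192.0.2.10:139 in via fxp0
ipfw: 100 Deny TCP 198.51.100.9:4456 192.0.2.10:137 in via fxp0
ipfw: 100 Deny TCP 203.0.113.8:2000 192.0.2.10:80 in via fxp0
ipfw: 100 Deny UDP 203.0.113.7:1032 192.0.2.13:135 in via fxp0
"""

# Regex for the assumed line format: rule number, action, protocol,
# src:port, dst:port, direction and interface.
LINE_RE = re.compile(
    r"ipfw: \d+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def netbios_probes(log_text):
    """Count denied inbound packets to NetBIOS/RPC ports per source address.

    Returns {src: {dport: count}}; sources that never touched one of the
    NETBIOS_PORTS are absent from the result.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["direction"] != "in":
            continue
        if rec["dport"] in NETBIOS_PORTS:
            counts[rec["src"]][rec["dport"]] += 1
    # Convert to plain dicts so results compare and print cleanly.
    return {src: dict(ports) for src, ports in counts.items()}


def repeat_probers(log_text, threshold=3):
    """Sources that hit a single NetBIOS/RPC port at least `threshold` times.

    This is the "repeated probes on port 135 from a handful of addresses"
    pattern the article attributes to myNetWatchman.
    """
    hits = netbios_probes(log_text)
    return sorted(src for src, ports in hits.items()
                  if max(ports.values()) >= threshold)


def sweep_sources(log_text, min_hosts=3):
    """Sources that probed at least `min_hosts` distinct destinations on a
    NetBIOS/RPC port, i.e. a range scan like the one the article says the
    advertising tool performs."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["direction"] != "in":
            continue
        if rec["dport"] in NETBIOS_PORTS:
            targets[rec["src"]].add(rec["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_hosts)


if __name__ == "__main__":
    for src, ports in netbios_probes(SAMPLE_LOG).items():
        print(f"{src}: {ports}")
    print("repeat probers:", repeat_probers(SAMPLE_LOG))
    print("range sweeps:  ", sweep_sources(SAMPLE_LOG))
```

Feed it the output of a real `ipfw ... log` rule (or adapt `LINE_RE` to another firewall's format) and the two report functions give you the short list of sources worth rate-limiting or reporting to the upstream ISP; the inbound-only filter matters because your own hosts legitimately speak NetBIOS outbound on a LAN, and a blanket count would drown the external probes in that noise.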