An old friend reappears: the infamous NetBios/SMB ("net send") Messenger popup. This type of spam should NOT be confused with any of the popular instant messaging programs such as MSN IM (Microsoft Network Instant Messenger), AIM (AOL Instant Messenger), ICQ or similar. Those are real messaging programs. Windows Messenger spam is an intentional misuse of a LAN/WAN/Intranet messaging ability built into most Windows systems, which allows the root Admin to send important messages to all users on their LAN/WAN/Intranet: messages about a service blackout, printers not working, a very special meeting of all graphic designers, or similar. People who have workstations on a LAN/WAN/Intranet are undoubtedly familiar with Messenger messages. People using the 'Net who haven't secured their NetBios ports may also be familiar with them, though they've been seeing the "bad" version: fake diplomas, how to enlarge their privates, lose weight with radioactive tea, and similar. Windows Messenger spam will look like a normal alert message ("system failure due to...", "unable to locate .dll", "this program has performed an illegal function and will now close", "LAN: All traffic will cease from 2pm-4pm for a system upgrade" and similar).
Windows 95 and Windows 98/98SE users have most likely already hardened their NetBios settings, since there are several viruses that look for this exploit on those OS versions. Just in case, here's how to harden Windows 95 and Windows 98/98SE to disallow Windows Messenger spam. Note: If you're on a LAN/WAN/Intranet, be sure to check with your root Admin before doing any of these. There are different methods for closing off this spam, and your root Admin may have selected a different method which still allows Messenger messages from the root Admin only. Home users (and non-networked surfers) can freely do these:
- Start,
- Control Panel (you may also go directly to Control Panel),
- Network,
- Configuration,
- IPX/SPX compatible protocol,
- Make sure "I want to enable NetBios" is unchecked on the NetBios tab.
- Apply - OK
As an added protection, blocking TCP ports 135, 139, 445 and UDP ports 135, 137, 138 will ensure Messenger spam isn't allowed through. All other Windows users should also block these ports. In addition, some firewalls offer the ability to block all NetBios/Bios ports with a single setting. The way for Windows NT/2000/XP to internally block Messenger spam is slightly different from the steps shown above:
- Start,
- Administrative Tools,
- Services,
- Messenger,
- Select "Startup type: Disabled" and click the "Stop" button to stop the service,
- Apply - OK
We'll repeat it here again, knowing that several dozen IT staff will contact us anyway because Debra Ditz and Steven Stupid trashed their network connections: DO NOT ALTER YOUR MACHINE IN ANY WAY IF YOU ARE ON A LAN/WAN/INTRANET, NOR ANY NETWORKED SYSTEM, WITHOUT FIRST CHECKING WITH YOUR ROOT ADMIN/BOFH/IT OR SIMILAR. Home users and non-networked surfers may freely (at their own risk) muck around in their machines.
Wondering how Windows Messenger spam came about? The underlying technology is very simple: all you need is any Windows OS and the exact IP of the machine you want to contact (both machines must be online if the receiving machine isn't on your network). Open a DOS prompt and type:
C:\>net send 172.16.1.140 "hello there"
Alter the various elements as needed (main drive:\>net send dotted-quad IP "message to send"). If the receiving machine is online or on your network, and it has not been hardened against NetBios messages, an alert window will pop up with your message. Unfortunately, several unscrupulous (though legal) software companies have produced software that allows mass sending of such messages (hence, Windows Messenger spam). While fewer than 500 copies were ever purchased, the people using them are less than ethical and have likely made multiple installs, sold copies to others, reverse engineered the software guts for new similar programs, and so on. The most notorious of these is Direct Advertiser. Fortunately, their website is currently nothing more than a placeholder page saying they're rebuilding everything and will be back soon. Since this message has been there since late 2002, it looks like the refinancing to rebuild fell through and they'll not be back (if at all) anytime soon.
The collapse of Direct Advertiser doesn't mean that surfers and network users should let down their guard, however. There are still those fewer-than-500 copies of the mass sending program to consider, clones of the program, and the fact that any hyper-caffeinated scriptkiddie could do the same thing with a small DOS program. Harden your NetBios ports (as detailed by OS above), block the NetBios ports (TCP ports 135, 139, 445 and UDP ports 135, 137, 138), and pay attention to weird NetBios/Bios scans in your firewall logs.
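To make that last piece of advice concrete, here is an added example (not part of the original article) that scans firewall log lines for probes against the Messenger/NetBios ports listed above and reports sources that hit more than one of them. The log lines are constructed for the example, loosely following the "date time action protocol src dst sport dport" column layout of a Windows XP firewall log; adjust the column indexes for your own firewall's format.

```python
from collections import defaultdict

# Ports the article says to block for Messenger (net send) spam.
MESSENGER_TCP_PORTS = {135, 139, 445}
MESSENGER_UDP_PORTS = {135, 137, 138}

# Constructed sample log lines (not real traffic), in an assumed
# "date time action proto src dst sport dport" layout.
SAMPLE_LOG = """\
2003-05-01 10:00:01 DROP UDP 203.0.113.5 192.168.1.10 1026 135
2003-05-01 10:00:02 DROP UDP 203.0.113.5 192.168.1.10 1027 137
2003-05-01 10:00:03 DROP TCP 203.0.113.5 192.168.1.10 2000 139
2003-05-01 10:00:04 DROP TCP 203.0.113.5 192.168.1.10 2001 445
2003-05-01 10:00:05 OPEN TCP 192.168.1.10 198.51.100.7 3001 80
2003-05-01 10:00:06 DROP TCP 198.51.100.9 192.168.1.10 4000 139
"""

def parse_line(line):
    """Return (action, proto, src, dst, dport) or None for a malformed line."""
    parts = line.split()
    if len(parts) < 8:
        return None
    action, proto, src, dst, dport = parts[2], parts[3], parts[4], parts[5], parts[7]
    try:
        return action, proto.upper(), src, dst, int(dport)
    except ValueError:  # non-numeric destination port column
        return None

def is_messenger_port(proto, dport):
    """True if proto/dport is one of the ports the article says to block."""
    if proto == "TCP":
        return dport in MESSENGER_TCP_PORTS
    if proto == "UDP":
        return dport in MESSENGER_UDP_PORTS
    return False

def netbios_scanners(log_text, min_hits=2):
    """Map each source IP to the distinct Messenger ports it probed,
    keeping only sources that touched at least min_hits distinct ports
    (one stray packet is noise; several ports from one source is a scan)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _action, proto, src, _dst, dport = rec
        if is_messenger_port(proto, dport):
            hits[src].add((proto, dport))
    return {src: sorted(ports) for src, ports in hits.items() if len(ports) >= min_hits}

if __name__ == "__main__":
    for src, ports in netbios_scanners(SAMPLE_LOG).items():
        print(f"{src}: probed {ports}")
```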