
Busting Pop-up Spam


By Tim Mullen

I hate spam. I know "hate" is a strong word, but it is the truth. I think spammers should be strung up and beaten like a pinata on Cinco de Mayo and then set on fire.

I hope that aliens are not monitoring spam in order to make a value judgment as to whether or not to vaporize the earth; clearly the universe does not need a race of creatures endowed with diminutive genitalia that must refinance their house in order to afford a mail order diploma or a new satellite dish. Of course, they would spare Nigeria, as it is clearly a country populated entirely of Ministers of Something, each with 28 million dollars in the bank just waiting to be dispersed to anyone willing to give them the assistance they so urgently need.

Who is buying this stuff? Apparently it must be lucrative or we would not be seeing so much of it. I understand the law of averages and that only a fraction of a percent of the total spam broadcast needs a response to make it profitable, but how many people really buy toner cartridges from an e-mail?

Not only is spam a waste of bandwidth and system resources, but the purveyors of spam are getting better and better at delivering it -- dealing with it is a constant battle. Blacklist servers, gateway filters, and third-party client apps can help cut down on spam, but something always seems to get through.

If all of that were not enough, spammers have now begun moving outside of e-mail, and are leveraging idiosyncrasies with other network services in order to push their content.

Direct Advertiser is one such marketing product. As reported last week, if you give this product an IP range, it will deliver your message directly to Windows users whether they want it or not. These are not e-mails -- these are pop-up message windows from the Messenger Service that deliver in-your-face spam right to the recipient's interactive session. For the low low price of $700, you too can cheese your way into the spam market by delivering unsolicited advertisements directly to a user in the most irritating way yet.

A BETTER MOUSETRAP

Mind you, Messenger Service pop-ups are nothing new. Many, many years back, we used to take perverse pleasure in scanning for open NetBIOS ports on unsuspecting machines, using "net send" to display a harmless "You hacked! All of your Base are belong to us!" message on the console, and watching for the panicked user to take the box offline. Hey, it was fun at the time.

Back then, you had to have open NetBIOS ports for that to work -- you had to be able to hit the box with TCP 139. While this is still an issue (unfortunately), it is not as common as it used to be. The difference with this product is that it uses UDP 135: the RPC endpoint mapper. This is the part that has stumped many sys admins, and I was a bit taken aback myself. I was well aware that one could message someone else over TCP 139, but I had no idea that you could invoke the Messenger Service via the endpoint mapper.

After a little experimentation, I found that the capability of using UDP 135 was built into "net send" all along.

If you have NetBIOS bound to your interface, someone using net send will, by default, pipe the message over SMB to TCP 139. But if NetBIOS is not bound to the interface, net send will use UDP 135 instead. It takes the "net" command a bit longer to figure this out, but it does work.

The Direct Advertiser product just skips the preliminaries, knowing that smart system administrators close TCP 139, and goes right for the undocumented back door.

That bugs me. It's not just that nobody knew that you could do it, it's that you can do it in the first place. The endpoint mapper is supposed to map clients to available RPC ports -- you should not be able to control services via unauthenticated UDP packets.

Granted, you should not have UDP 135 open to the net anyway, but it is actually a quite common thing to see. The real question, which we should probably pose to Microsoft, is what other surprises are in store through this overlooked entryway into our systems? Dave Aitel of Immunity has already published a vulnerability where an unauthenticated attacker can disable the RPC service via UDP 135, thus crippling many other network services. It is reasonable to expect other issues in the future.
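A quick way to find out whether your own perimeter lets these two delivery paths in is to run the firewall's accept log past a small filter. The script below is an added example, not part of the column or of any product it mentions: it assumes a constructed key=value log format and treats RFC 1918 and loopback ranges as "inside"; everything else counts as the Internet.

```python
"""Flag accepted packets to UDP 135 (endpoint mapper) or TCP 139 (NetBIOS) from
outside the organisation, the two 'net send' paths the column describes. Added example."""
import ipaddress
import re
from collections import Counter

MESSENGER_VECTORS = {  # (proto, port) -> delivery path named in the column
    ("udp", 135): "RPC endpoint mapper (net send with NetBIOS unbound)",
    ("tcp", 139): "NetBIOS session over SMB (classic net send)",
}
# Assumption: these are the organisation's own ranges; anything else is Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(r"action=(\w+)\s+proto=(\w+)\s+src=([\d.]+)\s+"
                     r"dst=([\d.]+)\s+dport=(\d+)")

def parse_line(line):
    # Returns (action, proto, src, dst, dport) or None if the line does not match.
    m = LINE_RE.search(line)
    if not m:
        return None
    action, proto, src, dst, dport = m.groups()
    return action.lower(), proto.lower(), src, dst, int(dport)

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposures(lines):
    """Count accepted Internet-sourced packets per (dst, proto, port) on a
    Messenger delivery port; drops and internal sources are ignored."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        action, proto, src, dst, dport = rec
        if action == "accept" and (proto, dport) in MESSENGER_VECTORS and is_external(src):
            hits[(dst, proto, dport)] += 1
    return hits

# Constructed sample: documentation addresses stand in for Internet sources.
SAMPLE_LOG = """\
action=accept proto=udp src=203.0.113.7 dst=192.168.1.10 dport=135
action=accept proto=udp src=203.0.113.9 dst=192.168.1.10 dport=135
action=drop proto=tcp src=203.0.113.9 dst=192.168.1.10 dport=139
action=accept proto=tcp src=10.1.2.3 dst=192.168.1.10 dport=139
action=accept proto=tcp src=198.51.100.5 dst=192.168.1.12 dport=139
action=accept proto=udp src=198.51.100.5 dst=192.168.1.12 dport=53
""".splitlines()
```

On the sample, `find_exposures(SAMPLE_LOG)` reports two Internet packets reaching 192.168.1.10 on UDP 135 and one reaching 192.168.1.12 on TCP 139; the dropped packet, the internal 10.1.2.3 client and the DNS traffic are left out.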

The lesson in both cases is to turn off services you don't need and to only allow required ports to be open. That way, when the spammers build a better mouse trap, you won't be the first to step on it.

SecurityFocus Online columnist Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.

