Security Basics mailing list archives
Answering my own question [was Re: NetBIOS Messenger spam - how did it get in?]
From: Damon McMahon <inst_karma () hotmail com>
Date: 28 Oct 2002 22:54:54 -0000
In-Reply-To: <20021025093609.29660.qmail () mail securityfocus com>

Thank you to those who took the time to provide some advice. On some further research I have discovered an answer to my question which I believe many on this list may find of interest [below].
The gateway host of my small workgroup has just become a 'victim' of the recent spate of SPAM using the NetBIOS Messenger Service. However, I'm seeking advice on how it managed to get through what I thought was a reasonably secure gateway.
[snip]
I have ZoneAlarm Pro installed on the gateway, which allows NetBIOS traffic over the 192.168.0.0/24 subnet but rejects NetBIOS traffic from any other IP. This rule is explicitly defined in the ZA Pro configuration, and appears to be working as the ZA Pro logs are full of rejected packets from internet IPs attempting to access NetBIOS ports on the host.
As it turns out, the SPAM was not using NetBIOS at all but rather coming through a RPC endpoint on udp/135 which is mapped by the Windows 2000 Services and Controller app (SERVICES.EXE). A detailed comparison of the two methods used by the Messenger Service is given at http://mynetwatchman.com/kb/security/articles/popupspam/netsend.htm . So as it turns out, this was a misconfiguration of ZA Pro on my part, and in a way I'm happy this has happened as it has alerted me to the fact that I had some services installed on my gateway which were wide open to accepting traffic from the internet.

Given that I'm sure I'm not the only one in this boat, I will repeat the advice given at the above resource: "Users with personal firewalls need to exercise extreme care when granting permissions to RPC-related executables (e.g. svchost.exe or services.exe). If you mistakenly give these applications full 'server' rights, then you may be susceptible to Messenger SPAM."
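The gap the post describes (NetBIOS on 137-139 explicitly rejected from the internet, udp/135 not covered, everything unmatched allowed through) can be made concrete with a small rule evaluator. This is an added example, not code from the original post or from ZoneAlarm; the rule syntax and the log lines are constructed for it, the log format is a simplified one invented here rather than ZA Pro's real format, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for internet hosts. It runs the described rule set and a corrected one over the same sample log and reports which internet-sourced packets each would let reach the gateway.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.0.0/24")  # the workgroup subnet from the post

NETBIOS_PORTS = frozenset({137, 138, 139})  # NetBIOS name / datagram / session
RPC_EPM_PORT = 135                           # RPC endpoint mapper, tcp and udp


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP as text
    dport: int   # destination port on the gateway


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]         # "tcp", "udp", or None for either
    ports: Optional[frozenset]   # destination ports, or None for any port
    from_lan: Optional[bool]     # True: LAN sources only; False: non-LAN only; None: any
    action: str                  # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.ports is not None and pkt.dport not in self.ports:
            return False
        if self.from_lan is not None:
            if (ipaddress.ip_address(pkt.src) in LAN) != self.from_lan:
                return False
        return True


# Rule set as the post describes it: NetBIOS allowed from the LAN, rejected from
# anywhere else, nothing said about 135. First match wins; a packet matching no
# rule is allowed, which is the "wide open" state the post discovered.
ORIGINAL_RULES = [
    Rule(None, NETBIOS_PORTS, True, "allow"),
    Rule(None, NETBIOS_PORTS, False, "deny"),
]

# Corrected set (constructed for this example): the RPC endpoint mapper is
# treated like NetBIOS, and a final catch-all rejects anything else from
# outside the LAN instead of relying on an implicit allow.
CORRECTED_RULES = [
    Rule(None, NETBIOS_PORTS | {RPC_EPM_PORT}, True, "allow"),
    Rule(None, NETBIOS_PORTS | {RPC_EPM_PORT}, False, "deny"),
    Rule(None, None, False, "deny"),
]

# Simplified, invented log format: "<date> <time> <proto> <src> -> <dst>:<dport>"
LOG_RE = re.compile(r"^\S+ \S+ (?P<proto>tcp|udp) (?P<src>[\d.]+) -> [\d.]+:(?P<dport>\d+)$")

# Constructed sample log: three NetBIOS probes from the internet, one udp/135
# RPC datagram from the internet (the Messenger spam path), and two legitimate
# LAN packets that a corrected rule set must still allow.
SAMPLE_LOG = [
    "2002-10-28 22:10:01 udp 203.0.113.45 -> 192.168.0.1:137",
    "2002-10-28 22:10:02 udp 203.0.113.45 -> 192.168.0.1:138",
    "2002-10-28 22:10:03 tcp 198.51.100.7 -> 192.168.0.1:139",
    "2002-10-28 22:10:04 udp 198.51.100.7 -> 192.168.0.1:135",
    "2002-10-28 22:10:05 udp 192.168.0.23 -> 192.168.0.1:137",
    "2002-10-28 22:10:06 tcp 192.168.0.23 -> 192.168.0.1:135",
]


def parse_log(lines):
    packets = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        packets.append(Packet(m["proto"], m["src"], int(m["dport"])))
    return packets


def decide(pkt: Packet, rules) -> str:
    """First matching rule wins; with no match the personal-firewall default is allow."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "allow"


def internet_exposed(rules, lines):
    """(src, proto, dport) of packets from outside the LAN that the rules let through."""
    return [(p.src, p.proto, p.dport) for p in parse_log(lines)
            if ipaddress.ip_address(p.src) not in LAN and decide(p, rules) == "allow"]


def lan_blocked(rules, lines):
    """LAN packets the rules would wrongly reject; should be empty for both sets."""
    return [(p.src, p.proto, p.dport) for p in parse_log(lines)
            if ipaddress.ip_address(p.src) in LAN and decide(p, rules) == "deny"]


if __name__ == "__main__":
    print("original rules let through:", internet_exposed(ORIGINAL_RULES, SAMPLE_LOG))
    print("corrected rules let through:", internet_exposed(CORRECTED_RULES, SAMPLE_LOG))
    print("LAN traffic blocked by corrected rules:", lan_blocked(CORRECTED_RULES, SAMPLE_LOG))
```

Under the original rules the only internet packet that reaches the host is the udp/135 one, exactly the path the post identifies; the NetBIOS probes are rejected as the ZA Pro logs showed. The point of the catch-all rule in the corrected set is that a per-port deny list is only as complete as the list of services you remembered to add, whereas rejecting everything from non-LAN sources by default does not depend on remembering that the RPC endpoint mapper exists.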
Current thread:
- Answering my own question [was Re: NetBIOS Messenger spam - how did it get in?] Damon McMahon (Oct 29)