Security Basics mailing list archives

Answering my own question [was Re: NetBIOS Messenger spam - how did it get in?]


From: Damon McMahon <inst_karma () hotmail com>
Date: 28 Oct 2002 22:54:54 -0000

In-Reply-To: <20021025093609.29660.qmail () mail securityfocus com>

Thank you to those who took the time to provide some
advice. On some further research I have discovered an
answer to my question which I believe many on this list
may find of interest [below].


The gateway host of my small workgroup has just become
a 'victim' of the recent spate of SPAM using the
NetBIOS Messenger Service. However, I'm seeking advice
on how it managed to get through what I thought was a
reasonably secure gateway.


[snip]


I have ZoneAlarm Pro installed on the gateway, which
allows NetBIOS traffic over the 192.168.0.0/24 subnet
but rejects NetBIOS traffic from any other IP. This
rule is explicitly defined in the ZA Pro configuration,
and appears to be working as the ZA Pro logs are full
of rejected packets from internet IPs attempting to
access NetBIOS ports on the host.


As it turns out, the SPAM was not using NetBIOS at all
but rather coming through a RPC endpoint on udp/135
which is mapped by the Windows 2000 Services and
Controller app (SERVICES.EXE). A detailed comparison of
the two methods used by the Messenger Service is given
at http://mynetwatchman.com/kb/security/articles/popupspam/netsend.htm.

So as it turns out, this was a misconfiguration of ZA
Pro on my behalf, and in a way I'm happy this has
happened as it has alerted me to the fact that I had
some services installed on my gateway which were wide
open to accepting traffic from the internet. Given that
I'm sure I'm not the only one in this boat, I will
repeat the advice given at the above resource:

"Users with personal firewalls need to exercise extreme
care when granting permissions to RPC-related
executables (e.g. svchost.exe or services.exe). If you
mistakenly give these applications full 'server'
rights, then you may be susceptible to Messenger SPAM."
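The gap described in the post (a rule that rejects the NetBIOS ports but leaves the RPC endpoint mapper on udp/135 reachable from the internet) can be checked mechanically. The following is an added example, not code from the post or from the mynetwatchman article; it assumes the 192.168.0.0/24 trusted subnet from the post and a constructed, simplified log layout (`ACTION PROTO src:port -> dst:port`) that is not ZoneAlarm's real format.

```python
import ipaddress
import re

# Ports the Messenger Service can be reached on: the NetBIOS ports the original
# rule covered, plus the RPC endpoint mapper on 135 that the post found open.
NETBIOS_PORTS = {137, 138, 139}
RPC_EPMAP_PORT = 135
MESSENGER_PORTS = NETBIOS_PORTS | {RPC_EPMAP_PORT}
TRUSTED_NET = ipaddress.ip_network("192.168.0.0/24")  # subnet from the post

# Constructed sample lines (not real ZoneAlarm output): two blocked NetBIOS
# probes, one allowed udp/135 packet from the internet, and local traffic.
SAMPLE_LOG = """\
2002-10-28 22:10:01 BLOCK UDP 203.0.113.45:1033 -> 192.168.0.1:137
2002-10-28 22:10:05 BLOCK TCP 203.0.113.45:2044 -> 192.168.0.1:139
2002-10-28 22:11:12 ALLOW UDP 198.51.100.9:1029 -> 192.168.0.1:135
2002-10-28 22:11:30 ALLOW UDP 192.168.0.7:1031 -> 192.168.0.1:135
2002-10-28 22:12:02 ALLOW TCP 192.168.0.7:1032 -> 192.168.0.1:139
2002-10-28 22:12:40 ALLOW TCP 198.51.100.9:3211 -> 192.168.0.1:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def missing_blocks(blocked_ports):
    """Messenger-capable ports a 'reject from non-local hosts' rule does not cover."""
    return sorted(MESSENGER_PORTS - set(blocked_ports))


def find_exposed(log_text):
    """Allowed packets from outside TRUSTED_NET to any Messenger-capable port."""
    exposed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the constructed layout; skip it
        dport = int(m["dport"])
        src = ipaddress.ip_address(m["src"])
        if m["action"] == "ALLOW" and dport in MESSENGER_PORTS and src not in TRUSTED_NET:
            exposed.append((m["ts"], m["proto"], str(src), dport))
    return exposed


if __name__ == "__main__":
    print("rule gap:", missing_blocks(NETBIOS_PORTS))  # [135]
    for hit in find_exposed(SAMPLE_LOG):
        print("exposed:", hit)
```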

